Privacy Policy
Last Updated: 16 May 2026
Private Node ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our website and managed infrastructure services.
Private Node is a trading name of Twakka Ltd, a company registered in England and Wales (Company No. 14001176). Registered Office: 167-169 Great Portland Street, London, W1W 5PF.
1. Data We Collect
We collect minimal data necessary to provision and secure your intelligence node:
Identity Data
Names, usernames, job titles, or professional identifiers for admin-level users.
Contact Data
Business email addresses, billing addresses, and telephone numbers.
Financial Data
Payment card details and billing information, processed via PCI-DSS compliant third-party providers (Stripe).
Technical Data
IP addresses, access timestamps, browser type, and device information used strictly for security logging and service delivery.
Usage Data
Information about how you use our website and services, collected via privacy-focused analytics.
2. How We Use Your Data
- To provision and maintain your Private Node infrastructure
- To process payments and manage your subscription
- To provide technical support and respond to enquiries
- To send service-related communications (maintenance notices, security alerts)
- To detect and prevent fraud, abuse, or security threats
- To comply with legal obligations
3. Lawful Basis for Processing
We process your personal data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Service provision | Performance of contract |
| Payment processing | Performance of contract |
| Security logging | Legitimate interests |
| Marketing communications | Consent (opt-in only) |
| Legal compliance | Legal obligation |
4. Data Storage & Sovereignty
Client Data (Your "Firm Memory")
The documents, datasets, and vectors uploaded to your Private Node are stored on dedicated, single-tenant servers hosted by Hetzner Online GmbH in Germany and Finland (EU). This data remains under your absolute control as the Data Controller. We act strictly as the Data Processor.
Operational Data
Internal records required for service provision (billing, support history) are stored securely within the UK and EEA. We do not transmit client data outside of these jurisdictions.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Client Node data | Deleted within 14 days of contract termination |
| Billing records | 7 years (UK legal requirement) |
| Support correspondence | 3 years from last contact |
| Security logs | 12 months |
| Website analytics | 24 months (anonymised) |
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access
Request a copy of your personal data.
Right to Rectification
Request correction of inaccurate data.
Right to Erasure
Request deletion of your data ("right to be forgotten").
Right to Restrict Processing
Request limitation of how we use your data.
Right to Data Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interests.
To exercise any of these rights, please contact us at legal@privatenode.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies & Analytics
We use minimal, privacy-focused tracking:
Umami Analytics
We use Umami, a privacy-focused analytics platform that does not use cookies and does not collect personally identifiable information. All data is anonymised and aggregated.
Essential Cookies
We may use strictly necessary cookies for security purposes (e.g., CSRF protection, session management). These cannot be disabled as they are essential for service operation.
8. Third-Party Processors
We work with the following carefully selected sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server infrastructure | Germany / Finland (EU) |
| Cloudflare Inc. | CDN, DDoS protection, DNS | Global (EU data centres) |
| Nebius / OpenRouter | AI inference (Zero Data Retention) | EU |
| Stripe | Payment processing | UK / EU |
| Umami | Privacy-focused analytics | EU |
9. Optional Cloud Storage Connections (Google Drive, Microsoft OneDrive)
This section is specific to one optional feature only. The rest of PrivateNode does not run on, depend on, or share data with Google or Microsoft. Our platform infrastructure is hosted on Hetzner (Germany / Finland) with AI inference on Nebius (EU) — see Section 4 (Data Storage & Sovereignty) and Section 8 (Third-Party Processors). Connecting your cloud storage is something you opt into per account; it does not change where any other PrivateNode data lives or how it is processed.
The PrivateNode Company Knowledge Base feature allows you to connect a folder from your own Google Drive or Microsoft OneDrive / SharePoint account so its contents can be indexed for semantic search by your AI assistant. This is purely an optional data-ingestion mechanism initiated and controlled by you.
9.1 What we access
- Google Drive: only the folder you explicitly select, via the read-only scope https://www.googleapis.com/auth/drive.readonly. We never request write, delete, or share permissions.
- Microsoft Graph (OneDrive / SharePoint): only the folder you explicitly select, via Files.Read.All and offline_access (the latter purely so token refresh runs without re-prompting you). We never request write, delete, or admin scopes.
9.2 Where the data goes
- Files are copied, once per change, from your cloud storage into your own dedicated EU-hosted PrivateNode server. They never traverse PrivateNode's shared infrastructure.
- The OAuth refresh token is pushed directly to that same dedicated server and is then cleared from the account portal database (typically within seconds of the consent flow completing). All ongoing token refreshes happen on your server, not centrally.
- The synced files remain on your dedicated server until you disconnect the source.
9.3 What we do with the data
- Files are indexed for semantic search so your AI assistant can answer questions referencing your own documents.
- No content from your synced folders is written back to Google Drive or OneDrive. The integration is read-only by design.
9.4 What we do NOT do with the data
- We do not use any content from your synced folders to train, fine-tune, or otherwise improve any artificial intelligence or machine learning model — ours or any third party's.
- We do not transfer your synced content to any party outside your own dedicated server, except as needed to provide or improve user-facing features that you initiate (e.g. an AI assistant query you run).
- We do not serve advertising, profile you for advertising, or use your synced content for any advertising purpose.
- PrivateNode personnel do not read your synced documents. Exceptions are strictly limited to: (a) cases where you give us explicit, scoped, time-limited consent for a support request you initiate; (b) where required to comply with applicable law; (c) the minimum access necessary to investigate a security incident affecting your account.
9.5 Google API Services User Data Policy (Limited Use)
PrivateNode's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
9.6 Disconnecting and deletion
- You can disconnect a cloud storage source at any time from your account portal at accounts.privatenode.uk/dashboard/kb.
- Disconnect with deletion (the typed-confirmation flow) permanently removes every synced file, every extracted text chunk, every embedding, and any cached OAuth credentials from your dedicated server. This action is irreversible and is recorded in your account's audit log.
- You can also revoke PrivateNode's access entirely from your Google account (myaccount.google.com/permissions) or Microsoft account (account.live.com/consent/Manage) directly. Doing so immediately invalidates any tokens; in-flight sync jobs will fail on the next refresh.
10. International Transfers
We do not transfer your personal data or client data outside of the UK and European Economic Area (EEA). All infrastructure and AI processing occurs within GDPR-adequate jurisdictions. Where any sub-processor operates globally (e.g., Cloudflare), we ensure that data is processed only in EU data centres and that appropriate safeguards are in place.
11. Changes to This Policy
We may update this privacy policy from time to time. Any material changes will be communicated to you via email or through a prominent notice on our website. The "Last Updated" date at the top of this policy indicates when it was last revised.
12. Contact Us
For all privacy-related enquiries or to exercise your rights under UK GDPR, please contact our Data Protection team:
Email: legal@privatenode.uk
Address: Private Node, 167-169 Great Portland Street, London, W1W 5PF
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).