Privacy Policy.

Information we collect

We collect information that helps us deliver our networking platform — and nothing we don't need.

You give us

• Account data — name, email, password (hashed), profile photo
• Career data — your goals, target roles, industries, school, work history
• Outreach data — emails you draft, send, and the contacts you reach out to
• Billing data — handled by Stripe; we never see your full card number

We collect automatically

• Usage — pages viewed, features used, session length
• Device — browser, OS, IP address (used to detect fraud and region)
• Performance — error logs, page-load timings

From third parties

• Public professional data — when you ask us to find contacts, we query publicly-available business databases (alumni directories, professional listings, public LinkedIn-style data)
• Auth providers — if you sign in with Google, we receive your name, email, and profile picture only

How we use it

We use your information to operate, improve, and communicate about the Nodalli service. Specifically:

• Run the product — generate your Networking Strategy Report, surface verified contacts, draft outreach, track replies
• Personalize — tailor recommendations to your goals and industry
• Communicate — onboarding emails, product updates, service notices, support replies
• Bill you — process payments via Stripe; manage subscriptions and refunds
• Improve — debug issues, measure feature usage, train internal models on aggregated, anonymized patterns (never on the actual content of your private outreach)
• Stay safe — detect abuse, fraud, spam, and security incidents
• Comply with the law — respond to lawful requests when required

Sharing & third parties

We do not sell your personal information. Period.

We share data only with vendors who help us operate the service, under contract:

• Stripe — payments and subscription management
• Supabase / AWS — database hosting and authentication
• Resend / Postmark — transactional email delivery (account, billing, support)
• OpenAI / Anthropic — AI model providers used to draft outreach (zero retention, your prompts are not used to train their models)
• Google Analytics / PostHog — anonymized usage analytics

We also share information when legally required (court order, valid subpoena), or to protect the rights, safety, and property of Nodalli, our users, or the public.

If Nodalli is acquired or merged, your data may transfer as part of that transaction — we'll notify you in advance.

Cookies & analytics

We use a small number of cookies to keep you signed in, remember preferences, and measure how the product is used.

• Essential — session, auth, CSRF protection (cannot be disabled)
• Analytics — anonymized PostHog and Google Analytics events to understand which features matter
• No advertising cookies. We don't run retargeting or third-party ad pixels.

You can disable non-essential cookies in your browser settings. The product will still work; some analytics will be missing on our end.

Your rights (GDPR / CCPA)

Depending on where you live, you have specific rights over your data:

• Access — request a copy of the data we hold about you
• Correct — fix anything that's wrong
• Delete — ask us to erase your account and data ("right to be forgotten")
• Export — receive your data in a portable format
• Object — opt out of specific processing (e.g., analytics)
• Withdraw consent — at any time, where processing is based on consent

To exercise any of these, email info@nodalli.com. We respond within 30 days.

California residents: we do not sell your personal information. You may request disclosure of categories of data collected and request deletion under the CCPA.

Data retention

We keep your data only as long as we need it:

• Active accounts — for the life of your account
• Cancelled accounts — 90 days after cancellation, then permanently deleted (except where law requires us to retain billing records, typically 7 years)
• Outreach drafts & sent emails — kept while your account is active; deleted with your account
• Analytics — anonymized after 26 months

Security

We protect your data with industry-standard practices:

• HTTPS / TLS encryption in transit
• AES-256 encryption at rest
• Hashed passwords (bcrypt)
• Role-based access — only employees who need data to do their job can see it
• Regular security reviews and dependency patching

No system is perfectly secure. If we ever discover a breach affecting your data, we'll notify you within 72 hours of becoming aware.

Children

Nodalli is built for adults navigating their careers. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, please email info@nodalli.com and we'll delete the account.

Changes to this policy

We may update this policy as the product evolves or laws change. When we do, we'll update the "Last updated" date at the top. For material changes, we'll email registered users at least 30 days before the change takes effect.

Contact us

Questions, concerns, or requests? Reach out anytime.

• Email — info@nodalli.com
• Mail — Nodalli, Inc. · Toronto, Ontario, Canada