Privacy

1. Who we are

Controller: Ignacio Correia Unipessoal Lda ("Withnodes", "we", "us", "our")
Address: Rua Quirino Mealha N10 RC D, 8100-231 Loule, Portugal
NIF/VAT: 517951924
Email: support@withnodes.com
EU Supervisory Authority: Comissão Nacional de Proteção de Dados (CNPD) – Portugal
Data Protection Officer (DPO): [If appointed, insert contact. Otherwise: No DPO appointed].

We operate the Withnodes platform that allows Creators to build and monetize chatbots. Unless otherwise stated, we act as Controller for Personal Data we collect about Users (e.g., account, billing, risk, logs) and website visitors. For End User data processed by a Creator’s chatbot, the Creator acts as Controller and Withnodes acts as Processor (see Section 7 and Annex A (DPA) of our Terms of Service).

2. Personal Data we collect

We collect the following categories of Personal Data, depending on your relationship with us:

A. Account & business information (Users/Creators): name, email, password (hashed), company name, role, address, tax IDs, preferred language, support communications.

B. Billing & payments (Users/Creators/End Users): payer name, billing address, partial payment instrument data, transaction IDs, payout IBAN, invoices, VAT numbers, refunds/chargebacks, anti‑fraud risk signals. Note: we may use third‑party payment service providers; full card data is not stored by us.

C. Platform usage & telemetry: IP address, device/user agent, identifiers, session data, login timestamps, security events, API usage, rate‑limit counters, logs, crash reports.

D. Chatbot content & interactions: prompts, messages, uploaded knowledge base, files, context, outputs, metadata, and configuration (may contain Personal Data if provided by Users/End Users).

E. Marketing & communications: newsletter opt‑ins, campaign attribution, referral codes, in‑product messages, feedback, surveys.

F. Cookies & similar technologies: cookies, pixels, SDK events for authentication, preferences, analytics, and fraud prevention (see Section 11).

G. Creator‑selected providers data routing: if a Creator connects third‑party services (e.g., LLM APIs, vector DBs, analytics, messaging/CRM, helpdesk, webhooks), we route Content and metadata to those destinations under the Creator’s instructions (see Section 7.3).

3. Sources of data

  • Directly from you when you create an account, configure chatbots, or contact support.
  • Automatically through cookies, SDKs, and logs when you use the Platform.
  • From payment and anti‑fraud providers, KYC vendors, and identity verification tools.
  • From Creator‑selected providers when necessary to deliver the integration you requested.

4. Purposes and legal bases (GDPR Art. 6)

We process Personal Data for the purposes and legal bases below:

  1. Provide and secure the Platform (account creation, authentication, hosting, availability, security, incident response, support). Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) for security and service integrity.
  2. Payments, billing, and payouts (merchant of record operations, invoices, refunds, chargebacks, anti‑fraud, KYC/AML). Legal basis: Contract performance; Compliance with legal obligations (Art. 6(1)(c)); Legitimate interests (risk management).
  3. Operate Creator‑selected integrations and routing (send/receive data to third‑party providers you connect). Legal basis: Contract performance; Legitimate interests in providing requested features; for End User data where Creator is Controller, processing under documented instructions (Art. 28).
  4. Analytics, product improvement, and AI/ML training (aggregated/anonymous statistics, quality metrics, safety systems, model evaluation; generation of embeddings/synthetic data). Legal basis: Legitimate interests in improving and safeguarding the Platform; where required, consent (e.g., non‑essential cookies). We use data without directly identifying natural persons unless we have a proper basis.
  5. Communications and marketing (service notices, transactional emails, optional newsletters). Legal basis: Contract performance for operational notices; Consent for newsletters where required; Legitimate interests for B2B direct marketing with opt‑out.
  6. Compliance and enforcement (detect, prevent, or act against fraud, abuse, policy breaches; exercise/defend legal claims). Legal basis: Legitimate interests; Legal obligations.

5. Who we share data with

We share Personal Data with:

  • Service providers/Subprocessors (hosting, storage, security, analytics, email, KYC, payments, customer support). We ensure contractual safeguards and confidentiality.
  • Payment service providers and financial institutions (merchant of record activities, payouts, anti‑fraud, chargebacks).
  • Creator‑selected providers (LLM/model APIs, vector DBs, analytics, messaging/CRM, helpdesk, webhooks) as instructed by the Creator; these are not our Subprocessors unless we expressly list them; they are under the Creator’s contracts. See Section 7.3.
  • Corporate transactions (merger, acquisition, financing, asset sale); data may be transferred to a successor entity.
  • Authorities (law enforcement, regulators, tax authorities) where legally required or to protect rights, users, and the public.

We do not sell Personal Data in the sense of exchanging it for money. We may commercialize aggregated/anonymous insights and platform‑generated data (which do not directly identify individuals).

6. International data transfers

We may transfer Personal Data outside the EEA. Where we do so, we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs), and additional measures when necessary. Copies of relevant transfer mechanisms are available on request, subject to confidentiality.

7. Roles and responsibilities (Users, Creators, Withnodes)

7.1 Withnodes as Controller. We act as Controller for account/billing data, risk/fraud logs, Platform analytics, and website data.

7.2 Withnodes as Processor. For End User Personal Data processed by a Creator’s chatbot, we act as Processor/Sub‑processor under the DPA (Annex A of the Terms). We process such data only on documented instructions from the Creator (Controller), apply security measures, assist with data subject requests, and support compliance.

7.3 Creator‑selected providers. If a Creator connects third‑party providers, the Creator instructs us to route data to those providers. Those providers are not controlled by us and are generally the Creator’s processors/sub‑processors under separate contracts. The Creator must ensure (a) a lawful basis and transparency for End Users; (b) appropriate DPAs with such providers; (c) valid international transfer mechanisms where applicable; and (d) required consents for special categories or high‑risk uses. Withnodes is not responsible or liable for those providers’ processing, security, or compliance.

7.4 Joint controllership. If a specific integration results in joint decisions about purposes and means of processing with a third party, we will transparently document responsibilities per Art. 26 GDPR.

8. Data retention

We retain Personal Data only as long as necessary for the purposes set out in this Policy, for the duration of your account, and as required to comply with legal, accounting, or reporting obligations, including tax and anti‑fraud. Typical retention examples (subject to legal requirements):

  • Account data: while the account is active and up to 6 years after closure.
  • Billing/transaction data: 10 years (Portuguese tax law).
  • Security logs: 12–24 months, depending on risk.
  • Chatbot content: configurable by the Creator; we may keep backups/archives for operational continuity and dispute resolution.
  • Marketing data: until you unsubscribe or after a period of inactivity, then we delete or anonymize.

When data is no longer needed, we will delete or irreversibly anonymize it.

9. Your rights (GDPR Arts. 15–22)

Depending on your role and circumstances, you may have the right to:

  • Access your Personal Data and obtain a copy;
  • Rectify inaccurate or incomplete data;
  • Erase data (right to be forgotten);
  • Restrict processing;
  • Object to processing based on legitimate interests or to direct marketing;
  • Data portability for data you provided to us under contract/consent;
  • Withdraw consent at any time (where processing is based on consent);
  • Lodge a complaint with the CNPD or your local supervisory authority.

If your data is processed by a Creator’s chatbot, please contact the Creator first (Controller). We will support them in responding to your request as Processor. For data we control, contact us at support@withnodes.com.

10. Security

We apply technical and organisational measures appropriate to the risk, including: access controls, encryption in transit and at rest where appropriate, credential hashing, network segregation, monitoring, backups, vulnerability management, and staff confidentiality. No system is 100% secure; we maintain incident response procedures and notify when required by law.

11. Cookies and similar technologies

We use cookies and similar technologies for authentication, preferences, analytics, and fraud prevention. Where required, we will present a consent banner allowing you to accept or reject non‑essential cookies. You can also manage cookies via browser settings. For more details, see Annex C (Cookie Overview).

12. Children

The Platform is intended for B2B use and not directed to minors. Creators must implement appropriate age‑gating where their chatbots may reach minors. If we learn we have collected Personal Data from a child without appropriate consent, we will take steps to delete it.

13. Automated decision‑making & profiling

We may use automated systems for security/fraud detection, abuse prevention, and rate‑limiting. We also generate analytics and quality scores to improve the Platform. We do not make decisions with legal or similarly significant effects solely by automated means without human involvement. Creators using automated decision‑making for their own purposes are responsible for meeting GDPR Art. 22 requirements.

14. International users

If you access the Platform from outside the EEA, your data may be processed in Portugal and other countries where we or our providers operate. We apply transfer safeguards as described in Section 6.

15. Changes to this Policy

We may update this Policy from time to time. Changes take effect upon posting the updated version with a new Effective date. Material changes will be notified through the Platform or by email where appropriate. Your continued use after the effective date constitutes acceptance.

16. Contact

Controller: Ignacio Correia Unipessoal Lda
Address: Rua Quirino Mealha N10 RC D, 8100-231 Loule, Portugal
Email: support@withnodes.com
Supervisory Authority: CNPD – www.cnpd.pt
Effective date: [1-10-2025]

Annex A — Roles & DPA Summary (non‑exhaustive)

  • Withnodes as Controller: account, billing, risk/fraud, logs, analytics, marketing (subject to consent where required).
  • Withnodes as Processor: End User data processed by Creators’ chatbots under documented instructions in the DPA.
  • Creator‑selected providers: controlled by Creators; not our Subprocessors unless we expressly list them. Creators must ensure DPAs and transfer mechanisms.

For the full DPA terms, see Annex A of the Terms of Service.

Annex B — Data Retention Schedule (illustrative)

  • Account & contract data: life of account + up to 6 years.
  • Invoices & tax records: 10 years (Portugal).
  • Access & security logs: 12–24 months.
  • Support tickets: 3 years after closure.
  • Marketing lists: until opt‑out or 24 months of inactivity.
  • Backups: rolling cycles; securely deleted or overwritten.

Annex C — Cookie Overview

  • Strictly necessary: session cookies, csrf/auth tokens, rate‑limit flags.
  • Functional: preferences, locale.
  • Analytics: page views, feature usage (aggregated).
  • Anti‑fraud/security: device fingerprints, risk scoring.
  • Marketing (optional): only with consent (if used).
  • Controls: consent banner for non‑essential cookies; browser controls; in‑product settings where available.

Annex D — Subprocessors & Transfers (placeholders)

We use reputable providers for hosting, email delivery, analytics, customer support, payments, KYC, and fraud prevention. A current list of Subprocessors, categories of data processed, location, and transfer safeguards will be maintained at /subprocessors and updated from time to time. We will provide notice of material changes as required by the DPA.

Annex E — Law Enforcement & Government Requests

We review all requests to ensure they are valid and proportionate. Where legally permissible, we will notify the affected Customer/Creator before disclosure. We may challenge overbroad or unlawful requests.

Annex F — Security Overview (high‑level)

  • Identity & access management; least privilege.
  • Encryption in transit (TLS) and at rest where appropriate.
  • Network segregation and firewalls.
  • Monitoring, logging, and anomaly detection.
  • Secure development lifecycle and vulnerability management.
  • Business continuity and disaster recovery planning.
  • Employee confidentiality and security awareness.

Annex G — Data Subject Requests (DSR) Process

Requests relating to data we control can be sent to support@withnodes.com. For End User data controlled by Creators, we will forward or instruct requesters to contact the relevant Creator. We maintain processes to authenticate requesters, log requests, respond within statutory timeframes, and document outcomes.

© 2025 WithNodes - All rights reserved.