Privacy Policy
Last updated: 1 January 2025 · Effective: 1 January 2025
1. Overview
NodeMesh ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it. It applies to all users of the NodeMesh platform at nodemesh.app.
We process personal data in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
2. Data Controller
The data controller for the NodeMesh platform is NodeMesh. For privacy-related enquiries: privacy@nodemesh.app.
3. Data We Collect
The table below describes the categories of personal data we collect, the source, the legal basis, and how long we keep it.
| Category | Data | Basis | Retention |
|---|---|---|---|
| Account | Discord user ID, username, avatar URL | Contract | Until account deletion + 30 days |
| Session | Encrypted session cookie, IP address at login | Contract | Session duration (max 30 days) |
| Billing | Subscription tier, payment method last 4 digits (via Stripe) | Contract | 7 years (tax law) |
| Node & Instance | Node name, instance names, game configs | Contract | Until deletion + 30 days |
| Performance | CPU/RAM metrics, uptime stats (aggregated) | Legitimate interest | 30 days rolling |
| Support | Emails, Discord messages, crash reports | Legitimate interest | 2 years |
| Analytics | Page views, feature usage (anonymised, self-hosted) | Legitimate interest | 12 months |
4. Agent and Node Data
The NodeMesh agent installed on your hardware transmits the following data to our servers:
- Heartbeat telemetry: CPU utilisation, RAM utilisation, agent version
- Instance stdout/stderr logs (streamed to the web console, not permanently stored)
- Agent status events (online, offline, error)
The agent does not access any files outside the NodeMesh data directory (/opt/nodemesh/ on Linux). It does not collect system-wide process lists, personal files, network traffic of other applications, or environment variables outside its own process.
5. How We Use Your Data
- Provide, maintain, and improve the Service
- Authenticate you via Discord OAuth2
- Process subscription billing via Stripe
- Send service notifications (outages, billing, security alerts) via email or Discord DM
- Detect and prevent abuse or security incidents
- Produce aggregated, anonymised usage analytics to guide product development
We do not sell your personal data. We do not use your data for advertising profiling.
6. Data Sharing
We share personal data only with the following sub-processors, strictly as necessary to deliver the Service:
- Stripe — payment processing (privacy policy)
- Discord — OAuth2 authentication (privacy policy)
- Cloud infrastructure provider — server infrastructure (EU data centres)
We may disclose data to law enforcement when legally required to do so.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described above. When you delete your account, personal data is erased within 30 days except where retention is required by law (e.g., billing records for 7 years under tax regulations).
8. Security
We protect your data using industry-standard measures: TLS 1.3 in transit, AES-256 encryption at rest for sensitive fields, bcrypt for session secrets, and strict access controls. Agent–server communication uses mutual TLS over gRPC.
Despite these measures, no system is completely secure. Please report security vulnerabilities to security@nodemesh.app.
9. Cookies
We use a single first-party session cookie (nodemesh_session) to maintain your login state. This cookie is HttpOnly, Secure, and SameSite=Lax. We do not use third-party tracking cookies or advertising cookies.
10. Your Rights
Under GDPR you have the right to access, rectify, and erase your personal data, to restrict or object to its processing, and to data portability. To exercise these rights, email privacy@nodemesh.app. We respond within 30 days. You may also lodge a complaint with your national data protection authority.
11. International Transfers
Your data is stored in EU data centres. Any transfers outside the EEA are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
12. Children
NodeMesh is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact privacy@nodemesh.app and we will delete it.
13. Changes to this Policy
We may update this Privacy Policy. When we do, we'll revise the "Last updated" date and, for material changes, notify you via email or in-app notification. Continued use of the Service after changes take effect constitutes acceptance.
14. Contact
Privacy questions: privacy@nodemesh.app
Security reports: security@nodemesh.app
General: hello@nodemesh.app