Privacy Policy

This policy explains how PlugNode ("PlugNode", "we", "our", "us") collects, uses, and shares information when you use plugnode.ai and our related services (the "Service"). By using the Service you agree to this policy.

Information we collect

Account information. When you sign in we receive your name, email, profile image, and authentication identifiers from our OAuth provider.

Workspace content. Flows, flow versions, run history, node execution records, files you upload, and third-party API keys you add. API keys are encrypted at rest with AES-256 and only decrypted at run time.

Usage data. Request logs, IP address, user agent, correlation IDs, and error traces required to operate, debug, and secure the Service.

Cookies and analytics. A session cookie for authentication, a locale preference cookie, and (where enabled) cookies set by Google Tag Manager and Google Analytics to measure aggregate usage. We do not use advertising or cross-site tracking cookies. The full list, including cookie names and retention periods, is on our Cookies page.

How we use information

We use the information to provide the Service, authenticate you, run and log your flows, bill you accurately, respond to support requests, investigate security incidents, measure aggregate product usage, and comply with legal obligations. We do not sell personal information and we do not use your workspace content (flows, inputs, outputs, files) to train models.

Third-party services we use

We rely on the following third-party services to run PlugNode. Each is bound by its own privacy policy; we only share what the service needs to do its job.

Infrastructure and hosting. Managed cloud hosting and a managed cloud database for account and flow data.

File storage. Cloudflare R2 for files you upload and outputs your flows produce. Namespaced to your workspace and private by default.

Accounts, workspaces, subscriptions, and transactional messaging. BuildBase is PlugNode's SaaS-management backend (via the @buildbase/sdk). On our behalf BuildBase processes: sign-in and session data (name, email, profile image, OAuth identifiers); workspace and membership records (roles, permissions, invites); subscription and invoice metadata (plan, interval, currency, Stripe customer and price identifiers — not card details); usage and quota counters; feature-flag state; and transactional emails (sign-in verification, billing events, workspace invites, trial-ending alerts) and browser push notifications we send you. Push subscription tokens, if you opt in, are stored with BuildBase. See the BuildBase Privacy Policy.

Payments. Stripe is PlugNode's payment processor. When you subscribe or update your card, you submit card or bank details directly to Stripe-hosted checkout — they never touch PlugNode or BuildBase servers. Stripe receives your name, email, billing address, the last four digits of your card, IP address, and a device fingerprint for fraud prevention (Stripe Radar) and Strong Customer Authentication (SCA / PSD2). Stripe is certified PCI DSS Level 1. See the Stripe Privacy Policy and Stripe Services Agreement.

Third-party AI providers. Google Gemini, OpenAI, ElevenLabs, and any HTTP endpoint you configure. When a flow calls these, we transmit your inputs and receive their outputs under each provider's own terms. You bring your own API keys; we never share them with other customers.

Error monitoring. Sentry captures application errors. Reports may include the URL you were on and limited request context.

Product analytics. Google Tag Manager and Google Analytics for aggregate usage measurement. Not linked to your account profile.

Search-engine and SEO tooling. Google Search Console, Bing Webmaster Tools, and Ahrefs for site verification and public-page SEO analysis. They do not receive visitor data from us.

We may also disclose information if required by law, to enforce our terms, or in connection with a merger, acquisition, or sale of assets.

Data retention

We keep your account, workflows, run history, files, and encrypted API keys for as long as your account exists, even after long periods of inactivity, so when you come back your work is still here. We do not auto-delete inactive accounts. Operational logs are retained for up to 90 days for security and debugging purposes.

Account deletion

To delete your account and remove your data, email info@plugnode.ai from the address on your account. We will confirm the request and remove your data within a reasonable time. We retain anonymized operational logs for security and billing recordkeeping.

Security

We use industry-standard technical and organizational measures to protect your information, including encrypted transport (HTTPS/TLS), encrypted API-key storage, scoped JWT sessions, rotating webhook secrets, strict security headers, and append-only audit logs. No system is perfectly secure; we disclose incidents affecting customer data promptly when we become aware of them.

Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact info@plugnode.ai and we will delete it.

International users

The Service is operated from the United States. If you use the Service from outside the US, your information will be transferred to, stored, and processed in the US and other countries where our service providers operate.

Your choices

You can update your profile from account settings, disconnect third-party API keys at any time, and request access to or deletion of your data by emailing info@plugnode.ai.

Changes to this policy

We may update this policy as the Service evolves. When we make material changes we will update the "Last updated" date above and, for significant changes, notify you by email or in-product.

Contact

Questions about this policy? Email info@plugnode.ai.