Legal
Privacy Policy
This Privacy Policy explains how [LEGAL ENTITY NAME] (“Nodal”, “we”, “us”) collects, uses, shares, and protects personal data. Nodal operates a B2B platform that lets e-commerce brands embed a first-person, walkable 3D virtual store on their website. We play two different roles depending on whose data is involved — and your rights depend on that role (see Section 2).
1.Who this policy covers
This policy applies to:
- Brands / merchants who create an account and use the Nodal platform (our direct customers, the “Client”);
- Shoppers / visitors who interact with a 3D virtual store that a brand has embedded on the brand’s website; and
- Visitors to our own websites at nodal.co.in and related domains.
It does not govern how a brand itself handles the personal data of its own customers outside the Nodal experience — that is governed by the brand’s own privacy policy.
2.Our two roles: controller vs. processor
Under data-protection laws such as the EU/UK GDPR and India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), responsibility depends on who decides the purpose of processing:
- Nodal is the “controller” (a “Data Fiduciary” under the DPDP Act) of the personal data of our Clients and of visitors to our own marketing site — for example account, billing, and support data. This Privacy Policy is our controller notice for that data.
- Nodal is a “processor” (a “Data Processor” under the DPDP Act, and a “Service Provider” under the CCPA) when we handle data about a brand’s shoppers on that brand’s behalf. For that data the brand is the controller, the brand’s privacy policy governs, and our handling is set out in our Data Processing Agreement.
3.What data we collect
3.1 Account & profile data (Clients)
When you register or use a Nodal account, we collect: full name, company/brand name, work email address, your brand’s website domain, and a password (stored only as a salted cryptographic hash — we never store it in readable form). If you sign in with Google, we receive a Google account identifier and basic profile/email from Google’s OIDC flow.
3.2 Verification & security data
One-time email verification codes (stored only as a hash, short-lived), and limited security signals used for rate-limiting and bot protection (via Cloudflare Turnstile).
3.3 Billing data
Subscription and payment processing is handled by our payment processor, Razorpay. We store billing identifiers and plan/status, but we do not store full card numbers — card data is handled directly by the payment processor under its own security standards.
3.4 Integration credentials
If you connect a commerce platform (Shopify, WooCommerce, or BigCommerce), we store the access tokens/credentials needed to sync your catalog. These are encrypted at rest. We use them only to import product data and to fetch live stock and price when a shopper opens a product.
3.5 Content you provide
Product information, images, 3D models, text prompts and reference images you upload to generate worlds, and store configuration. Worlds and 3D assets are generated using third-party AI providers (see Section 7).
3.6 Technical & usage data
Standard server logs (e.g. request metadata and approximate timing) needed to operate, secure, and debug the service. We log pipeline/operational events for reliability; these are not used to profile individuals.
4.Shopper analytics & the embedded store
When a shopper walks a brand’s 3D store, Nodal records spatial behaviour analytics on the brand’s behalf so the brand can understand how its store is used (e.g. a movement heatmap, how often a product was viewed or inspected, and add-to-cart intent). By design this is privacy-minimising:
- No names, accounts, or IP addresses are stored by the analytics. We may record a coarse, country-level location (derived at our edge network from the connection — the IP address itself is not retained) and basic device-type / technical signals.
- A shopper is tracked only with an anonymous, in-memory, per-page-load identifier that is not stored on the device and is discarded when the page is closed.
- We record how shoppers move and where they look (camera orientation), which products come into view, and movement “snags”. Alongside aggregated counts and grid “heat” cells, we retain a raw, anonymised event record of these interactions — tied only to the per-page-load identifier above, with no names, accounts, or IP addresses — to power analytics and to develop and improve placement and behavioural models.
- We respect the browser “Do Not Track” signal — analytics is disabled when it is set.
- The analytics does not set advertising cookies and is never used to track shoppers across other websites.
Because this data is designed not to identify any individual, it generally falls outside “personal data” under most privacy laws. Where it is treated as personal data, the brand is the controller and our DPA applies.
5.How we use data
- To provide, operate, secure, and improve the platform and the embedded store;
- To produce spatial analytics for merchants and to develop and improve our placement and behavioural models, using anonymised and aggregated shopper data;
- To create accounts, authenticate logins, and verify email addresses;
- To generate 3D worlds and product models from the inputs you provide;
- To sync catalogs and show live stock/price in the shopper experience;
- To process subscriptions and payments;
- To provide customer support and respond to your requests;
- To detect, prevent, and investigate fraud, abuse, and security incidents;
- To comply with legal obligations and enforce our Terms of Service.
We do not sell personal data, and we do not use it for cross-context behavioural advertising.
6.Legal bases (EU/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on:
- Performance of a contract — to provide the service you signed up for;
- Legitimate interests — to secure, debug, and improve the platform and prevent abuse (balanced against your rights);
- Legal obligation — to meet tax, accounting, and other legal duties;
- Consent — where we ask for it (e.g. certain communications); you may withdraw it at any time.
7.Sharing & sub-processors
We do not sell data. We share data only with service providers that help us run the platform, under contracts that require them to protect it and use it only on our instructions. Our key sub-processors are:
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting, edge network, database (D1), object storage (R2), bot protection (Turnstile), email routing |
| World Labs | AI generation of 3D world environments from prompts/images |
| Tripo AI | AI generation of 3D product models |
| Razorpay | Subscription billing and payment processing |
| Resend | Transactional email (verification codes, notifications) |
| “Sign in with Google” authentication (OIDC) | |
| Shopify / WooCommerce / BigCommerce | Catalog import and live inventory/price, where you connect a store |
We may also disclose data if required by law, to enforce our terms, or in connection with a merger, acquisition, or sale of assets (with notice where required).
8.International data transfers
We and our sub-processors may process data in countries other than your own. Where we transfer personal data out of the EEA, the UK, or India, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), and the transfer mechanisms permitted under the DPDP Act — or another lawful basis for the transfer.
9.Retention
We keep personal data only as long as needed for the purposes above, then delete or anonymise it. In general: account data is kept for the life of the account and a reasonable period after closure; verification codes expire within minutes; the raw shopper-event records are anonymised (no names, accounts, or IP addresses — only a throwaway per-visit identifier plus coarse signals) and, in that anonymised form, are retained indefinitely to support long-term analytics and model development, as are aggregate metrics. We may keep limited data longer where required by law (e.g. tax records).
10.Security
We use technical and organisational measures appropriate to the risk, including: encryption in transit (HTTPS), encryption at rest for sensitive credentials, hashed passwords and verification codes, access controls, domain-locking of the embed, rate-limiting, and signed short-lived tokens for protected assets. No system is perfectly secure, but we work to protect your data and to notify affected parties of breaches as the law requires.
11.Cookies & local storage
Nodal keeps cookie use to a minimum:
- Logged-in dashboard — we store a session token in your browser’s local storage to keep you signed in. This is strictly necessary for the service.
- Bot protection — Cloudflare Turnstile may set a token to tell humans from bots on sign-up/login.
- Embedded shopper store — the analytics described in Section 4 does not set advertising or cross-site tracking cookies; it uses a non-persistent in-memory identifier only.
We do not use third-party advertising or cross-site tracking cookies. Because we do not deploy non-essential tracking, there is no “sale” of data through cookies.
12.Your privacy rights
Subject to your local law, you may have the right to: access the personal data we hold about you; correct it; delete it; restrict or object to certain processing; receive a portable copy; and withdraw consent. To exercise any right, contact us using Section 17. We will respond within the timeframe the law requires and will not discriminate against you for exercising a right.
If our processing concerns shopper data where a brand is the controller, we will refer your request to that brand, or assist them in handling it.
EEA/UK residents may also lodge a complaint with their local data-protection authority.
13.India (DPDP Act) notice
If you are in India, you are a “Data Principal” and Nodal acts as a “Data Fiduciary” for the data described in Section 2. You have the right to access and correct your data, to erasure, to grievance redressal, and to nominate another person to exercise your rights in the event of death or incapacity. To raise a grievance, contact our Grievance Officer:
Grievance Officer: [GRIEVANCE OFFICER NAME] · [[email protected]] · [LEGAL ENTITY NAME], [REGISTERED ADDRESS].
If your grievance is not resolved, you may approach the Data Protection Board of India.
14.California (CCPA/CPRA) notice
If you are a California resident, you have the right to know what personal information we collect and how we use it, to delete it, to correct it, and to opt out of any “sale” or “sharing” of it. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes requiring a right to limit. We do not discriminate against you for exercising your rights. To make a request, use the contact details in Section 17; an authorised agent may submit a request on your behalf with proof of authorisation.
Our spatial-analytics data is maintained in deidentified and/or aggregate form and is therefore not “personal information” under the CCPA/CPRA. We commit not to attempt to reidentify it (except as reasonably necessary to test that the deidentification holds), we maintain and use it only in deidentified form, and we contractually require recipients not to reidentify it — and so we may retain it indefinitely. The same exclusion for deidentified/aggregate data applies under other US state privacy laws (e.g. Virginia, Colorado, Connecticut, Texas, Utah), and this notice and commitment extend to residents of those states. We do not collect biometric identifiers — “gaze” here means the in-world camera’s orientation, not eye- or face-tracking of you.
15.Children
The platform is intended for businesses and is not directed to children. We do not knowingly collect personal data from children. Embedded stores may be visited by the general public; the analytics is anonymous by design. Brands are responsible for any age-related restrictions applicable to their own audience. If you believe a child has provided us personal data, contact us and we will delete it.
16.Changes to this policy
We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, take additional steps to notify you where required. Your continued use after an update means you accept the revised policy.
17.How to contact us
For any privacy question or to exercise a right:
[LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
Privacy: [[email protected]]
Grievance Officer (India): [GRIEVANCE OFFICER NAME], [[email protected]]
Data Protection Officer (if appointed): [DPO NAME & EMAIL]
EU representative (Art. 27): [EU REPRESENTATIVE] · UK representative: [UK REPRESENTATIVE]