Privacy Policy

Last updated: May 14, 2026

This Privacy Policy describes how Skin Kins Co. ("Skin Kins," "we," "us," or "our") collects, uses, shares, and safeguards information in connection with the Nodey mobile application (the "App") and the website at getnodey.com and any related services we offer (collectively, the "Service").

This policy is the same Privacy Policy linked from the App Store, Google Play, the App, and getnodey.com. By installing, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy.

If you have questions about this policy or want to exercise any of your privacy rights, contact us at privacy@getnodey.com.

1. Who we are

Skin Kins Co. is a Delaware C-corporation. Our registered office is 1201 Orange Street, Wilmington, DE 19801. Our mailing address is 1521 Alton Road, Miami Beach, FL 33139.

For privacy inquiries, contact privacy@getnodey.com or call (888) 441-3005.

For users in the European Economic Area, the United Kingdom, or Switzerland: Skin Kins Co. is the controller of your personal data within the meaning of the GDPR and the UK GDPR. We have not appointed an EU or UK representative at this time; for any questions, please contact us using the email address above.

2. What Nodey does and what it means for your data

Nodey is a mobile companion app for n8n, the workflow automation platform. The App connects to n8n instances that you control — either self-hosted n8n servers you operate yourself, or n8n.cloud accounts that belong to you — and lets you monitor workflows, view executions, trigger runs, diagnose failures with AI assistance, and back up workflow definitions.

This means three things matter for understanding your data:

Most operational data stays between your device and your n8n instance. When the App fetches your workflows, executions, or logs, that data flows directly from your n8n server to your phone. We do not receive a copy of it.
Some data flows to AI providers when you use AI features. AI features (such as Workflow Explainer, Error Diagnosis, Security Hardening) send the relevant workflow content to an AI model so it can analyse and respond. This is described in detail in Section 5.
Some technical data flows to our infrastructure and to operational vendors. This includes account-level information, subscription state, crash reports, anonymous usage analytics, push notification tokens, and similar operational data. This is described in Section 4.

3. Information we collect

We collect three categories of information.

3.1 Information you provide to us

Category	Examples	Why we have it
Account contact details	Email address (when you contact support, request a refund, or sign up for marketing communications)	To respond to you and provide the Service
Connection configuration	The name you give an n8n instance, its base URL (e.g., `https://n8n.example.com`), and configuration of any triggers (geofence coordinates, NFC tag identifiers, webhook URLs)	To let the App connect to your n8n instance and fire your triggers
Credentials	n8n API keys, AI provider API keys you choose to use ("BYOK" — Bring Your Own Key)	To authenticate against the services you direct the App to call
Subscription information	Your subscription tier, purchase receipts, and product entitlements	To grant you access to paid features
Support communications	Anything you choose to include in an email, support request, or feature request	To assist you

Where credentials and connection configuration are stored. API keys you enter (n8n keys, BYOK keys for Claude/Gemini/Mistral) are stored in the iOS Keychain (or Android Keystore) on your device and are not transmitted to Skin Kins servers. They are transmitted only to the service the key is associated with — your n8n instance, or the AI provider whose key you provided — and only when the App makes a request you initiated.

3.2 Information we collect automatically

Category	What it includes	Source
Device and OS info	Device model, OS version, App version, language, time zone	App telemetry
Approximate location (derived)	Country and region, derived from IP address	Server logs, analytics
Precise location	Used only if you enable location-based triggers ("geofences"). Coordinates are processed on-device and inside your geofence trigger configuration; they are not transmitted to Skin Kins servers as part of routine operation.	iOS / Android location services (with your consent)
Diagnostic data	Crash logs, performance traces, errors, stack traces, exception messages	Firebase Crashlytics
Usage analytics (in-app)	Screens viewed, features used, button taps, session start/end, in-app purchase events. We do not collect the content of your workflows, executions, or AI prompts as analytics events.	Amplitude
Website analytics (getnodey.com)	Pageviews, sessions, referrer, anonymised IP, device and browser type — collected only if you accept the analytics cookie banner on the website. See Section 12 for full details.	Google Analytics 4
Push notification token	An opaque identifier issued by Apple Push Notification Service (APNs) and forwarded to Firebase Cloud Messaging	iOS / Firebase
Subscription telemetry	Anonymous user identifier, subscription status, transaction events, entitlement state	RevenueCat, App Store / Google Play
Remote configuration metadata	Anonymous identifier used by Firebase Remote Config to deliver the correct content variant	Firebase

3.3 Information we receive from third parties

Apple and Google Play: when you make an in-app purchase, we receive a transaction receipt to validate your subscription. We do not receive your full payment card details, only the data Apple or Google passes to developers (transaction ID, product ID, dates, anonymized account identifier).
AI providers (when AI features are used): we receive the AI's response to forward back to you. We do not receive payment or account information from AI providers.

3.4 Information we explicitly do not collect

We do not collect or transmit the contents of your n8n workflows, execution data, credentials stored inside n8n, or notes inside n8n, except (i) to your own n8n instance, or (ii) to an AI provider when you affirmatively use an AI feature, as described in Section 5.
We do not collect your contacts, calendars, photos, or microphone input.
We do not use the IDFA (iOS Advertising Identifier) or Android Advertising ID for advertising purposes. Nodey contains no advertising.
We do not sell your personal information.
We do not share your personal information with data brokers or for cross-context behavioural advertising.

4. How we use information

We use the information we collect for the following purposes, each tied to a lawful basis under GDPR/UK GDPR (where applicable):

Purpose	Examples	Legal basis (GDPR)
Provide the Service	Connect to your n8n instance, fetch workflows, fire triggers, deliver push notifications	Contract (Art. 6(1)(b))
Process subscriptions	Validate purchases, manage entitlements, prevent fraud	Contract (Art. 6(1)(b))
Communicate with you	Respond to support, send service notices (e.g., security advisories)	Contract / legitimate interests (Art. 6(1)(b)/(f))
Improve the Service	Aggregate usage analytics, fix crashes, prioritise features	Legitimate interests (Art. 6(1)(f))
Comply with the law	Tax records, fraud prevention, response to lawful requests	Legal obligation (Art. 6(1)(c))
AI feature delivery	Send the workflow content you select to an AI provider so it can be analysed	Consent (Art. 6(1)(a)) — see Section 5
Security and abuse prevention	Detect unusual activity, rate-limit abuse, protect the Service	Legitimate interests (Art. 6(1)(f))

We do not use your personal information for automated decisions producing legal or similarly significant effects, and we do not profile you for advertising.

5. AI features and what gets sent where

This is the most important section of this Privacy Policy. Read it carefully.

5.1 What an AI feature is

Nodey offers AI-powered analysis features (Workflow Explainer, Error Diagnosis, Security Hardening, Code Optimizer, Workflow Cleanup, Error Pattern Analysis, Performance Profiler, Workflow Builder, Deep Dive, and Debug Companion). When you tap one of these features, the App sends the relevant workflow content to an AI service so the model can analyse it and return a response.

5.2 What gets sent to the AI

When you invoke an AI feature, the App may send the following to the AI provider you have chosen (or the default, Nodey AI):

The workflow definition (nodes, connections, parameters, and any code inside Code nodes you wrote)
The names and metadata of the workflow
Execution data relevant to the request (for example, error messages, run timing, the failing node's input/output) — truncated to a model-appropriate length
Your follow-up prompt or question, if any (e.g., for Deep Dive or Debug Companion)
The user-controlled portions of any data inside your n8n workflow that the AI is asked to analyse — for example, if you ask the AI to diagnose an error in a node that processed customer data, the AI request will include that data

5.3 Who the AI provider is

You can choose between two modes:

(a) Nodey AI (default). When you use Nodey AI, the request is processed by Mistral AI (Mistral Large) for standard tasks and Anthropic (Claude) for premium/Pro-tier tasks. Skin Kins routes the request through our infrastructure (described in Section 7), but the actual model inference is performed by Mistral or Anthropic. We do not retain prompt content or AI responses on Skin Kins infrastructure beyond what is necessary to deliver the response to your device.

(b) Bring Your Own Key (BYOK). If you supply your own API key for Anthropic (Claude), Google (Gemini), or Mistral, the request is sent directly from your device to that provider using your key. Skin Kins does not see, log, or proxy the prompt or the response. The AI provider's privacy policy and terms govern that interaction.

5.4 What the AI provider does with the data

We send only the minimum data necessary for the model to do the task, but you should understand the AI providers' practices:

Mistral AI — see https://mistral.ai/terms#privacy-policy. For our Nodey AI service Skin Kins uses Mistral's API in a configuration where prompts and outputs are not used to train Mistral's models.
Anthropic (Claude) — see https://www.anthropic.com/legal/privacy. Anthropic's API does not use API customer data to train models by default.
Google (Gemini) — see https://ai.google.dev/gemini-api/terms. Behaviour depends on the API tier and the user's API key configuration.

In compliance with App Store Review Guideline 5.1.2(i) (third-party AI disclosure), we will obtain your explicit consent the first time you use any AI feature, with a disclosure that names the AI provider for that feature and explains what data will be sent. You may revoke this consent at any time in Settings → AI Settings, after which AI features will no longer send your data anywhere. You can also delete your stored BYOK keys at any time from the same screen.

You can use Nodey without ever using an AI feature. The non-AI features of the App (monitoring, executions, triggers, backup) do not send data to any AI provider.

5.6 Sensitive data inside your workflows

If your n8n workflows process sensitive data (health records, biometric data, government identifiers, payment card data, or similar), be aware that invoking an AI feature on those workflows will transmit that data to the AI provider. You are responsible for ensuring that doing so is lawful in your jurisdiction and consistent with your obligations to your own users. Skin Kins offers a configuration option to redact node output before sending to AI; we recommend enabling it for any workflow that handles sensitive data.

We share personal information in the following circumstances:

6.1 Sub-processors and service providers

We use the following third parties to operate the Service. Each acts as a "processor" under GDPR, processing data only on our instructions.

Vendor	Role	Data shared	Location
Apple (Apple Inc.)	App distribution, in-app purchases, push notifications (APNs)	Subscription transactions, push tokens, App Store account events	United States
Google LLC (Google Play, Firebase)	Android app distribution, in-app purchases, Firebase Cloud Messaging, Firebase Remote Config	Subscription transactions, push tokens, Remote Config metadata	United States, Multi-region
Mistral AI	AI model inference for Nodey AI standard tier	AI prompt content (workflow data you submit)	European Union (France)
Anthropic (Anthropic, PBC)	AI model inference for Nodey AI premium tier	AI prompt content (workflow data you submit)	United States
Hostinger International, Ltd.	Cloud hosting (web infrastructure)	Server logs, request metadata	Lithuania (EU)
Skin Kins-operated server	AI request routing, backend services	AI prompt content (in transit), request metadata	Netherlands (EU)
Cloudflare, Inc.	DNS, CDN, edge compute (Cloudflare Workers for the registration form and other site infrastructure)	IP addresses, request headers, form submission data in transit	United States, Global edge network
Website Speedy	Performance-optimisation scripts loaded on getnodey.com	IP address, browser metadata (incidental, via CDN script delivery)	Multi-region CDN
Firebase Crashlytics (Google)	Crash reporting and diagnostics	Crash logs, device info, Firebase Installation ID	United States, Multi-region
Google Analytics 4 (Google)	Website analytics on getnodey.com	Pageviews, anonymised IP, device and browser metadata, referrer, session events	United States, Multi-region
Amplitude, Inc.	Product analytics (in-app)	Anonymous usage events, device characteristics, derived geo	United States
RevenueCat, Inc.	Subscription management	Anonymous app user ID, transaction events, entitlement state	United States

We use Phoenix, Arizona and the Netherlands as our primary data storage regions. Some vendors above route through additional sub-regions; refer to each vendor's privacy documentation for full detail.

We require each sub-processor to maintain appropriate technical and organisational measures consistent with this Privacy Policy and with applicable law.

6.2 Legal and safety disclosures

We may disclose personal information if we believe in good faith that disclosure is necessary to (a) comply with a subpoena, court order, or other lawful request from a competent authority; (b) protect the rights, property, or safety of Skin Kins, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service. Where lawfully able to do so, we will notify the affected user before disclosure.

6.3 Business transfers

If Skin Kins is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email or in-app notice) of any such change and any choices you may have.

For any other purpose, we will share information only with your consent.

We do not "sell" personal information, and we do not "share" personal information for cross-context behavioural advertising, as those terms are defined under California's CCPA/CPRA, Colorado's CPA, Connecticut's CTDPA, Virginia's VCDPA, or similar laws.

7. International data transfers

Skin Kins is based in the United States. Your data may be transferred to, processed in, and stored in the United States and other countries listed in Section 6.1. These countries may have data-protection laws that differ from those in your country.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an EU adequacy decision (such as the United States), we rely on:

The EU-US Data Privacy Framework and the UK Extension to that Framework, where the receiving entity is certified; and/or
Standard Contractual Clauses issued by the European Commission, supplemented where appropriate by additional safeguards.

You may request a copy of the safeguards applicable to a specific transfer by emailing privacy@getnodey.com.

8. Data retention

We retain personal information only as long as necessary for the purposes for which we collected it.

Data	Retention
Connection configuration and credentials (on-device)	Until you delete them or uninstall the App
Subscription records	For the longer of (a) the duration of your subscription plus 7 years (US tax record-keeping) or (b) any longer period required by law
Crash logs (Crashlytics)	90 days, then aggregated
Usage analytics (Amplitude)	24 months, after which anonymised
AI prompt content (in transit through Skin Kins infrastructure)	Not persisted beyond the duration of the request, except short-term (≤ 24 hours) for abuse prevention and rate limiting
Support communications	3 years from last interaction
Marketing email lists	Until you unsubscribe
Server logs	30 days

Push notification tokens are rotated and automatically expire when invalid.

9. Your privacy rights

9.1 Universal rights

Regardless of where you live, you can:

Access the personal information we hold about you.
Correct information that is inaccurate.
Delete your personal information (see also Section 9.5 below).
Export your information in a portable format.
Withdraw consent for any processing based on consent (including AI features).
Opt out of marketing emails by clicking "unsubscribe" in any marketing email or contacting us.

To exercise any right, email privacy@getnodey.com. We will respond within 30 days (or as required by your local law).

9.2 European Economic Area, United Kingdom, Switzerland

Under the GDPR and UK GDPR, you also have the right to:

Object to processing based on legitimate interests.
Restrict processing in certain circumstances.
Lodge a complaint with your local data protection authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The UK authority is the ICO at ico.org.uk.

9.3 California (CCPA/CPRA)

In addition to the universal rights above, California residents have the right to:

Know the categories and specific pieces of personal information we have collected about them.
Know the categories of sources from which the information is collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties with whom we share it.
Opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information, but you may submit such a request anyway and we will confirm.
Limit the use of sensitive personal information. We do not use sensitive personal information for any purpose other than providing the Service.
Non-discrimination for exercising any of these rights.

To exercise these rights, email privacy@getnodey.com. You may use an authorised agent; we will require reasonable proof of authorisation.

9.4 Other US states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws have rights similar to those above. The same email address handles all such requests.

9.5 Account / data deletion

To request deletion of your data:

In-app: Settings → Account → Delete My Data
Email: privacy@getnodey.com with subject line "Delete My Data"
Web: contact us via getnodey.com/contact-us with subject line "Delete My Data"

Deletion will remove your subscription record (subject to legal retention obligations described in Section 8), analytics records, support history, and any data in our infrastructure. On-device data (your n8n configurations, API keys, trigger settings) is deleted by uninstalling the App, which we cannot do for you.

We will confirm deletion within 30 days.

10. Security

We use technical and organisational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

Encryption in transit: TLS 1.2+ for all network connections from the App to our infrastructure and to AI providers.
Encryption at rest: API keys are stored in the iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) or Android Keystore.
Access controls: Skin Kins personnel access to user data is limited to those with a business need.
Logging and monitoring: anomalous access patterns are monitored.
Vendor diligence: each sub-processor in Section 6.1 is contracted on terms that require equivalent or stronger protections.

No security control is perfect. If we discover a security incident affecting your personal information, we will notify you and any required regulator without undue delay and as required by applicable law.

11. Children

The App is not directed to children under 13 (or the equivalent minimum age in your jurisdiction; 16 in some EU member states). The App's age rating on the App Store is 4+ because it contains no objectionable content; this rating does not imply that the App is designed for children. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and you believe your child has provided us with personal information, contact us at privacy@getnodey.com and we will delete it.

12. Cookies and similar technologies on getnodey.com

The website uses the following categories of cookies and similar technologies:

Strictly necessary: cookies that are essential for the site to function (e.g., to load CSS and JavaScript correctly, to maintain a session if you use the registration form). These do not require consent under the EU ePrivacy Directive or the UK PECR.
Analytics (Google Analytics 4): we use Google Analytics 4 to count visits, understand which content is read, and measure how visitors arrive at the site. GA4 sets cookies in your browser, collects anonymised IP addresses, and aggregates pageviews, sessions, device type, and referrer information. We do not use Google Analytics' advertising features, do not enable Google Signals, and do not share GA data with advertising platforms.
Performance: a small number of cookies and local-storage items are set by our performance-optimisation provider (Website Speedy) to remember whether assets have been preloaded.

A cookie banner on first visit lets you accept or reject non-essential cookies (Analytics, Performance) before they are set. If you reject, only strictly-necessary cookies are loaded and Google Analytics will not be initialised. Your choice is remembered for 12 months; you can change it at any time via the "Cookie preferences" link in the site footer.

To opt out of Google Analytics specifically, in addition to the cookie banner you can also install the Google Analytics Opt-out Browser Add-on, which blocks GA tracking on every site you visit.

The App itself does not use web cookies. App-level analytics are handled separately via the SDKs listed in Section 6.1.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will:

Update the "Last updated" date at the top of this document.
Post the revised policy at getnodey.com/privacy-policy.
For material changes, notify you via in-app notice and/or email at least 30 days before the change takes effect.

If you do not agree to a revised policy, you may stop using the Service. Continued use after the effective date of a revised policy constitutes acceptance of the revised policy.

14. Contact us

Privacy team	privacy@getnodey.com
Phone	(888) 441-3005
Mailing address	Skin Kins Co., 1521 Alton Road, Miami Beach, FL 33139, USA
Registered office	1201 Orange Street, Wilmington, DE 19801, USA

For data subject requests, please use the email address above with the subject line [Privacy Request] so we can route it to the appropriate team within our response timelines.