Privacy Policy
This Privacy Policy explains how Blue Nodes Ltd processes personal data when you use our service at app.bluenodes.io (“the Service”). It is written to satisfy the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller
The data controller is Blue Nodes Ltd, a company registered in England and Wales under company number 16861915, with its registered office at 86–90 Paul Street, 3rd Floor, London, England, EC2A 4NE (“Blue Nodes”, “we”, “us”).
You can contact us at contact@bluenodes.io for any question about this policy or your personal data.
The minimum needed to provide and secure the Service.
Account data
When an account is created for you:
- Your email address
- A password, stored only as a salted bcrypt hash (we never see or store your password in clear text)
- Your assigned role (Admin, Client, Viewer) and the client organisation (“Group”) your account belongs to
Usage data
Generated automatically as you use the Service:
- IP address of incoming requests
- Authentication events (sign-in, sign-out, token refresh, failed login attempts) stored in an append-only audit log
- A short-lived session token (in your browser memory) and a refresh token (in a secure, HTTP-only cookie)
- Standard web-server access logs (request path, status code, timestamp)
Customer data
For paying customers only, the Service stores trading-portfolio data (such as positions, instruments and market parameters) that the customer uploads or that is provided through integrated data feeds. This data describes the customer’s business and does not generally constitute personal data about identifiable individuals.
Special categories
We do not collect any “special categories” of personal data as defined by UK GDPR Art. 9, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning sexual orientation. Our Service does not require or process this category of data.
We do not use cookies for analytics, advertising, or tracking. We do not embed third-party scripts (no Google Analytics, no advertising pixels, no social-media widgets).
Purposes and legal bases.
| Purpose | Data used | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Provide the Service to you | Account data, customer data | Performance of a contract — Art. 6(1)(b) |
| Authenticate sessions | Session and refresh tokens | Performance of a contract — Art. 6(1)(b) |
| Detect and prevent abuse | IP address, audit logs | Legitimate interest — Art. 6(1)(f) |
| Meet legal and accounting obligations | Limited account data | Legal obligation — Art. 6(1)(c) |
EU-only data residency.
All data is stored on infrastructure located in the European Union, specifically in OVH’s Gravelines (GRA) datacentre in France. Personal data is therefore transferred from the United Kingdom to the European Economic Area (EEA). These transfers are permitted under the UK GDPR because the European Union benefits from adequacy regulations made by the UK Secretary of State (the “UK Adequacy Regulations”), which recognise the EEA as providing an adequate level of data protection.
Sub-processors.
We share data only with the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| OVH Cloud (OVH SAS, France) | Server hosting, managed PostgreSQL database, object storage | Gravelines, France (EEA) |
| Google Ireland Ltd (Google Workspace) | Business email infrastructure for @bluenodes.io mailboxes (inbound and outbound mail for contact@bluenodes.io) | Ireland (EEA) |
We do not sell personal data. We do not share personal data with advertisers or data brokers. We may disclose data when required by law (e.g. a valid court order or request from a competent authority), in which case we will inform you unless the law forbids it.
Retention periods.
| Data | Retention |
|---|---|
| Account data | While the account is active, then deleted within 30 days of account closure |
| Audit logs (auth events) | 12 months |
| Web-server access logs | 30 days |
| Refresh tokens | Up to 24 hours, or until rotated / revoked |
| Backups | 30 days, with point-in-time recovery (OVH-managed PostgreSQL) |
| Customer data (paying customers) | While the customer contract is active, then deleted within 30 days of contract termination unless retention is required by law |
How we protect data.
We protect data in transit with TLS, encrypt the underlying database at rest, store passwords only as bcrypt hashes, enforce rate-limiting and account lockout against brute-force attempts, and maintain an audit log of authentication events. Our full security posture is updated as part of our ongoing development; if you are evaluating Blue Nodes for enterprise use, contact us for a current security overview.
Under the UK GDPR and DPA 2018.
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict or object to processing
- Receive a copy of your data in a portable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, email contact@bluenodes.io. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection: ico.org.uk.
If you are an EU resident, you may also have equivalent rights under the EU GDPR and may lodge a complaint with your local EU supervisory authority.
We will not discriminate against you or degrade your access to the Service for exercising any of these rights.
One strictly necessary cookie.
| Name | Purpose | Lifetime |
|---|---|---|
| refresh_token | Authenticates your browser session so you don’t have to sign in repeatedly. HTTP-only, Secure, SameSite=Lax. | Up to 24 hours |
We do not use any analytics, advertising, or tracking cookies. No consent banner is required because no non-essential cookies are set.
Updates and notifications.
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes we will notify account holders by email at least 14 days in advance.
Not for children.
Blue Nodes is a business-to-business service intended for use by professional users in commercial organisations. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us at contact@bluenodes.io and we will take reasonable steps to delete it.
Get in touch.
For any question about this policy or your personal data:
Email: contact@bluenodes.io
Postal: Blue Nodes Ltd, 86–90 Paul Street, 3rd Floor, London, England, EC2A 4NE