Privacy Policy
This Privacy Policy explains how Cordillera Ventures LLC, a Wyoming limited liability company, operator of the NodalPulse software-as-a-service product (collectively, "NodalPulse," "we," "us," or "our"), collects, uses, shares, and protects information about you when you use the website at nodalpulse.com and app.nodalpulse.com (the "Site") and the NodalPulse subscription service (the "Service"). It is incorporated into our Terms of Service. "NodalPulse" is a product and trade name of Cordillera Ventures LLC; the data controller in all cases is Cordillera Ventures LLC.
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia (or any other U.S. state with a comprehensive privacy law in effect when you read this), additional rights apply. See Section 10.
If you are in the European Economic Area, the United Kingdom, or Switzerland, additional rights apply. See Section 11.
1. Quick summary (non-binding)
This summary is provided for convenience. The detailed sections that follow govern in case of any conflict.
- We collect the account information you give us, the content you submit (market roles, tracked dockets, saved searches, Q&A questions), billing data through Stripe, and technical data (IP address, device, usage).
- We use it to deliver the Service, bill you, support you, improve the Service, send transactional and limited marketing email, and comply with law.
- We share it only with a short list of named service providers (Stripe, Anthropic, Brevo, Cloudflare, Railway, Google, Microsoft), with authorities when required by law, and in a corporate transaction.
- We do not sell your personal information and we do not engage in cross-context behavioral advertising.
- We retain it for as long as your account is active and up to ninety (90) days after deletion, longer where required by law (e.g., tax records for seven (7) years).
- You have rights to access, correct, delete, port, and object. Contact support@nodalpulse.com.
- AI processing. When you use the Service, your inputs are sent to Anthropic's Claude API for processing. We do not use your Customer Data to train AI models, and we contractually require Anthropic not to use it to train theirs.
2. Who is the data controller?
For purposes of GDPR and UK GDPR, Cordillera Ventures LLC (operating the NodalPulse service) is the data controller of the personal data we collect about you. Our address and contact information are at the bottom of this Policy.
We do not currently maintain a representative in the European Union or the United Kingdom under Article 27 GDPR or its UK equivalent, because at the time of this Policy our scale of EU/UK processing falls below the thresholds at which appointment is required. If that changes, we will update this Policy.
3. Information we collect
3.1 Information you give us directly
- Account information. Your name, work email, work organization (optional), market roles, tracked markets, tracked dockets, saved searches, and your OAuth identifier when you sign in through Google or Microsoft.
- Billing information. When you subscribe to a paid plan, you provide payment information to Stripe directly. We do not see or store full card numbers. We do store your customer ID with Stripe, subscription status, plan tier, billing email, and the last four digits and brand of your default card (as returned by Stripe).
- Support and communications. Messages you send to support@nodalpulse.com, feedback you submit through in-app forms, and any documents you choose to attach.
- Content and queries. The questions you ask in Q&A Chat, the saved searches you create, the dockets you track, and any documents you upload.
3.2 Information we collect automatically
- Usage data. Pages you view, features you use, the time and duration of sessions, the briefs we deliver to you, the Q&A queries you submit, and similar interaction telemetry.
- Device and technical data. IP address, browser type, operating system, screen size, language, referring URL, and timestamps.
- Cookies and similar technologies. We use a small number of strictly necessary cookies for authentication, session management, and security (CSRF protection). We do not use advertising cookies or third-party tracking cookies, and we do not engage in cross-context behavioral advertising. If we add a privacy-respecting analytics product in the future, we will update this section and provide a cookie banner if applicable law requires one.
3.3 Information from third parties
- OAuth providers. When you sign in through Google or Microsoft, we receive your name, email address, and a stable account identifier from the provider. We request only the
openid,email, andprofilescopes. We do not request access to your calendar, mail, drive, contacts, or any other resource. - Payment processor. Stripe shares with us limited billing metadata as described in Section 3.1.
- Public-source content. The Service ingests public regulatory filings and market notices from sources such as the PUCT Interchange Filing System and the ERCOT Market Information System. These filings sometimes contain personal data about filers, parties, and counsel. We process that personal data solely to provide the Service.
3.4 Categories under CCPA/CPRA
For California residents, the categories of personal information we collect include: identifiers (name, email, IP address, OAuth identifier); commercial information (subscription and billing metadata); internet or network activity information (usage telemetry); inferences (derived attributes such as your role and tracked markets, used to personalize briefs). We do not collect sensitive personal information as defined under CCPA/CPRA.
4. How we use information
We use the information described above for the following purposes:
(a) To provide and operate the Service: authenticate you, deliver Morning Briefs, fire saved searches, answer Q&A questions, render dashboards, send transactional email, store your settings and content.
(b) To bill you and process payments: through Stripe.
(c) To support you: respond to your questions, troubleshoot, and notify you of service-affecting issues.
(d) To improve the Service: understand which features are used, measure performance, debug errors, evaluate AI output quality, and develop new features. Where we use Customer Data for this purpose, we use it in aggregated or de-identified form whenever practical.
(e) To communicate about the Service: product announcements, security notices, billing reminders, and (where permitted) limited marketing communications. You can opt out of marketing email at any time.
(f) To enforce our Terms of Service and protect the Service: detect fraud, abuse, account compromise, and violations.
(g) To comply with law: respond to lawful requests from authorities, preserve records, and meet our tax and accounting obligations.
4.1 Legal bases (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, we rely on the following legal bases under Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)) for processing necessary to deliver the Service you have asked us to provide.
- Legitimate interests (Art. 6(1)(f)) for processing to improve and secure the Service, prevent fraud, and send limited service-related communications.
- Compliance with a legal obligation (Art. 6(1)(c)) for tax, accounting, anti-fraud, and lawful-disclosure obligations.
- Consent (Art. 6(1)(a)) for any processing that requires it, such as certain marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
We do not currently process special-category personal data under Article 9 GDPR.
5. Who we share information with
We share personal information with the limited set of categories of recipients below. Each is bound by a written contract restricting its use of the personal information.
5.1 Subprocessors
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, billing | Billing information, customer ID, plan + subscription state | United States |
| Anthropic, PBC | Large-language-model inference for Morning Briefs, Q&A responses, and filing summaries (Claude API) | Customer queries, filing text we send for summarization, and limited account context | United States |
| Sendinblue SAS d/b/a Brevo | Transactional email delivery (Morning Briefs, account notices, magic-link sign-in) | Email address, name, message content | European Union (France) |
| Cloudflare, Inc. | Content delivery network, DNS, DDoS protection, email routing for @nodalpulse.com mailboxes | IP address, request metadata, message envelopes | Global edge network with U.S. headquarters |
| Railway Corp. | Application hosting, managed Postgres database | All Customer Data processed by the Service | United States |
| Google LLC | OAuth sign-in (Google Sign-In) | OAuth identifier, name, email, profile | United States |
| Microsoft Corporation | OAuth sign-in (Microsoft Identity Platform) | OAuth identifier, name, email, profile | United States |
This list reflects our current subprocessors. We will update this list before engaging a new subprocessor that materially expands the scope of data sharing, and customers may subscribe to subprocessor-change notifications by emailing support@nodalpulse.com.
5.2 Use of Anthropic and AI inputs
The Service sends user queries, filing excerpts, and limited account context to Anthropic for LLM inference. We use Anthropic's commercial API. Under Anthropic's commercial API terms in effect at the time of this Policy, inputs and outputs are not used to train Anthropic's models. If those terms change in a way that materially affects this commitment, we will update this Policy.
We do not use Customer Data to train AI models of our own.
5.3 Legal compliance and protection
We may disclose personal information to a court, regulator, or law-enforcement authority where we believe in good faith that disclosure is required by applicable law, a valid legal process, or a binding governmental request. We may also disclose where necessary to protect our rights or property, our users' safety, or the public.
5.4 Corporate transactions
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will give you reasonable notice before personal information becomes subject to a different privacy policy.
5.5 Aggregated and de-identified data
We may share aggregated or de-identified information (which cannot reasonably be used to identify you) for research, benchmarking, or marketing.
5.6 No sale; no cross-context behavioral advertising
We do not sell personal information for monetary or other valuable consideration, and we do not engage in cross-context behavioral advertising or "share" personal information for such purposes, as those terms are defined under CCPA/CPRA and similar state laws.
6. International data transfers
NodalPulse is established in the United States, and most of our subprocessors operate from the United States. When we transfer personal data of EEA, UK, or Swiss data subjects to the United States or to other countries that are not subject to an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, or, where applicable, the EU-U.S. Data Privacy Framework and its UK and Swiss extensions. Copies of the relevant transfer mechanisms are available on request to support@nodalpulse.com.
7. How we secure information
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including TLS in transit, encryption of data at rest in our managed database, secret rotation, least-privilege access controls for our team, and routine security review of our subprocessors. No system is perfectly secure, and we do not warrant that personal information will never be accessed by unauthorized persons. If we become aware of a breach that affects your personal information and triggers a notification obligation under applicable law, we will notify you and any required authority within the applicable statutory deadline.
You play a role in security too: use a strong, unique password (or use Google/Microsoft sign-in), do not share your account credentials, and report suspected unauthorized access to support@nodalpulse.com.
8. How long we keep information
We retain personal information for as long as your account is active and as needed to provide the Service. When you delete your account, we delete personal information from our active production systems within ninety (90) days, except for:
- Records we are required to retain by law (for example, tax and accounting records, which U.S. law generally requires for seven (7) years);
- Limited information necessary to enforce our Terms of Service, resolve disputes, or prevent fraud or abuse;
- Backup archives, from which records are purged on the rolling schedule of each backup system; and
- Aggregated or de-identified information.
If you request deletion under a statutory right described in Section 10 or Section 11, we will process the request on the timelines required by the applicable law.
9. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18. If we learn we have collected personal information from a child under 18 without parent or guardian consent, we will delete it. Contact support@nodalpulse.com if you believe a child has provided us personal information.
10. Rights of U.S. state residents
The privacy laws of an expanding list of U.S. states give you rights regarding the personal information businesses hold about you. The rights below apply to residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, and to residents of any other state with a comprehensive consumer privacy law in effect at the time of your request.
10.1 Rights summary
- Right to know / access. Request the categories and specific pieces of personal information we have collected about you.
- Right to correct. Request that we correct inaccurate personal information.
- Right to delete. Request that we delete personal information about you, subject to permitted exceptions.
- Right to portability. Request a copy of personal information in a portable, structured, machine-readable format.
- Right to opt out of sale and of "sharing" (cross-context behavioral advertising). We do not engage in either; the opt-out is effectively a no-op for us.
- Right to opt out of targeted advertising and certain profiling. We do not engage in targeted advertising and do not currently use automated decision-making with legal or similarly significant effects.
- Right to limit use of sensitive personal information (California). We do not collect sensitive personal information as defined under CCPA/CPRA.
- Right against retaliation. We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
10.2 How to exercise
Send a request to support@nodalpulse.com with "Privacy Request" in the subject line and describe the right you wish to exercise. We may need to verify your identity, typically by confirming you control the email address associated with your account.
You may use an authorized agent to make a request on your behalf, where applicable law allows. We will require evidence of the agent's authorization.
10.3 Timing
We will respond to your request within the time required by applicable law (typically 45 days, extendable in limited cases).
10.4 Appeals
If we decline your request, you may appeal by replying to our response with "Appeal" in the subject line. If we deny your appeal, you may contact the attorney general of your state.
11. Rights of EEA, UK, and Swiss data subjects
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR (or the UK GDPR or Swiss FADP, as applicable):
- Access — confirmation of whether we process your personal data and, if so, a copy.
- Rectification — correction of inaccurate or incomplete personal data.
- Erasure (the "right to be forgotten") — deletion of personal data in defined circumstances.
- Restriction of processing — in defined circumstances.
- Data portability — receipt of personal data you provided in a structured, commonly used, machine-readable format.
- Objection — including objection to processing based on our legitimate interests, and objection to direct marketing at any time.
- Withdrawal of consent — where processing is based on consent.
- Lodging a complaint — with a supervisory authority in your country of residence or place of work. A list of EEA supervisory authorities is available at
edpb.europa.eu. UK residents may contact the Information Commissioner's Office atico.org.uk.
To exercise any of these rights, email support@nodalpulse.com. We will respond within one month of receipt, extendable by up to two months for complex requests.
We do not currently make solely automated decisions that produce legal or similarly significant effects about you.
12. Do Not Track and Global Privacy Control
Some browsers send "Do Not Track" signals. Because there is no industry standard for how to respond to these signals, we do not currently respond to them. However, we will recognize the Global Privacy Control (GPC) signal sent by certain browsers as a valid opt-out of "sale" and "sharing" of personal information for residents of states whose laws require us to do so. As stated above, we do not sell or "share" personal information in the relevant sense, but we will treat a GPC signal as a confirmation of that status for your browser.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to the address on your account or by a prominent notice on the Site at least fifteen (15) days before the change takes effect, except where applicable law requires a shorter or longer notice period. The "Last updated" date at the top of this Policy indicates when it was most recently revised.
14. How to contact us
Privacy questions, requests, and complaints can be sent to:
Cordillera Ventures LLC
A Wyoming limited liability company, operator of the NodalPulse service
support@nodalpulse.com
nodalpulse.com
Please put "Privacy Request" in the subject line for data-rights requests and "Privacy Question" for general inquiries; we triage on subject line.