Udo Privacy Policy

Privacy Policy — Udo (Free Tier)

Last updated: 21st April 2026

This Privacy Policy describes how NodeMasters GmbH ("NodeMasters", "we", "us") processes personal data when you use Udo, our conversational AI tool that helps you articulate workplace automation ideas.

This policy is specific to the Udo application. For information about our main website (node-masters.com), please see our general Privacy Policy.

1. Controller

The data controller within the meaning of Art. 4(7) GDPR is:

NodeMasters GmbH
Birkenweg 10
61184 Karben
Germany

Email: contact@node-masters.com

Managing Directors: Thomas William Barr, Steffen Huß, Wolfgang Roidl

2. What Udo Is

Udo is a free, web-based conversational tool. You can describe a workplace problem or process you'd like to improve, and Udo helps you turn it into a structured project idea, including an effort estimation and (where relevant) a recommendation against pursuing the idea. Udo uses a large language model (Anthropic Claude) to generate its responses.

You are interacting with an AI system. Responses are generated; they are not from a human and should not be relied on as professional advice.

3. What Data We Process

3.1 Conversation content

Everything you type into the chat, plus the AI-generated responses. This may include personal information you choose to share (your name, your role, the names of colleagues or clients you mention, descriptions of your work).

Please avoid sharing special categories of personal data (such as health information, religious or philosophical beliefs, trade union membership, or data concerning sexual orientation), as Udo is not designed to handle such data.

3.2 Lead data (if you provide it)

At the end of a conversation, you may optionally share your name, email address, and company. This is voluntary. Conversations are usable without it.

3.3 Technical metadata

Your IP address — stored only as a one-way HMAC hash, never as plaintext.
Your browser's User-Agent string.
The detected language of your browser.
Timestamps (start and end of conversation).
Token usage counts (for cost monitoring).

3.4 We do not collect

We do not use cookies for tracking, analytics, or advertising on the Udo application itself.
We do not use Google Analytics, Tag Manager, or comparable tools inside the Udo chat.
We do not collect device identifiers, location data, or anything beyond what is listed above.

Note: if you reach Udo via a link on node-masters.com, the cookies described in our main Privacy Policy may apply on that website.

4. Why We Process This Data and on What Legal Basis

Purpose	Legal basis
Providing the conversational AI service you requested	Art. 6(1)(b) GDPR — performance of a service requested by you
Generating an AI response (sending your message to the language model)	Art. 6(1)(b) GDPR
Storing your conversation so we can review it internally and improve the product	Art. 6(1)(f) GDPR — legitimate interest in product improvement
Sending an internal summary of your conversation to our team	Art. 6(1)(f) GDPR — legitimate interest in qualifying inbound interest
Storing the IP hash and rate-limiting	Art. 6(1)(f) GDPR — legitimate interest in protecting the service from abuse
Storing the lead data you voluntarily provide	Art. 6(1)(b) and Art. 6(1)(f) GDPR — to follow up on your enquiry

You have the right to object to processing based on legitimate interest at any time (Art. 21 GDPR). See Section 9 below.

5. Where Your Data Is Processed and Stored

All processing takes place in the European Union. We do not transfer your data to third countries.

5.1 Hosting (Microsoft Azure)

The Udo application and its database run on Microsoft Azure in the West Europe (Amsterdam, Netherlands) region. Microsoft Ireland Operations Limited acts as the EU contracting party. We have a Data Processing Agreement with Microsoft, and Microsoft is covered by the EU Data Boundary programme, which keeps customer data within the EU including for support access.

Conversation data is stored in a SQLite database on the same Azure App Service that runs the application. No external database service is used.

5.2 AI inference (Amazon Web Services / Anthropic Claude via AWS Bedrock)

Your messages are processed by Anthropic's Claude language model, which we access via AWS Bedrock in the eu-central-1 (Frankfurt) region. Amazon Web Services EMEA SARL (Luxembourg) acts as the EU contracting party.

Important characteristics of this setup:

AWS does not store, log, or retain your prompts and responses.
AWS does not use your prompts or responses to train any AI model.
Anthropic does not receive your data: the Claude model runs inside AWS infrastructure, and Anthropic has no access to traffic.

This is documented in the AWS Service Terms (Section 50.3, in which Bedrock is deliberately excluded from the list of services that may use customer content for model training) and in the AWS Bedrock data protection documentation.

5.3 Internal review (Slack)

A summary of each conversation, plus any lead data you provided, is sent to a private internal channel in Slack so our team can identify common themes and follow up where appropriate. The full conversation transcript is not sent to Slack — only an anonymised summary.

The summarisation process is instructed to remove the names of third parties you may have mentioned (colleagues, managers, clients) and to refer to them in generic terms instead. Note that this is a best-effort measure relying on AI-based anonymisation and is not guaranteed to be perfect.

Slack data is stored under Slack's EU Data Residency programme. Slack Technologies Limited (Dublin) acts as the EU contracting party. Slack is a sub-processor of NodeMasters; access is limited to the NodeMasters core team.

5.4 Sub-processor list

Sub-processor	Role	Location
Microsoft Ireland Operations Ltd	Application hosting and database	West Europe (Amsterdam)
Amazon Web Services EMEA SARL	AI inference via AWS Bedrock	eu-central-1 (Frankfurt)
Slack Technologies Ltd	Internal team notifications	EU Data Residency

We have signed Data Processing Agreements with each sub-processor.

6. How Long We Keep Your Data

Data category	Retention period
Conversation content (in our database)	Maximum 90 days from the end of the conversation, then automatically deleted
IP hash and User-Agent	Maximum 30 days, then automatically nulled
Conversation summary in Slack	Maximum 12 months, then deleted in a periodic manual review
Lead data (name, email, company) — if you provided it	Until you ask us to delete it, or until we conclude there is no further legitimate interest in keeping it
AWS Bedrock	Not retained at all (no logging)

If you ask us to delete your data sooner, we will do so within 30 days (see Section 9).

7. Sharing With Third Parties

We do not sell your data. We do not share it with third parties except for the sub-processors listed in Section 5.4, who process it on our instructions under a Data Processing Agreement.

We may disclose data if compelled by law (e.g., a binding court order). We are not aware of, and do not anticipate, any such request for Udo conversations.

8. Security

All connections to Udo use TLS encryption (HTTPS).
The internal admin endpoint that allows the NodeMasters team to view full dialogues is protected by authentication.
Your IP address is hashed before storage; the original IP cannot be recovered from the hash.
Access to our Slack workspace is limited to NodeMasters personnel.
AWS Bedrock and Microsoft Azure are both certified under ISO 27001, SOC 2, and other recognised information security standards.

We follow industry-standard practices for a tool of this kind. Udo is, however, currently in a soft-launch phase, and we do not yet hold our own SOC 2 or ISO 27001 certification. If you require this for a procurement process, please contact us.

9. Your Rights

Under the GDPR, you have the right to:

Access the personal data we hold about you (Art. 15 GDPR)
Rectification of inaccurate data (Art. 16 GDPR)
Erasure of your data ("right to be forgotten") (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data portability in a structured, machine-readable format (Art. 20 GDPR)
Object to processing based on legitimate interest (Art. 21 GDPR)
Withdraw consent at any time, where processing is based on consent
Lodge a complaint with a data protection supervisory authority. The competent authority for NodeMasters is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit in Wiesbaden, Germany.

To exercise any of these rights, contact us at contact@node-masters.com. To help us locate your data, please include the approximate date of your conversation and any details you remember (since we do not store names by default, this helps us find the right record).

We will respond within 30 days.

Important note on practical limitations: Because we minimise the personal data we collect (no accounts, no cookies, no persistent identifiers, IPs only as hashes), we may not be able to identify "your" data with certainty unless you provided lead information or can supply other identifying details. In such cases we will explain this honestly rather than guess.

10. Automated Decision-Making

Udo generates AI responses, including effort estimations and recommendations. These are informational only. They do not produce legal effects, and no decision affecting you is made automatically by Udo. Any subsequent action (such as a NodeMasters team member contacting you about your idea) involves human review.

The use of an AI system is disclosed to you at the start of each conversation, in line with Art. 50 of the EU AI Act.

11. Children

Udo is not directed at children. We do not knowingly process data from anyone under 16. If you believe a child has used Udo, please contact us and we will delete the data.

12. Changes to This Policy

We may update this policy as Udo evolves. Material changes will be reflected in the "Last updated" date at the top. Because Udo does not have user accounts, we cannot notify you individually of changes.

13. Contact

For any privacy-related question, request, or complaint:

Email: contact@node-masters.com
Postal: NodeMasters GmbH, Birkenweg 10, 61184 Karben, Germany