Privacy Policy

Nodewave (“we”, “us”) is a custom-software studio based in Portugal. This policy explains what personal data we collect when you visit nodewave.io or contact us, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).

Questions or requests? Email [email protected].

1. What we collect

We collect three kinds of data:

• Contact form submissions:name, work email and the message you send via the contact form on the homepage. Stored in our database (Supabase) so we can reply and follow up.
• Analytics and marketing events:anonymous or pseudonymous usage data (pages viewed, device type, referrer, limited conversion events) collected by the third-party services listed below, only if you accept cookies.
• Server logs:standard technical logs (IP address, user-agent, timestamp) generated by our hosting provider (Vercel) for security, debugging and abuse prevention.

2. Why we collect it

• To respond to your enquiry and deliver the services you ask about.
• To understand how the site is used and improve it.
• To measure the performance of marketing campaigns.
• Legal bases under GDPR Art. 6: your consent (analytics/marketing cookies), our legitimate interest (server logs, first-party analytics), and the performance of a contract or pre-contract measures (replying to enquiries).

3. Cookies and similar technologies

The site sets two groups of cookies:

• Strictly necessary / first-party analytics: Vercel Analytics. Aggregated, no personal identifiers stored in your browser. These run without consent because they are essential for site operation and aggregate-only.
• Analytics and marketing (opt-in):Google Tag (including Google Ads conversions), Meta Pixel and Reddit Pixel. These load only after you click “Accept” on the cookie banner. You can change your choice at any time by clearing your browser storage for this domain.

4. Third parties we share data with

• Supabase (database & authentication), stores contact-form submissions. EU-hosted instance.
• Vercel (hosting & first-party analytics), serves the site and logs requests.
• Cloudflare (DNS), routes traffic to our origin.
• Google, Meta and Reddit: marketing and conversion measurement (only after consent). These providers may transfer data outside the EU under the EU–US Data Privacy Framework.

We do not sell your data. We only share it with the providers above for the stated purposes.

5. How long we keep it

• Contact-form submissions: up to 24 months from the last interaction.
• Server logs: up to 30 days.
• Cookies: according to each provider's default (typically up to 13 months).

6. Your rights

Under GDPR you can:

• Request a copy of your personal data (Art. 15).
• Ask us to correct or delete it (Art. 16 and 17).
• Object to or restrict processing (Art. 21 and 18).
• Withdraw consent for cookies at any time.
• Lodge a complaint with Portugal's data-protection authority, CNPD.

To exercise any of these rights, email [email protected]. We respond within 30 days.

7. Security

Data is transmitted over HTTPS and stored on providers that meet EU security standards. We limit access to the people who need it to operate the business.

8. Changes to this policy

If this policy changes materially, we will update the “Last updated” date at the top and, where appropriate, notify you via the cookie banner.