Nodelulu

Privacy Policy

Version 1.0 — Last updated: 19 February 2026

1. Who We Are

Nodelulu is an AI hallucination detection service operated by S MacKenzie from England and Wales. We are the data controller for the personal data processed through this service.

We have not appointed a Data Protection Officer (DPO) as we do not engage in large-scale processing of special category data. For all privacy enquiries, contact: privacy@nodelulu.ai. For legal matters: legal@nodelulu.ai.

2. What Nodelulu Does

You submit text (by pasting or uploading a document), and we analyse it using multiple large-language models, web-evidence grounding, and academic citation databases to identify potential factual errors, unsupported claims, and hallucinated content.

3. Data We Process

  • Text you submit — the content you paste or upload for verification. This is sent to our server and forwarded to third-party AI model providers and search services (see Section 5) for analysis.
  • IP address — used solely for rate limiting (to prevent abuse). IP addresses are hashed and stored in Upstash Redis with automatic expiry (see Section 6). IP addresses are not linked to your submitted content.
  • Usage metadata — scan count (stored in your browser's local storage for free-tier enforcement), timestamps. No cookies are set by Nodelulu.

4. Data We Do NOT Collect

  • We do not require account creation, email addresses, or personal information.
  • We do not use cookies or tracking pixels.
  • We do not use analytics services (no Google Analytics, no Mixpanel, etc.).
  • We do not retain your submitted text after the analysis request completes.
  • We do not build user profiles or perform cross-session tracking.
  • We do not sell, rent, or trade your personal information to any third party. We do not share data for advertising or marketing purposes. Text is shared with the third-party processors listed in Section 5 solely for the purpose of providing the analysis service you requested.

5. Third-Party Data Processors

To analyse your text and verify claims, we send data to the following third-party services. Each processes data under its own privacy policy. We have Data Processing Agreements (DPAs) in place with each provider where applicable.

AI Model Providers

Your submitted text is sent to these providers for analysis:

Web Search & Evidence Grounding

Claims extracted from your text are searched against the public web:

  • Brave Software (Brave Search API) — US-based — Privacy Policy
  • Google (Google Search via Gemini grounding) — US-based — Privacy Policy

Academic Citation Verification

Citation text is sent to these databases to verify academic sources:

Infrastructure & Rate Limiting

  • Vercel (hosting & serverless functions) — US-based — Privacy Policy
    All requests pass through Vercel infrastructure. Vercel may process IP addresses and request metadata as part of standard serverless hosting.
  • Upstash (Redis — rate limiting) — US/EU-based — Privacy Policy
    Stores hashed IP-based counters with automatic expiry for rate limiting. No submitted text is stored in Upstash.

All API calls use encrypted HTTPS/TLS connections. We use API tiers that include data processing agreements (DPAs) and contractual commitments that your data is not used to train provider models.

6. Data Retention

  • Submitted text: Not stored. Processed in-memory during analysis and discarded when the response completes.
  • Analysis results: Not stored server-side. Results are sent directly to your browser and not persisted.
  • Rate limit data: IP-based counters stored in Upstash Redis (a cloud-hosted key-value store). Counters are keyed by hashed IP address and expire automatically within 30 days. No submitted text is stored in Redis. In development/fallback mode, counters are held in server memory and cleared on restart.
  • Local storage: Your browser stores a scan counter for free-tier enforcement. You can clear this at any time via your browser settings.

7. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR Article 6(1):

  • Text you submit for analysis — Article 6(1)(b): processing necessary for the performance of a contract (providing the analysis service you requested).
  • IP address for rate limiting — Article 6(1)(f): legitimate interests (preventing abuse and ensuring fair access to the service). Our legitimate interest in preventing abuse outweighs the minimal privacy impact, as IP addresses are hashed and auto-expire.
  • Sharing text with AI providers — Article 6(1)(b): necessary to perform the analysis service you requested. Without AI model processing, the service cannot function.

8. International Data Transfers

Nodelulu is operated from the United Kingdom. Your submitted text is transferred to third-party processors located in the United States (see Section 5).

These transfers are protected by:

  • Standard Contractual Clauses (SCCs) / UK International Data Transfer Agreement (IDTA) incorporated into our Data Processing Agreements with each processor.
  • Where available, processor participation in recognised frameworks (e.g., the EU-U.S. Data Privacy Framework).

By using Nodelulu, you acknowledge that your submitted text will be processed in jurisdictions outside your country of residence. We ensure that all transfers comply with UK GDPR Chapter V requirements for adequate safeguards.

9. Your Rights

Under UK GDPR, EU GDPR, CCPA, and similar data protection regulations, you have the right to:

  • Access — know what personal data we hold about you (Article 15).
  • Rectification — correct inaccurate data (Article 16).
  • Erasure — request deletion of your data (Article 17).
  • Restriction — limit how we process your data (Article 18).
  • Portability — receive your data in a structured, machine-readable format (Article 20).
  • Objection — object to processing based on legitimate interests (Article 21).
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

Since we do not store submitted text or create user accounts, most of these rights are automatically satisfied — there is no personal data to access, correct, or delete. For rate limiting data (IP-based counters in Upstash Redis), these expire automatically within 30 days.

To exercise any right, contact privacy@nodelulu.ai. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with:

10. App Store Privacy Declarations

For Apple App Store and Google Play Data Safety disclosures, the data types we handle are:

  • Identifiers — IP address (used for rate limiting only, not linked to identity).
  • User Content — text you submit for analysis (processed in-memory, not stored).
  • Usage Data — scan count (stored locally in your browser/app, not collected by us).

We do NOT collect: name, email, phone number, payment information (payments are handled by Apple/Google), location data, contacts, browsing history, search history, diagnostics, device identifiers, or advertising data.

Data is NOT used for: tracking, advertising, analytics, or personalisation.

11. Tracking & App Tracking Transparency

Nodelulu does not track you across other companies' apps or websites. We do not use advertising identifiers (IDFA/GAID), fingerprinting, or any cross-app / cross-site tracking technology. As such, Nodelulu does not trigger Apple's App Tracking Transparency (ATT) prompt. In Apple's App Privacy “nutrition labels” and Google Play's Data Safety section, we declare: no data is collected for tracking purposes.

12. Children's Privacy

Nodelulu is not directed at children. You must be at least 16 years old to use this service (aligned with the UK digital age of consent under the Age Appropriate Design Code).

We do not knowingly collect personal information from anyone under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete it.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) by not knowingly collecting information from children under 13. The app is rated 17+ on the Apple App Store in accordance with Apple's guidelines for AI-powered content analysis tools.

13. Security

We implement security measures including: encrypted API communications (HTTPS/TLS), HMAC-SHA256 request signing, Content Security Policy headers, input validation and size limits, rate limiting, URL sanitisation of evidence links, and server-side error boundaries.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk, as required by UK GDPR Article 34.
  • Post a notice on our website describing the nature of the breach and remedial steps taken.

Due to our minimal data retention (no stored text, no accounts, auto-expiring rate limit counters), the scope of any potential breach is inherently limited.

15. Changes to This Policy

We may update this privacy policy from time to time. When we do:

  • The “Last updated” date and version number at the top will be revised.
  • For material changes (new data types collected, new processors, changes to legal basis), we will display an in-app notice for at least 14 days.

Continued use of the service after the notice period constitutes acceptance of the updated policy.

16. Governing Law

This privacy policy is governed by the laws of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to your rights under local consumer protection or data protection laws.

17. Contact

For privacy-related questions, please contact us at privacy@nodelulu.ai.