Privacy Policy
Last updated · 25 May 2026
This policy explains how Pointnode Ltd ("we", "us") handles personal data when you use the Pointnode platform — the Cloud dashboard at pointnode.io and the craneIQ iOS app (the crane-vertical mobile client). It applies to everyone whose personal data is processed through the platform.
It is written in plain English. If anything is unclear, email privacy@pointnode.io.
1. Who is responsible for your data
Pointnode is a B2B platform sold to organisations that operate industrial assets (cranes today, additional asset types over time). Each such organisation is a "Customer". Two roles apply under UK GDPR:
- For your Customer's data (operator names, lockout records, asset records including statutory inspections and pre-use safety checks, telemetry from your Customer's assets) — your Customer is the data Controller. Pointnode is the data Processor, acting only on documented instructions from your Customer (the Data Processing Agreement).
- For our own platform data (Pointnode staff accounts, security logs that identify Pointnode users, system audit data) — Pointnode is the data Controller.
If you're an asset operator or site manager and you want to access, correct or delete your data, contact your employer first — they hold the relationship with us.
Pointnode contact details
- Pointnode Ltd, registered in England and Wales.
- Privacy queries: privacy@pointnode.io
- ICO Data Protection Fee — registered.
2. What personal data we process
For Customer accounts (Pointnode as Processor)
- User profile: display name, email address, role assignment within the Customer organisation, hashed password (we never see plaintext).
- Activity: timestamps of logins, configuration changes, lockout issue/release actions, asset record submissions (including pre-use safety checks).
- Asset records: inspection, service, and safety records filed against a specific asset — including statutory thorough examinations (LOLER, PUWER, wire rope), services, pre-use safety checks, and ad-hoc reports. Each record includes the submitting user's identity, the asset identity, the person who performed the work (free-text name + qualification reference), the outcome, a short findings summary, and any attached PDF evidence file or photos uploaded as part of the submission.
- Lock-out / tag-out (LOTO) records: who locked out which asset, when, and why.
- Notification preferences: which alerts you want, on which channels.
Telemetry from assets (not personal data, with caveats)
The bulk of data on the platform is operational telemetry from on-asset PLCs (load, cycle counts, fault codes, etc.). This is machine data, not personal data. It only becomes personal data when correlated with operator activity through the audit log (e.g. "operator X started a session on asset Y at time Z").
Profile contact details
- Phone number (`user_profiles.phone`) where you choose to add one to your profile. Used for out-of-band identity verification when you contact support (for example, when recovering access after losing your second-factor device). Lawful basis: performance of contract.
- Job title (`user_profiles.job_title`) where you choose to add one. Helps your org admin and Pointnode staff understand who they are speaking to in a multi-person team. Lawful basis: performance of contract.
Support tickets and help-centre feedback
- Support tickets and conversation history: when you raise a support request via `/support/new`, we store the subject line, the message body, any attachments you upload, the assigned ticket number (PN-YYYY-NNNN), category, priority, status, and the threaded follow-up messages between you and Pointnode staff. Visible to active members of your organisation and to Pointnode staff. Lawful basis: performance of contract.
- Help-content feedback: when you click "Was this article helpful?" on a `/help/<slug>` page, we record your vote (yes/no) and any optional free-text feedback against your user account and organisation. Used to prioritise content improvements. Lawful basis: legitimate interest (product improvement).
Integration credentials (where you choose to use them)
- Outgoing webhook configuration: the destination URL you configure, the event types you subscribe to, and the HMAC signing secret for each webhook (the secret is shown once on creation and stored for re-display only via the one-shot reveal cookie). Lawful basis: performance of contract.
- API tokens: long-lived bearer credentials you mint for programmatic access. We store a one-way hash of the token value (we never see the cleartext after creation), the token name + scope, the creator's user identity, and last-used timestamp. Lawful basis: performance of contract.
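For security teams who want to see what "we store a one-way hash of the token" and "HMAC signing secret" mean in practice, the following is an added illustration and not Pointnode's own code. It assumes, for the sake of the example, a `pn_` token prefix, SHA-256 as the token digest, a signature computed over `<timestamp>.<body>`, and a five-minute replay window; none of those details are stated in this policy.

```python
"""Illustrative credential handling: hashed API tokens and HMAC-signed webhooks.

Added example, not Pointnode's code. Everything concrete here (the "pn_" token
prefix, SHA-256 as the token hash, the "<timestamp>.<body>" signature layout and
the five-minute replay window) is an assumption made for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

TOKEN_PREFIX = "pn_"          # assumed prefix so a leaked token is recognisable
REPLAY_WINDOW_SECONDS = 300   # assumed tolerance for clock skew and redelivery


def mint_api_token() -> Tuple[str, str]:
    """Return (cleartext, stored_hash). The cleartext is shown to the user once;
    only the SHA-256 digest is written to the token table. A plain fast hash is
    adequate here because the token carries 256 bits of randomness, unlike a
    password, which would need a slow, salted hash."""
    cleartext = TOKEN_PREFIX + secrets.token_urlsafe(32)
    return cleartext, hashlib.sha256(cleartext.encode()).hexdigest()


def lookup_token(presented: str, token_table: Dict[str, dict]) -> Optional[dict]:
    """Resolve a presented bearer token by hashing it and looking the digest up.
    The table never holds cleartext, so a copy of it yields nothing replayable."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return token_table.get(digest)


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>". Binding the timestamp into the MAC
    lets the receiver reject deliveries replayed outside the window."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp: int, body: bytes,
                   signature: str, now: int) -> bool:
    """Receiver-side check: reject stale timestamps first, then compare the
    recomputed MAC in constant time so the comparison leaks no timing."""
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_webhook(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


def demo() -> Dict[str, bool]:
    """Exercise both flows on constructed input and report each outcome."""
    cleartext, stored_hash = mint_api_token()
    token_table = {stored_hash: {"name": "ci-deploy", "scope": "assets:read"}}

    secret = secrets.token_bytes(32)  # per-webhook signing secret
    # Constructed sample event body; the event names are not from the policy.
    body = json.dumps({"event": "lockout.issued", "asset": "CR-12"}).encode()
    sent_at = 1_700_000_000
    signature = sign_webhook(secret, sent_at, body)

    return {
        "valid_token": lookup_token(cleartext, token_table) is not None,
        "wrong_token": lookup_token(cleartext + "x", token_table) is None,
        "good_delivery": verify_webhook(secret, sent_at, body, signature, now=sent_at + 10),
        "tampered_body": verify_webhook(secret, sent_at, body + b" ", signature, now=sent_at + 10),
        "replayed_late": verify_webhook(secret, sent_at, body, signature, now=sent_at + 3600),
        "forged_signature": verify_webhook(secret, sent_at, body, "0" * 64, now=sent_at + 10),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The receiver side is the part integrators control: check the timestamp before doing any work, recompute the MAC over exactly the bytes received (not a re-serialised copy), and compare with `hmac.compare_digest` rather than `==`.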
Multi-factor authentication state
- Authenticator-app enrolment: the record that your MFA is enabled, the date you enrolled, and the status of the factor. The shared secret stored on your phone is held by our authentication provider; we do not see it in cleartext.
- Recovery codes: ten one-shot backup codes generated for you when you enrol MFA, stored only as one-way hashes (we cannot read the original code once it is saved). The presence of a row and its `used_at` timestamp record that MFA is active and which codes have been redeemed. Lawful basis: performance of contract (account security).
Technical data
- Session: a sign-in cookie that keeps you signed in.
- Device: browser type and IP address appear in standard server logs for security and abuse prevention. We do not maintain a separate analytics IP database.
- Cookies: see Section 9.
3. Why we process it (lawful basis)
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide the platform under our contract with the Customer | Performance of contract |
| Send transactional emails (alerts, password resets) | Performance of contract |
| Audit logging for security and accountability | Legitimate interest + Customer's legal obligation |
| Asset records (statutory inspections, services, pre-use checks) and LOTO records | Customer's legal obligation under H&S regulations |
| Detect and respond to security incidents | Legitimate interest |
| Comply with valid law-enforcement requests | Legal obligation |
4. Who we share it with (sub-processors)
We do not sell personal data. Other than disclosures required to comply with valid legal requests (Section 3), we do not share it with anyone other than the sub-processors listed at /legal/sub-processors and their immediate hosting providers. Each sub-processor is engaged under a written data-processing agreement satisfying UK GDPR Article 28, and is engaged solely to deliver the platform.
Customers are notified at least 30 days before any new sub-processor is added and may object before the change takes effect.
5. International transfers
We aim to keep all personal data within the UK and EU. Where a sub-processor processes data outside the UK / EEA (e.g. Resend in the United States), we use the UK's International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) plus any required supplementary measures to ensure equivalent protection. See the sub-processor list for region-by-region detail.
6. How long we keep it
| Data | Retention |
|---|---|
| Active user account | For the life of the account, plus 30 days after deletion |
| Audit log of user actions | 7 years rolling, consistent with the UK Health & Safety retention carve-out (LOLER / PUWER / RIDDOR) invoked at Section 7 |
| Notification log (sends, failures) | 12 months rolling |
| Asset records — statutory inspections (LOLER, PUWER, wire rope) and services | 5 years from the date of the record, aligned with UK H&S retention practice |
| Asset records — pre-use safety checks | 2 years from the date of the record |
| Lock-out / tag-out records | Per Customer policy and UK H&S retention rules (typically 5 years) |
| Asset telemetry (machine data) | 26 weeks rolling on the dashboard hot path; longer in cold storage at Customer's request |
| Server logs (hosting and infrastructure providers) | Per provider defaults — typically 7–30 days |
At the end of the contract with a Customer, we return or delete the Customer's personal data within 30 days, subject to retention obligations imposed by law on either party.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data. Org admins can export their organisation's data via Settings → Organisation → Export organisation data; for individual access requests, contact your Customer first or email us.
- Rectification: ask us to correct inaccurate data.
- Erasure ("right to be forgotten"): when you ask us to delete your account, we remove personal identifiers from your profile within 30 days: display name, contact details (phone, job title), and your organisation-level notification subscriptions. In detail:
  - Your email address on the underlying authentication record is rewritten to a non-replayable tombstone of the shape `deleted+<uuid>@pointnode.io`, and that authentication record is permanently banned at the same time.
  - Your TOTP enrolment and recovery-code rows remain in storage as hashes (they cannot be redeemed because the authentication record is banned) and are removed in full at the end of the H&S retention period together with the tombstoned profile.
  - We retain a tombstoned record (a deletion timestamp, the anonymised email, and the audit-log entries you authored) under the limited carve-out at UK GDPR Article 17(3)(b) (processing necessary for compliance with a legal obligation), by reference to your Customer's record-retention duties under the Lifting Operations and Lifting Equipment Regulations 1998 (LOLER), the Provision and Use of Work Equipment Regulations 1998 (PUWER) and the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR). Industry practice aligns this retention with the 5-year period commonly applied to lifting-equipment inspection records; the tombstoned record itself is removed at the end of that period.
  - Active API tokens you created are revoked in the same database transaction as the account deletion.
  - Outstanding support tickets you authored remain visible to your organisation under a "Deleted user" label so the conversation history stays readable for continuity.
  - Where you are the sole administrator of an organisation, you cannot self-delete until you have promoted another administrator or contacted support to transfer the organisation. This is a hard guard enforced both at the database and at the action layer.
- Portability: receive your data in a structured, machine-readable format (we provide JSON).
- Restriction: ask us to pause processing while a dispute is resolved.
- Object to processing based on legitimate interest.
- Withdraw consent at any time, where any processing is based on your consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. In practice Pointnode does not currently rely on consent as the lawful basis for any processing of Customer Personal Data — everything is on the contract, legitimate-interest, or legal-obligation footings set out in Section 3 — so this right has limited bite today but is included here for completeness.
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.
8. Security
Technical and organisational measures we apply:
- Modern encryption (TLS 1.2 or higher) on every network connection.
- Customer data is isolated per tenant at the database level: a query running in one Customer's context cannot read another Customer's rows, even if an application bug attempted it, because the database itself refuses.
- The audit log is append-only — nobody, including Pointnode staff, can edit or delete past entries.
- Every connected asset authenticates with its own unique digital certificate; no credentials are shared between assets. If a single asset is ever compromised, its certificate can be revoked and the asset shut off within five minutes without affecting any other asset.
- Per-organisation rate limits on write actions and outbound email.
- Internal admin credentials are held server-side only and never exposed to browsers or controllers.
- AES-256 encryption at rest (industry-standard, managed by our hosting providers).
- Strict security headers on every web page (HSTS, Content-Security-Policy, frame protection, referrer policy).
- Multi-factor authentication available on every account.
Technical detail for your security team: see our public security overview page and Annex 3 (Security Measures) of our DPA.
9. Cookies
Pointnode uses only essential cookies:
- A sign-in cookie that keeps you signed in.
- A small session cookie used to refresh the sign-in cookie safely.
We do not use advertising cookies, third-party analytics cookies, or any cookies that require consent under PECR. You can clear cookies in your browser settings; you will need to sign in again afterwards.
10. Children
Pointnode is a workplace tool intended for adults using or managing industrial equipment. We do not knowingly collect personal data from anyone under 18.
11. Personal data breaches
If a personal data breach occurs that is likely to result in a risk to rights and freedoms, we will:
- Notify each affected Customer (Controller) within 48 hours of becoming aware, per our DPA Section 7, so they can fulfil their own breach-notification duties to data subjects.
- Notify the UK Information Commissioner's Office without undue delay and within 72 hours where required by UK GDPR Article 33, for breaches concerning personal data for which Pointnode is the Controller.
Where Pointnode is acting as Processor, the affected Customer (Controller) is responsible for any onward notification to the ICO and to data subjects.
12. Changes to this policy
Material changes will be notified by email to org admins at least 30 days before they take effect. The current version is always at this URL with a "Last updated" date at the top.
13. Contact
Privacy queries, data subject requests, and matters that would otherwise be addressed to a Data Protection Officer: privacy@pointnode.io. (Pointnode has not formally appointed a DPO because the platform does not meet the UK GDPR Article 37 thresholds for mandatory appointment; the privacy mailbox is monitored by senior engineering staff.)
Pointnode Ltd, registered in England and Wales.