Privacy Policy

Last updated · 1 July 2026

This policy explains how Pointnode Ltd ("we", "us") handles personal data when you use the Pointnode platform — the Cloud dashboard at pointnode.io and the craneIQ iOS app (the crane-vertical mobile client). It applies to everyone whose personal data is processed through the platform.

It is written in plain English. If anything is unclear, email privacy@pointnode.io.

1. Who is responsible for your data

Pointnode is a B2B platform sold to organisations that operate industrial assets (cranes today, additional asset types over time). Each is a "Customer". Two roles apply under UK GDPR:

If you're an asset operator or site manager and you want to access, correct or delete your data, contact your employer first — they hold the relationship with us.

Pointnode contact details

2. What personal data we process

For Customer accounts (Pointnode as Processor)

Telemetry from assets (not personal data, with caveats)

The bulk of data on the platform is operational telemetry from on-asset PLCs (load, cycle counts, fault codes, etc.). This is machine data, not personal data. It only becomes personal data when correlated with operator activity through the audit log (e.g. "operator X started a session on asset Y at time Z").

Profile contact details

Support tickets and help-centre feedback

Integration credentials (where you choose to use them)

Multi-factor authentication state

Technical data

3. Why we process it (lawful basis)

PurposeLawful basis (UK GDPR Art. 6)
Provide the platform under our contract with the CustomerPerformance of contract
Send transactional emails (alerts, password resets)Performance of contract
Audit logging for security and accountabilityLegitimate interest + Customer's legal obligation
Asset records (statutory inspections, services, pre-use checks) and LOTO recordsCustomer's legal obligation under H&S regulations
Detect and respond to security incidentsLegitimate interest
Comply with valid law-enforcement requestsLegal obligation

4. Who we share it with (sub-processors)

We do not sell personal data and we do not share it with anyone other than the sub-processors listed at /legal/sub-processors and their immediate hosting providers. Each sub-processor is engaged under a written data-processing agreement satisfying UK GDPR Article 28, and is engaged solely to deliver the platform.

Customers are notified at least 30 days before any new sub-processor is added and may object before the change takes effect.

5. International transfers

We aim to keep all personal data within the UK and EU. Where a sub-processor processes data outside the UK / EEA (e.g. Resend for transactional email, and — for the optional AI features described in Section 9 — Anthropic PBC and Voyage AI / MongoDB, Inc., all in the United States), we use the UK's International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) plus any required supplementary measures to ensure equivalent protection. See the sub-processor list for region-by-region detail.

6. How long we keep it

DataRetention
Active user accountFor the life of the account, plus 30 days after deletion
Audit log of user actions7 years rolling, consistent with the UK Health & Safety retention carve-out (LOLER / PUWER / RIDDOR) invoked at Section 7
Notification log (sends, failures)12 months rolling
Asset records — statutory inspections (LOLER, PUWER, wire rope) and services5 years from the date of the record, aligned with UK H&S retention practice
Asset records — pre-use safety checks2 years from the date of the record
Lock-out / tag-out recordsPer Customer policy and UK H&S retention rules (typically 5 years)
Asset telemetry (machine data)Full-resolution telemetry retained for a minimum of 30 days on the dashboard; aggregated / summary history (hourly and coarser) retained for longer. Extended full-resolution retention available by arrangement.
Server logs (hosting and infrastructure providers)Per provider defaults — typically 7–30 days

At the end of the contract with a Customer, we return or delete the Customer's personal data within 30 days, subject to retention obligations imposed by law on either party.

7. Your rights

Under UK GDPR you have the right to:

8. Security

Technical and organisational measures we apply:

Technical detail for your security team: see our public security overview page and the Annex 3 (Security Measures) of our DPA.

9. Automated processing and AI features

Pointnode offers an optional set of AI features, marketed as the Asset Intelligence add-on. These are:

What data is sent, and to whom

To generate this analysis we send a bounded amount of context to two AI sub-processors, both in the United States and both engaged under the EU Standard Contractual Clauses / UK International Data Transfer Agreement (see the sub-processor list):

We do not send payment data, account credentials, or any personal data beyond what a user chooses to type into a question or upload as a document. This processing is separate from Pointnode's own engineering use of AI tooling, which does not touch production Customer data.

When these features run

The per-asset AI features (an asset's briefing, and the AI Engineer scoped to a single asset) require the paid Asset Intelligence add-on to be enabled for that asset. No asset context is sent to Anthropic or Voyage for an asset that does not have the add-on switched on. Certain fleet-level features — for example a fleet-wide briefing or a fleet-scoped AI Engineer available to an organisation's administrators — may run for an organisation whether or not individual assets carry the add-on.

Automated decision-making

These features are advisory and human-in-the-loop. They produce analysis and suggestions about equipment for a person to review and act on; they do not make automated decisions, and they do not produce legal or similarly significant effects concerning an individual. Accordingly, they do not constitute solely automated decision-making under UK GDPR Article 22. AI-generated output can be incomplete or wrong and must not be relied on as a substitute for a competent person's judgement or a statutory inspection.

10. Cookies

We use essential, strictly-necessary cookies only — no advertising, analytics, or tracking cookies — so no consent banner is required under the Privacy and Electronic Communications Regulations (PECR). Every cookie we set is first-party and needed for the service to function or to keep it secure. They fall into these categories:

You can clear cookies in your browser settings; you will need to sign in again afterwards.

11. Children

Pointnode is a workplace tool intended for adults using or managing industrial equipment. We do not knowingly collect personal data from anyone under 18.

12. Personal data breaches

If a personal data breach occurs that is likely to result in a risk to rights and freedoms, we will:

Where Pointnode is acting as Processor, the affected Customer (Controller) is responsible for any onward notification to the ICO and to data subjects.

13. Changes to this policy

Material changes will be notified by email to org admins at least 30 days before they take effect. The current version is always at this URL with a "Last updated" date at the top.

14. Contact

Privacy queries, data subject requests, and matters that would otherwise be addressed to a Data Protection Officer: privacy@pointnode.io. (Pointnode has not formally appointed a DPO because the platform does not meet the UK GDPR Article 37 thresholds for mandatory appointment; the privacy mailbox is monitored by senior engineering staff.)
Pointnode Ltd, registered in England and Wales (Company No. 13338758).