Privacy Policy
This Privacy Policy explains how Nudge (“we”, “us”, “our”) collects, uses and protects personal data when you use our website, web app and mobile apps (the “Service”). We comply with the EU General Data Protection Regulation (GDPR).
1. Who we are
The data controller is Nudgeworks B.V. (the “Controller”), a company established in the Netherlands.
- Email: privacy@nudgeworks.app
2. What data we collect
We collect only what we need to provide and improve the Service.
2.1 Account data
- Name (optional), email address, authentication identifiers
- Space membership and roles you configure
2.2 Usage data
- Interactions with tasks, assignments, completions and reminders
- Aggregated analytics about feature usage and performance
2.3 Device and technical data
- Device type, OS version, app version, language and time zone
- Log data necessary for security and debugging (e.g. error events)
2.4 Payment data
- Subscription status, plan, billing period and invoices
- Payment card details are processed by our payment provider (Stripe) and are not stored by us
2.5 Communications
- Messages you send to support, feedback, and administrative emails
3. Legal basis for processing
We process personal data under the following GDPR legal bases:
- Article 6(1)(b) — performance of a contract (providing the Service)
- Article 6(1)(f) — legitimate interests (security, fraud prevention, service improvement)
- Article 6(1)(a) — consent (where required, e.g. certain optional communications)
- Article 6(1)(c) — legal obligation (e.g. accounting and tax)
4. How we use data
- Provide, maintain and support the Service
- Operate fairness features, assignments and analytics you request
- Secure accounts, prevent abuse and investigate incidents
- Process subscriptions, invoices and payment status
- Communicate important service and policy updates
- Improve performance, reliability and usability
5. Data sharing and processors
We share personal data only with trusted service providers (“processors”) who help us run the Service:
- Supabase — database, authentication and storage
- Stripe — payments, billing and invoices
- Resend — transactional email delivery
Where required, we use the EU Standard Contractual Clauses (SCCs) and other GDPR-appropriate safeguards with these providers.
6. International transfers
Some providers may process data outside the European Economic Area. In those cases, we rely on appropriate safeguards such as SCCs, and we implement additional technical and organizational measures where necessary.
7. Data retention
- Account and operational data: retained while you use the Service, then deleted or anonymized.
- Deletion requests: we aim to delete personal data within 30 days, unless we must retain it longer for legal reasons.
- Financial records (invoices, tax-related records): retained for up to 7 years as required under Dutch law.
8. Your rights
Under GDPR (Articles 15–21), you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion (“right to be forgotten”)
- Restrict processing in certain cases
- Object to processing based on legitimate interests
- Exercise data portability (export your data where applicable)
- Withdraw consent at any time (where processing is based on consent)
You can exercise your rights by emailing privacy@nudgeworks.app.
9. Security
We use industry-standard security measures, including TLS in transit, strong encryption at rest (e.g. AES-256 where applicable), and database-level access controls such as Row Level Security (RLS). We also apply least-privilege access internally.
10. Children
The Service is not intended for children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes
We may update this policy from time to time. We will post the updated version on this page and adjust the “Updated” date.
12. Contact
For privacy questions or requests, contact us at privacy@nudgeworks.app.