Privacy Policy
How we collect, use, and protect your data.
This Privacy Policy explains how Nudge (“we”, “us”, “our”) collects, uses and protects personal data when you use our website, web app and mobile apps (the “Service”). We comply with the EU General Data Protection Regulation (GDPR).
1. Who we are
Nudge is operated by Zorzen Studios, a sole proprietorship (eenmanszaak) established in the Netherlands. Zorzen Studios is the data controller for the purposes of the GDPR.
- Email: privacy@nudgeworks.app
2. What data we collect
We collect only what we need to provide and improve the Service.
2.1 Account data
- Name (optional), email address, authentication identifiers
- Space membership and roles you configure
2.2 Usage data
- Interactions with tasks, assignments, completions and reminders
- Aggregated analytics about feature usage and performance
2.3 Device and technical data
- Device type, OS version, app version, language and time zone
- Log data necessary for security and debugging (e.g. error events)
2.4 Payment data
- Subscription status, plan, billing period and invoices
- Payment card details are processed by our payment provider (Stripe) and are not stored by us
2.5 Telegram integration (optional)
- If you choose to connect your Telegram account, we store your Telegram chat ID solely to deliver task notifications to you via Telegram.
- We do not read your Telegram messages or access any Telegram data beyond what is necessary to send you notifications you requested.
- You can disconnect Telegram at any time from the app (Settings → Notifications), which removes your chat ID from our systems.
2.6 Communications
- Messages you send to support, feedback, and administrative emails
2.7 Ambassador program data (only if you join)
If you register for the Nudge Ambassador Program, we collect additional data needed to track your referrals and pay your commission:
- Profile data: your chosen handle (e.g. fairjames — this becomes part of your public referral URL nudgeworks.app/join/fairjames), your display name, the date you joined the program, and a record of your acceptance of the Ambassador Terms (the date and version accepted).
- Payout details: depending on the method you choose, either your PayPal email address or your IBAN (international bank account number). We use these only to send you commission payments owed under the Ambassador Terms. You can update them at any time from your ambassador dashboard. We retain payout records under §7.5 for tax and audit reasons, even after you leave the program.
- Referral attribution: when someone signs up using your link or code, we link their account to yours in our database so commission can be calculated. We never disclose their email, name, or contact details to you — your dashboard shows only an anonymised display name and the plan they are on.
- Earnings and payout history: monthly commission rows, milestone bonuses, payout requests and their status, and (when paid) the payment reference number. This is visible to you on your dashboard and to authorised Nudge personnel for accounting purposes.
Payout details are stored in our Supabase database. Access is controlled by Postgres row-level security and our service-role boundary, so only you and authorised Nudge personnel processing payouts can read them. We never share them with other ambassadors or any third party, except the payment rail used to actually send a payment (i.e. your bank or PayPal). General security measures we apply to all personal data are described in §9 below.
3. Legal basis for processing
We process personal data under the following GDPR legal bases:
- Article 6(1)(b) — performance of a contract (providing the Service)
- Article 6(1)(f) — legitimate interests (security, fraud prevention, service improvement)
- Article 6(1)(a) — consent (where required, e.g. certain optional communications)
- Article 6(1)(c) — legal obligation (e.g. accounting and tax)
4. How we use data
- Provide, maintain and support the Service
- Operate fairness features, assignments and analytics you request
- Secure accounts, prevent abuse and investigate incidents
- Process subscriptions, invoices and payment status
- Communicate important service and policy updates
- Improve performance, reliability and usability
- For ambassadors only: calculate referral commissions, send commission payments, and maintain audit records for tax and legal compliance
5. Data sharing and processors
We share personal data only with trusted service providers (“processors”) who help us run the Service:
- Supabase — database, authentication and storage
- Stripe — payments, billing and invoices
- Zoho — transactional email delivery
- Google Analytics — analytics and usage tracking
- Telegram — optional notification delivery (only if you connect your Telegram account); governed by Telegram's Privacy Policy
- PayPal / your bank — only for ambassadors who have chosen those payout methods, and only at the moment we send you a commission payment. We do not share ambassador payout details with any other party.
Where required, we use the EU Standard Contractual Clauses (SCCs) and other GDPR-appropriate safeguards with these providers.
6. International transfers
Some providers may process data outside the European Economic Area. In those cases, we rely on appropriate safeguards such as SCCs, and we implement additional technical and organizational measures where necessary.
7. Data retention
7.1 Tasks and spaces
- Task templates, occurrences, assignments and related operational data are kept while your space exists and you use the Service. They are removed when you delete them, when a space is deleted, or when account deletion removes spaces where you are the only member.
- If you are a member of a shared space with others, deleting your account removes your membership and profile data from that space; it does not delete the space or other members' data.
7.2 Photo proof (optional completion photos)
- If your plan includes photo proof, completion images are stored in our infrastructure (object storage) and linked to the task occurrence.
- After a task is marked completed, we retain the photo for up to 90 days, then automatically delete the file and clear the reference in our database (scheduled processing).
- If you delete a task or space sooner, we remove associated photos as part of that deletion where technically applied.
7.3 Analytics
Historical analytics and exports may be limited by your subscription plan (e.g. how many months of history are available). That limit is a product setting, not the same as deletion of underlying personal data.
7.4 Account deletion and recovery
- You can delete your account from the app settings, or follow the step-by-step guide at /delete-account. When you confirm deletion, we immediately hide your profile, sign you out of all devices, and schedule your data for permanent removal.
- Recovery Window: To prevent accidental data loss, we retain your account data in a deactivated state for 30 days. You can cancel the deletion request at any point during this window by simply logging back into the app.
- Permanent Erasure: If you do not recover your account within 30 days, we permanently erase or anonymize your personal data as described in sections 7.1–7.2.
- Copies in backups held by our processors may persist for a limited additional period and are purged according to the provider's standard retention cycles.
7.5 Financial and legal retention
- Financial records (invoices, tax-related records): retained for up to 7 years as required under Dutch law.
- Ambassador payout details (PayPal email or IBAN), earnings rows, payout requests, and payment references are likewise retained for up to 7 years after the last commission was paid, for tax and audit compliance — even if you leave the Ambassador Program. You can request earlier removal where Dutch tax law permits; financial records that we are legally required to keep will be retained for the full statutory period.
8. Your rights
Under GDPR (Articles 15–21), you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion (“right to be forgotten”)
- Restrict processing in certain cases
- Object to processing based on legitimate interests
- Data portability (export your data where applicable)
- Withdraw consent at any time (where processing is based on consent)
You can exercise your rights by emailing privacy@nudgeworks.app.
9. Security
We use industry-standard security measures, including TLS in transit, strong encryption at rest (e.g. AES-256 where applicable), and database-level access controls such as Row Level Security (RLS). We also apply least-privilege access internally.
10. Children
The Service is not intended for children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes
We may update this policy from time to time. We will post the updated version on this page and adjust the “Updated” date.
12. Contact
For privacy questions or requests, contact us at privacy@nudgeworks.app.