Your data. Your terms.
We built Nudge because behaviour change is deeply personal — and the data behind it even more so. This policy explains exactly what we collect, why we collect it, and the rights you have over it. No dark patterns. No buried clauses.
1. The short version
- We collect the minimum data needed to coach you well — nothing more.
- We never sell your data. Ever. There is no advertising business here.
- Your chats with the coach are encrypted in transit and at rest.
- You can export everything, or delete everything, from inside the app.
- We use a small number of trusted sub-processors. They are listed below.
2. Who we are
Nudge is operated by Nudge Labs (“Nudge”, “we”, “us”). For any privacy questions or requests, write to privacy@nudgeai.life. We respond within 7 working days.
3. What we collect
Account data
Your email, display name, and authentication tokens. This is what lets you sign in and lets us reach you if something breaks.
Coaching data
The habits you set, your check-ins, reflections, and messages with the coach. This is the raw material the coach uses to understand your patterns and tailor nudges.
Device & usage signals
Approximate timezone, app version, crash logs, and anonymous usage events (e.g. “opened daily check-in”). We use these to fix bugs and improve the product. They are not tied to advertising identifiers.
Optional integrations
If you connect HealthKit, Google Fit, or a calendar, we only request the specific scopes shown to you, and we store only the derived signal (e.g. “slept under 6 hours”) — not the raw stream.
4. How we use it
- To deliver the coaching experience you signed up for.
- To send you reminders, nudges, and weekly reviews you have enabled.
- To improve the product — bug fixes, performance, and new features.
- To keep the service safe (abuse prevention, rate limiting, fraud signals).
- To comply with law where we are legally required to.
We do not use your coaching content to train third-party foundation models. Where we use AI providers, we use enterprise endpoints with zero-retention agreements.
5. Legal basis (GDPR)
We rely on contract to deliver the service to you, legitimate interest for product analytics and security, and consent for optional integrations and marketing emails. You can withdraw consent at any time without affecting service quality.
6. Sharing & sub-processors
We use a small set of vendors to run Nudge. Each is bound by a DPA:
- Supabase — primary database & auth (EU region)
- Cloudflare — edge delivery & DDoS protection
- Anthropic / OpenAI — model inference, zero-retention
- Resend — transactional email
- Sentry — crash & error monitoring (PII scrubbed)
7. Where your data lives
Primary storage is in the EU (Frankfurt). Inference may be served from the US under standard contractual clauses. We do not store data in jurisdictions that lack an adequacy decision or equivalent safeguards.
8. Retention
- Active accounts: we keep data for as long as you use Nudge.
- Inactive accounts: we warn you after 12 months of no use and delete the account after 18 months.
- Deleted accounts: hard-deleted within 30 days, with backups expiring within 90 days.
9. Your rights
You can, at any time:
- Access a copy of your data (Settings → Export).
- Correct anything that is wrong.
- Delete your account and all associated data.
- Object to or restrict specific processing.
- Lodge a complaint with your local data protection authority.
10. Children
Nudge is not designed for, or directed at, anyone under 16. If you believe a child has created an account, write to us and we will remove it.
11. Changes to this policy
If we make a material change, we will notify you in the app and by email at least 30 days before it takes effect. Continued use after that constitutes acceptance.
12. Contact
Questions, requests, or pushback — privacy@nudgeai.life. A human will read it.