Nudge← Back
Legal

Privacy Policy

Last updated: April 8, 2026

Your privacy matters. This policy explains what data Nudge collects, why we collect it, and how we protect it. We keep it short and honest.

Information We Collect

  • Account data: email address and display name when you register.
  • Habit data: titles, schedules, descriptions, and logs you create inside the app.
  • Usage data: streaks, XP, completion rates, and app interaction events used to personalise AI notifications.
  • Device token: your Expo push notification token, stored solely to deliver reminders to your device.
  • OAuth data: if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
  • We do not collect precise location, contacts, financial information, health data, or any sensitive personal data.

How We Use Your Information

  • To deliver your habit reminders at the scheduled time via push notification.
  • To generate personalised AI notification messages using your streak and log history (processed by OpenAI — see Third-Party Services).
  • To display your XP, streaks, and achievements inside the app.
  • To maintain your account and authenticate your sessions.
  • We do not sell your data. We do not use your data for advertising. We do not share your data with data brokers.

Third-Party Services

  • OpenAI (privacy policy: openai.com/policies/privacy-policy): notification messages are generated using OpenAI's API. Only habit title, description, and anonymised stats (streak length, completion rate) are sent — no name, email, or identifiable information. OpenAI does not retain API inputs for model training per their data usage policy.
  • Expo / Expo Push Notification Service (privacy policy: expo.dev/privacy): push tokens and notification payloads are routed through Expo's servers to Apple APNs and Google FCM.
  • Google Firebase (FCM) (privacy policy: firebase.google.com/support/privacy): used for Android push notification delivery.
  • PostgreSQL database hosted on Railway: your data is stored in an encrypted database. Data is hosted in the United States.

Push Notifications

  • Nudge uses push notifications to send habit reminders. You can revoke notification permission at any time in your device Settings → Apps → Nudge → Notifications.
  • Disabling notifications will stop reminders but will not delete your account or data.
  • We store your device push token to route notifications to your specific device. This token is deleted when you delete your account.

Data Retention & Deletion

  • Your account and habit data is retained for as long as your account is active.
  • In-app deletion: Settings → Account → Delete Account. All associated data is permanently deleted within 30 days.
  • Web deletion request: email contact@nudge.ai-app.dev with subject line 'Account Deletion Request' and your registered email address. We will process the request within 30 days.
  • Push notification tokens are deleted when your account is deleted or when your device unregisters.

Data Storage & Transfers

  • Your data is stored on servers located in the United States.
  • If you are located outside the United States, your data will be transferred to and processed in the United States. By using Nudge, you consent to this transfer.
  • We use industry-standard safeguards including HTTPS/TLS encryption in transit and AES-256 encryption at rest.

Your Rights (GDPR — EU/EEA Users)

  • Access: request a copy of your personal data by emailing contact@nudge.ai-app.dev.
  • Deletion: delete your account in-app or via email request (see Data Retention & Deletion above).
  • Correction: update your profile information in app Settings.
  • Portability: request a full data export in JSON format by emailing us.
  • Objection: you may object to processing based on legitimate interests by contacting us.
  • You have the right to lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France).

Your Rights (CCPA — California Users)

  • California residents have the right to know what personal information is collected, disclosed, or sold.
  • We do not sell personal information.
  • You have the right to request deletion of your personal information (see Data Retention & Deletion above).
  • You have the right to non-discrimination for exercising your privacy rights.
  • To exercise any CCPA right, contact us at contact@nudge.ai-app.dev.

Security

  • Passwords are hashed with bcrypt and never stored in plaintext.
  • All API communication uses HTTPS/TLS encryption.
  • JWT tokens are signed and expire after 30 days.
  • Database connections use encrypted transport (SSL/TLS).
  • We regularly review our security practices, but no method of transmission over the internet is 100% secure.

Children's Privacy

  • Nudge is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children under these ages.
  • If you believe we have inadvertently collected such information, contact us immediately at contact@nudge.ai-app.dev and we will delete it promptly.

Changes to This Policy

  • We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 7 days before they take effect.
  • The 'Last updated' date at the top of this page reflects the most recent revision.

Contact

  • For any privacy questions, data requests, or concerns, contact us at contact@nudge.ai-app.dev.
  • We aim to respond to all privacy requests within 30 days.