Privacy Policy

Last updated: October 2025

Summary (TL;DR)

  • ✅ We only collect data necessary to provide our service
  • ✅ No cookies, no cross-site tracking, no advertising
  • ✅ Your data is hosted in the EU
  • ✅ You control your customer data - you're the controller, we're the processor
  • ✅ You can export or delete your data anytime
  • ✅ We comply with GDPR and take security seriously
  • ✅ Contact [email protected] for any data protection questions

At Nudge, we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your personal data when you use our WhatsApp marketing automation platform.

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Nudge

Aldo Roman

Email: [email protected]

For data protection inquiries, please contact us at [email protected].

2. What Data We Collect

2.1 Merchant Data (You)

When you register for Nudge, we collect:

  • Account information: email address, name, password (hashed)
  • Store information: ecommerce platform (Shopify/Medusa/WooCommerce), store URL
  • WhatsApp Business API credentials: Business Account ID, Phone Number ID, Access Token
  • Billing information: payment method details (processed by Mollie)
  • Usage data: messages sent, campaigns configured, API usage

2.2 Customer Data (Your Customers)

When you use Nudge to send WhatsApp messages, we process:

  • Customer contact information: phone number, first name, last name, email
  • WhatsApp opt-in consent status and timestamp
  • Order data: order ID, total, items purchased (for message personalization)
  • Message history: messages sent, delivery status, customer replies

Important: You are the data controller for your customer data. We are the data processor acting on your behalf.

2.3 Analytics Data

  • We use Umami Analytics (privacy-friendly, open-source analytics)
  • Umami does NOT collect any personally identifiable information
  • No cookies are used for analytics
  • Only anonymized, aggregated data: page views, referrers, device types
  • All analytics data is anonymized and cannot be traced to individuals

2.4 Data We Don't Collect

  • No cookies - Our website does not use any cookies
  • No cross-site tracking - We don't track you across other websites
  • No advertising IDs - We don't use advertising identifiers
  • No IP address logging - Umami anonymizes IP addresses

3. How We Use Your Data

We use your data to:

  • Provide our service: Send WhatsApp messages on your behalf, manage campaigns, track message delivery
  • Process payments: Calculate usage costs, generate invoices
  • Customer support: Respond to your questions and technical issues
  • Improve our service: Analyze usage patterns (anonymized) to improve features
  • Comply with legal obligations: Tax reporting, fraud prevention

4. Legal Basis for Processing

We process your data based on:

  • Contract performance (GDPR Article 6(1)(b)): To provide the WhatsApp messaging service you signed up for
  • Legitimate interest (GDPR Article 6(1)(f)): To improve our service, prevent fraud, and ensure security
  • Legal obligation (GDPR Article 6(1)(c)): To comply with tax and accounting requirements
  • Consent (GDPR Article 6(1)(a)): Where we explicitly ask for your consent (e.g., marketing emails)

5. Third-Party Services & Data Processors

We use the following third-party services to provide our service:

Meta WhatsApp Business API

Purpose: Send WhatsApp messages to your customers

Data shared: Customer phone numbers, message content

Location: USA (covered by Standard Contractual Clauses)

Shopify

Purpose: Receive store data via API/webhooks (for Shopify merchants)

Data shared: Order data, customer data (as configured by merchant)

Location: USA/Canada

Hetzner Online GmbH

Purpose: Cloud hosting infrastructure

Data shared: All application data

Location: Germany (EU) - GDPR compliant

Cloudflare

Purpose: Content delivery network (CDN) and DDoS protection

Data shared: Request data (automatically anonymized)

Location: Global

Mollie

Purpose: Payment processing

Data shared: Payment information, billing details

Location: Netherlands (EU) - PCI DSS compliant

Umami Analytics

Purpose: Privacy-friendly website analytics

Data shared: Anonymized page views (no PII, no cookies)

Location: Self-hosted (EU)

We have Data Processing Agreements (DPAs) in place with all third-party processors to ensure GDPR compliance.

6. Data Retention

  • Account data: Retained while your account is active
  • Customer data: Retained while your account is active or as required by law
  • Message history: Retained for 90 days after account deletion (for billing/dispute resolution)
  • Billing records: Retained for 7 years (legal requirement)
  • Analytics data: Retained for 24 months (anonymized, aggregated only)

When you delete your account, we delete or anonymize your data within 90 days, except where we're legally required to retain it (e.g., for tax purposes).

7. Your Rights (GDPR)

Under GDPR, you have the following rights:

  • Right to Access: Request a copy of all data we hold about you
  • Right to Rectification: Correct any inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data (submit deletion request)
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

8. Data Security

We implement industry-standard security measures:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access, multi-factor authentication for staff
  • Regular security audits: Penetration testing and vulnerability scanning
  • Secure infrastructure: EU-hosted servers with physical security
  • API authentication: All API requests require authentication

9. International Data Transfers

Your data is primarily stored in the European Union (Germany) on Hetzner servers.

Some third-party services (Meta WhatsApp API, Shopify) may transfer data outside the EU. In these cases, we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for specific countries
  • Additional security measures as required by GDPR

10. Children's Privacy

Nudge is not intended for use by individuals under 16 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately at [email protected].

11. Your Responsibilities (Merchants)

As a Nudge merchant, you are the data controller for your customer data. You are responsible for:

  • Obtaining valid consent: Ensure customers have explicitly opted in to WhatsApp marketing
  • Privacy policy: Inform customers in your privacy policy that you use Nudge to send WhatsApp messages
  • Data accuracy: Ensure customer data you provide to Nudge is accurate
  • Respecting opt-outs: Honor customer unsubscribe requests (Nudge handles this automatically)

We provide a Data Processing Agreement (DPA) which defines our relationship as processor and your obligations as controller. Contact us at [email protected] to request a copy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

  • Update the "Last updated" date at the top
  • Notify you via email if changes are material
  • Post a notice in the dashboard

Continued use of Nudge after changes indicates acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Privacy Inquiries:

Email: [email protected]

Data Protection Officer:

Email: [email protected]

General Support:

Email: [email protected]