NUDGE — Personal Relationship Assistant

Effective Date: May 10, 2026

Last Updated: May 2026

Next Scheduled Review: May 10, 2027

Introduction

This Privacy Policy describes how Nudge Labs FZ-LLC (“Nudge”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you access or use the Nudge mobile application, website (www.nudgeapp.ae), and related services (collectively, the “Services”).

We are committed to safeguarding your privacy and handling your personal information in a transparent and responsible manner. This Privacy Policy is designed to comply primarily with the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), and additionally with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

By creating an account and using the Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. You must accept this Privacy Policy during the account registration process before using the Services.

Data Protection Officer and Human Safety Officer

We have appointed a Data Protection Officer (DPO) who also serves as our Human Safety Officer, responsible for overseeing data protection compliance, ensuring human oversight of automated data processing, and addressing any privacy-related concerns:

Data Protection Officer / Human Safety Officer

Name: Temitayo Olayiwola

Title: Managing Partner

Email: shay.nudge@gmail.com

The Data Protection Officer is responsible for:

• Monitoring compliance with UAE PDPL, GDPR, and other applicable data protection laws

• Providing advice on data protection impact assessments

• Acting as the contact point for data subjects and supervisory authorities

• Ensuring human oversight of algorithmic decision-making processes

• Reviewing and approving data processing activities

• Responding to data subject access requests within statutory timeframes

1. Information We Collect

We collect only the information necessary to provide and improve the Services, following the principle of data minimization. We do not collect more data than is required for the stated purposes.

1.1 Information You Provide Directly

Account Information: Name, email address, phone number, profile photo, and account credentials.

Profile Information: Bio, preferences, relationship goals, notification settings, and customization choices.

Relationship Data: Information about your relationships including:

• Contact details of people you add (names, phone numbers, email addresses, photos)

• Relationship types and categories (e.g., family, friends, colleagues)

• Connection frequency preferences and interaction goals

• Personal notes about contacts and conversations

• Important dates (birthdays, anniversaries, work anniversaries)

• Profession and workplace information for contacts

• “Close Circle” designations and priority settings

Interaction Logs: Records of your interactions including:

• Date, time, and method of contact (phone, text, email, in-person, social media)

• Duration of interactions (when provided)

• Notes and reflections about conversations

• Emotional mood reflections and quality ratings

• Tags and categories you assign to interactions

Gamification Data: Experience points (XP), achievement badges, streak information, quest progress, and challenge completions.

User-Generated Content: Quiz responses, relationship insights, and any content you create within the app.

1.2 Information from Third-Party Sources

Phone Contacts: When you grant permission, we import contact information from your device's address book, including names, phone numbers, email addresses, and photos.

Google Contacts: If you connect your Google account, we may import contacts via the Google Contacts API.

Gmail Interaction History: If you opt in, we may access email metadata (recipients, timestamps) from your Gmail account to help populate interaction history. We do not access email content or message bodies.

Call Logs (Android only): With your permission, we may access call log metadata to automatically track communication frequency. We do not record or access call content.

Calendar Data (Future Feature): We may integrate with Google Calendar or Outlook to identify social events and relevant dates.

Important Notice Regarding Third-Party Data: By importing contacts or interaction data, you represent and warrant that you have the legal right to share this information with us and that such sharing complies with applicable laws. We use third-party contact data solely to provide relationship management features. This data is never shared externally, sold, or used for any purpose other than providing the Services to you.

1.3 Information Collected Automatically

When you use the Services, we automatically collect:

Device Information: Device type, operating system, unique device identifiers, app version, and mobile network information.

Usage Data: Features accessed, actions taken, timestamps, session duration, and interaction patterns within the app.

Diagnostic Data: Crash reports, performance metrics, and error logs to improve app stability.

Push Notification Data: Delivery status and interaction with notifications.

2. How We Use Your Information

We use collected information only for the following specific purposes:

2.1 Service Provision

• To create and manage your account

• To provide personalized relationship nudges and reminders based on your preferences

• To display your Social Universe visualization and relationship insights

• To track and display gamification elements (streaks, XP, achievements, quests)

• To generate weekly/bi-weekly digest reports and reflections

• To deliver push notifications, email notifications, and in-app messages

2.2 Algorithmic Processing and Profiling

We use automated algorithms to analyze your interaction patterns and provide relationship insights. All algorithmic processing is subject to human oversight by our Data Protection Officer / Human Safety Officer. This processing includes:

Connection Depth Index (CDI): A score (0-100) that reflects the depth and quality of each relationship, calculated based on interaction frequency, recency, consistency, and your designated importance levels.

Circle Stability Score (CSS): A metric measuring reciprocity and balance in relationships, considering initiation patterns and interaction frequency.

Social Universe Positioning: Algorithm-driven placement of contacts in visual rings based on relationship closeness.

Staggered Scheduling: Intelligent distribution of nudges to prevent overwhelming you with reminders.

Needs Attention List: Automated identification of relationships that may be slipping based on interaction patterns.

These algorithms are designed to help you maintain relationships and do not make decisions with legal or similarly significant effects. You can view how scores are calculated within the app, adjust your preferences at any time, and request human review of any automated decision by contacting our Data Protection Officer.

2.3 Communication

• To send relationship reminders (“nudges”) via push notification or email

• To deliver milestone celebrations and achievement notifications

• To communicate service updates, security alerts, and administrative messages

• To respond to your inquiries and support requests

2.4 Improvement and Analytics

• To analyze usage trends and improve app performance

• To conduct research and development for new features

• To monitor and enhance service quality and security

• To generate aggregated, anonymized insights about usage patterns

2.5 Safety and Compliance

• To detect, prevent, and address technical issues, fraud, or security threats

• To enforce our Terms of Service

• To comply with legal obligations

3. Legal Basis for Processing (UAE PDPL and GDPR)

We process your personal information based on the following legal grounds, in accordance with UAE PDPL and GDPR requirements:

Contract Performance: Processing necessary to provide the Services you have requested and to fulfill our contractual obligations to you.

Consent: Where you have provided explicit consent, such as for importing contacts, accessing call logs, connecting third-party accounts, or receiving promotional communications. You may withdraw consent at any time by contacting our Data Protection Officer.

Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security, where such interests are not overridden by your rights.

Legal Obligations: Processing necessary to comply with applicable laws, regulations, or legal processes under UAE law or other applicable jurisdictions.

4. Data Minimization and Limiting Risk to Users

We are committed to minimizing the data we collect and reducing risks to our users:

Collection Limitation: We only collect data that is necessary for providing the Services. We do not collect sensitive personal data (such as health information, religious beliefs, or political opinions) unless explicitly provided by you in free-text notes.

Purpose Limitation: We use your data only for the specific purposes disclosed in this Privacy Policy. We do not use your data for purposes incompatible with those for which it was collected.

Access Controls: Only authorized personnel with a legitimate business need can access personal data. All access is logged and auditable.

No External Sharing: Your personal data and contact information are never sold, rented, or shared with third parties for their marketing purposes. Data sharing is limited strictly to service providers necessary for app functionality.

Anonymization: Where possible, we use anonymized or aggregated data for analytics and improvement purposes.

5. Sharing and Disclosure of Information

We do not sell, rent, or trade your personal information to third parties. We do not share your data externally except in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers who perform essential services on our behalf, under strict confidentiality obligations and data processing agreements. These include:

• Cloud Infrastructure: Google Cloud Platform (Firebase), Amazon Web Services (AWS)

• Authentication Services: Firebase Authentication

• Database Services: Cloud Firestore

• Push Notification Services: Firebase Cloud Messaging (FCM)

• Email Delivery Services: SendGrid

• Analytics and Crash Reporting: Firebase Analytics, Crashlytics

All service providers are contractually bound to protect your data and use it only for the purposes we specify. A complete list of our current data processors is available upon request by contacting shay.nudge@gmail.com.

5.2 Legal Requirements

We may disclose information only when required to comply with applicable UAE laws, regulations, legal processes, or enforceable governmental requests, or to protect the rights, property, or safety of Nudge, our users, or others.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the app of any such change and any choices you may have regarding your data.

5.4 With Your Consent

We may share information with third parties only when you explicitly consent to or direct such sharing, such as when using referral features or sharing achievement badges on social media.

6. International Data Transfers

Your information may be processed and stored on servers located outside the United Arab Emirates, including in the United States and other jurisdictions where our service providers operate.

Where we transfer personal data internationally, we implement appropriate safeguards to protect your information in compliance with UAE PDPL requirements, including:

• Standard Contractual Clauses approved by relevant authorities

• Adequacy decisions where applicable

• Binding Corporate Rules where applicable

• Your explicit consent where appropriate

For users in the United Arab Emirates, European Economic Area (EEA), or United Kingdom, we ensure that any transfer of personal data to countries without adequate data protection laws is accompanied by appropriate safeguards as required by UAE PDPL, GDPR, or UK GDPR respectively.

7. Data Security

We implement industry-standard administrative, technical, and organizational safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:

Encryption: Industry-standard encryption of data in transit (TLS/SSL) and at rest to protect your information during transmission and storage.

Secure Authentication: Multi-factor authentication options, secure PIN protection, and password hashing.

Access Controls: Role-based access controls limiting data access to authorized personnel only, with all access logged for audit purposes.

Security Monitoring: Regular security assessments, vulnerability scanning, and continuous monitoring for threats.

Infrastructure Security: Secure cloud infrastructure with industry-standard certifications (SOC 2, ISO 27001).

While we strive to protect your information using commercially reasonable and industry-standard measures, no security system is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify you and relevant authorities (including the UAE Data Office) as required by applicable law within the statutory timeframes.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Our retention periods are as follows:

8.1 Active Account Data

While your account remains active, we retain all data necessary to provide the Services. You may delete specific data (such as contacts, notes, or interaction logs) at any time through the app.

8.2 After Account Deletion

When you delete your account, we process your data as follows:

• Personal identifiers and contact data: Deleted within 30 days

• Interaction logs and relationship data: Deleted within 30 days

• Anonymized analytics data: May be retained indefinitely

• Legal and compliance records: Retained for 2 years from deletion date for legal compliance, dispute resolution, and fraud prevention purposes

• Backup data: Purged from backup systems within 90 days

8.3 Legal Retention Requirements

Certain data may be retained longer where required by UAE law or other applicable legal obligations, including tax records, transaction history, and data subject to legal holds.

9. Children's Privacy

The Services are intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under the age of 18.

By creating an account, you represent and warrant that you are at least 18 years old and have the legal capacity to enter into this agreement.

If we become aware that we have collected personal data from an individual under 18, we will take prompt steps to delete such information within 48 hours of discovery. If you believe we have inadvertently collected information from a minor, please contact our Data Protection Officer immediately at shay.nudge@gmail.com.

10. Your Rights and Choices

Under UAE PDPL and other applicable data protection laws, you have the following rights regarding your personal information:

10.1 Access and Information

• The right to know what personal data we hold about you

• The right to request a copy of your personal data

• The right to know the categories of sources from which data is collected

• The right to know the purposes for which data is used

10.2 Correction and Rectification

• The right to request correction of inaccurate personal data

• The right to complete incomplete personal data

10.3 Deletion and Erasure

• The right to request deletion of your personal data

• The right to have your account permanently removed

Note: Certain data may be retained for the periods specified in Section 8 as required by law or for legitimate business purposes.

10.4 Data Portability

• The right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)

• The right to transmit that data to another service provider where technically feasible

10.5 Restriction and Objection

• The right to restrict processing of your personal data in certain circumstances

• The right to object to processing based on legitimate interests

• The right to object to automated decision-making and profiling

• The right to request human review of any automated decision

10.6 Consent Withdrawal

• The right to withdraw consent at any time where processing is based on consent

• The right to opt out of promotional communications

• The right to revoke third-party access permissions (contacts, calendar, etc.)

10.7 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

• Email: shay.nudge@gmail.com

We will acknowledge your request within 7 days and respond fully within the timeframe required by applicable law (30 days under UAE PDPL, extendable by an additional 30 days for complex requests). We may need to verify your identity before processing your request. If we cannot fulfill your request, we will explain why in writing.

10.8 Complaints

If you believe your privacy rights have been violated, you have the right to lodge a complaint with a supervisory authority. For users in the UAE, this is the UAE Data Office. For users in the EU, this is your local Data Protection Authority.

11. Cookies and Similar Technologies

We may use cookies or similar technologies on our website (www.nudgeapp.ae) to enhance functionality, analyze usage, and improve the Services. These technologies may collect information about your browsing behavior and preferences.

You may control cookie preferences through your browser settings. Please note that disabling cookies may affect the functionality of certain features.

Our mobile applications may use similar tracking technologies such as device identifiers and mobile analytics SDKs to provide and improve our Services.

12. Third-Party Links and Services

The Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the addition of new features or data processing activities.

When we make material changes, we will:

• Post the updated policy within the Services with a new effective date

• Notify you via email and/or in-app notification at least 14 days before significant changes take effect

• Obtain your renewed consent where required by applicable law

• Maintain a clear version history of all policy changes

If we introduce new features that require additional data collection or processing, we will notify you before collecting such data and obtain your consent where required.

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.

14. Annual Policy Review

This Privacy Policy is subject to annual review by our Data Protection Officer to ensure continued compliance with applicable laws and alignment with our data processing practices.

The next scheduled review date is: May 10, 2027 (anniversary of the policy effective date).

Reviews will assess:

• Changes in applicable data protection laws (UAE PDPL, GDPR, CCPA)

• New features or data processing activities introduced

• Updates to our service providers and data processors

• Security measures and incident response procedures

• Data subject requests and complaints received

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Nudge Labs FZ-LLC

Data Protection Officer: Temi Cotek, Managing Partner

Email: shay.nudge@gmail.com

Website: www.nudgeapp.ae

For all data protection inquiries, including UAE PDPL, GDPR, and CCPA requests, please contact our Data Protection Officer at the email address above.

16. Jurisdiction-Specific Provisions

16.1 United Arab Emirates (Primary Jurisdiction)

This Privacy Policy is governed primarily by UAE law, specifically the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL). For users in the UAE:

• You have the right to access, correct, and delete your personal data

• You have the right to object to processing in certain circumstances

• You have the right to data portability

• Our designated Data Protection Officer for UAE PDPL matters is Temi Cotek (shay.nudge@gmail.com)

• Complaints may be directed to the UAE Data Office

16.2 European Economic Area and United Kingdom

For users in the EEA or UK, we process personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR. The legal bases for processing are described in Section 3. You have rights as described in Section 10, including the right to lodge a complaint with your local Data Protection Authority.

16.3 California, USA

For California residents, this Privacy Policy is designed to comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). You have the right to:

• Know what personal information is collected, used, shared, or sold

• Delete personal information held by us

• Opt out of sale or sharing of personal information (we do not sell personal information)

• Non-discrimination for exercising your privacy rights

To exercise your CCPA rights, contact us at shay.nudge@gmail.com.

16.4 Other Jurisdictions

If you are located in another jurisdiction with data protection laws, we will comply with applicable local requirements. Please contact our Data Protection Officer if you have questions about how we handle data in your jurisdiction.

Acceptance

By creating an account and using the Nudge Services, you confirm that you have read, understood, and agree to be bound by this Privacy Policy. This acceptance is recorded as part of the account registration process.

Document History

Version

Date

Description

1.0

February 2026

Initial draft

2.0

May 2026

Legal review: Added DPO/Human Safety Officer, UAE PDPL focus, data minimization, retention periods, annual review, encryption details, no external sharing clause