Nudgexa

GDPR Compliance

Last updated March 1, 2026

Questions? Email us at [email protected] or visit our contact page. Also see our Privacy Policy.

Introduction

Nudgexa is committed to protecting the personal data of our users and their customers in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR as retained in UK law.

This page explains our legal basis for processing personal data, your rights as a data subject, and how we fulfil our obligations as both a data controller and a data processor.

Our role under GDPR

Nudgexa operates in two distinct capacities depending on the context:

  • Data controller: When we collect and process your personal data to manage your account, process payments, and communicate with you, we act as the data controller. We determine the purposes and means of that processing.
  • Data processor: When we process personal data about your customers (e.g. their name, email address, invoice details) in order to send payment reminders on your behalf, we act as a data processor. You, as the Nudgexa customer, are the data controller for that data.

As a data controller for your customers' data, you are responsible for ensuring you have a lawful basis to share that data with us and to send them automated emails.

Lawful basis for processing

We rely on the following lawful bases under Article 6 GDPR:

  • Contract performance: Processing your account data, billing information, and connected account tokens is necessary to perform the contract we have with you (Article 6(1)(b)).
  • Legitimate interests: We process usage data, audit logs, and technical data to operate, secure, and improve the Service. Our legitimate interest is balanced against your rights and freedoms (Article 6(1)(f)).
  • Legal obligation: We may retain certain financial records to comply with applicable law, such as tax and accounting requirements (Article 6(1)(c)).
  • Consent: Where we send optional communications (e.g. product updates), we will obtain your consent first and provide a simple way to withdraw it (Article 6(1)(a)).

Your rights as a data subject

Under GDPR you have the following rights regarding your personal data held by Nudgexa:

  • Right of access (Art. 15): You may request a copy of all personal data we hold about you, along with information on how it is processed.
  • Right to rectification (Art. 16): You may request correction of any inaccurate or incomplete personal data without undue delay.
  • Right to erasure (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent, subject to legal retention obligations.
  • Right to restriction (Art. 18): You may ask us to restrict processing of your data in certain circumstances, such as while a dispute is being resolved.
  • Right to portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format to transfer to another controller.
  • Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
  • Rights regarding automated decisions (Art. 22): Nudgexa does not make solely automated decisions with significant legal or similarly significant effects on individuals.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.

International data transfers

Where we transfer personal data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR:

  • Stripe: Stripe operates under Standard Contractual Clauses (SCCs) and is certified under applicable data transfer frameworks for transfers to the United States.
  • Square: Square operates under Standard Contractual Clauses (SCCs) for transfers outside the UK or EEA where applicable.
  • QuickBooks: QuickBooks operates under Standard Contractual Clauses (SCCs) for transfers outside the UK or EEA where applicable.
  • Email delivery provider: Our email delivery provider operates under SCCs or an adequacy decision where applicable.

We do not transfer your personal data to countries without an adequacy decision or appropriate safeguards.

Data retention

We retain personal data only for as long as necessary for the purposes set out in our Privacy Policy:

  • Account data: Retained for the duration of your account. Deleted within 30 days of a verified erasure request or account closure.
  • Billing records: Retained for up to 7 years to comply with financial and tax obligations, even after account closure.
  • Audit & reminder logs: Retained for the duration of your subscription to power your dashboard. Deleted on account closure.
  • Anonymised data: Aggregated, non-identifiable usage statistics may be retained indefinitely, as they do not constitute personal data.

Data processing agreement

If you are subject to GDPR and use Nudgexa to process personal data of your customers, a Data Processing Agreement (DPA) governs that relationship, as required by Article 28 GDPR.

By accepting these Terms and using the Service, you agree to the Nudgexa DPA, which forms part of the contract between us. The DPA sets out the subject matter, duration, nature, and purpose of the processing we carry out on your behalf.

To request a signed copy of the DPA or to discuss specific data processing requirements, contact us at [email protected].

Technical & organisational measures

As required by Article 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Personal data stored in our database is encrypted at rest.
  • Access controls: Access to production systems and personal data is restricted to authorised personnel on a need-to-know basis.
  • HTTP-only cookies: Authentication tokens are stored in HTTP-only cookies to mitigate XSS attacks.
  • Breach notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, where required by GDPR.

Right to lodge a complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority.

  • UK: Information Commissioner's Office (ICO), ico.org.uk
  • EU: Your local Data Protection Authority (DPA) in your EU member state of residence.

We would appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please reach out to us at [email protected].

Contact & DPO

Nudgexa does not currently meet the threshold requiring a formally appointed Data Protection Officer (DPO). All data protection enquiries are handled directly by our team.

For any GDPR-related questions, requests, or concerns, contact us at [email protected] or use our contact page. We aim to respond to all requests within 30 days.