Privacy.
Last updated · 13 May 2026 · v1.1
Nudgey looks at your money so you don't have to keep track. We built it on a principle: what you give us, you keep. This page is how we hold ourselves to that — plainly, and then in the legal version too.
The short version
- Your SMS messages and the transactions Nudgey reads from them stay on your phone. We never see them.
- When you chat with Nudgey (Mode 2), we ask first — and we only send bucketed signal (e.g., "transport down this week"), never raw amounts, merchants, or dates.
- Nudgey (the app and this website) is owned and operated by Riverbank Solutions Ltd, a registered Kenyan company, licensed as a Data Controller with the Office of the Data Protection Commissioner.
- You can ask us what we hold, ask us to delete it, or take it elsewhere — at any time. Email privacy@thenudgey.com.
1. Who we are.
Nudgey — both the mobile app and this website at thenudgey.com — is owned and operated by Riverbank Solutions Ltd, a company registered in the Republic of Kenya. Riverbank is the data controller for the personal data described in this policy, and is registered as such with the Office of the Data Protection Commissioner (Kenya) under the Kenya Data Protection Act, 2019.
Controller of record
Riverbank Solutions Ltd
Company registration: CPR/2010/18968 (incorporated 3 March 2010 in Nairobi, under the Companies Act, Cap. 486)
Registered with the Office of the Data Protection Commissioner (Kenya) as a Data Controller, Serial No. 07560, Identification 880-918A-C5BC, valid 28 October 2024 – 28 October 2026.
Registered office: Suite B31, 3rd Floor, Silverpool Office Suites,
Jabavu Lane, Hurlingham,
Nairobi, Kenya
Telephone: +254 709 836 000
Trading as: Nudgey
Company / legal correspondence: info@riverbank.co.ke
Privacy requests (DPA / SARs / deletion): privacy@thenudgey.com
General product contact: hello@thenudgey.com
Our Data Protection Officer at this stage is the founder, Nick Mwendwa, reachable at privacy@thenudgey.com. We'll appoint a separate DPO when our processing scale crosses the threshold defined in section 24 of the Kenya Data Protection Act, 2019.
2. What data we handle, and where it lives.
We split this into two categories because they're treated very differently.
2.1 On-device only — your SMS and the transactions inside them
In plain language
Your bank and M-Pesa SMS messages are read by Nudgey directly on your phone, by a small AI model bundled inside the app.
The transactions Nudgey finds in those messages — amounts, merchants, dates, account balances, M-Pesa receipts — are also stored only on your phone, in an encrypted database that nobody (including us) can read without unlocking your phone.
None of this leaves your device. Not to our servers, not to anyone we work with. Ever.
The technical detail:
- SMS body content stays on the device. The Android system passes incoming SMS to Nudgey via a permission you grant; Nudgey processes them locally and never transmits them.
- Extracted transactions (amount, counterparty, account, timestamp, M-Pesa receipt code, balance, category, merchant name) are stored in a SQLCipher-encrypted local database. The encryption key is held in your phone's Android Keystore — it never leaves the device.
- Pattern analysis (your recurring bills, your typical spend windows, your money-out network) is computed on the device by reading the local transaction store.
- The on-device AI model (Gemma 3 1B int4, ~600 MB, bundled in the app) reads SMS and produces structured transaction data without making any network call.
This is enforced not just as a promise but as a type-system rule in our code: anything classified as a "Local-only type" (SMS bodies, transactions, conversations) cannot be sent to our servers — our build process fails if it ever tries.
For a longer explanation of why we need SMS access, what we read (and what we don't), and the alternatives we considered and rejected, see Why I read your SMS.
2.2 In the cloud — small amounts of account-shaped information
In plain language
To sign you in, send you OTPs, and remember which paid features you've unlocked, we hold a small amount of information about your account on cloud servers.
When you chat with Nudgey directly (we call this Mode 2), the typed conversation goes to an AI model in the cloud — but only after we strip out raw amounts, merchant names, and exact dates. We send buckets and patterns, not your financial life in clear text.
What this means in practice:
- Account information. Your phone number (used to sign you in via SMS one-time-password), the display name you choose, the device IDs of phones you've signed into, and your subscription status.
- Anonymized insights. The kind of bucketed signal that powers Mode 2 chat — e.g., transport_bucket: down_significantly_vs_last_week. We never put raw amounts, merchant names, M-Pesa receipts, exact account balances, or precise timestamps into anything that crosses to our servers.
- Mode 2 chat messages. What you type to Nudgey in Mode 2 goes to a cloud AI model (Anthropic Claude, via the Vercel AI Gateway) so it can reply meaningfully. The model is contractually prohibited from training on your data. You can leave Mode 2 at any time and your messages remain only in your local chat history; we keep cloud-side conversation logs for a maximum of 30 days for abuse-prevention and quality monitoring, after which they are deleted.
- Premium period-story narrative. If you subscribe to Nudgey Premium, your monthly recap narrative is generated by the same cloud AI model from anonymized bucket data only — never from raw amounts or merchant names.
- App usage events. Anonymized telemetry (Firebase Analytics) — screen views, taps, session length. No financial data. Tied to a random app-install ID, not to your phone number.
- Crash reports. If Nudgey crashes, a diagnostic report is sent to Firebase Crashlytics. Before it leaves your phone, we automatically scrub anything that looks like a phone number, an M-Pesa receipt code, or a transaction amount.
- Email events. If you opt into receiving emails from Nudgey (welcome notes, weekly Sunday Drops, monthly period stories), we record delivery/bounce/complaint events through our email provider so we know not to keep emailing addresses that bounce. No financial content is embedded.
- OTP delivery state. When we send you a one-time password via SMS, the verification session ID is stored for 5 minutes (then automatically deleted) so we can verify the code you type back. It is keyed by a one-way hash of your phone number, not by the phone number itself.
- Payment information. When you subscribe to Premium, payment is processed by our payment partner ZED. We do not see or store your card numbers, M-Pesa PIN, or full bank details — only a confirmation that payment succeeded and an internal subscription identifier.
- Optional Gmail connector. If you choose to connect your Gmail so Nudgey can email Sunday Drops, period stories, or Statement of Position summaries to your inbox, we store a Google OAuth token. The token's only permission is to send email from your Gmail address; we cannot read your inbox. You can revoke this connection at any time from your Google Account settings or from Nudgey's profile screen.
- Waitlist email (this website). If you joined our waitlist at thenudgey.com, your email is stored hashed (SHA-256) for deduplication, with a separate plaintext store accessible only for sending you the launch announcement. We send no other emails to waitlist addresses.
Where this cloud-side data physically lives: Firebase Firestore in the africa-south1 region (Johannesburg, South Africa) — chosen for low latency from Nairobi and POPIA residency, recognised as adequate under Kenya's DPA. Short-lived state (the 5-minute OTP session) is stored on Upstash Redis in the eu-west-1 region.
3. Why we process it (lawful basis).
Under Kenya's Data Protection Act, 2019 (DPA), every type of data we process has to have a lawful basis. Here are ours, by purpose:
- To sign you in and keep you signed in: performance of the contract you enter when you create a Nudgey account (DPA §30(1)(b)).
- To deliver the Nudgey app to you (in-app daily flows, the Sunday Drop, the pre-spend pause, period stories): performance of the contract (DPA §30(1)(b)).
- To monitor whether the app is crashing or laggy: our legitimate interest in operating a reliable service, balanced against your interest in privacy through our PII-scrubbing on crash reports (DPA §30(1)(f)).
- To send Mode 2 chat to a cloud AI model: your specific consent, given by tapping into Mode 2 and confirming the privacy notice that appears on your first Mode 2 entry (DPA §30(1)(a) and §32).
- To send you transactional emails (welcome note, OTP, account-recovery notices): performance of the contract (DPA §30(1)(b)).
- To send you Sunday Drops, period stories, or other regular email: your consent, given by tapping "Email me too" in the relevant in-app flow. You can withdraw consent at any time using the unsubscribe link in every email or in the app's profile screen (DPA §30(1)(a)).
- To send marketing email about Nudgey to people on the pre-launch waitlist: consent, given by submitting your email at thenudgey.com. We send one email when the app launches; that's the entire scope.
- To process payments for Premium: performance of the contract (DPA §30(1)(b)).
We do not sell personal data, share it for cross-context behavioural advertising, or use it to train external AI models.
4. Who we share it with.
These are the third parties (sub-processors) that touch personal data on our behalf. Each one has signed a data-processing agreement with us and is named here for transparency.
| Sub-processor | What they do for us | Where they process |
| --- | --- | --- |
| Google (Firebase) | Authentication identity store, Firestore database for account-level data, FCM push notifications, Crashlytics crash reports (PII-scrubbed), Analytics telemetry, Remote Config, App Check (Play Integrity attestation) | Firestore in africa-south1 (Johannesburg, ZA); other Firebase services have multi-region default infrastructure |
| Twilio Inc. | SMS delivery for one-time passwords during sign-in | US / Ireland (sender registration in Kenya) |
| Resend (Resend, Inc.) | Outbound transactional email — welcome, Sunday Drop, period story, Statement of Position summary | US, sending from eu-west-1 (Ireland) |
| Anthropic, PBC (via Vercel AI Gateway) | Cloud AI inference for Mode 2 chat and premium period-story narrative — receives anonymized bucket signal only, never raw transaction data | US datacenters |
| Vercel Inc. | Hosting for thenudgey.com, the API that sits between the mobile app and Firebase/Twilio/Resend/Anthropic, and the routing layer (Vercel AI Gateway) | Multi-region; primary edge region for this account is eu-west-1 |
| Upstash, Inc. (via Vercel Marketplace) | Short-lived state — OTP verification session IDs (5-minute TTL), waitlist email hashes | eu-west-1 (Ireland) |
| ZED | Processing premium subscription payments (M-Pesa / card) | Kenya (settlement) — see ZED's own privacy notice for their full processing surface |
| Google (Gmail API) | Optional — sending your Sunday Drops, period stories, and Statement of Position summaries from your own Gmail address (only if you opt in via the Gmail connector in profile settings) | Google global infrastructure; only invoked when you explicitly connect Gmail |
| Clerk, Inc. | Authentication for the Nudgey admin backoffice. Stores admin email + name + role for the Riverbank Solutions Ltd team. Does NOT receive any Nudgey user data — admin-team identity only. | US (SCCs) |
| Cloudflare, Inc. | DNS for thenudgey.com | Global anycast — no personal data passes through Cloudflare beyond connection metadata (IP) for serving the marketing site |
We don't add a new sub-processor without updating this page. The "Last updated" date at the top of this policy reflects the most recent change. If we add a sub-processor that would change how your data is processed materially, we'll also send a heads-up notice via the in-app conversation and (if you have email enabled) via email.
5. Cross-border data transfers.
Some of the sub-processors above are based outside Kenya. The DPA requires that data transferred outside Kenya be subject to appropriate safeguards. Here is how each transfer is grounded:
- Firebase Firestore in africa-south1 (Johannesburg, South Africa). South Africa is a POPIA jurisdiction recognised as having comparable data-protection standards to Kenya's DPA. This is the bulk of our cloud-side data.
- Twilio (US/Ireland). Twilio processes phone numbers under EU-US Data Privacy Framework certifications and Standard Contractual Clauses (SCCs) for non-EU transfers.
- Resend (US, sending from eu-west-1). Resend operates under SCCs and DPF.
- Anthropic (US). Anthropic processes data under SCCs. Importantly: Anthropic only receives anonymized bucket signal from us, not your raw transactions or personally-identifying information.
- Vercel and Upstash: data is held in EU/Ireland (eu-west-1), with US-based operating entities under SCCs.
- Clerk (US). Clerk operates under SCCs and is SOC 2 Type II certified. Clerk only sees admin-team identity (email, name, role) for the Riverbank Solutions Ltd team — never end-user Nudgey data.
- Google (Gmail OAuth): invoked only when you opt in. Google processes your token under their own DPA terms.
For each of these transfers, the cloud-side data is limited to the categories listed in section 2.2 — never your SMS messages and never raw transaction records.
6. Your rights under Kenya's DPA.
Under sections 26-29 of the Kenya Data Protection Act, 2019, you have the right to:
- Be informed of how your data is used — that's this page.
- Access a copy of the personal data we hold about you.
- Correct inaccurate or out-of-date data.
- Erase your personal data, subject to legal retention obligations.
- Object to processing for direct marketing.
- Withdraw consent that you previously gave (for Mode 2 chat, email subscriptions, the Gmail connector, etc.).
- Receive a copy of your data in a portable format (DPA §26(c)).
- Not be subject to a decision based solely on automated processing (DPA §35) — Nudgey's pre-spend pause card and Sunday Drops are surfaced automatically, but no automated decision is made for you. You always have the choice.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC). See section 11.
To exercise any of these rights, email privacy@thenudgey.com from the address associated with your Nudgey account. We will respond within 30 days of receiving a verifiable request, in line with DPA §26(2).
For deletion specifically: since the bulk of your data lives on your phone (not on our servers), a deletion request runs in two parts — (a) we delete the account-level data we hold (phone number, name, subscription record, anonymized telemetry), and (b) uninstalling the app removes everything stored on the device. The mobile app also offers an in-app "Delete my account" action under Profile → Account that triggers both at once, with a 7-day cooling-off window to recover if you change your mind.
7. How long we keep things.
- On-device data (SMS bodies, transactions, conversations, the local chat thread): kept on your phone for as long as the app is installed. Uninstall removes it instantly. There is no cloud copy to delete.
- Account-level cloud data (phone number, display name, subscription status): kept for as long as your account is active, plus 90 days after deletion for fraud-prevention and statutory retention.
- Mode 2 chat logs on the cloud side: kept for up to 30 days for abuse-prevention and quality monitoring, then deleted automatically.
- OTP session state: 5-minute TTL, then automatically deleted by Upstash.
- Crash reports: kept for 90 days, per Firebase Crashlytics' default retention.
- Analytics telemetry: kept for 14 months, per Firebase Analytics' default retention setting we have configured.
- Email delivery logs: kept for 90 days for deliverability diagnostics.
- Waitlist emails (this website): retained until we send the one launch-announcement email, after which the plaintext store is deleted; the hash set is also deleted within 30 days of launch.
- Payment records: as required by Kenyan tax law (typically 7 years per the Income Tax Act).
8. How we keep it safe.
- On-device encryption: the local database that stores your transactions is encrypted with SQLCipher using AES-256. The encryption key is stored in the Android Keystore (hardware-backed on supported devices).
- App-open security: opening Nudgey requires either a biometric (fingerprint/face) or your device PIN.
- Type-system privacy boundary: in our codebase, anything classified as "Local-only" cannot be sent to our servers — the build fails at compile time if it tries. Reviewed continuously.
- Anonymization audit point: every piece of data that crosses from your phone to our servers passes through a single function that strips raw values and replaces them with typed buckets, with automated tests confirming nothing slips through.
- App Check: our servers verify that requests are coming from a genuine Nudgey app via Google Play Integrity API attestation.
- Crashlytics PII scrubbing: phone numbers, M-Pesa receipt codes, and email-shaped strings are removed from crash diagnostic logs before they leave the device.
- Transport security: all traffic between the app and our servers (and between our servers and sub-processors) uses TLS 1.3 with HSTS.
- Access control: only authorised Riverbank Solutions Ltd staff have access to operational systems, and access is logged.
- Breach notification: in the event of a data breach affecting personal data, we will notify the ODPC within 72 hours and notify affected users without undue delay, in line with DPA §43.
9. Children.
Nudgey is for adults — 18 years and older. We do not knowingly collect personal data from people under 18. If you believe a minor has signed up, please email privacy@thenudgey.com and we will delete the account.
10. Changes to this policy.
We update this page when the way we handle data changes. The "Last updated" date and version number at the top of this page reflect the most recent change. For material changes (a new sub-processor, a new category of data, a different lawful basis, a different retention period), we'll also send a notice through the in-app conversation and via email (if you've enabled it) at least 30 days before the change takes effect.
For anything related to this policy or your personal data:
Riverbank Solutions Ltd — Data Protection Office
Email (privacy / DPA): privacy@thenudgey.com
Email (company / legal): info@riverbank.co.ke
Postal: Suite B31, 3rd Floor, Silverpool Office Suites,
Jabavu Lane, Hurlingham,
Nairobi, Kenya
Telephone: +254 709 836 000
Attention: Data Protection Officer
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
Office of the Data Protection Commissioner (Kenya)
Website: odpc.go.ke
Email: info@odpc.go.ke
Postal: P.O. Box 30920–00100, Nairobi, Kenya
Telephone: +254 (0)20 4900800