data processing agreement
last updated: february 2026
this data processing agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and the operator of nudge ("Processor") for the use of nudge services.
1. definitions
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR (Regulation (EU) 2016/679).
"Services" means the nudge application and related services provided to Customer.
2. scope of processing
2.1 subject matter
the Processor will process Personal Data on behalf of the Controller to provide the nudge services as described in our Privacy Policy.
2.2 nature and purpose
processing activities include:
- account authentication and management
- event discovery and AI-powered personalization
- cloud discovery requests to retrieve event data
- on-device AI processing for notification generation
- subscription and payment processing
- friend connections (if enabled by user)
note on AI processing: nudge uses Apple's on-device Foundation Models to generate personalized notifications. this processing occurs entirely on the user's device and no personal data is transmitted to external AI services for this purpose.
note on discovery: when you request nearby events, we send only the minimum data needed (such as approximate location and query parameters) to retrieve results.
2.3 types of personal data
- account identifiers (Apple ID token)
- location data (when provided)
- event preferences and saved events
- payment information (processed by Paddle)
2.4 data subjects
users of the nudge application who create accounts.
3. processor obligations
the Processor shall:
- process Personal Data only on documented instructions from the Controller
- ensure persons authorized to process have committed to confidentiality
- implement appropriate technical and organizational security measures
- assist the Controller with Data Subject rights requests when applicable
- delete or return Personal Data upon termination of services, at Controller's choice
- make available information necessary to demonstrate GDPR compliance
4. security measures
we implement the following security measures:
- encryption in transit (TLS 1.3)
- encryption at rest for stored data
- access controls and authentication
- regular security assessments
- incident response procedures
5. sub-processors
we use the following sub-processors:
the Controller authorizes engagement of these sub-processors. we will notify the Controller of any intended changes to sub-processors.
6. international transfers
where Personal Data is transferred outside the EEA, we ensure appropriate safeguards through:
- EU-US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs)
- adequacy decisions by the European Commission
7. data breach notification
in the event of a Personal Data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware, providing:
- description of the nature of the breach
- categories and approximate number of Data Subjects affected
- likely consequences
- measures taken or proposed to address the breach
8. audits
upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA.
9. term and termination
this DPA remains in effect for the duration of the Services. upon termination, we will delete Personal Data within 30 days unless retention is required by law.
10. contact
for DPA-related inquiries, contact us at legal@livealittle.app.