Privacy Policy
Nudge - Mental Health & CBT Support App
Last Updated: October 4, 2025
Your Privacy Matters: At Nudge, we understand that mental health data is deeply personal. This
Privacy Policy explains how we collect, use, protect, and respect your information with the highest standards of
privacy and security.
1. Introduction
Hybrid Designs ("we," "us," or "our") operates the Nudge mobile application ("App"). This Privacy Policy explains
how we collect, use, disclose, and safeguard your information when you use our mental health and cognitive
behavioral therapy (CBT) support application.
We are committed to protecting your privacy and handling your personal information, including sensitive mental
health data, with the utmost care and in compliance with applicable data protection laws, including the General
Data Protection Regulation (GDPR) and other relevant privacy legislation.
Important: By using Nudge, you consent to the collection and use of your information as described
in this Privacy Policy. If you do not agree with this policy, please do not use our App.
2. Information We Collect
2.1 Information You Provide Directly
Account Information
- Registration data: Email address, username, password
- Profile information: Name, age group, lifestyle preferences
- Contact preferences: Notification settings and communication preferences
Mental Health and Wellness Data
- CBT session data: Thoughts, feelings, exercises completed, session progress
- Mood tracking: Mood ratings, emotional states, daily check-ins
- Action items: Personal goals, completed actions, progress notes
- Journal entries: Personal reflections and notes (if applicable)
- Assessment responses: Responses to mental health assessments and questionnaires
Communication Data
- Support interactions: Messages sent through customer support
- Feedback: App reviews, survey responses, and feedback submissions
2.2 Information We Collect Automatically
| Data Type | Examples | Purpose |
| --- | --- | --- |
| Usage Data | App sessions, features used, time spent | Service improvement, analytics |
| Device Information | Device model, OS version, app version | Technical support, compatibility |
| Log Data | Access times, error logs, performance metrics | Debugging, service optimization |
| Analytics Data | Screen views, user interactions, crash reports | App improvement, bug fixes |
2.3 Information from Third Parties
- App Store data: Purchase information from Apple App Store or Google Play Store
- Authentication services: If you use third-party login services
- Analytics services: Aggregated usage data from analytics providers
3. How We Use Your Information
3.1 Primary Purposes
- Service Provision: Deliver personalized CBT exercises, mood tracking, and mental health
support
- Progress Tracking: Monitor your wellness journey and provide insights
- Personalization: Customize content based on your lifestyle and preferences
- Notifications: Send reminders, encouragement, and supportive messages
3.2 Secondary Purposes
- Service Improvement: Analyze usage patterns to enhance app functionality
- Customer Support: Respond to inquiries and provide technical assistance
- Safety and Security: Detect fraud and abuse, and ensure app security
- Legal Compliance: Meet legal obligations and regulatory requirements
3.3 Refund Assistance
Refund Data Sharing: We may share your usage data with Apple or Google to assist with refund
requests, but only with your explicit consent. You can control this setting in the
app under "Settings > Refund Assistance."
4. Legal Basis for Processing (GDPR)
For users in the EU/UK, we process your data based on:
- Consent: For marketing communications, analytics, and refund assistance data sharing
- Contract Performance: To provide the mental health services you've subscribed to
- Legitimate Interest: For service improvement, security, and customer support
- Legal Obligation: To comply with applicable laws and regulations
5. Data Sharing and Disclosure
5.1 We DO NOT Share Your Mental Health Data With Third Parties
Privacy Promise: We never sell, rent, or share your personal mental health information with
advertisers, marketers, or other third parties for their commercial purposes.
5.2 Limited Sharing Scenarios
Service Providers
- Cloud hosting: Secure data storage (encrypted)
- Analytics: Aggregated, anonymized usage statistics only
- Customer support: Technical assistance (minimal data access)
Legal Requirements
- Court orders or legal process
- Law enforcement requests (where legally required)
- Protection of rights, property, or safety
With Your Consent
- Refund assistance: Usage data to app stores (opt-in only)
- Research participation: Anonymized data for mental health research (opt-in only)
5.3 Business Transfers
In the event of a merger, acquisition, or asset sale, user data may be transferred. We will provide notice before
your data becomes subject to a different privacy policy.
6. Data Security
Our Security Measures
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Regular Audits: Security assessments and vulnerability testing
- Data Minimization: We collect only necessary information
- Secure Infrastructure: Enterprise-grade cloud hosting with compliance certifications
6.1 Your Role in Security
- Keep your account credentials secure
- Use strong, unique passwords
- Log out from shared devices
- Report suspicious activity immediately
6.2 Data Breach Response
In the unlikely event of a data breach, we will:
- Notify affected users within 72 hours
- Report to relevant authorities as required by law
- Take immediate steps to secure systems
- Provide clear guidance on protective actions
7. Data Retention
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Account Information | Until account deletion | Service provision |
| Mental Health Data | Until deletion request or 3 years after last activity | Progress tracking, service continuity |
| Usage Analytics | 24 months | Service improvement |
| Support Communications | 3 years | Customer service history |
| Legal/Compliance Data | As required by law | Legal obligations |
8. Your Privacy Rights
Under GDPR and Similar Laws, You Have the Right To:
- Access: Request copies of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Export your data in a portable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Revoke consent for data processing
8.1 How to Exercise Your Rights
- In-App Settings: Many controls available directly in the app
- Email Request: Contact privacy@hybrid-designs.co.uk
- Identity Verification: We may require verification for security
- Response Time: We respond within 30 days (1 month)
8.2 Data Export
You can request a complete export of your data, including:
- Account information and settings
- CBT session history and progress
- Mood tracking data
- Personal action items and notes
9. Children's Privacy
Age Restrictions: Nudge is not intended for children under 13. We do not knowingly collect
personal information from children under 13.
9.1 Teen Users (13-17)
- Parental consent required for account creation
- Limited data collection appropriate for age group
- Enhanced privacy protections
- Parents can request account deletion
9.2 Verification Process
If we discover that a child under 13 has created an account, we will immediately delete the account and all
associated data.
10. International Data Transfers
10.1 Data Location
- Primary storage: European Union (GDPR-compliant hosting)
- Backup systems: UK and EU only
- Processing: Limited to EU/UK approved providers
10.2 Transfer Safeguards
When data must be transferred outside the EU/UK, we ensure:
- Adequacy decisions or appropriate safeguards
- Standard Contractual Clauses (SCCs)
- Binding corporate rules where applicable
- User consent for specific transfers
11. Third-Party Services
11.1 Integrated Services
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Database and authentication | Account data, encrypted health data |
| RevenueCat | Subscription management | Purchase information only |
| App Store/Play Store | App distribution, payments | Purchase data, optional usage data |
11.2 Third-Party Privacy Policies
We encourage you to review the privacy policies of third-party services. We are not responsible for their privacy
practices.
12. Changes to This Policy
12.1 Notification Process
- Material changes: 30-day advance notice via email and in-app notification
- Minor updates: Updated "Last Modified" date
- Continued use: Constitutes acceptance of changes
- Objection: You may delete your account if you disagree
12.2 Version History
Previous versions of this Privacy Policy are available upon request.
13. Contact Information
Regulatory Contact
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local
data protection authority.
UK: Information Commissioner's Office (ICO) - ico.org.uk
Questions or Concerns: We take privacy seriously. If you have any questions about this Privacy
Policy or our data practices, please don't hesitate to contact us. We're here to help and ensure your privacy is
protected.
© 2025 Hybrid Designs. All rights reserved.