Privacy Policy

1. Introduction

NudgeFlow Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the NudgeFlow platform ("Service").

NudgeFlow Ltd is a company registered in England and Wales (company number 16723191), with its registered office at
Suite 74
East Ham London E6 2JA
. We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We may collect the following categories of personal data:

2.1 Information You Provide

• Account information — name, email address, organisation, and role
• Voice recordings — audio captured during roleplay training sessions via speech-to-text functionality
• Text input — messages and responses you type during training sessions
• Custom content — scenarios, client profiles, and evaluation models you create
• Contact information — details you provide when contacting us

2.2 Information Collected Automatically

• Usage data — pages visited, features used, session duration, and interaction patterns
• Device information — browser type, operating system, screen resolution, and device identifiers
• IP address — used for security, analytics, and approximate geolocation
• Cookies and similar technologies — as described in our Cookie Policy

2.3 Information from Third Parties

• Authentication providers — if you sign in through a third-party service, we may receive your name and email address from that provider

3. How We Use Your Data

We use your personal data for the following purposes:

4. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

4.1 Service Providers

• Microsoft Azure — cloud hosting, speech-to-text (Azure Cognitive Services), and text-to-speech services. Data may be processed in Microsoft's data centres. Microsoft Privacy Statement
• Google LLC — website analytics via Google Analytics (only with your consent). Google Privacy Policy
• Hume AI / ElevenLabs — text-to-speech services for generating AI voice responses during training sessions. Text content of AI responses is shared with these providers for audio synthesis.

4.2 Other Disclosures

We may also disclose your personal data:

• To comply with a legal obligation or lawful request by public authorities
• To protect our rights, privacy, safety, or property
• In connection with a merger, acquisition, or sale of assets (with notice to you)

We do not sell your personal data to third parties.

5. International Data Transfers

Some of our service providers are based outside the United Kingdom. When we transfer your personal data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO)
• Adequacy decisions by the UK Secretary of State
• Other lawful transfer mechanisms under UK GDPR

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Account data — retained for the duration of your account and up to 1 Month after account closure
• Session recordings and transcripts — retained for 30 days unless you request earlier deletion
• Analytics data — retained in accordance with Google Analytics' data retention settings 12 Months
• Contact enquiries — retained for 6 Months

When data is no longer required, it is securely deleted or anonymised.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data (subject to legal obligations)
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time (e.g., via the cookie consent banner)

To exercise any of these rights, please contact us at contact@nudgeflow.ai. We will respond within one month of receiving your request.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (HTTPS/TLS), access controls, and regular security reviews.

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

10. Cookies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, why we use them, and how you can manage your preferences, please see our Cookie Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. We encourage you to review this page periodically.

12. Contact Us and Complaints

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):