Privacy Policy
Last updated: June 2026
1. What We Collect
We collect the following categories of data:
- Account data — your email address, name, and workspace name when you sign up.
- Build artifacts — files you upload for distribution. Stored in S3 and served only to your end-users.
- Device IDs — a stable UUID generated by the Nudge installer on first run, stored in AppData\Roaming\{appName}\.nudge\device.id. Used for analytics (install/update/uninstall events). Never tied to a personal identity.
- Usage events — install, update, and uninstall events from end-user devices, including platform, OS version, and region (derived from IP address via MaxMind GeoLite2).
- IP addresses — used server-side to derive region only; not stored beyond log retention.
- Access logs — for private channels, we log which token was used, the device UUID, platform, and timestamp. Retained for 90 days.
2. How We Use It
- Providing the update distribution service to Customers.
- Showing Customers analytics about their app’s installs and adoption.
- Sending magic-link authentication emails.
- Detecting abuse and enforcing our Terms of Service.
- Billing and account management (when applicable).
We do not sell your data. We do not use your data for advertising.
3. Data Sharing
We share data only with:
- AWS — S3 for artifact storage, SES for email delivery.
- Stripe — payment processing (Pro subscribers only). We never see raw card numbers.
- Law enforcement — when required by law or to protect the safety of users.
4. End-User Data
Device IDs and usage events belong to the Customer’s end-users. Customers are responsible for providing appropriate privacy disclosures to their own end-users about the collection of device IDs and update-check events.
End-users can delete their device ID by uninstalling the app via nudge --uninstall, which removes all local Nudge data including the device ID file.
5. Data Retention
- Account data — retained while your account is active.
- Build artifacts — retained while the build is active on your account.
- Analytics events — free tier: 7 days; Pro: 90 days.
- Access logs — 90 days.
- Server logs — 30 days.
6. Your Rights (GDPR)
If you are in the European Economic Area, you have the right to access, correct, export, or delete your personal data. To exercise these rights, email privacy@unicornfamily.dev. We will respond within 30 days.
7. Security
We use TLS for all data in transit. Build artifacts and manifests are signed with Ed25519 keys stored in AWS KMS — raw key material never leaves the HSM. We apply the principle of least privilege to all service accounts.
8. Changes
We may update this policy. Registered Customers will be notified of material changes by email at least 14 days before they take effect.
9. Contact
Privacy enquiries: privacy@unicornfamily.dev