nudgg by DeltaIQx LLP
Privacy Policy
Last updated: April 2026 · Effective: April 2026
1. Who We Are
nudgg is a product of DeltaIQx LLP, a limited liability partnership registered in India. We build behavioural analytics tools for traders. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use nudgg at www.nudgg.in or via the nudgg browser extension.
For any privacy-related queries, contact our Grievance Officer at privacy@nudgg.in. We respond within 72 hours.
2. Legal Basis
This policy is governed by the Digital Personal Data Protection (DPDP) Act, 2023 and the Information Technology Act, 2000 and its rules. By creating an account, you (the Data Principal) give us (the Data Fiduciary) explicit, informed consent to process your personal data as described below. You may withdraw consent at any time by deleting your account.
3. Data We Collect
3.1 Account Data
Email address — used for account identification, OTP verification, and weekly insight delivery. We do not collect your name, phone number, or address unless you voluntarily provide them.
3.2 Cryptographic Salt
A randomly generated 32-byte salt stored alongside your email. This is used by your device to derive your encryption key via Argon2id. The salt is not a secret — it cannot decrypt your data. Your encryption key is never transmitted to us.
3.3 Encrypted Trade Blobs
Your trade data is encrypted on your device before transmission. We store only the encrypted ciphertext. We cannot read, access, or analyse your raw trade data. We are technically incapable of decrypting it.
3.4 Behavioural Preferences
Trading style preferences (frequency, instruments, hold time), coaching preferences, and onboarding selections are stored locally in your browser's localStorage and optionally synced to our servers in anonymised form.
3.5 Usage & Technical Data
Standard server logs: IP address, browser type, request timestamps. These are retained for 30 days for security and debugging, then automatically deleted. We do not use these for profiling.
3.6 Data We Never Collect
We never collect: your password, your encryption key, plaintext trade data, Aadhaar, PAN, bank account details, or any government-issued identifiers. nudgg is not a financial institution and does not require or request such information.
4. How We Use Your Data
- To authenticate your account and maintain your session.
- To deliver OTP verification codes via email (Resend, a US-based email service).
- To store encrypted trade blobs as backup (you own and control the decryption key).
- To send weekly behavioural insight summaries if you opt in.
- To detect abuse, fraud, or security incidents.
- To comply with legal obligations under Indian law.
We do not use your data for advertising, profiling, or sale to third parties. We do not use automated decision-making that produces legal or similarly significant effects.
5. Zero-Knowledge Architecture
nudgg is built on a zero-knowledge principle. Your encryption key is derived from your password using Argon2id exclusively on your device. It is never transmitted to our servers. This means:
- We cannot read your trade data under any circumstances.
- A court order, law enforcement request, or data breach cannot expose your plaintext trade data — we do not hold it.
- If you forget your password, your encrypted data is permanently inaccessible. There is no recovery mechanism because we do not hold your key.
6. Third-Party Services
Resend (email delivery): OTP codes and weekly emails are sent via Resend (Resend Inc., USA). Your email address is shared with Resend solely for message delivery. Resend is GDPR-compliant and does not use your email for marketing.
Google OAuth: If you sign in with Google, Google shares your email address and profile name with us under Google's OAuth 2.0 protocol. We do not receive your Google password or any financial account data.
Railway (hosting): Our backend runs on Railway (Railway Corp., USA). Encrypted trade blobs are stored on Railway-hosted PostgreSQL. Data is encrypted at rest and in transit.
Vercel (frontend hosting): Our web application is hosted on Vercel (Vercel Inc., USA). Vercel processes standard web traffic logs.
All third-party processors are bound by data processing agreements. Cross-border data transfers to the US are made under standard contractual clauses.
7. Data Retention
- Account data (email, salt): Retained until account deletion.
- Encrypted trade blobs: Retained until account deletion.
- Server logs: 30 days, then auto-deleted.
- Audit logs: 90 days, encrypted, accessible only to you.
- Session tokens: Expire after 30 days or on logout, whichever is sooner.
8. Your Rights (DPDP Act 2023)
As a Data Principal under the DPDP Act 2023, you have the following rights:
- Right to Access: Request a summary of what personal data we hold about you.
- Right to Correction: Request correction of inaccurate personal data (e.g., email address).
- Right to Erasure: Delete your account at any time from Settings. All data is permanently and irreversibly destroyed within 30 days.
- Right to Grievance Redressal: Raise a complaint with our Grievance Officer at privacy@nudgg.in. If unresolved, you may escalate to the Data Protection Board of India.
- Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any right, email privacy@nudgg.in from your registered email address. We will respond within 72 hours and resolve within 30 days.
9. Cookies
nudgg uses minimal cookies:
- Essential cookies: Session authentication (httpOnly, Secure, SameSite=Strict). Required for the service to function. Cannot be disabled.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party tracking cookies.
- No advertising cookies: We do not serve advertisements and use no ad-related cookies.
10. Security
We implement the following security measures:
- AES-256-GCM double-layer encryption on all trade data (client-side + server-side).
- Argon2id key derivation (time=3, memory=64MB) — resistant to GPU and ASIC attacks.
- TLS 1.2+ for all data in transit.
- Rate limiting and brute-force protection on all authentication endpoints.
- Session revocation on logout — tokens invalidated server-side immediately.
- No plaintext trade data ever persisted to disk or logs.
In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required under applicable law.
11. Children
nudgg is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact privacy@nudgg.in and we will delete the account immediately.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. Material changes will be notified by email to registered users at least 15 days before taking effect. Continued use of nudgg after the effective date constitutes acceptance of the revised policy.
DeltaIQx LLP · nudgg · Last updated April 2026 · Grievance Officer: privacy@nudgg.in · 72-hour response · Governed by the laws of India