> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nudgen.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy and data

> How we handle PII, tracking, and third-party providers

## What this page covers

A short, user-facing summary of how Nudgen handles personal and contact data, how tracking works in emails, and which third-party providers we use. For the full legal text, see the [Privacy Policy](https://nudgen.net/privacy) and [Terms of Service](https://nudgen.net/terms) on the main site.

## PII and contact data

**Encryption at rest**

* Contact data you upload (email addresses, names, and any custom fields) is **encrypted** before it is stored. We use AES-256-GCM; we do not see or store plaintext PII.
* Emails are also **hashed** (one-way) for deduplication so we can merge duplicates without storing the raw address in plain form.

**Masking and reveal**

* In the app, contact emails and names are shown **masked** by default (e.g. `j***@g***.com`). That limits exposure on shared screens and in logs.
* When you click **Reveal**, the real value is decrypted only in your browser and shown temporarily. After you navigate away or refresh, it masks again. We never expose decrypted PII in analytics, logs, or exports.

**Who can see contact data**

* Only people in your **workspace** with access to Contacts can see the list. Reveal is available to anyone who can view contacts in that workspace. Billing and plan limits are per workspace.

## Tracking in emails

We use tracking to measure campaign performance and honor unsubscribes.

* **Opens** — A small tracking pixel in the email loads when the recipient opens the message. We record the event (and approximate time) for analytics. Some email clients block images, so open counts can be undercounted.
* **Clicks** — Links in the email can be wrapped as **signed tracking links**. When the recipient clicks, we record the click and then redirect them to the real URL. Signing and validation help prevent abuse.
* **Unsubscribe** — Every campaign email includes an **unsubscribe link**. When the recipient uses it, we mark them as unsubscribed and they are excluded from future campaign sends. We do not send further marketing to that address unless you change their status.

When these tools run, we may process data such as browser/device details, approximate location (from IP), email client, and timestamps. This is used for analytics and to operate the service.

## Third-party providers

The service relies on the following types of providers. The exact list may change over time.

| Provider                    | Purpose                                                                        |
| --------------------------- | ------------------------------------------------------------------------------ |
| **Google / Firebase**       | Authentication (e.g. sign-in with Google) and application analytics.           |
| **Polar**                   | Subscription management, checkout, billing portal, and payment processing.     |
| **Email delivery provider** | Email delivery, bounce and complaint handling, and suppression list sync.      |
| **OpenAI**                  | AI-assisted email generation (campaign goals, brand voice, prompts).           |
| **MaxMind**                 | Approximate geolocation (e.g. from IP) for analytics and operational purposes. |

Data is shared with these providers only as needed to run the service. We do not sell your data or contact lists to third parties for their own marketing.

## Security practices

* Access inside the product is **role-based** (owner, admin, member) per workspace.
* We use **signed links and validation** in tracking and other sensitive flows to reduce abuse.
* We apply **rate limiting** and usage guards to protect the platform and enforce plan limits.
* No transmission or storage is 100% secure; we use reasonable measures but do not guarantee absolute security.

## Data retention and your rights

* We retain data as long as reasonably necessary to provide the service, maintain security and operations, comply with law, and enforce our agreements. Retention can differ by data type (e.g. account, billing, suppression, logs).
* Depending on where you live, you may have rights to access, correct, delete, or restrict certain personal data. Recipients of emails sent through Nudgen can use the **unsubscribe** link; for other requests, contact [contact@nudgen.net](mailto:contact@nudgen.net).
* If you are a **recipient** of a campaign (not the account holder), the sender is generally responsible for that outreach; you can contact them or use the unsubscribe link.

## Full policies

* **Privacy Policy:** [nudgen.net/privacy](https://nudgen.net/privacy)
* **Terms of Service:** [nudgen.net/terms](https://nudgen.net/terms)

For product-specific behavior, see [Contacts overview](/en/contacts/overview) (encryption and masking), [Contact lifecycle](/en/contacts/lifecycle) (suppression and unsubscribes), and [Deliverability basics](/en/concepts/deliverability-basics).
