Draft — Pending Legal Review This Privacy Policy is a draft version pending review by legal counsel. Placeholder fields marked in [BRACKETS] will be completed after attorney review. This document is not yet finalized.

Privacy Policy

Effective Date: [INSERT DATE]  •  Last Updated: April 13, 2026

1. Introduction & Scope

[COMPANY LEGAL NAME] (“NudgeWell,” “we,” “us,” or “our”) operates the NudgeWell platform, an AI-powered benefits engagement service for employers and their employees. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website, platform, and related services (collectively, the “Service”).

This policy applies to:

  • HR Administrators who set up and manage NudgeWell for their organization
  • Employees who receive benefits nudges and engagement communications
  • Website Visitors who browse our marketing pages

Important: At the SMB tier (50–500 employees), NudgeWell does not collect protected health information (PHI), medical claims data, or individually identifiable health information. We work with benefits plan details—not medical records.

2. Information We Collect

2.1 Information Provided by HR Administrators

When an HR administrator sets up NudgeWell, they may provide:

  • Employee names, email addresses, and department information
  • Benefits plan details (plan type, FSA/HSA balances, enrollment status, employer match amounts)
  • Organizational information (company name, size, benefits renewal dates)
  • Administrator contact information and login credentials

We do not collect: Medical claims, diagnoses, prescription records, Social Security numbers, or any individually identifiable health information.

2.2 Engagement Data

When employees interact with NudgeWell communications, we automatically collect:

  • Email open and click events
  • Nudge reactions (helpful, not helpful, etc.)
  • Action completion status (e.g., whether an employee scheduled a preventive care visit)
  • Benefits Coach Q&A interactions (questions asked, responses provided)

2.3 Automatically Collected Information

When you visit our website or use the Service, we may automatically collect:

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Pages visited, time spent, and referral source
  • Cookies and similar tracking technologies (see Section 10)

3. How We Use Your Information

Purpose and legal basis:

  • Deliver personalized benefits nudges and engagement communications: performance of contract with your employer
  • Provide Benefits Coach Q&A responses: performance of contract
  • Generate engagement analytics and reports for HR administrators: legitimate business interest
  • Calculate financial impact metrics (e.g., FSA savings recovered): legitimate business interest
  • Improve AI models and nudge effectiveness: legitimate business interest (using aggregated/anonymized data)
  • Process payments and manage subscriptions: performance of contract
  • Send service updates and communications: legitimate business interest / consent
  • Comply with legal obligations: legal requirement

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share information in the following circumstances:

4.1 Service Providers

We use trusted third-party service providers to operate the Service:

  • Render — Application hosting and infrastructure
  • Neon — PostgreSQL database hosting
  • SendGrid — Email delivery
  • Stripe — Payment processing
  • Google Analytics — Website analytics (anonymized)

Each service provider is contractually bound to use your data only for the purposes of providing their service to us and to maintain appropriate security measures.

4.2 Legal Requirements & Business Transitions

We may disclose information when required by law, subpoena, court order, or government request. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction, and we will notify you before your data becomes subject to a different privacy policy.

4.3 Aggregate & Anonymized Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual (e.g., “78% of employees opened their FSA reminder nudge”). This data is used for benchmarking and product improvement.

5. Data Security

We take the security of your data seriously and implement industry-standard safeguards:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
  • Encryption at rest: Sensitive data stored in our database is encrypted using AES-256-GCM
  • Access control: Employee access to production data is restricted on a need-to-know basis
  • Credential security: Passwords and API keys are stored only in hashed or encrypted form; we never store credentials in plaintext
  • Incident response: We maintain an incident response plan and will notify affected parties within 72 hours of discovering a data breach

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Engagement analytics: 12 months from collection
  • Support logs and correspondence: 24 months from last interaction
  • Account and subscription data: Duration of the subscription plus 90 days
  • After contract termination: Employee data is deleted within 30 days of contract end. HR administrators may request a data export during this period (see Section 16 of our Terms of Service)

7. Your Data Rights

7.1 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions
  • Right to Opt-Out: You may opt out of the “sale” or “sharing” of personal information. NudgeWell does not sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Information: We do not collect sensitive personal information as defined by CPRA

To exercise these rights, contact us at [privacy@nudgewell.com]. We will respond within 45 days.

7.2 State Privacy Law Rights

Residents of the following states have additional privacy rights under their respective laws: Colorado, Connecticut, Delaware, Indiana, Kentucky, Montana, Rhode Island, Texas, Utah, Virginia, and Washington.

These rights generally include:

  • Access to your personal data
  • Deletion of your personal data
  • Data portability (receiving your data in a portable format)
  • Opting out of targeted advertising, profiling, or data sales
  • Right to appeal a denied privacy request

To exercise any of these rights, contact us at [privacy@nudgewell.com]. We will respond within the timeframe required by your state’s law (typically 30–45 days).

7.3 Washington My Health My Data Act

NudgeWell acknowledges the Washington My Health My Data Act. At the SMB tier, NudgeWell does not collect consumer health data as defined by this Act. We do not sell or license health-related data, and we do not use health data for targeted advertising. If our data practices change in the future to include health data collection, we will update this policy and provide required notices and consent mechanisms.

8. Children’s Privacy

NudgeWell is a business-to-business service designed for adult employees and HR administrators. We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected data from a child under 13, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at [privacy@nudgewell.com].

9. Third-Party Links

Our Service may contain links to third-party websites, including benefits provider portals, insurance carrier sites, and healthcare resources. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

10. Cookies & Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication, security, and basic platform functionality
  • Analytics cookies: Help us understand how visitors use our website (via Google Analytics)
  • Email tracking: We use pixel tracking in nudge emails to measure open rates and engagement

You can block or delete cookies through your browser settings; consult your browser’s help documentation for instructions. Disabling cookies may affect some features of the Service, such as staying signed in. Browser cookie settings do not affect the tracking pixel in nudge emails; if you do not want an email open to be recorded, configure your email client not to load remote images.

11. Contact Information

For questions about this Privacy Policy or to exercise your data rights, contact us:

[COMPANY LEGAL NAME]
[STREET ADDRESS]
[CITY, STATE ZIP]
Email: [privacy@nudgewell.com]
Support: [support@nudgewell.com]

We will acknowledge your request within 5 business days and respond substantively within the timeframe required by applicable law (typically 30–45 days).

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Notify HR administrators via email at least 30 days before changes take effect
  • Post the revised policy on our website

Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

See also: Terms of Service

© 2026 NudgeWell — AI Benefits Engagement for HR Teams


Built by Polsia