Your data, handled with care.

We collect what we need to run Nudle for you and nothing else. We use trusted infrastructure partners to deliver the service. We never sell your data. You can ask for a copy or full deletion at any time, and we will respond within 30 days.

Nudle ("we", "us", "our") operates nudle.dev and the Nudle AI search visibility platform (the "Service"). Nudle is operated by an entity domiciled in the Republic of South Africa.

Your account. When you sign up we receive your email address, name (optional), and the domains you connect to Nudle.

Your website's public content. When you connect a site, we read the public pages you point us at to understand what your business does and propose changes you can ship. We do not collect or store your end-users' personal data through this process.

Search and analytics metrics. When you connect Google services, we read aggregated metrics (clicks, impressions, sessions, conversions) and write tags into the Google Tag Manager workspace you choose. Authentication tokens are encrypted at rest and we never see your Google password.

Cloudflare access. If you connect Cloudflare, we store your API token encrypted at rest and use it only to verify your zone, allow Nudle's crawler through your firewall, and optionally serve your llms.txt file.

Citation probes. To measure how AI search engines describe your brand, we send the queries you configure to a small number of AI providers. None of these probes contain your end-users' personal data.

Billing. Payments are processed by Paddle.com Market Limited as Merchant of Record. Paddle receives your card, billing address, and tax data on our behalf and acts as an independent data controller for those records.

Operational logs. We log requests, errors, and feature usage to keep the service running and to debug issues. IP address, browser, and timestamps are kept for up to 90 days.

Cookies on nudle.dev. We set essential cookies for session and authentication. We use Meta Pixel for advertising attribution if you opted in. We never set cookies on your customers' sites; the consent banner Nudle deploys for you is your own first-party implementation.

• To run, maintain, and improve the Service
• To generate citation insights, lift-test proposals, and structural recommendations for your site
• To deploy the changes you approve through Google Tag Manager and Cloudflare
• To bill you and collect VAT or sales tax where required
• To respond to your support requests
• To detect, prevent, and respond to fraud, abuse, and security incidents
• To meet our legal obligations

We use the following sub-processors to deliver Nudle. Each is bound by a data-processing agreement where applicable.

Personal information may be transferred to and processed in countries outside South Africa and the European Economic Area, including the United States. We rely on standard contractual clauses, vendor certifications such as SOC 2 and ISO 27001, and Section 72 of POPIA where applicable.

All traffic is encrypted in transit. Authentication tokens and connected-platform credentials are encrypted at rest. Access inside Nudle follows the principle of least privilege.

For more on the controls behind every deploy, see our security overview.

No method of electronic transmission or storage is completely secure. We maintain incident-response procedures and will notify affected users of material breaches without undue delay, as required by POPIA Section 22 and GDPR Articles 33 and 34.

Account data is retained while your account is active. Citation probe data, Search Console snapshots, and lift-test results are retained for the life of the account plus 12 months for support and audit purposes. Connected-platform credentials are deleted within 7 days of disconnect or account closure. Billing records held by Paddle follow Paddle's retention schedule. You may request earlier deletion at any time.

Under POPIA, GDPR, and similar laws you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Object to or restrict certain processing
• Receive your data in a machine-readable format
• Withdraw consent at any time
• Lodge a complaint with the South African Information Regulator (inforegulator.org.za) or your local supervisory authority

To exercise these rights, email privacy@nudle.dev. We respond within 30 days.

When you ask Nudle to deploy a cookie consent banner on your website, the banner is your own first-party implementation. It sets a single cookie on your domain to remember the visitor's choice and fires Google Consent Mode v2 events to your existing analytics tags. Nudle does not receive any data captured by the banner. You remain the data controller for your visitors' consent records.

Nudle is not directed at individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact privacy@nudle.dev.

We may update this policy from time to time. Material changes are communicated by email and reflected in the "Last updated" date above. Continued use after changes constitutes acceptance.

For privacy questions or to exercise any of your rights, contact our Information Officer at privacy@nudle.dev. For general support, email hello@nudle.dev.