Privacy Policy

Last updated: April 11, 2026

1. Who We Are

NagMe is operated by Number One Son Software Development, a sole proprietorship in the United States. We are the data controller responsible for the personal information we collect and process through our accountability reminder app at https://nagme.app.

Operator: Roger Grubb
Email: roger@grubb.net
Location: United States

We are committed to transparency and compliance with global privacy regulations including GDPR, CCPA/CPRA, TCPA, PIPEDA, LGPD, and POPIA.

2. Information We Collect and How

Information You Provide Directly

When you create and use your NagMe account, you provide us with:

  • Full Name — for account identification and personalization
  • Email Address — for authentication, account recovery, and notifications
  • Phone Number — for SMS reminders and voice calls (SMS/voice opt-in only)
  • Timezone — to deliver reminders at your preferred time

Information Collected Automatically

Our service automatically collects:

  • Device Information — browser type, operating system, device type, and IP address
  • Usage Data — pages visited, features accessed, and interaction timestamps
  • Authentication Data — session tokens and login activity (managed by Clerk)
  • Payment Information — subscription tier and billing history (tokenized by Stripe)

Information from Third Parties

When you authenticate via Clerk (our authentication provider), you may authorize us to receive limited profile information such as name and email from your social login provider. We do not automatically collect this data without your explicit consent.

3. How We Use Your Information

Service Delivery

We use your information to:

  • Create, authenticate, and maintain your account
  • Send scheduled accountability reminders via email, SMS, or voice calls
  • Deliver our core accountability features and services
  • Process payments and manage your subscription
  • Customize the app to your timezone and preferences

Legal Basis for Processing (GDPR)

Contractual Necessity: Processing your name, email, phone, and timezone is necessary to perform our service contract with you.

Consent: SMS and voice reminders are sent only with your explicit opt-in consent. You may withdraw consent anytime.

Legal Obligation: We may process data when required by law (e.g., tax records, law enforcement requests).

Legitimate Interests: We process usage data to improve service quality, prevent fraud, and ensure platform security.

Communication

We use your email to send service-related notifications (e.g., account confirmations, password resets). You cannot opt out of essential service emails, but may opt out of optional emails.

Platform Improvement

We analyze aggregated, anonymized usage data to identify bugs, improve features, and optimize the user experience. This analysis does not profile or track individual users for marketing purposes.

Security and Fraud Prevention

We monitor for unauthorized access, suspicious activity, and security threats to protect your account and data.

4. SMS/Text Message Data and TCPA Compliance

SMS Opt-In and Consent

SMS reminders are sent only to users who have explicitly opted in to receive them. By providing your phone number and selecting SMS reminders, you consent to receive SMS messages from NagMe via our SMS provider, Telnyx. Standard SMS charges from your carrier may apply.

TCPA Compliance

We comply with the Telephone Consumer Protection Act (TCPA). We will not send SMS or voice messages to your number without your prior express written consent. You may withdraw consent anytime by:

  • Replying STOP to any SMS message
  • Adjusting notification settings in your NagMe account
  • Contacting us at roger@grubb.net

What We Share with Telnyx

To send SMS and voice reminders, we share your phone number and reminder content with Telnyx, our SMS/voice provider. Telnyx processes this data solely to deliver the messages you requested.

Message Frequency and Content

The frequency of SMS messages depends on your reminder schedule. Messages contain your personalized accountability reminders. Standard message rates apply.

5. Third-Party Service Providers

We share your personal information with trusted third-party service providers who process data on our behalf under data processing agreements. These providers act as "data processors" and are prohibited from using your data for their own purposes.

Clerk (Authentication)

What we share: Name, email address, authentication credentials, and session tokens
Purpose: Secure account authentication and session management
Data location: Clerk processes data in compliance with GDPR (EU/EEA) and CCPA (California)
Privacy policy: https://clerk.com/privacy

Stripe (Payments)

What we share: Email address, subscription tier, and tokenized payment information (we never store full card details)
Purpose: Process subscription payments and manage billing
Data location: Stripe processes data in compliance with GDPR, CCPA, and PCI DSS
Privacy policy: https://stripe.com/privacy

Telnyx (SMS and Voice)

What we share: Phone number and reminder message content
Purpose: Deliver SMS and voice reminders to opted-in users
Data location: Telnyx processes data in compliance with GDPR and TCPA requirements
Privacy policy: https://telnyx.com/privacy

Vercel (Hosting and CDN)

What we share: Aggregated usage data, website logs, and performance metrics
Purpose: Host the NagMe application and deliver content globally
Data location: Vercel may store data in the US and EU
Privacy policy: https://vercel.com/privacy

Neon (Database)

What we share: Encrypted database records including name, email, phone, timezone, and usage data
Purpose: Store and secure your account data
Data location: Neon stores data in the US with compliance for GDPR and CCPA
Privacy policy: https://neon.tech/privacy

No Data Selling

We do not sell, rent, or share your personal information with third parties for marketing, advertising, or any purpose outside of service delivery. All third-party sharing is for operational purposes only.

6. Cookies and Tracking Technologies

What Are Cookies

Cookies are small files stored on your device that help us remember your preferences and authenticate your account. We use cookies solely for essential functionality; we do not use cookies for analytics or behavioral tracking.

Cookies We Use

  • Authentication Cookies (Clerk): Session tokens to keep you logged in and secure your account
  • Payment Cookies (Stripe): Data to facilitate secure payment processing
  • Essential Site Cookies: CSRF protection and security headers

No Analytics or Tracking Cookies

We do not use Google Analytics, Facebook Pixel, or other third-party analytics or tracking cookies. We do not create user profiles for targeted advertising.

Cookie Management

You can disable cookies in your browser settings. However, disabling essential cookies may prevent you from accessing your account. Authentication and payment cookies are required to use NagMe.

7. Data Retention

Active Accounts

We retain your personal information for as long as your account is active. This includes your name, email, phone number, timezone, and usage history.

After Account Deletion

When you delete your account, we permanently erase your personal data within 30 days, except:

  • Data required by law (tax records, invoices) is retained for the required period (typically 7 years)
  • Aggregated, anonymized data used for platform improvement may be retained indefinitely
  • Email addresses may be retained in a suppression list to honor your unsubscribe requests

Backup Data

Our database backups may contain your data for up to 30 days after deletion to ensure recovery capability. Backups are encrypted and retained only for disaster recovery.

8. Data Security

Security Measures

We implement industry-standard security practices to protect your data:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS/SSL encryption (HTTPS)
  • Encryption at Rest: Sensitive data in our database is encrypted at rest using AES-256 encryption
  • Access Controls: Only authorized personnel with legitimate business needs can access personal data
  • Payment Security: We do not store full credit card details; Stripe handles PCI DSS compliance
  • Authentication: Clerk provides industry-standard authentication with multi-factor authentication (MFA) support
  • Regular Security Updates: Our infrastructure and dependencies are regularly updated and patched

Security Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security from unauthorized access, data breaches, or hacking. You are responsible for maintaining the confidentiality of your account credentials.

Data Breach Notification

In the event of a confirmed data breach affecting your personal information, we will notify you without unreasonable delay as required by GDPR (72 hours), CCPA, PIPEDA, LGPD, and other applicable laws. Notification will be via email to your registered address or by other reasonable means.

9. International Data Transfers

Where Your Data Is Located

NagMe is operated from the United States. Your personal information is primarily stored and processed in the US. However, some third-party service providers (Clerk, Stripe, Vercel) may process data in multiple locations, including the EU and other regions.

GDPR and Data Transfers from the EU/EEA

If you are located in the EU or EEA, transferring your data to the US involves crossing borders with different privacy standards. We ensure adequate safeguards:

  • Our service providers (Clerk, Stripe) implement Standard Contractual Clauses (SCCs) and comply with GDPR requirements
  • We conduct Data Protection Impact Assessments (DPIAs) to assess transfer risks
  • We minimize data transfers and pseudonymize data where possible

Data Localization for Other Jurisdictions

Users in jurisdictions with strict data localization requirements (e.g., Brazil under LGPD) should be aware that your data may be stored and processed in the US. We are working toward regional data storage options.

10. Your Privacy Rights

The privacy rights available to you depend on where you are located. Below are the specific rights granted by various privacy laws.

A. GDPR Rights (EU/EEA Residents)

If you reside in the EU or EEA, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete information
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal obligations)
  • Right to Restrict Processing: Ask us to limit how we use your data
  • Right to Data Portability: Receive your data in a structured, portable format to transfer to another service
  • Right to Object: Opt out of processing for marketing or legitimate interests
  • Rights Related to Automated Decision-Making: We do not make automated decisions that produce legal or significant effects without human review
  • Right to Withdraw Consent: Withdraw consent for SMS/voice reminders or other optional processing anytime

B. CCPA/CPRA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to Know: Request what personal information we collect, use, and disclose
  • Right to Delete: Request deletion of personal information we have collected (with limited exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information; this right is not applicable
  • Right to Limit Use: Limit our use of sensitive personal information (we use minimal sensitive data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Designate an Agent: You may authorize an agent to submit requests on your behalf

C. PIPEDA Rights (Canadian Residents)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) grants you:

  • Right to Access: Request access to your personal information
  • Right to Correct: Request correction of inaccurate information
  • Right to Understand Use: Know how your information is being used
  • Right to Withdraw Consent: Withdraw consent for optional processing, including marketing communications
  • Right to Request Deletion: Request deletion of personal information (subject to legal retention requirements)

D. LGPD Rights (Brazilian Residents)

If you are a Brazilian resident, the Lei Geral de Proteção de Dados Pessoais (LGPD) grants you:

  • Right to Access: Request access to your personal data
  • Right to Correct: Correct inaccurate personal data
  • Right to Deletion: Request deletion of personal data (subject to legal obligations)
  • Right to Portability: Receive your data in portable format
  • Right to Opt-Out: Opt out of optional processing, including SMS reminders
  • Right to Information: Know how your data is processed and its legal basis

E. POPIA Rights (South African Residents)

If you are a South African resident, the Protection of Personal Information Act (POPIA) grants you:

  • Right to Access: Request a record of your personal information
  • Right to Correct or Delete: Request correction or deletion of inaccurate information
  • Right to Object: Object to the processing of your information
  • Right to Withdraw Consent: Withdraw consent for SMS and voice reminders
  • Right to Complain: Lodge a complaint with the Information Regulator

How to Exercise Your Rights

To exercise any of the rights above, please submit a request to roger@grubb.net with:

  • Your full name and registered email address
  • A clear description of the right you are exercising
  • Proof of your identity (if necessary for verification)

We will respond to your request within 30 days (or as required by applicable law). For GDPR requests, we have 30 calendar days; for CCPA requests, 45 calendar days; for other jurisdictions, we follow the specified timelines.

Verification of Requests

We may request additional information to verify your identity before fulfilling your request. This protects your privacy and prevents unauthorized access to your information.

Right to Appeal

If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority (DPA for GDPR, Attorney General for CCPA, etc.).

11. Children's Privacy

NagMe is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, please do not create an account or provide information to NagMe.

If we become aware that a user is under 13 and has provided personal information, we will delete that information promptly and terminate the account. Parents or guardians who believe their child has provided information to NagMe should contact us immediately at roger@grubb.net.

This policy complies with the Children's Online Privacy Protection Act (COPPA) in the United States.

12. California Residents — Additional Disclosures

California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents have the right to request information about personal information we share with third parties for their direct marketing purposes. However, NagMe does not share personal information with third parties for their direct marketing purposes. We only share data with service providers who process information on our behalf.

California Consumer Privacy Act (CCPA) and CPRA

In addition to the CCPA/CPRA rights listed in Section 10, California residents should know:

  • Categories of Personal Information: Name, email, phone number, timezone, usage data, device information, payment information
  • Purpose of Collection: Service delivery, payment processing, account authentication, security
  • We Do Not Sell or Share Data: Your information is not sold or shared for behavioral advertising or marketing purposes
  • Retention Period: Data is retained while your account is active and for 30 days after deletion (except legally required data)

Metrics (CPRA)

Upon request, we will provide you with the following metrics about privacy requests from California residents:

  • Number of requests received, completed, and denied
  • Average time to respond to requests

Contact us at roger@grubb.net to request these metrics.

13. Do Not Sell or Share My Personal Information

NagMe does not sell, rent, or share personal information with third parties for marketing, advertising, or any purpose outside of direct service delivery.

Your personal information is shared only with service providers who help us operate the app (Clerk, Stripe, Telnyx, Vercel, Neon). These providers are contractually bound to use your information solely to provide the services we request.

We do not engage in targeted advertising, behavioral profiling, or cookie-based tracking for any commercial purpose.

If you have questions about this practice, contact us at roger@grubb.net. California residents may also use the "Do Not Sell or Share My Personal Information" link (if displayed) or contact us to opt out.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending you an email notification of significant changes
  • Requesting your consent if required by applicable law

Your continued use of NagMe after changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

NagMe Privacy Contact
Operator: Roger Grubb
Email: roger@grubb.net
Location: United States

We will acknowledge your request within 5 business days and respond fully within 30 days (or as required by applicable law).

Data Protection Authorities

If you are in the EU/EEA and believe we have violated your privacy rights, you may lodge a complaint with your local Data Protection Authority:

  • European Commission: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
  • Your Country's DPA: Find your local DPA through the above link

If you are in California and have a complaint about our privacy practices, you may contact the California Attorney General or file a complaint with the California Privacy Protection Agency (CPRA).

This Privacy Policy is provided for informational purposes. It reflects our current practices as of the date stated above. For the most up-to-date version, please check this page regularly.