Do I need to eject from Expo?

No! BundleNudge works perfectly with Expo (bare workflow, dev clients, and CNG). You don't need to handle complex native linking manually.

How does this compare to CodePush?

CodePush is deprecated and will be shut down in March 2025. BundleNudge is a modern replacement with faster updates, better dashboarding, and predictable flat-rate pricing.

What happens if I push a broken update?

Our SDK monitors crash rates after updates. If crashes spike, we automatically roll back users to the previous stable version in under 60 seconds—no manual intervention required.

Does this violate App Store guidelines?

No. Apple explicitly allows over-the-air updates for interpreted code (JavaScript) as long as you don't significantly change the primary purpose of the app. This is outlined in App Store Review Guideline 3.3.2.

How is pricing calculated?

Simple: MAU (monthly active users that receive updates). No bandwidth charges, no per-seat pricing. $19.99/mo for up to 50K MAU on Pro. Free tier available for up to 5K MAU.

How long does migration take?

Most teams migrate in under 25 minutes. Our SDK is a drop-in replacement for CodePush, and we provide a step-by-step migration guide with code examples for common patterns.

Yes. All bundles are encrypted at rest and in transit using TLS. Every bundle is cryptographically signed with SHA-256, and the SDK verifies integrity before applying updates. We never have access to your source code.

Data Processing Agreement

Name: BundleNudge
Author: BundleNudge

Last updated: February 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between BundleNudge AB ("Processor", "we", "us") and the customer ("Controller", "you") using our services.

This DPA applies when we process personal data on your behalf as part of providing the BundleNudge service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR
"Data Subject" means the individual to whom Personal Data relates
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf
"GDPR" means the General Data Protection Regulation (EU) 2016/679
"UK GDPR" means the GDPR as incorporated into UK law

2. Scope and Roles

2.1 Controller and Processor

For the purposes of this DPA:

You (the Customer) are the Controller of Personal Data uploaded to or processed through the Service
BundleNudge is the Processor, processing Personal Data only on your documented instructions

2.2 Data Processed

The Personal Data processed under this DPA may include:

Category	Types of Data	Data Subjects
Device Data	Anonymous device identifiers, app version, OS version	Your end users
Usage Metrics	Update download counts, success/failure rates	Your end users (aggregated)
Technical Data	IP addresses (for CDN delivery), timestamps	Your end users

Note: BundleNudge is designed to minimize personal data collection. Device identifiers are anonymous and cannot identify individuals without additional information held by you.

3. Processing Instructions

3.1 Documented Instructions

We will only process Personal Data:

In accordance with your documented instructions
As necessary to provide the Service under the Terms of Service
As required by applicable law (we will inform you unless prohibited)

3.2 Purpose Limitation

We will process Personal Data solely for:

Delivering OTA updates to your end users
Providing usage analytics and metrics to you
Maintaining and improving the Service
Detecting and preventing abuse or security incidents

4. Security Measures

4.1 Technical Measures

We implement appropriate technical measures including:

Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
Access controls with role-based permissions
Multi-factor authentication for administrative access
Regular security assessments and penetration testing
Automated vulnerability scanning

4.2 Organizational Measures

We implement appropriate organizational measures including:

Employee confidentiality obligations
Data protection training for personnel
Access limited to personnel who need it
Documented security policies and procedures
Incident response procedures

For full details, see our Security Policy.

5. Sub-processors

5.1 Authorized Sub-processors

You authorize us to engage the following sub-processors:

Sub-processor	Purpose	Location	Safeguards
Cloudflare, Inc.	CDN, storage (R2), edge computing	USA / Global	EU-US DPF, SCCs
Fly.io, Inc.	Application hosting	EU / Global	SCCs, EU data centers
Railway Corporation	Database hosting	USA	SCCs
Stripe, Inc.	Payment processing	USA	EU-US DPF, SCCs

5.2 Sub-processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to a new sub-processor by notifying us within 14 days of our notice.

5.3 Sub-processor Obligations

We ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you in responding to Data Subject requests to exercise their rights under GDPR, including:

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure (Article 17)
Right to restriction (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)

6.2 Response Time

We will notify you of any Data Subject request within 5 business days and provide reasonable assistance to fulfill the request within legal timeframes.

7. Data Breach Notification

7.1 Notification

We will notify you of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

7.2 Breach Notice Contents

Our notification will include, to the extent available:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information

7.3 Assistance

We will cooperate with you and provide reasonable assistance in investigating the breach and meeting your notification obligations to supervisory authorities and Data Subjects.

8. International Transfers

8.1 Transfer Mechanisms

When we transfer Personal Data outside the EEA/UK, we ensure appropriate safeguards through:

EU-US Data Privacy Framework (for US recipients that are certified)
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission

8.2 Additional Safeguards

Where required, we implement supplementary measures including:

Encryption of data in transit and at rest
Pseudonymization where feasible
Contractual commitments regarding government access requests

9. Data Retention and Deletion

9.1 Retention

We retain Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in this DPA.

9.2 Deletion

Upon termination of the Service or your written request:

We will delete or anonymize Personal Data within 30 days
We will provide certification of deletion upon request
We may retain data where required by law, in which case we will inform you of the legal requirement

10. Audits and Compliance

10.1 Audit Rights

You have the right to audit our compliance with this DPA. We will:

Make available all information necessary to demonstrate compliance
Allow for and contribute to audits and inspections
Provide access to relevant documentation and personnel

10.2 Audit Process

Audits will be conducted:

With reasonable advance notice (at least 30 days, except in emergencies)
During normal business hours
In a manner that minimizes disruption to our operations
Subject to confidentiality obligations

10.3 Certifications

We may provide third-party certifications or audit reports (such as SOC 2) as an alternative to on-site audits, where available.

11. Liability

The liability provisions in the Terms of Service apply to this DPA. Each party remains liable for its own breaches of applicable data protection law.

12. Term and Termination

This DPA:

Comes into effect when you start using the Service
Remains in effect for the duration of your use of the Service
Survives termination with respect to any Personal Data we continue to process

13. Governing Law

This DPA is governed by the laws of Sweden. For disputes related to this DPA, the courts of Stockholm, Sweden shall have exclusive jurisdiction.

14. Contact

For questions about this DPA or to exercise your rights:

Email: dpa@bundlenudge.com
Address: BundleNudge AB, [Your Address], [City], Sweden

Enterprise Customers: If you require a signed DPA or custom data processing terms, please contact enterprise@bundlenudge.com.

Data Processing Agreement

Last updated: February 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between BundleNudge AB ("Processor", "we", "us") and the customer ("Controller", "you") using our services.

This DPA applies when we process personal data on your behalf as part of providing the BundleNudge service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR
"Data Subject" means the individual to whom Personal Data relates
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf
"GDPR" means the General Data Protection Regulation (EU) 2016/679
"UK GDPR" means the GDPR as incorporated into UK law

2. Scope and Roles

2.1 Controller and Processor

For the purposes of this DPA:

You (the Customer) are the Controller of Personal Data uploaded to or processed through the Service
BundleNudge is the Processor, processing Personal Data only on your documented instructions

2.2 Data Processed

The Personal Data processed under this DPA may include:

Category	Types of Data	Data Subjects
Device Data	Anonymous device identifiers, app version, OS version	Your end users
Usage Metrics	Update download counts, success/failure rates	Your end users (aggregated)
Technical Data	IP addresses (for CDN delivery), timestamps	Your end users

Note: BundleNudge is designed to minimize personal data collection. Device identifiers are anonymous and cannot identify individuals without additional information held by you.

3. Processing Instructions

3.1 Documented Instructions

We will only process Personal Data:

In accordance with your documented instructions
As necessary to provide the Service under the Terms of Service
As required by applicable law (we will inform you unless prohibited)

3.2 Purpose Limitation

We will process Personal Data solely for:

Delivering OTA updates to your end users
Providing usage analytics and metrics to you
Maintaining and improving the Service
Detecting and preventing abuse or security incidents

4. Security Measures

4.1 Technical Measures

We implement appropriate technical measures including:

Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
Access controls with role-based permissions
Multi-factor authentication for administrative access
Regular security assessments and penetration testing
Automated vulnerability scanning

4.2 Organizational Measures

We implement appropriate organizational measures including:

Employee confidentiality obligations
Data protection training for personnel
Access limited to personnel who need it
Documented security policies and procedures
Incident response procedures

For full details, see our Security Policy.

5. Sub-processors

5.1 Authorized Sub-processors

You authorize us to engage the following sub-processors:

Sub-processor	Purpose	Location	Safeguards
Cloudflare, Inc.	CDN, storage (R2), edge computing	USA / Global	EU-US DPF, SCCs
Fly.io, Inc.	Application hosting	EU / Global	SCCs, EU data centers
Railway Corporation	Database hosting	USA	SCCs
Stripe, Inc.	Payment processing	USA	EU-US DPF, SCCs

5.2 Sub-processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to a new sub-processor by notifying us within 14 days of our notice.

5.3 Sub-processor Obligations

We ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you in responding to Data Subject requests to exercise their rights under GDPR, including:

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure (Article 17)
Right to restriction (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)

6.2 Response Time

We will notify you of any Data Subject request within 5 business days and provide reasonable assistance to fulfill the request within legal timeframes.

7. Data Breach Notification

7.1 Notification

We will notify you of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of the breach.

7.2 Breach Notice Contents

Our notification will include, to the extent available:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information

7.3 Assistance

We will cooperate with you and provide reasonable assistance in investigating the breach and meeting your notification obligations to supervisory authorities and Data Subjects.

8. International Transfers

8.1 Transfer Mechanisms

When we transfer Personal Data outside the EEA/UK, we ensure appropriate safeguards through:

EU-US Data Privacy Framework (for US recipients that are certified)
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission

8.2 Additional Safeguards

Where required, we implement supplementary measures including:

Encryption of data in transit and at rest
Pseudonymization where feasible
Contractual commitments regarding government access requests

9. Data Retention and Deletion

9.1 Retention

We retain Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in this DPA.

9.2 Deletion

Upon termination of the Service or your written request:

We will delete or anonymize Personal Data within 30 days
We will provide certification of deletion upon request
We may retain data where required by law, in which case we will inform you of the legal requirement

10. Audits and Compliance

10.1 Audit Rights

You have the right to audit our compliance with this DPA. We will:

Make available all information necessary to demonstrate compliance
Allow for and contribute to audits and inspections
Provide access to relevant documentation and personnel

10.2 Audit Process

Audits will be conducted:

With reasonable advance notice (at least 30 days, except in emergencies)
During normal business hours
In a manner that minimizes disruption to our operations
Subject to confidentiality obligations

10.3 Certifications

We may provide third-party certifications or audit reports (such as SOC 2) as an alternative to on-site audits, where available.

11. Liability

The liability provisions in the Terms of Service apply to this DPA. Each party remains liable for its own breaches of applicable data protection law.

12. Term and Termination

This DPA:

Comes into effect when you start using the Service
Remains in effect for the duration of your use of the Service
Survives termination with respect to any Personal Data we continue to process

13. Governing Law

This DPA is governed by the laws of Sweden. For disputes related to this DPA, the courts of Stockholm, Sweden shall have exclusive jurisdiction.

14. Contact

For questions about this DPA or to exercise your rights:

Email: dpa@bundlenudge.com
Address: BundleNudge AB, [Your Address], [City], Sweden

Enterprise Customers: If you require a signed DPA or custom data processing terms, please contact enterprise@bundlenudge.com.