Pushpad Logo Pushpad

Privacy Policy

Location and GDPR compliance

Pushpad is based in Italy and data is hosted mainly in Europe. When we transfer data outside Europe we always make sure that the companies are compliant with EU privacy laws. As of May 2018, all our service providers are GDPR compliant.

Data we hold

Pushpad stores data about:

  1. Our users (i.e. the customers who sign up to Pushpad in order to add notifications to their website)
  2. Our users' end-users (i.e. the customers of our users that receive the notifications)

Pushpad does not share, or resell, any kind of user data (whether data described in point 1 or 2 above).

Data held on our users

Pushpad collects account information for each user, including:

Data held on our users' end-users

Data held on our users' end-users include:

We do not perform any kind of profiling. Data used for targeting are processed as strings by Pushpad and we don't extract any specific meaning.

Data persistence and rectification

Our users can use the account features to remove or update their data and data held on end-users.

Our users' end-users can contact our users if they want to remove or update their data. End-users can also remove their subscription to the push notifications from the browser settings: Pushpad automatically removes expired endpoints and associated data.

The notifications are stored for 35 days and then automatically removed from our database.

Backups and logs can have a duration up to 1 year.

Access to data and portability

Pushpad grants you the ownership on your data and on your users' data. You can access to your account and export your data at any time.

We strive for data portability. You can export all the endpoints and key pairs required for web push and move to a different solution at any time. If you care about data portability make sure that you use Pushpad Pro; if you use Pushpad Express the subscriptions are bound to a Pushpad subdomain, so you cannot move to a different service due to technical limitations. Additional technical limitations apply to Safari desktop and to legacy products.

Data usage

Data collected is used for:

Data about our users' end-users, collected for example through the SDK, is used solely for technical purposes. Pushpad doesn't use, aggregate or resell it for marketing purposes. This doesn't limit what you can do with your user data through Pushpad.

Consent

Our users' consent is explicitly provided because they perform actions on Pushpad.

End-users' consent to receive push notifications is explicitly provided when they allow push notifications for a website in their browser settings. They can revoke their permission at any time from the browser settings.

Data protection and security

We care about security and we follow best practices to reduce the risk of data breaches: you can read more in the Security section.

When we design a new feature, security is the first citizen. For example, when we have designed a way to target specific users, we have decided to force the developer to include a user ID signature: in this way notifications are confidential by default and nobody can subscribe to notifications as if it was another user.

Data breaches

Data breaches will be notified to our users within 72 hours, after having become aware of it. It is then the responsibility of our users to report this data-breach to their end-users.

Data processors

Data is collected and manipulated both on our own devices and on third-party servers. Our web application servers are provided by Digital Ocean Inc. Data is also stored on Amazon Web Services. We also use many different services suited for specific purposes, for example: Mailchimp for email marketing, Sendgrid for transactional emails, G Suite for support emails, Logz.io for logs, Chargebee for invoicing, Userecho for feedback, Datadog for server monitoring, Statuspage.io for the status page, Stripe for payments, SiteGround for the blog.

Push notifications are delivered through proprietary services depending on the user browser (e.g. Firebase, Mozilla autopush, Windows Push Notification Services and Apple Push Notification service).

Analytics and cookies

As most websites do, we use cookies for technical reasons.

Beside that we use third party services (Google Analytics) for analytics. Data collected by those services is anonymized (IP anonymization) and it is not merged with data from other sources (i.e. it is used only for analytics and not shared to other services like Adwords).

The Javascript SDK that you include on your website does not contain any tracking code and does not use cookies. The same apply the subscription pages provided by Pushpad Express. Basically your end-users are not tracked with third-party services.

Data controller

Data holder is AbstractBrain srls unipersonale (P. IVA: 02516920036), located in Via G. B. Palletta, 11, 28865 Crevoladossola (VB), Italy.

Inside the company, the Data Protection Officer is Marco Colli, born in Domodossola, the 27th of february 1991 and residing in Crevoladossola (VB), Italy.