Privacy Policy

GDPR compliance

Pushpad and all our service providers are GDPR compliant.

This document includes the Privacy Policy and the Data Processing Agreement.


Pushpad is based in Italy (and thus is directly subject to the GDPR) and data is hosted mainly in Europe.

When we use sub-processors located outside Europe we always make sure that the companies are compliant with EU privacy laws (e.g. they include the Standard Contractual Clauses in their DPA).

Data we hold

Pushpad stores data about:

  1. Our users (i.e. the customers who sign up to Pushpad in order to add notifications to their website)
  2. Our users' end-users (i.e. the customers of our users that receive the notifications)

Pushpad does not share, or resell, any kind of user data (whether data described in point 1 or 2 above).

Data held on our users

Pushpad collects account information for each user, including:

Data held on our users' end-users

Data held on our users' end-users include:

We do not perform any kind of profiling. Data used for targeting are processed as strings by Pushpad and we don't extract any specific meaning.

Data persistence and rectification

Our users can use the account features to remove or update their data and data held on end-users.

Our users' end-users can contact our users if they want to remove or update their data. End-users can also remove their subscription to the push notifications from the browser settings: Pushpad automatically removes expired endpoints and associated data.

The notifications are stored for 35 days and then automatically removed from our database.

Backups and logs can have a duration up to 1 year.

Access to data and portability

Pushpad grants you the ownership on your data and on your users' data. You can access to your account and export your data at any time.

We strive for data portability. You can export all the endpoints and key pairs required for web push and move to a different solution at any time.

Data usage

Data collected is used for:

Data about our users' end-users, collected for example through the SDK, is used solely for technical purposes. Pushpad doesn't use, aggregate or resell it for marketing purposes. This doesn't limit what you can do with your user data through Pushpad.


Our users' consent is explicitly provided because they perform actions on Pushpad.

End-users' consent to receive push notifications is explicitly provided when they allow push notifications for a website in their browser settings. They can revoke their permission at any time from the browser settings.

Data protection and security

We care about security and we follow best practices to reduce the risk of data breaches: you can read more in the Security section.

When we design a new feature, security is the first citizen. For example, when we have designed a way to target specific users, we have decided to force the developer to include a user ID signature: in this way notifications are confidential by default and nobody can subscribe to notifications as if it was another user.

Data breaches

Data breaches will be notified to our users within 72 hours, after having become aware of it. It is then the responsibility of our users to report this data-breach to their end-users.

Data processors

Data is collected and manipulated both on our own devices and on third-party servers. Our web application servers are provided by Digital Ocean Inc. Data is also stored on Amazon Web Services. We also use other services suited for specific purposes: Cloudflare for security and performance, Sendgrid for emails, Google Workspace for support emails, Google reCAPTCHA for bot protection, Logz.io for logs, Chargebee for invoicing, Datadog for server monitoring, Statuspage.io for the status page, Stripe for payments. We also use Google Ads for improving the advertising for our users that visit the Pushpad website directly (Google Ads is not used to track our users' end-users).

Push notifications are delivered through proprietary services depending on the user browser (e.g. Firebase, Mozilla autopush, Windows Push Notification Services and Apple Push Notification service).

Analytics and cookies

We care about privacy and we never use tracking cookies or similar technologies on your website. The JavaScript SDK that you include on your website does not contain any tracking code and does not use any kind of cookies. Basically your end-users are not tracked with third-party services and you don't need a cookie consent banner for using Pushpad.

However, if you visit the Pushpad website directly (e.g. you visit a page on pushpad.xyz), then we use cookies. As most websites do, we use cookies for technical reasons. We also use cookies to improve our advertising (Google Ads), when you give your consent.

You can clear all your cookie preferences and all data stored on your device at any time by using your browser preferences to clear browsing data.

Data holder

Data holder is AbstractBrain srls unipersonale (P. IVA: 02516920036), located in Via G. B. Palletta, 11, 28865 Crevoladossola (VB), Italy.

For the data regarding our users (e.g. basic profile information, billing info, etc.) we are the data controller. For the purposes of the Data Processing Agreement and for the data regarding our users' end-users (e.g. push subscriptions) we are the data processor, since we collect and process the data coming from other websites only for their purposes.

Inside the company, the Data Protection Officer is Marco Colli, born in Domodossola, the 27th of february 1991 and residing in Crevoladossola (VB), Italy.