Privacy Policy

1. Introduction

OpenPushAPI ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our push notification API platform at openpushapi.com and related services (collectively, "the Service"). Please read this policy carefully. If you do not agree with its terms, please discontinue use of the Service.

Controller: OpenPushAPI is operated by the legal entity identified in customer invoices and agreements. For privacy questions before signup, contact privacy@openpushapi.com.

2. Information We Collect

Account data: When you register, we collect your name, email address, and password (hashed). If you upgrade to a paid plan, payment information is processed by Stripe — we store only a customer token reference, not your card details.

Usage data: We collect information about how you use the Service, including API requests, notification campaigns created, features used, and log data (IP address, browser, timestamps).

Subscriber data (your end-users): When your website or app integrates our SDK, we collect push subscription tokens and associated device information (browser, OS, device type, language, timezone) on your behalf. This data belongs to you and is processed by us solely to deliver notifications for your account. We also collect anonymous geo-location data (country/city) derived from IP addresses.

Communications: If you contact us by email, we retain those communications to respond to inquiries and improve our support.

3. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process payments and manage billing
• Send transactional emails (receipts, password resets, usage alerts)
• Monitor and analyze usage to improve the Service
• Detect, prevent, and address technical issues and abuse
• Comply with legal obligations

We do not sell your personal data or use it for advertising purposes.

4. Data Sharing & Subprocessors

We do not sell, trade, or rent your personal information to third parties. We use a small set of subprocessors solely to operate the Service:

• Payments: Stripe (PCI-compliant payment processing)
• Push delivery providers: Google Firebase Cloud Messaging (Android), Apple Push Notification service (iOS), and the browser-vendor Web Push endpoints (Chrome, Firefox, Edge, Safari). Your notification payloads are transmitted to these services for delivery.
• Infrastructure: Our own delivery infrastructure for the API, console, and worker pipeline.
• Transactional email: SMTP delivery for receipts, password resets, and usage alerts.
• Legal requirements: If required by law, court order, or governmental authority.
• Business transfers: In connection with a merger, acquisition, or sale of assets — with adequate privacy protections.

A Data Processing Agreement (DPA) is available on request — email privacy@openpushapi.com.

5. Cookies

We use only essential cookies necessary to operate the Service:

• Session cookie: Keeps you logged in to the console (HttpOnly, Secure, SameSite=Lax)
• CSRF token: Protects forms from cross-site request forgery

We do not use advertising cookies, tracking pixels, or third-party analytics on our platform. The public website may use minimal analytics (privacy-first, no personal data stored).

6. Data Retention

We retain your data for as long as your account is active. Notification delivery logs and analytics are retained based on your plan:

Upon account deletion, all personal data is removed within 30 days.

7. Security

We implement industry-standard security measures including:

• TLS encryption for all data in transit
• Bcrypt password hashing
• VAPID key encryption for web push subscriptions
• API key separation (public app key vs private app secret)
• Rate limiting and abuse detection
• Regular security audits

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@openpushapi.com.

8. GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under GDPR:

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to portability: Receive your data in a machine-readable format
• Right to restriction: Request restricted processing of your data
• Right to object: Object to processing based on legitimate interests

To exercise these rights — including requesting a data export or account deletion — email privacy@openpushapi.com from the address associated with your account. We will respond within 30 days. Data export is provided in JSON format.

9. CCPA (California Residents)

California residents have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of personal information
• Opt-out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising CCPA rights

To submit a CCPA request, contact privacy@openpushapi.com.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected such information, we will delete it immediately. If you believe a minor has submitted information to us, please contact privacy@openpushapi.com.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for cross-border transfers, including Standard Contractual Clauses where applicable for EU data. Our delivery infrastructure spans multiple regions to ensure performance and compliance.

12. Contact Us

For privacy-related requests or questions about this policy, contact our privacy team: