Privacy Policy
Your privacy is fundamental. This policy explains how we handle data across our event-driven notification platform.
Last updated: December 28, 2025
This Privacy Policy describes how RalphNex OÜ (Registry Code: 16932562), operating as Pushary, collects, processes, stores, and protects personal information when you use our platform. As an Estonian company operating within the European Union with infrastructure hosted in Germany, we are committed to transparent data practices and continuous improvement of our privacy standards.
1. Data Controller Information
RalphNex OÜ, a company registered in Estonia under Registry Code 16932562, acts as the data controller for personal data collected through the Pushary platform and website. For inquiries regarding data processing, contact us at business@ralphnex.com.
When you use Pushary to send notifications to your end-users, you act as the data controller for your subscriber data, and we act as a data processor on your behalf.
2. Information We Collect
2.1 Account Information (Data We Control)
When you register for a Pushary account, we collect:
- Identity Data: First name, last name, email address, and profile image (provided through Clerk authentication)
- Account Data: User ID, authentication tokens, account preferences, and timezone settings
- Workspace Data: Workspace names, slugs, team member relationships, and role assignments (owner, admin, member, viewer)
- Billing Data: Stripe customer ID, subscription plan, payment status, and billing history (processed through Stripe; we do not store credit card numbers)
2.2 Site Configuration Data
For each site you create within your workspace, we store:
- Site name, domain, and configuration settings
- VAPID key pairs (public and private keys) generated uniquely per site for cryptographic push notification authentication
- API key hashes and prefixes (full API keys are shown only once upon generation)
- Site icons, logos, and branding assets you upload
2.3 Subscriber Data (Data We Process on Your Behalf)
When end-users subscribe to notifications through your site, we collect and process:
- Push Subscription Data: Endpoint URL, P256DH key, and authentication key required for Web Push protocol delivery
- Device Information: Browser type, operating system, device type (desktop/mobile/tablet), and user agent string
- Geographic Data: Country, city, and timezone derived from IP address geolocation (if enabled)
- Custom Attributes: Tags, external IDs, and custom metadata you assign to subscribers through our SDK or API
- Engagement Data: Subscription date, last active date, notification delivery count, click count, and subscription status
2.4 Analytics and Event Data
We collect analytics data to provide reporting and improve the Service:
- Notification events: impressions, clicks, dismissals, delivery successes, and failures
- Campaign performance metrics: total targeted, sent, delivered, clicked, and failed counts
- Daily aggregated statistics per site
- Action button interactions with associated action IDs
2.5 Technical and Log Data
We automatically collect technical information when you access our platform:
- IP addresses and request metadata
- Browser type, version, and language preferences
- Access times, pages visited, and referral URLs
- API request logs including endpoints, timestamps, and response codes
- Error logs and diagnostic information for troubleshooting
3. Legal Basis for Processing (GDPR Article 6)
We process personal data under the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, notification delivery, and billing
- Legitimate Interests (Art. 6(1)(f)): Processing for platform security, fraud prevention, service improvement, and analytics where our interests do not override your rights
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including tax regulations, court orders, and regulatory requirements
- Consent (Art. 6(1)(a)): Where applicable, processing based on your explicit consent, which you may withdraw at any time
For subscriber data that you collect through our platform, you are the data controller and must ensure you have obtained appropriate consent or legal basis from your end-users.
4. How We Use Your Information
We process collected information for the following purposes:
- Service Delivery: Operating and maintaining our event-driven notification platform, processing notification delivery through our Kafka-based message queue, and providing real-time analytics
- Account Management: Creating and managing your account, authenticating access, processing workspace and team management operations
- Billing Operations: Processing subscription payments through Stripe, managing plan changes, and maintaining billing records
- Platform Security: Detecting and preventing fraud, unauthorized access, and abuse through Row-Level Security policies and access controls
- Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance
- Service Improvement: Analyzing usage patterns, identifying performance issues, and developing new features
- Communication: Sending service updates, security alerts, and important notices related to your account
- Legal Compliance: Fulfilling legal obligations, responding to lawful requests, and protecting our legal rights
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data in the following limited circumstances:
5.1 Service Providers (Sub-Processors)
We engage trusted third-party service providers who process data on our behalf under strict contractual obligations:
- Clerk (Authentication): User authentication and identity management - processes account credentials and session data
- Neon (Database): PostgreSQL database hosting - stores all platform data with encryption at rest
- Vercel (Hosting): Application hosting and CDN - processes request data and serves the dashboard application
- Stripe (Payments): Payment processing - handles billing data and payment transactions
- Upstash/Kafka Provider (Message Queue): Event streaming - processes notification delivery events
- Push Service Providers (Google FCM, Mozilla, Apple APNs): Notification delivery - receives push subscription endpoints and encrypted notification payloads
5.2 Legal Requirements
We may disclose information when required by law, including:
- Response to valid legal process (subpoenas, court orders, warrants)
- Compliance with applicable laws, regulations, or government requests
- Protection of our legal rights, property, or safety
- Prevention or investigation of possible wrongdoing
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any changes to applicable privacy terms.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Account Data: Retained while your account is active and for 30 days following a deletion request to enable account recovery
- Subscriber Data: Retained according to your subscription plan (7 days for Free, 30 days for Starter, 90 days for Growth, custom for Enterprise)
- Analytics Data: Aggregated daily statistics retained according to your plan's data retention limits
- Notification Event Logs: Retained according to your plan limits; individual notification records may be purged after delivery confirmation
- Billing Records: Retained for 7 years as required by Estonian tax law and applicable accounting standards
- Security Logs: Retained for 90 days for security monitoring and incident investigation
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or necessary to protect our legitimate interests.
7. Data Security
We implement comprehensive technical and organizational measures to protect your data:
7.1 Technical Safeguards
- Encryption in Transit: All data transmitted to and from our platform is encrypted using TLS 1.2 or higher
- Encryption at Rest: Database storage encrypted using AES-256 encryption at the infrastructure level
- Row-Level Security (RLS): PostgreSQL RLS policies enforce multi-tenant data isolation at the database level
- VAPID Authentication: Unique cryptographic key pairs per site for secure push notification delivery
- API Key Security: API keys stored as secure hashes; full keys shown only once upon generation
- Secure Authentication: Authentication handled by Clerk with support for MFA and secure session management
7.2 Operational Safeguards
- Access controls limiting data access to authorized personnel
- Regular security assessments and vulnerability monitoring
- Incident response procedures for security events
- Secure development practices and code review processes
7.3 Infrastructure Security
- Hosting on SOC 2 Type II certified infrastructure (Vercel, Neon)
- Geographic redundancy and automated backups
- DDoS protection and rate limiting
- Isolated worker processes for notification delivery
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data.
8. Your Privacy Rights
We respect your rights regarding your personal data. Depending on your location and applicable laws, you may have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing
- Right to Restrict Processing: Request limitation of processing while we verify accuracy or assess objections
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at business@ralphnex.com. We will respond within 30 days. We may request verification of your identity before processing your request.
9. Data Location and Transfers
Our primary infrastructure is hosted in Germany within the European Union. Your data may be processed in the following locations:
- Primary Database: Germany (EU) - PostgreSQL database hosting
- Application Hosting: Global CDN with edge processing
- Authentication: Clerk processes authentication data
- Payments: Stripe processes billing data
Some of our service providers operate internationally. When your data is transferred outside the European Union, we work with providers who implement appropriate data protection measures.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our platform:
10.1 Essential Cookies
Required for platform functionality. These cannot be disabled:
- Authentication session cookies (managed by Clerk)
- CSRF protection tokens
- Load balancer session persistence
10.2 Functional Cookies
Enhance your experience by remembering preferences:
- Theme preferences (light/dark mode)
- Dashboard layout settings
- Language preferences
10.3 Analytics Cookies
Help us understand platform usage:
- Page view tracking
- Feature usage analytics
- Error tracking and diagnostics
You can control cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.
11. Data Processing Relationship
When you use Pushary to send notifications to your end-users, we process subscriber data on your behalf. Our commitments include:
- Processing data according to your instructions for notification delivery
- Maintaining confidentiality of subscriber information
- Implementing technical and organizational security measures
- Assisting with data subject requests upon your instruction
- Deleting or returning data upon account termination
Enterprise customers requiring formal data processing agreements should contact us at business@ralphnex.com.
12. Children's Privacy
The Pushary platform is designed for business use and is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at business@ralphnex.com, and we will take steps to delete such information.
If you use Pushary to send notifications, you are responsible for ensuring your service is appropriate for your audience and that you comply with applicable laws regarding children's privacy (including COPPA in the United States).
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information we have collected
- Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment
- Right to Opt-Out: We do not sell personal information; therefore, there is no sale to opt out of
To exercise CCPA rights, contact us at business@ralphnex.com. We will verify your identity before processing requests.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will notify you of material changes by:
- Posting the updated policy on our website with a new effective date
- Sending email notification to registered account holders for significant changes
- Displaying a notice in the dashboard interface
We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our data protection team:
RalphNex OÜ
Registry Code: 16932562
Jurisdiction: Estonia, European Union
Infrastructure Location: Germany, European Union
Email: business@ralphnex.com