Last updated: March 29, 2026 · Your rights under EU/EEA data protection law
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all organizations operating within the EU/EEA or processing data of EU/EEA residents. It gives individuals strong rights over their personal data and requires organizations to handle data transparently and lawfully.
For data we collect about you (our customer) — your account details, billing info, and usage data — PushWave acts as the data controller, determining why and how your data is processed.
For the push subscriber data you collect from your website visitors, PushWave acts as a data processor, processing that data only on your documented instructions.
We process personal data only when we have a valid legal basis:
Request a full copy of all personal data we hold about you, including how we process it and with whom we share it.
Request correction of inaccurate or incomplete personal data. You can also update most data yourself in your account settings.
"Right to be forgotten." Request deletion of your personal data. We will comply within 30 days unless legal retention obligations apply.
Receive your personal data in a structured, machine-readable format (JSON or CSV) and transfer it to another service.
Request that we temporarily stop processing your data in specific circumstances, such as while a dispute is being resolved.
Object to processing based on legitimate interests. You can also opt out of marketing communications at any time.
To exercise any of your GDPR rights:
If you are using PushWave in a business capacity and are subject to GDPR, you may require a Data Processing Agreement (DPA) with us. Our DPA is available upon request and covers:
To request a DPA, email gdpr@pushwave.io.
Our servers are located in the European Union. If we transfer data outside the EU/EEA, we do so using adequate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.
We use the following subprocessors to operate our service, each bound by appropriate data processing agreements:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected users within 72 hours where the risk is high.
If you believe we have not adequately addressed your GDPR concerns, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority at edpb.europa.eu.
For all GDPR-related matters, contact our Data Protection Officer: