Privacy Policy

Who We Are

PushWave ("we", "us", "our") is a web push notification platform. We operate the PushWave service accessible at this domain. For GDPR purposes, PushWave is the data controller of account and usage data. For subscriber data collected on your behalf, you are the data controller and we act as your data processor.

What We Collect

Account Data

When you register, we collect: name, email address, hashed password, company name (optional), and payment details (processed by Stripe/PayPal — we never store card numbers).

Usage Data

We automatically collect: IP address, browser type, operating system, pages visited, feature usage, and API call logs. This data helps us improve the service and diagnose problems.

Subscriber Data (on your behalf)

When your website visitors subscribe to push notifications, we collect on your behalf: browser push endpoint URL, browser type, OS, device type, country, and language. This is the minimum data required to deliver push notifications.

How We Use Your Data

• Provide, maintain, and improve the PushWave service
• Process payments and send billing-related emails
• Send transactional emails (account updates, password resets)
• Send product updates and newsletters (you can opt out at any time)
• Detect fraud and prevent abuse
• Comply with legal obligations
• Respond to support requests

We never sell your data or use it for third-party advertising.

Who We Share Data With

We share data only with trusted service providers necessary to operate PushWave:

• Stripe / PayPal — Payment processing. Their privacy policies govern payment data.
• Cloud hosting providers — Server infrastructure. Bound by data processing agreements.
• Email service providers — Transactional email delivery.

We may disclose data if required by law, court order, or to protect the rights and safety of PushWave and its users.

Data Retention

We retain your account data for as long as your account is active. When you delete your account, we permanently delete all your data within 30 days, except where we are required to retain it for legal or tax purposes (up to 7 years for financial records).

Push subscriber data is deleted when a subscriber unsubscribes, or when you delete your account.

Your Rights

You have the right to:

• Access — Request a copy of all data we hold about you
• Rectification — Correct inaccurate personal data
• Erasure — Request deletion of your personal data
• Portability — Export your data in a machine-readable format
• Restriction — Request that we limit processing of your data
• Objection — Object to processing based on legitimate interest

For EU/EEA residents, see our GDPR page for additional rights and how to exercise them. To make a request, email privacy@pushwave.io. We will respond within 30 days.

Cookies

We use the following cookies:

• Session cookie — Required to keep you logged in. Expires when you close your browser or after 30 days (if "remember me" is selected).
• CSRF token — Security cookie to prevent cross-site request forgery. Session-scoped.

We do not use advertising cookies or third-party tracking cookies. We do not participate in cookie-based ad networks.

Security

We protect your data with industry-standard security measures: HTTPS encryption in transit, bcrypt password hashing, parameterized SQL queries to prevent injection attacks, and regular security updates. Sensitive API keys are stored encrypted.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@pushwave.io.

Children

PushWave is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us data, contact us and we will delete it promptly.

Contact Us

For privacy-related questions or to exercise your rights:

• Email: privacy@pushwave.io
• Response time: Within 30 days