Data Processing Addendum
Last updated: 2026-05-26
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and LitePush ("Processor") and governs the processing of personal data of Customer's end users (push subscribers) through the LitePush Service. It is automatically incorporated into your agreement when you subscribe end users via the LitePush SDK or API. No signature is required, though Customer may request a countersigned copy by emailing support@litepush.dev.
1. Definitions
Terms not defined here have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). "Customer Data" means personal data of Customer's end users that Customer transmits to LitePush through the Service.
2. Roles and scope
- Customer is the data controller for Customer Data
- LitePush is the data processor acting on Customer's documented instructions
- This DPA applies for as long as LitePush processes Customer Data on Customer's behalf
3. Nature and purpose of processing
LitePush processes Customer Data solely to provide the Web Push notification Service: accepting subscribe / unsubscribe requests, storing endpoint URLs and encryption keys, delivering notifications you trigger, recording delivery / click / failure events, and exposing aggregated counts through your dashboard.
4. Categories of data subjects and data
- Data subjects: Customer's end users who subscribe to push notifications
- Categories of data: push endpoint URL, p256dh/auth encryption keys, User-Agent string, optional external_id provided by Customer, optional group memberships, and event metadata (delivery / click / failure timestamps)
- Special categories: LitePush does not knowingly process special-category data under GDPR Art. 9; Customer agrees not to transmit such data through the Service
5. Customer instructions
LitePush will process Customer Data only on Customer's documented instructions. The Service and this DPA constitute Customer's standing instructions. LitePush will inform Customer if it considers an instruction to infringe applicable data protection law.
6. Confidentiality
LitePush ensures that personnel authorised to process Customer Data are bound by an obligation of confidentiality.
7. Security (Art. 32)
- All transport encrypted via TLS 1.2+
- At-rest encryption provided by our infrastructure provider
- API keys stored only as SHA-256 hashes
- Database access restricted to LitePush personnel via authenticated CLI
- Service logs retained no longer than 30 days
- Incident response procedures documented internally
8. Sub-processors
Customer authorises LitePush to engage the following sub-processors:
- Cloudflare, Inc. — infrastructure provider that hosts and runs the Service
- Stripe, Inc. — billing (does not receive end-user data)
- Resend, Inc. — transactional email to Customer (does not receive end-user data)
- FCM, Apple Push Notification service, Mozilla autopush — push delivery gateways selected by the end user's browser
LitePush will notify Customer at the support email on file at least 30 days before engaging a new sub-processor. If Customer objects in writing on reasonable data-protection grounds, Customer may terminate the agreement and receive a pro-rated refund of prepaid fees for the remaining term.
9. International transfers
Where Customer Data is transferred outside the EEA / UK, the parties rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — controller to processor) which are incorporated into this DPA by reference. For UK data, the UK International Data Transfer Addendum applies in addition.
10. Data-subject requests
LitePush provides Customer with the technical means to satisfy data-subject access, portability, and erasure requests:
- Erasure (Art. 17): DELETE /v1/subscribers/by-endpoint or DELETE /v1/subscribers/by-external-id/:eid
- Portability (Art. 20): GET /v1/subscribers/export for CSV export
- Restriction / objection: setting a subscriber's status to unsubscribed via POST /v1/unsubscribe halts further delivery
If LitePush receives a data-subject request directed at Customer Data, LitePush will forward it to Customer rather than respond directly.
11. Breach notification
LitePush will notify Customer at the support email on file without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Data, and will provide reasonably available information to support Customer's own notification obligations.
12. Audits
LitePush will make available to Customer the information necessary to demonstrate compliance with Art. 28 GDPR. Audits may be conducted by emailing support@litepush.dev with a documented audit plan. Audits are limited to once per 12-month period unless a regulator requires otherwise, and are at Customer's cost when LitePush is not in material breach.
13. Deletion or return of data
On termination of the agreement, LitePush will, at Customer's choice, delete or return all Customer Data within 30 days, except where storage is required by law. Customer may at any time delete projects and their subscriber rows from the dashboard; deletion cascades immediately.
14. Liability
Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
15. Contact
Data-protection contact: support@litepush.dev.