LitePush

Privacy Policy

Last updated: 2026-05-26

1. Who we are

LitePush is a hosted Web Push notification service (the "Service"). The Service runs on globally-distributed infrastructure (see §6 and §7). For questions related to this policy contact support@litepush.dev. For the data we process on our customers' behalf (their end-user push subscribers), the customer is the data controller and LitePush is the processor — see our Data Processing Addendum.

2. What we collect about you (our customer)

  • Account email (used for sign-in via link)
  • Display name (if you set one)
  • Billing details — handled directly by Stripe; we do not see card numbers
  • Project metadata you create (project names, origins, broadcasts you compose)
  • Aggregate usage metrics (push counts, delivery success rates)
  • Service logs that may include your IP address for up to 30 days for security and abuse prevention

3. What we process about your end users

When your visitors subscribe via the LitePush SDK we store the following per subscriber:

  • The browser-issued push endpoint URL
  • The encryption keys (p256dh, auth) required by the Web Push protocol
  • The User-Agent header sent with the subscribe request, retained for diagnostics
  • The optional external_id you pass through the SDK; LitePush treats it as opaque
  • Group memberships you assign through the API or dashboard
  • Event metadata (delivery, click, dismissal, failure) tied to broadcasts you send

We do not store end-user IP addresses, names, or run any device-fingerprinting — the User-Agent string is logged as-is for diagnostics, not correlated to identify or track end users.

4. Legal basis for processing (GDPR Art. 6)

  • Contract — to provide the Service you signed up for (account, billing, dashboard, API access)
  • Legitimate interest — for security logging, abuse prevention, and aggregate usage metrics
  • Consent — for any future product-update emails (we do not currently send these)
  • Legal obligation — to retain billing records required by tax / accounting law

For end-user subscriber data, the lawful basis is your contract and DPA with LitePush. Obtaining consent from your end users to receive push notifications is your responsibility as the data controller.

5. Your rights under GDPR / UK GDPR

As a data subject you have the right to access, rectify, erase, restrict, port, or object to our processing of your personal data. You also have the right to lodge a complaint with a supervisory authority.

  • Access / portability — email support for a copy of your account data
  • Rectification — edit your name / email in the dashboard; for other corrections, email support
  • Erasure — delete your account from the Account page; cascade is immediate
  • Object / restrict — email support

For your end users' rights, you act as the data controller. LitePush provides tools so you can honour those requests: DELETE /v1/subscribers/by-endpoint and DELETE /v1/subscribers/by-external-id/:eid for erasure; GET /v1/subscribers/export and the dashboard's "Export CSV" button for portability.

6. Sub-processors

We rely on the following sub-processors to operate the Service:

  • Cloudflare — infrastructure provider that hosts and runs the Service
  • Stripe — billing and payment processing
  • Resend — transactional email (link sign-in, billing notices)
  • FCM / Apple Push / Mozilla autopush — push gateways chosen by the end user's browser at subscription time. We route encrypted payloads through them; they cannot read the content

We notify customers by email of material sub-processor changes before they take effect.

7. International transfers

Our infrastructure provider operates globally and may store and process data in any region where it operates. For transfers out of the EEA / UK we rely on Standard Contractual Clauses; see the DPA for details.

8. Retention

  • Account + project + subscriber data: until you delete it (cascading deletion is immediate)
  • Event history (delivered / clicked / failed): kept while the project exists; deleted on project deletion
  • Service logs (security / abuse): up to 30 days
  • Billing records: retained per Stripe's policies for legal / tax compliance

9. Security

All traffic is HTTPS. API keys are stored as SHA-256 hashes — we cannot recover the plaintext if you lose it (rotate from the project settings page). Sessions use signed cookies. Our infrastructure provider handles DDoS mitigation and at-rest encryption.

10. Cookies

We use a single first-party session cookie to keep you signed in. No third-party tracking cookies, no analytics scripts, no fingerprinting.

11. Children

The Service is not directed at children. Minors may use it only with parental or legal guardian consent under the eligibility section of the Terms of Service. If you believe a child has provided us with personal data without that consent, contact us and we will delete it.

12. Changes to this policy

We post material changes to this page and update the "Last updated" date above. Continued use of the Service after a change constitutes acceptance of the revised policy.

13. Contact

Privacy or data-subject requests: support@litepush.dev.