1. Introduction

Welcome to PushFlow ("we," "our," or "us"). PushFlow is a push notification management platform that helps you send targeted notifications to your users through Firebase Cloud Messaging. We are committed to protecting your privacy and handling your data in an open and transparent manner.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

2. Information We Collect

2.1 Personal Information

We collect the following personal information when you register and use PushFlow:

• Account Information: Email address, name, and password (encrypted)
• Authentication Data: Multi-factor authentication (MFA/2FA) settings and tokens - 2FA is mandatory for all accounts
• Payment Information: Processed securely through our third-party payment processor, LemonSqueezy. We do not store your credit card information on our servers

Security Requirement: Two-Factor Authentication (2FA) is required for all PushFlow accounts to protect your sensitive Firebase and Supabase credentials. We collect and store your 2FA method (authenticator app, SMS, etc.) and backup codes.

2.2 Project and Technical Information

• Firebase Integration: Your Firebase project credentials, service account keys, and FCM tokens (stored encrypted)
• Supabase Integration: Project URL and anonymous keys for database access (stored encrypted using AES-256-GCM encryption)
• Notification Data: Message content, scheduling information, and delivery statistics
• Usage Data: IP addresses, browser type, device information, pages visited, time spent on pages, and other diagnostic data

2.3 Tracking Technologies

We use cookies and similar tracking technologies to track activity on our service:

• Google Analytics: To analyze website traffic and user behavior
• Microsoft Clarity: For session recordings and heatmaps to improve user experience
• Authentication Cookies: To maintain your logged-in session

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, operate, and maintain PushFlow services
• Notification Management: To send push notifications to your users through Firebase Cloud Messaging
• Payment Processing: To process your subscription payments through LemonSqueezy
• Customer Support: To respond to your inquiries and provide technical support
• Service Improvement: To analyze usage patterns and improve our platform
• Security: To detect, prevent, and address technical issues and fraudulent activities
• Communication: To send you service-related announcements, updates, and promotional materials (with your consent)
• Legal Compliance: To comply with applicable laws and regulations

4. Third-Party Service Providers

We share your information with the following third-party service providers to facilitate our services:

4.1 Infrastructure and Hosting

• Vercel: Hosting and deployment of our web application
• MongoDB Atlas: Database storage for user data, projects, and notification records
• Supabase: Authentication services and real-time database functionality

4.2 Payment Processing

• LemonSqueezy: Payment processing, subscription management, and billing. LemonSqueezy handles all payment card information in compliance with PCI DSS standards

4.3 Analytics and Monitoring

• Google Analytics: Website analytics and user behavior tracking
• Microsoft Clarity: Session replay and user experience analysis

4.4 Notification Delivery

• Firebase Cloud Messaging (FCM): Push notification delivery to end-users

These service providers have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

• Encryption: All sensitive data (Firebase credentials, Supabase keys) is encrypted at rest using AES-256-GCM encryption
• Secure Transmission: All data is transmitted over HTTPS with TLS 1.3
• Access Controls: Strict access controls and authentication mechanisms
• Mandatory 2FA: Two-Factor Authentication is required for all accounts to prevent unauthorized access
• Regular Audits: Regular security audits and updates to our infrastructure

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

5.1 Your Security Responsibilities

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: Data is retained while your account is active
• Deleted Accounts: Upon account deletion, personal data is removed within 30 days, except where we are required to retain it for legal or compliance purposes
• Notification Records: Notification delivery logs are retained for 90 days for analytics and support purposes
• Financial Records: Payment records are retained for 7 years for tax and legal compliance

7. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Request restriction of processing your personal data
• Right to Data Portability: Request transfer of your data to another service
• Right to Object: Object to our processing of your personal data
• Right to Withdraw Consent: Withdraw consent at any time where we rely on consent

To exercise these rights, please contact us at the email address provided at the end of this policy.

8. Children's Privacy

PushFlow is not intended for use by children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately, and we will take steps to delete such information.

9. International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. By using PushFlow, you consent to the transfer of your information to our facilities and those third parties with whom we share it as described in this policy.

10. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights regarding your personal information:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by businesses
• Right to opt-out of sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising CCPA rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under GDPR. Our legal basis for processing your personal data includes:

• Contractual Necessity: Processing necessary to provide our services
• Legitimate Interests: For service improvement and security
• Consent: For marketing communications and non-essential cookies
• Legal Obligation: For compliance with applicable laws

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our service.

You can opt-out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. For Microsoft Clarity, you can manage your preferences through your browser settings.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We will also notify you via email or prominent notice on our service prior to the change becoming effective.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at: