Legal · GDPR
Data Processing Agreement (DPA)
user_id feature (Pro plan) to track
whether your app users received a notification. Without user_id,
Pushproof only processes aggregated technical data and acts as controller for your
developer account.
1. Scope
This Data Processing Agreement (“DPA”) governs processing of personal data by Pushproof on behalf of the Customer as a processor under Article 28 GDPR. It supplements the Terms of use and prevails on data protection matters for end-user data.
Acceptance occurs upon account creation and/or first use of the user_id feature.
2. Roles
Processor: Christophe Surbier (Pushproof)
NIF: Y3258958X · ESY3258958X
Riera Blanca 45-47, 08028 Barcelona, Spain
Email: contact@pushproof.dev
Controller: the Customer (developer or organisation holding the Pushproof Account), who determines purposes and means regarding their end users.
3. Data processed
- Opaque user ID (
user_id) — hashed at ingestion (user_id_hash), never stored in plain text - Device identifier — hashed (
device_id_hash) - Delivery metadata: campaign ID, platform, receipt timestamp
Data subjects: end users of the Customer’s mobile application.
4. Documented instructions
Pushproof processes data only on documented instructions from the Customer via dashboard configuration, SDK integration and voluntary user_id submission, plus export/deletion requests to contact@pushproof.dev.
5. Confidentiality
Persons authorised to process data are bound by appropriate confidentiality obligations.
6. Security measures
- TLS encryption for all communications;
- hashing of device and user IDs at ingestion;
- logical isolation per Customer account;
- access controls on production systems;
- regular database backups.
7. Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| OVH | Application hosting | France |
| Clever Cloud | Database, ingestion queue, object storage | France |
| Resend | Transactional email (Customer account only) | EU / US (SCCs) |
We will notify the Customer of intended sub-processor changes, allowing objection on legitimate grounds.
8. Data subject rights
Pushproof assists the Customer in responding to access, rectification, erasure, restriction, portability and objection requests from end users.
The Customer may request deletion for a given user_id_hash via contact@pushproof.dev or admin API when available.
9. Data breaches
Pushproof will notify the Customer without undue delay and within 72 hours of becoming aware of a personal data breach affecting the Customer’s data, with available information to support the Customer’s notification duties.
10. End of contract
Upon termination, Pushproof deletes or returns all personal data processed for the Customer, except where legal retention applies. Cold archives (Cellar) are deleted per the retention policy of the subscribed plan.
11. Audits
Pushproof provides information demonstrating DPA compliance. The Customer may audit or appoint a third-party auditor on reasonable notice, subject to confidentiality and a once-per-year limit unless an incident occurred.
12. Contact
- Data / DPA: contact@pushproof.dev
- Privacy policy
- Terms of use