Privacy Policy
Last Updated: December 19, 2025
Introduction
NexoLab Igor Barkowski operates the notifer.io website and mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.
We are committed to transparency and protecting your privacy. This policy is written in plain language to help you understand exactly what data we collect and why.
Data We Collect
1. Account Information
When you create an account, we collect:
- Email address - for login and important service notifications
- Username - your chosen display name
- Password - stored as a secure hash (we cannot see your actual password)
- OAuth data - if you sign in with Google (provider ID and email)
2. Device Information (Mobile Apps)
When you use our mobile apps, we collect:
- Push notification token - required to send notifications to your device
- Device ID - unique identifier from your device manufacturer
- Platform - iOS or Android
- Device name - (optional) e.g., "iPhone 14 Pro"
- App version - to provide support and fix bugs
3. Usage Data
When you use the Service, we automatically collect:
- Messages - content you publish to topics (stored for up to 60 days depending on your plan)
- Topics - names of topics you create or subscribe to
- Timestamps - when you create topics, send messages, or log in
- IP address - temporarily logged for security and debugging (typically deleted within 7 days)
4. Cookies and Analytics
We use:
- Essential cookies - for authentication (JWT tokens) - required for the Service to work
- Live chat cookies - the Crisp chat widget uses cookies to maintain your chat session and identify returning users
- Google Analytics - to understand how people use our Service (anonymized data)
You can control analytics cookies through our cookie banner.
How We Use Your Data
We use your data solely to provide and improve the Service. Under GDPR, we process your data based on the following legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Deliver notifications - send messages to your devices | Contract performance |
| Authentication - verify identity, secure your account | Contract performance |
| Service functionality - topics, subscriptions, history | Contract performance |
| Customer support - respond to your inquiries | Contract performance / Legitimate interest |
| Service improvement - analytics, bug fixes | Legitimate interest |
| Security - fraud prevention, abuse detection | Legitimate interest |
| Legal compliance - respond to legal requests | Legal obligation |
| Marketing emails - product updates (optional) | Consent (opt-in) |
We never:
- ❌ Sell your data to third parties
- ❌ Use your message content for advertising
- ❌ Share your data except as described in this policy
Data Sharing and Third Parties
We share your data only with service providers necessary to operate Notifer:
Expo Push Notifications
- Purpose: Send push notifications to iOS and Android devices
- Data shared: Push tokens, device IDs, message content (temporary)
- Location: United States
- Legal basis: EU-US Data Privacy Framework
- More info: Expo Privacy Policy
Cloud Infrastructure
- Providers: OVHCloud or similar hosting services
- Purpose: Host our servers and databases
- Data shared: All Service data (encrypted at rest)
- Location: European Union
Payment Processing (Paid Plans)
- Provider: Paddle.com (Merchant of Record)
- Purpose: Process subscription payments, handle VAT/sales tax, issue invoices
- Data shared: Email, billing information, country (for tax calculation)
- Note: Paddle acts as the seller of record - your payment relationship is with Paddle
- Privacy: See Paddle's Privacy Policy
Important: Under GDPR, buyer data received from Paddle may only be used for:
- ✅ Order fulfillment and product delivery
- ✅ Order and product support
- ✅ Fraud prevention
- ❌ Marketing requires your separate consent
Customer Support (Live Chat)
- Provider: Crisp IM SARL (France)
- Purpose: Provide live chat support and personalized assistance
- Data shared: Email, username, avatar, subscription plan, account creation date
- Location: European Union (France)
- Legal basis: Legitimate interest (customer support)
- Privacy: See Crisp Privacy Policy
Note: Your chat history with our support team is stored by Crisp. You can request deletion by contacting us.
Analytics
- Provider: Google Analytics
- Purpose: Understand Service usage
- Data shared: Anonymized usage data (no message content)
- Control: You can opt out via cookie settings
International Data Transfers
We are based in Poland (European Union).
Some of our service providers are located outside the EU:
- Expo Push Service: United States (covered by EU-US Data Privacy Framework)
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework participation
- Encryption in transit and at rest
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until you delete your account | Service functionality |
| Messages | Up to 60 days (varies by plan) | Storage optimization |
| Device tokens | Until you unregister the device | Push notifications |
| IP addresses | 7 days | Security and debugging |
| Analytics data | 26 months | Google Analytics default |
After deletion, data may remain in backups for up to 90 days before permanent deletion.
Your Rights (GDPR)
Under European data protection law (GDPR), you have the right to:
1. Access Your Data
Request a copy of all personal data we hold about you.
How: Settings → Account → Download My Data
2. Rectification
Correct inaccurate or incomplete data.
How: Settings → Account → Edit Profile
3. Erasure ("Right to be Forgotten")
Request deletion of your account and all associated data.
How: Settings → Account → Delete Account
Note: After deletion, we cannot recover your data.
4. Data Portability
Download your data in JSON format.
How: Settings → Account → Download My Data
5-8. Other Rights
You may also:
- Restrict processing of your data
- Object to processing
- Withdraw consent (e.g., for marketing emails)
- File a complaint with UODO (uodo.gov.pl)
Contact: support@notifer.io
Data Security
We take security seriously:
- ✅ Encryption: HTTPS for all connections, encrypted database storage
- ✅ Authentication: Secure password hashing (bcrypt), JWT tokens
- ✅ Access control: Private topics protected by authentication
- ✅ Regular updates: Security patches applied promptly
- ✅ Monitoring: Automated alerts for suspicious activity
However, no system is 100% secure. We recommend:
- Use strong, unique passwords
- Enable two-factor authentication (coming in v1.1)
- Don't publish sensitive data to public topics
Children's Privacy
Notifer is not intended for users under 16 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us at support@notifer.io.
Changes to This Policy
We may update this Privacy Policy occasionally. Changes will be posted on this page with an updated "Last Updated" date.
Material changes will be communicated via:
- Email notification
- In-app announcement
- Banner on notifer.io
Continued use of the Service after changes constitutes acceptance.
Contact Us
Questions or concerns about privacy?
- Company: NexoLab Igor Barkowski
- Email: support@notifer.io
- Phone: +48 739 567 348
- Location: Gdańsk, Poland
We do not have a Data Protection Officer (DPO) as we are a small business not engaged in large-scale data processing. For privacy inquiries, contact us at the email above.
Summary: We collect only what's necessary to provide Notifer. Your message content is yours, stored for up to 60 days, and never used for advertising. You can export or delete your data anytime.