Privacy Policy
This Privacy Policy explains how Pushlane (“Pushlane”, “we”, “us”) collects and processes personal data when you use our website, our dashboard, and the Pushlane service. Pushlane is a push-only lifecycle-messaging platform for mobile applications. We process personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”), the French Data Protection Act (loi n° 78-17 “Informatique et Libertés”), and the ePrivacy rules as transposed in France.
1. Who we are (data controller)
The data controller for the processing described in this policy is Pushlane, the operator of the Pushlane service. You can reach us about any privacy matter at fray25031@gmail.com.
2. Scope — and our two roles
This policy covers the personal data for which Pushlane is the data controller: data about the people who visit our website, sign up for, administer, or are billed for a Pushlane account, and who contact our support.
It does not govern the end-user data that your mobile application sends to Pushlane (device push tokens, product events, user identifiers, delivery telemetry). For that data you are the controller and Pushlane acts as your processor, processing it only on your documented instructions to provide the service. That relationship is governed by our Data Processing Agreement (DPA) under Article 28 GDPR, available on request, not by this notice.
3. Personal data we collect, and its source
Account data — collected from you
Name, email address, password/authentication data (via Supabase), workspace and organisation details, and your role.
Billing data — collected from you and our payment provider
Billing name, billing country, subscription plan, and invoice history. Card details are collected and held by Lemon Squeezy as Merchant of Record; Pushlane receives confirmation of your subscription and entitlement status, not your full card number.
Usage, technical and support data — collected automatically
IP address, device/browser metadata, dashboard usage, request logs, and diagnostic/error data (via Sentry), plus any content you send us when you contact support.
Data obtained indirectly
Where you connect a third-party integration (for example RevenueCat), we may receive subscription/entitlement signals about your account from that provider. The categories and source are described in Section 5.
4. Why we process it, and on what legal basis
- Providing and operating the service, and billing you — performance of our contract with you, Art. 6(1)(b).
- Security, fraud and abuse prevention, and improving the product — our legitimate interests in running a secure, reliable service, Art. 6(1)(f).
- Meeting our legal, accounting and tax obligations — compliance with a legal obligation, Art. 6(1)(c).
- Non-essential cookies and marketing emails — your consent, Art. 6(1)(a), which you may withdraw at any time.
Providing account and billing data is necessary to enter into and perform the contract; without it we cannot create or maintain your account.
5. Recipients and sub-processors
We do not sell personal data. We share it with the service providers below, each bound by appropriate data-protection terms and processing personal data only as needed for its stated role. We update this list as our providers change.
- Cloudflare, Inc. — Edge compute, event ingestion, queues, Durable Objects, and push-delivery infrastructure. (USA / global edge (EU-US DPF))
- Supabase, Inc. — Authentication and the application database (accounts, workspaces, flows, consent records). (EU region / USA)
- ClickHouse, Inc. — Analytical storage for product events, decisions, and delivery telemetry. (EU region / USA)
- Vercel Inc. — Hosting and delivery of the Pushlane web dashboard. (USA (EU-US DPF))
- Functional Software, Inc. (Sentry) — Application error monitoring and diagnostics. (USA (EU-US DPF))
- RevenueCat, Inc. — Subscription and entitlement signals, when you connect RevenueCat to trigger flows. (USA (EU-US DPF))
- Apple Inc. (APNs) — Apple Push Notification service — delivery of push notifications to end-user devices. (USA / global)
- Lemon Squeezy, LLC — Merchant of Record — payment processing, tax (VAT/GST) handling, invoicing, and refunds for paid plans. (USA (EU-US DPF))
We may also disclose data where required by law, to enforce our terms, or in connection with a merger or acquisition (with notice where required).
6. International data transfers
Some of the providers above process data outside the European Economic Area, in particular in the United States. Where this occurs we rely on an adequate transfer mechanism: the European Commission’s EU-US Data Privacy Framework adequacy decision (10 July 2023) where the recipient is DPF-certified, and otherwise the European Commission’s 2021 Standard Contractual Clauses (Decision (EU) 2021/914) together with supplementary measures and a transfer-impact assessment. You can request a copy of the relevant safeguards at fray25031@gmail.com.
7. How long we keep it
- Account data — for the life of your account and a limited period afterwards, then deleted or anonymised.
- Billing and accounting records — retained for ten (10) years, as required by French commercial and tax law.
- Logs and security data — kept for a short operational period appropriate to security and debugging needs.
- Cookie consent proof and cookie lifetimes — capped at thirteen (13) months, per CNIL guidance.
8. Your rights
Subject to applicable law, you have the right to access, rectify, and erase your personal data; to restrict or object to certain processing; to data portability; and to withdraw consent at any time without affecting processing carried out before withdrawal. You may also give directives on the fate of your personal data after death (Art. 85 of the French Data Protection Act).
To exercise these rights, account holders can export and erase data from Settings → Privacy & GDPR in the dashboard, or write to fray25031@gmail.com. We respond within one month. We may ask you to verify your identity. End users of our customers’ apps should contact the relevant app, which is the controller of that data.
You also have the right to lodge a complaint with the French supervisory authority, the CNIL (Commission nationale de l’informatique et des libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.
9. Cookies and trackers
Our dashboard uses strictly necessary cookies for authentication and session management; these do not require consent. We set non-essential cookies (for example analytics) only with your prior consent, collected through our consent banner where refusing is as easy as accepting. You can change or withdraw your choices at any time, and we re-collect consent at most every thirteen (13) months. We do not run third-party advertising trackers in the dashboard.
10. Security
We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR), including encryption in transit, per-app tenant isolation, access controls on a least-privilege basis, and logging and monitoring. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the CNIL and, where required, affected individuals in line with Articles 33 and 34 GDPR.
11. Automated decision-making
We do not make decisions about you that are based solely on automated processing and that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR.
12. Children
Pushlane is a business product and is not directed to children. We do not knowingly collect personal data directly from children. In France, the age of digital consent is 15.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will change the “Last updated” date above and, for material changes, provide additional notice. The current version always governs.
14. Contact
For any privacy question or to exercise your rights, contact us at fray25031@gmail.com. See also our Terms of Service and our Refund Policy.