Privacy Policy — Tidings
Effective date: [Effective date]
Last updated: 2026-06-20 (draft)
Tidings ("Tidings", "we", "us", "our") is a developer-first push notification service for iPhone and Mac. This Privacy Policy explains what personal data we collect, why, on what legal basis, how long we keep it, who we share it with, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
This policy covers the Tidings apps (iOS, macOS), the web dashboard/console, the marketing website, and the ingestion API (POST /api/ingest).
1. Data controller
The data controller responsible for processing your personal data is:
[Legal name]
[Address]
[Country]
Company / VAT number: [Company number / BCE]
Contact: [Contact email]
If you have any question about this policy or about how we handle your data, contact us at [Contact email].
Data Protection Officer (DPO): [DPO email or “We have not appointed a DPO; for any data-protection question contact [Contact email].”]
Note for review: appointing a DPO is generally not mandatory under Art. 37 GDPR for an organisation of this profile, but the contact route above must be valid either way.
2. What data we collect
We deliberately collect as little as possible. We do not run advertising trackers, we do not sell personal data, and we do not build advertising profiles.
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, account identifier, Sign in with Apple identifier (if used) | You / Apple, at sign-up |
| Device tokens (APNs) | The Apple Push Notification service token for each iPhone/Mac you register, platform (ios/macos), environment (sandbox/production) | Your device, when you sign in |
| Notification & event content | The title, body, severity, status, url, sections, timeline, actions and related fields you (or your systems) send to the ingestion API | Sent by you / your integrations |
| Workspace & membership data | Workspace name, your role, invitations you send or accept (invitee email) | You |
| Source & API-key metadata | Source names/slugs, key name, key prefix, a one-way hash of each API key, last-used timestamp | You, via the web console |
| Read receipts & usage counters | Which notifications a member has read, monthly event counts, device/source counts | Generated by your use of the service |
| Technical/log data | IP address, timestamps, request metadata, error logs needed to operate and secure the service | Automatically |
| Dashboard cookies | Session/authentication cookie for the web dashboard (see §9) | Your browser |
About notification content. The body of the notifications you send may itself contain personal data (for example a customer email in a "new feedback" alert). When you send such content through Tidings, you decide what to include. For that content, you generally act as the controller and Tidings acts as your processor (see §3 and §11). Do not send special-category data (health, biometrics, etc.) unless you have your own lawful basis to do so. [REVIEW: confirm the controller/processor split and reflect it in the DPA / Terms.]
We do not intentionally collect special categories of personal data (Art. 9 GDPR).
3. Why we process it, and on what legal basis
| Purpose | Data used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and operate your account and workspaces | Account data, workspace/membership | Contract (Art. 6(1)(b)) |
| Authenticate you (incl. Sign in with Apple) | Account data, dashboard cookie | Contract (Art. 6(1)(b)) |
| Register your devices and deliver push notifications | Device tokens, notification content | Contract (Art. 6(1)(b)) |
| Ingest, store and display the events you send | Notification/event content, source/key metadata | Contract (Art. 6(1)(b)); for the content you send, processing on your behalf as processor |
| Enforce plan quotas and retention | Usage counters | Contract (Art. 6(1)(b)) |
| Secure the service, prevent abuse/spam, debug | Technical/log data, key hashes | Legitimate interests (Art. 6(1)(f)) — operating a reliable, abuse-free service |
| Send essential service/transactional messages | Account data | Contract (Art. 6(1)(b)) |
| Comply with legal obligations (e.g. accounting once billing launches) | Account/billing data | Legal obligation (Art. 6(1)(c)) |
| Optional product emails / marketing (if/when offered) | Account data | Consent (Art. 6(1)(a)), withdrawable at any time |
We do not currently run paid billing; this section will be updated when billing launches (see §5 and the Terms). [REVIEW once Stripe/StoreKit is wired.]
4. Subprocessors and recipients
We use a small set of vetted providers to run the service. We share only the data each one needs, under appropriate data-processing terms.
| Provider | Role | What they process | Location |
|---|---|---|---|
| Supabase (database, auth) on Amazon Web Services (AWS) | Hosting, database, authentication | All stored data (account, tokens, notification content, metadata) | EU — AWS eu-central-1 (Frankfurt, Germany) |
| Apple — Apple Push Notification service (APNs) | Push delivery | Device tokens + notification payload required to deliver each push | Apple infrastructure (see §6) |
| Vercel | Web/API hosting (dashboard, ingestion API, marketing site) | Request data, log/technical data; transient notification payloads in transit | See §6 [REVIEW: confirm/region-pin the Vercel deployment region] |
We may also engage providers for error monitoring, email delivery, and (once launched) payment processing. This list will be kept current. [REVIEW: add monitoring/email/payment subprocessors when adopted, with links to their terms.]
We do not sell your personal data and do not share it with advertising networks.
A current subprocessor list is available on request at [Contact email].
5. How long we keep your data (retention)
Notification / event content is retained according to your workspace plan, then purged automatically:
| Plan | Notification/event retention |
|---|---|
| Solo | 7 days |
| Pro | 90 days |
| Team | 1 year |
Retention figures mirror the product spec; confirm before launch. [REVIEW vs final pricing.]
Other data:
- Account data: kept while your account is active.
- Device tokens: kept while the device is registered; removed when you sign out, remove the device, or when APNs reports the token as invalid.
- API-key hashes / metadata: kept while the key exists; on revocation, the key can no longer be used and is marked revoked.
- Logs / technical data: kept for a limited period for security and debugging, then deleted or aggregated. [REVIEW: set a concrete log-retention window, e.g. 30–90 days.]
- Backups: data may persist in encrypted backups for a short rolling window after deletion, then is overwritten. [REVIEW: state the backup window.]
Account deletion = effective purge. When you delete your account, we delete your account data, your device tokens, and the notification content of your personal workspace, and we trigger removal from active systems (subject to the short backup window above and any data we must retain by law, e.g. accounting records once billing exists). See §7 for how to request it.
6. International transfers
Our primary data store is hosted in the EU (AWS eu-central-1, Frankfurt). We aim to keep personal data within the EU/EEA.
Some processing may nonetheless involve providers organised outside the EEA:
- Apple / APNs: to deliver a push notification, the device token and payload are sent to Apple's push infrastructure. This delivery is inherent to the iOS/macOS push mechanism. Where this involves a transfer outside the EEA, it is governed by Apple's terms and, where applicable, Standard Contractual Clauses (SCCs). [REVIEW: confirm Apple's transfer mechanism / DPA reference.]
- Vercel: depending on deployment configuration, request processing may involve infrastructure outside the EEA. Where applicable, transfers rely on SCCs and additional safeguards. [REVIEW: pin Vercel region and confirm safeguards.]
Where we transfer personal data outside the EEA, we rely on an appropriate safeguard under Chapter V GDPR (typically the European Commission's Standard Contractual Clauses). You can ask us for more information at [Contact email].
7. Your rights under the GDPR
If your personal data is processed by us, you have the following rights:
- Access (Art. 15) — obtain confirmation and a copy of your data.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) — delete your data (account deletion triggers this; see §5).
- Restriction (Art. 18) — limit how we process your data in certain cases.
- Data portability / export (Art. 20) — receive your data in a structured, machine-readable format, including an export of your account and events. [REVIEW: confirm the in-product export covers this.]
- Objection (Art. 21) — object to processing based on legitimate interests, and object at any time to direct marketing.
- Withdraw consent (Art. 7(3)) — where processing is based on consent (e.g. marketing emails), withdraw it at any time, without affecting prior lawful processing.
To exercise any right, contact [Contact email]. We will respond within the timeframe required by the GDPR (generally one month, extendable for complex requests). We may need to verify your identity first.
Right to lodge a complaint. You can complain to a supervisory authority. For Belgium this is the Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA), Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels — https://www.autoriteprotectiondonnees.be. You may also contact the supervisory authority of your EU country of residence.
Content you sent as controller. If you sent notification content that contains a third party's personal data, and that person asks us to action a request, we will generally refer them to you as the controller and assist you as your processor. [REVIEW with the DPA.]
8. Security
We take technical and organisational measures appropriate to the risk (Art. 32 GDPR), including:
- EU hosting of the primary data store (AWS eu-central-1).
- API keys are never stored in clear text — they are kept as a one-way hash; the full key is shown to you only once, at creation. Only a short non-secret prefix is retained for display. Keys can be revoked immediately.
- Row-Level Security (RLS) on the database so that each user/workspace can only access its own data; the ingestion path writes via a restricted service role and is never exposed to the client.
- Encryption in transit (HTTPS/TLS) for the API, dashboard and app.
- Access controls, logging, and least-privilege practices for our team and providers.
No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights, we will notify the competent authority and, where required, affected users, in line with Arts. 33–34 GDPR. [REVIEW: confirm encryption-at-rest details and breach process.]
9. Cookies (web dashboard & site)
The Tidings web dashboard/console uses a small number of strictly necessary cookies to keep you signed in and to operate the app securely (e.g. a session/authentication cookie). These are required for the service to function and do not require consent under the ePrivacy rules.
We do not use advertising or cross-site tracking cookies. If we later add any non-essential analytics, we will ask for your consent first and update this section. [REVIEW: confirm the exact cookie list and whether any analytics is used; add a cookie table if needed.]
10. Children / minors
Tidings is a developer tool and is not directed to children. It is intended for users who are at least the age of digital consent in their country (16 in many EU states, or as lowered to 13–15 by national law; [set the minimum age you enforce]). We do not knowingly collect personal data from children below that age. If you believe a child has provided us with personal data, contact [Contact email] and we will delete it.
11. Tidings as your processor (developers)
When you push notification content through Tidings, you may be acting as the controller of the personal data inside that content, with Tidings acting as your processor. In that case, the processing terms (a Data Processing Agreement / Art. 28 GDPR addendum) apply in addition to this policy. [REVIEW: provide a DPA and reference it here, and confirm the controller/processor allocation. Do not finalise without legal review.]
12. Changes to this policy
We may update this policy as the product evolves (notably when billing launches or when we add subprocessors). We will update the "Last updated" date and, for material changes, notify you by a reasonable means (e.g. in-app or by email).
13. Contact
Questions, requests, or complaints about this policy or your data:
[Legal name]
[Contact email]
[Address]
This document is a draft and does not constitute legal advice. It must be reviewed and adapted by a qualified professional before publication.