Privacy Policy
Effective date: March 30, 2026 · Last updated: March 30, 2026
Questions? Contact us at legal@notifykit.io
1 Information We Collect
Account Information: When you register, we collect your name, email address, company name, and password (hashed).
Billing Information: Payment details are processed by our third-party payment processor (Stripe). NotifyKit does not store full card numbers.
API & Usage Data: We log API requests, notification delivery events, channel configuration, and usage statistics to operate and improve the platform.
Notification Content: When you use our platform to send messages (emails, SMS, push notifications, etc.), the content of those messages transits through or is temporarily stored on our infrastructure solely for the purpose of delivery.
End-User Data: If you use NotifyKit to communicate with your own end-users, you may transmit personal data about those individuals (such as phone numbers, email addresses, device tokens). You are the data controller for that data; we process it as a data processor on your behalf.
Technical Data: IP addresses, browser type, referring URLs, and device identifiers collected automatically when you access the platform.
2 How We Use Your Information
- Providing, operating, and maintaining the NotifyKit platform and APIs.
- Routing and delivering notifications across Email (SMTP, SendGrid, SES), SMS (Twilio, Vonage, SNS), Push (FCM, APNs, Web Push), Webhooks, Slack, WhatsApp Business API, and other integrated channels.
- Authenticating your account and ensuring platform security.
- Billing and subscription management.
- Sending transactional communications (receipts, security alerts, service updates).
- Improving, personalizing, and developing new features of the platform.
- Complying with legal obligations, including telecommunications regulations applicable to SMS and voice messaging.
- Investigating abuse, spam, and violations of our Acceptable Use Policy.
3 SMS and Telecommunications Data
Where our platform is used to send SMS or voice messages, we act as an intermediary between you and downstream carriers/aggregators (e.g., Twilio, Vonage). The following applies:
- Phone numbers and message content are transmitted to carrier networks solely for delivery purposes.
- We do not sell SMS opt-in data or phone numbers to third parties for marketing purposes.
- You are responsible for obtaining valid consent from recipients before sending SMS messages, in compliance with applicable laws (e.g., TCPA in the US, PECR in the UK, CASL in Canada).
- Delivery receipts and carrier-level metadata may be retained for up to 90 days for troubleshooting and analytics.
- Message logs containing content may be stored for up to 30 days unless you configure a shorter retention period in your dashboard.
4 Email Sending and SMTP
NotifyKit may act as an SMTP relay or integrate with third-party email service providers (SendGrid, Amazon SES, Mailgun, etc.) on your behalf. When sending email:
- Email addresses of recipients are processed solely to deliver messages you initiate.
- We implement SPF, DKIM, and DMARC authentication on shared infrastructure and support custom domain authentication.
- Bounce, complaint, and unsubscribe events are recorded and surfaced in your analytics dashboard.
- You must not use NotifyKit's email infrastructure to send unsolicited commercial email (spam). Violations may result in immediate account suspension.
- Email content passing through our platform may be briefly buffered in memory or on disk during delivery queuing but is not permanently stored beyond 30 days unless required for compliance.
5 Sharing and Disclosure
We do not sell your personal data. We may share information in the following circumstances:
- Service Providers: We share data with sub-processors (cloud hosting, SMS/email carriers, analytics tools) under data processing agreements. A current sub-processor list is available upon request at legal@notifykit.io.
- Legal Requirements: We may disclose information if required by law, court order, or to protect the rights and safety of NotifyKit or others.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you prior to transfer.
- With Your Consent: We may share data for other purposes with your explicit consent.
6 Data Retention
- Account data is retained for the duration of your subscription plus 90 days after account closure, unless a longer period is required by law.
- Notification logs and delivery records: 30 days by default, configurable up to 1 year on paid plans.
- Billing records: 7 years, as required by financial regulations.
- You may request deletion of your data at any time by emailing legal@notifykit.io. We will process verified requests within 30 days.
7 Security
We implement industry-standard technical and organizational measures to protect your data, including:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest.
- API keys hashed and never stored in plaintext after creation.
- Role-based access controls (RBAC) and audit logging on our internal systems.
- Regular penetration testing and vulnerability assessments.
- SOC 2 Type II compliance (report available under NDA upon request).
No system is completely secure. In the event of a data breach affecting your data, we will notify you as required by applicable law.
8 Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction / Objection: Restrict or object to certain types of processing.
- Opt-out of Sale (CCPA): We do not sell personal data. No opt-out is required.
To exercise any of these rights, email legal@notifykit.io with your request and sufficient information to verify your identity.
9 Cookies and Tracking
We use cookies and similar tracking technologies on our website and dashboard for:
- Essential cookies: Session management and authentication.
- Analytics cookies: Aggregated usage statistics to improve the platform (e.g., page views, feature adoption). No personally identifiable information is shared with analytics providers.
You can control cookies through your browser settings. Disabling essential cookies may impair platform functionality.
10 International Data Transfers
NotifyKit's infrastructure is primarily hosted in the European Union and the United States. If you are located in the EEA, UK, or Switzerland, data transferred to the US is protected by Standard Contractual Clauses (SCCs) approved by the European Commission. By using our Services, you consent to the transfer of your data to countries where our sub-processors operate.
11 Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or via a prominent notice in the dashboard at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
For any privacy-related requests or questions, please email legal@notifykit.io. We aim to respond within 5 business days.