Back to Home

PRIVACY POLICY

Effective Date: January 24, 2025
Last Updated: January 24, 2025

1. INTRODUCTION

This Privacy Policy ("Policy") governs the data collection, processing, and privacy practices of the Paddle Notifications mobile application ("App," "Service," "we," "us," or "our") developed and operated by the Developer ("Company"). By installing, accessing, or using the App, you ("user," "you," or "your") expressly consent to the collection, use, disclosure, and retention of your information as described in this Policy.

This Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy laws. We reserve the right to update this Policy at any time, and continued use of the App after changes constitutes acceptance of those changes.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

When you use our App, you voluntarily provide the following information:

  • Account Information: Email address and name (collected via Clerk authentication service)
  • Paddle API Credentials: Encrypted Paddle API keys for authentication with Paddle services (stored using AES-256-GCM encryption)
  • Webhook Configuration: Encrypted webhook secrets for receiving Paddle event notifications
  • Push Notification Tokens: Expo push tokens for delivering real-time notifications to your device
  • Subscription Information: RevenueCat subscription status, entitlement data, and subscription expiration dates
  • User Preferences: App settings and notification preferences

2.2 Information Collected Automatically

The App automatically collects certain information through your use:

  • Payment Event Data: Transaction details received from Paddle webhooks including transaction IDs, amounts, currency, payment methods (card type and last 4 digits), invoice numbers, product names and descriptions, pricing information, and subscription billing periods
  • Customer Information: Customer names, email addresses, and geographic locations (country, city, region) received from Paddle payment events
  • Subscription Data: Subscription IDs, billing period start and end dates, subscription status changes, and renewal information
  • Device Information: Device model, operating system version, unique device identifiers, screen resolution
  • Usage Analytics: App usage patterns, feature interactions, session duration, crash reports
  • Performance Data: App performance metrics, network latency, error logs

2.3 Information We Do NOT Collect

We explicitly do not collect:

  • Full payment card numbers (we only receive last 4 digits from Paddle)
  • CVV/CVC security codes or card expiration dates
  • Social Security numbers or government identifiers
  • Biometric data beyond Face ID/Touch ID authentication (stored locally only)
  • Precise GPS coordinates or real-time location tracking
  • Contact lists or address books
  • Photos or media files
  • Browsing history or search queries

3. HOW WE USE YOUR INFORMATION

3.1 Primary Purposes

We use collected information for the following purposes:

  • Service Provision: To enable core App functionality including Paddle webhook integration and push notifications
  • Authentication: To securely connect to your Paddle account and validate API credentials
  • Notification Delivery: To send real-time alerts about Paddle events (subscriptions, payments, refunds, etc.)
  • Security: To protect against unauthorized access and maintain service integrity
  • Performance Optimization: To improve App performance and user experience
  • Technical Support: To diagnose issues and provide customer support

3.2 Legal Basis for Processing (GDPR)

We process personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to perform our contract with you
  • Legitimate Interests: Our legitimate business interests that do not override your rights
  • Consent: Where you have provided explicit consent
  • Legal Obligation: To comply with applicable laws and regulations

3.3 Push Notifications

The App uses push notifications to deliver real-time payment event alerts. Push notification tokens (Expo push tokens) are considered personal data under GDPR and are processed with your consent.

What We Send:

  • Payment transaction notifications (amounts, customer names, product names)
  • Subscription status updates (new subscriptions, renewals, cancellations)
  • Refund and chargeback alerts
  • Free tier quota notifications (when approaching 15 notification/month limit)
  • Upgrade prompts (after reaching free tier limits)

Notification Frequency:

  • Free users: Up to 15 payment event notifications per month
  • Premium users: Unlimited payment event notifications
  • Notifications are sent in real-time when Paddle webhook events are received

Managing Push Notifications:

  • You can disable notifications entirely in iOS Settings → Paddle Notifications → Notifications
  • Disabling notifications will prevent all push alerts but the App will continue to store event data
  • Push tokens are automatically deleted when you uninstall the App
  • You can revoke push notification consent at any time through iOS Settings

4. DATA STORAGE AND SECURITY

4.1 Storage Location and Duration

  • Database Storage: Account information, encrypted API credentials, webhook secrets, and payment event data are stored in NeonDB (PostgreSQL database) using AES-256-GCM encryption
  • Push Token Storage: Expo push tokens are stored on Expo's notification servers for delivering push notifications
  • Local Storage: App preferences and notification quota tracking are stored locally on your device using MMKV storage with encryption
  • Retention Period: Account data is retained for 30 days after account deletion. Financial records (payment events) are retained for 7 years for tax and compliance purposes. Push tokens are deleted immediately upon app uninstall

4.2 Security Measures

We implement industry-standard security measures including:

  • Encryption: AES-256-GCM encryption for sensitive data at rest, TLS 1.3 for data in transit
  • Authentication: Clerk provides secure user authentication with email verification and session management
  • Database Security: NeonDB PostgreSQL with encryption at rest, SSL connections, and access controls
  • iOS Security Features: Biometric authentication (Face ID/Touch ID), App Transport Security
  • Regular Updates: Security patches and vulnerability fixes

4.3 Data Breach Procedures

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours via the App and/or email, as required by GDPR Article 34.

5. DATA SHARING AND DISCLOSURE

5.1 Third-Party Services

We share data only with the following essential service providers:

  • RevenueCat, Inc.: Subscription management, purchase verification, and entitlement tracking. Privacy Policy
  • Stripe, Inc.: Payment processing infrastructure used by RevenueCat for subscription billing. Privacy Policy
  • Clerk, Inc.: User authentication, session management, and account security. Privacy Policy
  • Neon (Neon, Inc.): PostgreSQL database hosting for encrypted storage of account data, API credentials, and payment events. Privacy Policy
  • Expo (Expo, Inc.): Push notification delivery infrastructure and React Native development platform. Privacy Policy
  • Paddle.com Market Limited: Webhook event delivery for payment notifications, subscription updates, and transaction data. Privacy Policy

Each service provider is contractually obligated to protect your data and use it only for the specific purposes outlined in this Policy.

5.2 Legal Disclosures

We may disclose your information when:

  • Required by law, subpoena, or court order
  • Necessary to protect our rights, property, or safety
  • Investigating suspected fraud or security issues
  • Part of a merger, acquisition, or asset sale (with notice)

5.3 No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. YOUR PRIVACY RIGHTS

6.1 Rights Under GDPR (EU/EEA Residents)

You have the right to:

  • Access (Article 15): Obtain copies of your personal data
  • Rectification (Article 16): Correct inaccurate data
  • Erasure (Article 17): Request deletion ("right to be forgotten")
  • Restrict Processing (Article 18): Limit how we use your data
  • Data Portability (Article 20): Receive data in a portable format
  • Object (Article 21): Object to certain processing activities
  • Withdraw Consent: Revoke consent at any time

6.2 Rights Under CCPA/CPRA (California Residents)

California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information held by us
  • Opt-Out of sale or sharing of personal information
  • Non-Discrimination for exercising privacy rights
  • Correct inaccurate personal information
  • Limit Use of sensitive personal information

6.3 Exercising Your Rights

To exercise any of these rights, contact us at:

  • Email: Contact via App
  • Response Time: Within 30 days (GDPR) or 45 days (CCPA)

7. CHILDREN'S PRIVACY

The App is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will promptly delete such information. Parents believing we have information about their child should contact us immediately.

8. INTERNATIONAL DATA TRANSFERS

If you access the App from outside the United States, your information may be transferred to and processed in the United States. We ensure appropriate safeguards are in place including:

  • Standard Contractual Clauses approved by the European Commission
  • Compliance with EU-US Data Privacy Framework principles

9. COOKIES AND TRACKING

The App does not use cookies or web-based tracking technologies. The App may collect anonymous usage analytics and crash reports to improve performance and user experience. All analytics are anonymized and cannot be used to identify individual users.

10. THIRD-PARTY LINKS

The App may contain links to Paddle.com or other third-party services. We are not responsible for the privacy practices of these external sites. Review their privacy policies before providing personal information.

11. CHANGES TO THIS POLICY

We reserve the right to modify this Policy at any time. Material changes will be notified via:

  • In-app notifications
  • Email (if provided)
  • Prominent notice in the App

Continued use after changes constitutes acceptance of the modified Policy.

12. LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE DEVELOPER BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, USE, OR OTHER INTANGIBLE LOSSES ARISING FROM YOUR USE OF THE APP OR THIS PRIVACY POLICY.

OUR TOTAL LIABILITY FOR ALL CLAIMS RELATED TO THIS PRIVACY POLICY SHALL NOT EXCEED FIFTY DOLLARS ($50.00 USD).

13. DISPUTE RESOLUTION

13.1 Governing Law

This Policy shall be governed by the laws of the State of Delaware, United States, without regard to conflict of law principles.

13.2 Mandatory Arbitration

Any dispute arising from this Policy shall be resolved through binding individual arbitration under the American Arbitration Association rules, not in court, except for small claims court if eligible.

13.3 Class Action Waiver

You waive any right to bring claims on a class, representative, or collective basis. Claims may only be brought individually.

14. CONTACT INFORMATION

For privacy-related questions, concerns, or to exercise your rights, contact:

Data Protection Officer
Email: Contact via App
Address: Contact via App

For EU/EEA residents, you may also contact your local Data Protection Authority.

15. CALIFORNIA PRIVACY RIGHTS DISCLOSURE

California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information for direct marketing purposes.

16. SEVERABILITY

If any provision of this Policy is held invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be replaced with a valid provision that comes closest to the intent of the original.

17. ENTIRE AGREEMENT

This Privacy Policy constitutes the entire agreement between you and the Developer regarding privacy practices for the App and supersedes all prior agreements and understandings.

By using the Paddle Notifications App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.