Privacy Policy

Version 2026-05-09 · Last updated 9 May 2026

This Privacy Policy describes how Pushoney handles personal data and is provided for general information; it is not legal advice. It is intended to align with Moroccan Law 09-08 and the EU General Data Protection Regulation (GDPR). For deployments with specific regulatory obligations, please review it with your own counsel.

1. Who we are

Pushoney is operated from Casablanca, Morocco and is the data controller for personal data of account holders (the customers who register at portal.pushoney.com).

For personal data of subscribers (the end users of websites operated by our customers, who receive push notifications), Pushoney acts as a data processor on behalf of the customer who operates the originating website. The customer is the data controller for that data.

2. Data we collect

2.1 From account holders (controller role)

Data	Why	Legal basis
Email address, password hash	Authentication, account recovery, transactional email	Contract performance (Art. 6(1)(b) GDPR)
Hub configuration (domain, branding, settings)	Operating the Service for you	Contract performance
Login IP, user-agent, session timestamps	Security: detecting unauthorised access; "Active sessions" feature	Legitimate interest (Art. 6(1)(f))
Audit log entries (signups, logins, password changes, campaign sends, API key creation, etc.)	Security, dispute resolution, regulatory compliance	Legitimate interest + legal obligation
2FA secret (AES-256-GCM encrypted) and recovery codes (bcrypt-hashed)	Two-factor authentication	Contract performance + your explicit opt-in
PayPal email (only if monetisation enabled)	Routing payouts	Contract performance

2.2 From subscribers (processor role on behalf of customer)

Data	Why
Browser push endpoint (a unique URL issued by the subscriber's browser)	The technical address required to deliver a push notification
Public encryption keys	End-to-end encryption of push payloads (Web Push protocol)
IP address, user agent, browser, OS, device type (collected at subscribe time)	Geo-targeting, device-type filtering, abuse detection
Country, region, city (derived from IP via MaxMind GeoLite2)	Geo-targeting + analytics
UTM parameters and source attribution	Acquisition channel attribution
Send / delivery / click / conversion events	Campaign analytics + advertiser attribution

We do not collect, derive, or store the content of the messages a subscriber receives outside of what the originating customer pushes. We do not collect names, email addresses, or other directly-identifying information about subscribers.

3. Cookies and similar technologies

The portal at portal.pushoney.com uses two cookies, both classified as strictly necessary under the EU ePrivacy Directive:

pp_portal — your authenticated session. HttpOnly, Secure, SameSite=Lax, 30-day TTL.
pp_attr — UTM/source attribution captured for the iOS-PWA install flow so attribution survives the standalone-mode subscribe. HttpOnly, Secure, SameSite=Lax, 24-hour TTL.

Customer-operated hubs (the websites that integrate the Pushoney embed snippet) may set additional cookies; that is governed by each customer's own cookie policy.

See Cookie Policy for the full list.

4. How we share data

We do not sell personal data. We share it only with:

Sub-processors we engage to operate the Service: Web Push gateways operated by browser vendors (Google FCM, Mozilla, Apple, Microsoft); our hosting provider Dokploy; our transactional email provider Resend; Cloudflare for CDN / DNS / Turnstile bot protection; Google Analytics on the marketing surface (loaded only after visitor consent via the cookie banner). The authoritative list with role + location is in DPA Annex III; updates available at [email protected].
Authorities when required by law, court order, or to enforce our Terms of Service.
An acquirer in the event of a merger, acquisition, or asset sale, with notice to you.
Advertisers and ad-network partners — only if and when monetisation is enabled on a customer's hub. Subscriber data shared in that context is limited to anonymised geo / vertical / device-type aggregates used to match inventory; the subscriber's push endpoint and encryption keys are never shared outside Pushoney.

5. International transfers

Pushoney's infrastructure is hosted in Europe. When personal data is transferred from the European Economic Area to Morocco or other jurisdictions, we rely on appropriate safeguards including the European Commission's adequacy decision for Morocco (where applicable) or Standard Contractual Clauses.

6. Retention

Data	Retention
Account data (email, hubs, settings)	Until you delete your account
Audit log entries	3 years from event date, then deleted
Subscriber data	Until the subscriber unsubscribes or the customer's hub is deleted, whichever comes first
Send / Click / Conversion events	2 years from event date
Active sessions	30 days of inactivity, then expired automatically
Email verification / password reset tokens	24 hours from issuance

7. Your rights

Under the GDPR, Morocco Law 09-08, and equivalent regimes, you have the rights to:

access your personal data — use the data export tool in your account dashboard or contact us;
rectify inaccurate data — most fields are editable directly in the dashboard;
delete your data — close your account from the dashboard, or contact us;
restrict processing — contact us;
data portability — use the data export tool, which produces a structured JSON dump;
object to processing based on legitimate interests — contact us;
withdraw consent at any time where processing is based on consent — for example, by disabling 2FA or removing your monetisation opt-in;
lodge a complaint with the Moroccan supervisory authority (Commission Nationale de contrôle de la protection des Données à caractère Personnel — CNDP) or, if you are in the EEA, with your local data protection authority.

To exercise any of these rights, email [email protected] from the address registered to your account. We respond within 30 days.

8. Subscribers — exercising your rights

To stop receiving notifications on this device: use the “Stop notifications” action on any recent push notification, or visit https://<the-site-domain>/unsubscribe while using the same browser you originally subscribed in. Either flips your device's subscription to “gone” and we stop sending. Re-subscribing later is a one-click action from the originating site.

If you are a subscriber (an end user who receives push notifications from a website that uses Pushoney) and you wish to exercise data-subject rights, please contact the operator of the originating website first; they are the data controller. If they do not respond within a reasonable time, you may also contact us at [email protected] and we will forward your request and, where possible, act on it directly.

The simplest way to stop receiving notifications is to revoke push permission in your browser settings — that immediately invalidates the push endpoint and we mark your subscription as gone.

9. Security

We apply industry-standard security controls: encrypted transport (TLS), encrypted secrets at rest (AES-256-GCM for 2FA secrets, bcrypt for passwords and recovery codes), audit logging, two-factor authentication for accounts, role-based access control, regular dependency updates, and active abuse-detection systems. No system is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify the relevant authorities and affected individuals without undue delay as required by applicable law.

10. Children

Pushoney is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has registered an account, contact us and we will delete the account.

11. Changes to this Policy

We may revise this Policy from time to time. Material changes will be communicated by email or through the account dashboard at least fourteen (14) days before they take effect, except where the change is required for legal or security reasons.

12. Contact

Privacy questions, data-subject requests, and breach reports should be sent to [email protected]. Mail and in-person inquiries can be addressed to our operations base in Casablanca, Morocco.

← Back to Pushoney