Privacy Policy

PushTower is built for people who care about their data. We collect as little as possible, encrypt what matters, and never sell anything to anyone. Here's exactly what we do.

What we collect

Account information

When you create an account, we store your email address and a hashed password (or your OAuth identifier if you sign in with Apple or Google). We use this to authenticate you and to send you account-related emails — nothing else.

Device tokens

To deliver push notifications to your device, we store your APNs (Apple) or FCM (Google) device token. These tokens are used solely to route notifications to your device. We do not use them for tracking or analytics.

Notification metadata

When you send a notification, we store metadata required for delivery: timestamp, channel, delivery status, and the size of the payload. This is needed to operate the service and show you delivery history.

Anonymized usage data

We collect basic, aggregated usage statistics (number of notifications sent, API requests per day, etc.) to monitor service health and capacity. This data is not tied to individual users.

What we don't collect

• Notification content — When end-to-end encryption is enabled, payloads are encrypted with keys stored only on your device. The server cannot read them.
• Location data — We do not collect or process your location.
• Contacts — We do not access your address book.
• Browsing or app usage history — We do not track what apps you use or what you do outside of PushTower.
• Advertising identifiers — We do not use IDFA, AAID, or any cross-app tracking identifiers.

End-to-end encryption

PushTower supports end-to-end encryption using ECIES (Elliptic Curve Integrated Encryption Scheme) with AES-256-GCM. When enabled, your private key is generated on your device and stored in the iOS Secure Enclave. The PushTower server only sees ciphertext — it has no way to decrypt or read your notification content.

Data sharing

We do not sell your data. We do not share it with advertisers, data brokers, or third parties for marketing purposes. The only situations in which we share data are:

• Service providers — We use Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) to deliver notifications. These providers process the minimum data required to deliver your messages.
• Legal obligations — If required by law, court order, or valid legal process.

Data retention

Notification metadata is retained for 30 days for delivery history, then automatically deleted. Account data is retained until you delete your account. You can delete your account at any time from the app settings.

Your rights

You can request access to, correction of, or deletion of your personal data at any time by emailing [email protected]. If you're in the EU, UK, or California, you have additional rights under GDPR or CCPA — contact us and we'll honor them.

Self-hosting

If you self-host PushTower on your own infrastructure, this privacy policy does not apply to your instance. You are the data controller for your own deployment.

Children

PushTower is not directed at children under 13. We do not knowingly collect personal information from children.

Changes to this policy

If we make material changes to this policy, we'll notify you via email or an in-app notice before the changes take effect.

Contact

Questions about privacy? Email [email protected].