Privacy Policy

Location and GDPR compliance

Sendflow is based in Poland and data is hosted only in Europe. When we transfer data outside Europe we always make sure that the companies are compliant with EU privacy laws. As of May 2018, all our service providers are GDPR compliant.

Data we hold

Sendflow stores data about:

  1. Our users (i.e. the customers who sign up to Sendflow in order to add notifications to their website)
  2. Our users' end-users (i.e. the customers of our users that receive the notifications)

Sendflow does not share, or resell, any kind of user data (whether data described in point 1 or 2 above).

Data held on our users

Sendflow collects account information for each user, including:

  • Basic information like email address
  • Billing information required for invoices and payments (we rely on third-party services that are PCI compliant)
  • Data and configurations required for technical purposes (e.g. senders, projects and notifications created on Sendflow)
  • Log information required for debugging, security and development in general

Data held on our users' end-users

Data held on our users' end-users include:

  • Endpoints (i.e. browser IDs that are required to send push notifications)
  • Technical data (like tags and user IDs) that are used to target specific users or groups
  • Technical data related to the notifications
  • Log information required for debugging, security and development in general

We do not perform any kind of profiling. Data used for targeting are processed as strings by Sendflow and we don't extract any specific meaning.

Data persistence and rectification

Our users can use the account features to remove or update their data and data held on end-users.

Our users' end-users can contact our users if they want to remove or update their data. End-users can also remove their subscription to the push notifications from the browser settings: Sendflow automatically removes expired endpoints and associated data.

Backups and logs can have a duration up to 1 year.

Access to data and portability

Sendflow grants you the ownership on your data and on your users' data. You can access to your account and export your data at any time.

Data usage

Data collected is used for:

  • account and billing
  • delivering push notifications and technical purposes in general
  • logs and analytics, in order to improve Sendflow
  • sending account alerts or news about Sendflow to our users.

Data about our users' end-users, collected for example through the SDK, is used solely for technical purposes. Sendflow doesn't use, aggregate or resell it for marketing purposes. This doesn't limit what you can do with your user data through Sendflow.


Our users' consent is explicitly provided because they perform actions on Sendflow.

End-users' consent to receive push notifications is explicitly provided when they allow push notifications for a website in their browser settings. They can revoke their permission at any time from the browser settings.

Data protection and security

We care about security and we follow best practices to reduce the risk of data breaches.

When we design a new feature, security is the first citizen. For example, when we have designed a way to target specific users, we have decided to force the developer to include a user ID signature: in this way notifications are confidential by default and nobody can subscribe to notifications as if it was another user.

Data breaches

Data breaches will be notified to our users within 72 hours, after having become aware of it. It is then the responsibility of our users to report this data-breach to their end-users.

Data processors

Data is collected and manipulated both on our own devices and on third-party servers. Our web application servers are provided by Digital Ocean Inc. We also use many different services suited for specific purposes, for example: G Suite for support emails, Paylane for invoicing.

Push notifications are delivered through proprietary services depending on the user browser (e.g. Firebase, Mozilla autopush, Windows Push Notification Services).

Analytics and cookies

As most websites do, we use cookies for technical reasons.

The Javascript SDK that you include on your website is tracking code and use cookies. Your end-users are not tracked with third-party services.

Data controller

Data holder is Codeflow

Inside the company, the Data Protection Officer is Codeflow.