Privacy Policy

Effective date: March 25, 2026

PushWard ("we", "our", "us") is operated by mac-lucky, an independent developer based in Poland. We act as the data controller for personal data processed through the PushWard service. This policy explains what data we collect, how we use it, and your rights regarding that data.

1. What Data We Collect

When you use PushWard, we collect the following information:

Account Data

Apple subject identifier -- a unique, opaque ID assigned by Apple to identify your account. No email address is collected.
Nickname -- an optional display name you can set in the app.

Device Data

Device identifier -- a UUID generated locally by the iOS app, used to identify your device for push notification delivery.
Push-to-start token -- an Apple-issued token that allows the server to start Live Activities on your device via APNs.
Push-update tokens -- Apple-issued tokens for updating active Live Activities on your device.

Activity Data

Activities -- the activities you create, including their slug, name, state, template content, priority, and TTL settings.
Subscriptions -- records of which devices are subscribed to which activities.
Shared activities -- when you share an activity or join one via a share code, we store the sharing relationship (role and user IDs).

Subscription Data

App Store subscription -- your subscription status, original transaction ID, product ID, and expiration date. Payment processing is handled entirely by Apple.

Authentication Tokens

API tokens and integration keys -- generated upon sign-in or by user request. Only SHA-256 hashes are stored server-side; plaintext tokens are never retained.

2. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

Contract performance -- processing your account, device, activity, and subscription data is necessary to provide the PushWard service you signed up for.
Legitimate interest -- IP-based rate limiting and security measures to protect the service from abuse. IP addresses are processed in memory only and are not stored.

3. How We Use Your Data

We use the collected data solely to provide the PushWard service:

Authentication -- to verify your identity and authorize API requests.
Push notification delivery -- to send Live Activity updates to your devices via Apple Push Notification service (APNs).
Activity management -- to store and manage the activities and subscriptions you create.
Rate limiting -- IP-based rate limiting to protect the service from abuse (IP addresses are not stored).

We do not use your data for advertising, analytics, profiling, or any purpose other than delivering the PushWard service.

4. Data Storage and Security

All data is stored in a PostgreSQL database on secured infrastructure. All data at rest is encrypted with AES-256 at the infrastructure level.
API tokens and integration keys are stored as SHA-256 hashes only. Plaintext tokens cannot be recovered from the database.
Communication between the iOS app and the PushWard server is encrypted via HTTPS/TLS.
Push notifications are delivered through Apple's encrypted APNs infrastructure.
Your API token is stored locally on your device in the iOS Keychain.

5. Apple Push Notification Service

PushWard uses Apple Push Notification service (APNs) to deliver Live Activity updates to your iOS device. Push tokens are issued and managed by Apple. We send push payloads containing activity content (state, progress, template data) through APNs. Apple processes these payloads to deliver notifications to your device. Apple's privacy policy governs the APNs infrastructure.

6. Cookies and Tracking

The PushWard website and iOS app do not use cookies, analytics, or any form of tracking. We do not respond to "Do Not Track" browser signals because we do not track users in the first place.

7. Diagnostic Reports

The iOS app includes a diagnostic report feature (Settings > Support > Diagnostic Report) that generates a plain-text summary of recent app activity for troubleshooting purposes. The report includes:

App version, build number, iOS version, and device model (e.g. "iPhone17,3").
An anonymized device identifier (a one-way SHA-256 hash prefix — the original ID cannot be recovered).
Anonymized activity logs: push token values are truncated, user and device IDs are hashed.

The report is never sent automatically. It is generated only when you explicitly tap the share button and choose a destination (e.g. email, AirDrop, Files) via the system share sheet. PushWard has no server-side log collection. The diagnostic data is not linked to your identity because all identifiers are anonymized before the report is created.

8. Data Retention and Deletion

Account data is retained for as long as your account exists.
Activities with a delete_at timestamp are automatically removed when that time is reached. Stale activities (exceeding their stale_ttl) are automatically ended by the server.
Ended activities without a delete_at are retained until you delete them or delete your account.
API tokens are retained until you revoke them or delete your account.
Expired share codes are automatically cleaned up within 24 hours of expiration.
You can delete your account at any time through the iOS app's Settings screen. This permanently removes your user record, all devices, activities, subscriptions, API tokens, and integration keys within seconds.
API tokens and integration keys can be individually revoked without deleting your account.

9. Your Rights

Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights regarding your personal data:

Access -- you can request a copy of the personal data we hold about you.
Rectification -- you can update your nickname directly in the app; for other corrections, contact us.
Erasure -- you can delete your account at any time through the iOS app, which permanently removes all your data.
Portability -- you can request your data in a machine-readable format.
Restriction -- you can request that we limit processing of your data in certain circumstances.
Objection -- you can object to processing based on legitimate interest (e.g., rate limiting).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

10. Third-Party Services

PushWard does not integrate any third-party analytics, advertising, tracking, or data-sharing services. The only external service we interact with is Apple Push Notification service (APNs) for push notification delivery. We do not sell your personal information.

11. Data Sharing

We do not sell, rent, or share your personal data with third parties. Data may only be disclosed if required by law or to protect the security of the service.

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal data, we will notify affected users via the app or email (if available) within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant data protection authority where required.

13. Children's Privacy

PushWard is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with data, please contact us and we will promptly delete it.

14. Governing Law

This privacy policy is governed by the laws of Poland. If you are located in the EU/EEA, you also retain any mandatory protections provided by the laws of your country of residence.

15. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the service after changes constitutes acceptance of the updated policy.

16. Contact

If you have questions about this privacy policy or your data, you can reach us at [email protected] or via GitHub.