Privacy Policy
Last updated: May 17, 2026
The short version — because we know you're busy
RNPush is a Bring Your Own Storage (BYOS) platform. Your application bundles are stored in and served from your own cloud storage (AWS S3, Google Cloud Storage, or Cloudflare R2). They never pass through our servers. We only collect the minimum operational data required to run the control plane — update routing, telemetry, and authentication.
1. Who We Are
RNPush (“we”, “us”, or “our”) operates the RNPush platform, accessible at rnpush.com. We provide enterprise over-the-air (OTA) update infrastructure for React Native applications.
For any privacy-related questions, contact us at: privacy@rnpush.com
2. Data We Collect
2.1 Account Data
When you create an account, we collect your name, email address, and organization name. This is used to authenticate you, send service notifications, and manage your subscription.
2.2 Usage & Telemetry Data
We collect operational data to run the platform, including:
- Update deployment metadata: timestamp, target channel, rollout percentage, diff size
- SDK telemetry: anonymous device identifiers, update download success/failure status, crash rollback events
- API request logs: endpoint, response code, latency — retained for 30 days
- Dashboard activity: page visits, feature usage counts
We do not collect, store, or process your application bundles. Bundles are transferred directly between your storage bucket and your users' devices. Our servers only see signed manifest URLs, never the bundle content.
2.3 Payment Data
Billing is handled by Stripe. We store your billing plan and subscription status. Full payment card data is processed and stored by Stripe under their own privacy policy and PCI DSS compliance.
2.4 Communication Data
If you contact our support team, we retain your messages and email to provide assistance and improve our service.
3. How We Use Your Data
We use collected data to:
- Provide and operate the RNPush control plane
- Authenticate API requests and enforce rate limits
- Send transactional emails (deployment alerts, billing receipts, security notifications)
- Monitor platform health and debug incidents
- Calculate billing based on your subscription plan
- Comply with legal obligations
We do not sell your data to third parties. We do not use your data for advertising.
4. Bring Your Own Storage & Your Data Sovereignty
When you use BYOS (the default and recommended configuration), your application bundles are stored in your cloud storage account. This means:
- Your source code and compiled bundles reside in your infrastructure, under your access controls
- Your existing cloud security, encryption, and audit logging apply automatically
- Data residency requirements (GDPR Articles 44–49, HIPAA, etc.) are satisfied by your storage configuration, not ours
- RNPush only processes the signed URL manifest, which contains no bundle content
Enterprise customers using RNCloud (our managed CDN option) should refer to their Data Processing Agreement (DPA), available on request, for GDPR Article 28 compliance.
5. Data Sharing
We share data only with the following categories of sub-processors:
| Sub-processor | Purpose |
|---|---|
| Stripe | Subscription billing and payment processing |
| AWS | Platform infrastructure (control plane, API) |
| Cloudflare | CDN and DDoS protection for the dashboard |
| Resend | Transactional email delivery |
| PostHog | Anonymous product analytics (opt-out available) |
We do not share your data with any third party for marketing or advertising purposes. We will disclose data if required by law or court order, and will notify you where legally permitted to do so.
6. Data Retention
- Account data: retained for the lifetime of your account plus 90 days after cancellation
- API logs: 30 days rolling retention
- Telemetry events: 90 days rolling retention
- Billing records: 7 years (legal requirement)
- Support conversations: 2 years
You may request deletion of your account and associated data at any time by contacting privacy@rnpush.com. Deletion is processed within 30 days.
7. Security
All data transmitted to and from RNPush is encrypted in transit using TLS 1.3. Update manifests are HMAC-signed to prevent tampering. SOC 2 Type II certification of our control plane infrastructure is in progress.
If you believe you've discovered a security vulnerability, please report it to security@rnpush.com. We operate a responsible disclosure policy and will respond within 48 hours.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data. To exercise any of these rights, email privacy@rnpush.com with your request. We respond within 30 days.
EU/UK residents have additional rights under GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority.
9. Cookies
We use strictly necessary cookies for session authentication. We do not use tracking cookies or third-party advertising cookies. Our analytics (PostHog) use first-party cookies only and can be opted out of in your account settings.
10. Changes to This Policy
We will notify you of material changes to this policy by email at least 14 days before they take effect. The current version is always published at rnpush.com/privacy with its effective date.