GDPR & Data Processing Agreement

KorPush is committed to GDPR compliance. This page explains your rights and our data processing obligations.

Last updated: February 27, 2026

Your Rights

Access, rectify, erase, restrict or port your data, and object to its processing.

Data Security

TLS in transit, hashed passwords, access-controlled infrastructure.

DPA Available

Publishers can sign a Data Processing Agreement with us.

1. Overview

The General Data Protection Regulation (GDPR) (EU) 2016/679 governs how organisations collect, use and store personal data of individuals in the European Economic Area (EEA). KorPush takes GDPR compliance seriously — both as a data controller (for our own users) and as a data processor (when processing subscriber data on behalf of publishers).

2. Roles and Responsibilities

Role | Party | Responsibility
Data Controller | Publisher (you) | Determines why and how subscriber data is collected on your website.
Data Processor | KorPush | Stores and processes push tokens on behalf of the Publisher.
Data Subject | Website Visitor | The individual whose push subscription token is collected.

3. Data We Process on Publishers' Behalf

  • Browser push notification tokens (endpoint, p256dh key, auth key)
  • Approximate geographic location at consent time: country, state, city (derived from IP, not exact GPS)
  • Browser type, OS, device type
  • IP address (for geo-lookup, not stored long-term)
  • Subscription timestamp

We do not collect names, email addresses, or any other directly identifying information from end-users unless they submit a contact form on your website.

4. Lawful Basis for Processing Subscriber Data

Publishers are responsible for ensuring a valid lawful basis (typically consent under GDPR Art. 6(1)(a)) before collecting push subscriptions. KorPush provides a customisable consent prompt to facilitate this. Publishers must:
  • Display a clear opt-in prompt before subscribing users.
  • Not pre-tick consent checkboxes.
  • Honour unsubscribe requests promptly.
  • Maintain records of consent.

5. Data Retention

  • Active subscriptions: Push tokens are retained for as long as the publisher's account is active and the subscription remains valid.
  • Expired/revoked tokens: Removed within 30 days of detection.
  • Account closure: All subscriber data associated with a publisher account is deleted within 60 days of account closure.

6. Sub-processors

KorPush may engage sub-processors to assist in delivering our services (e.g., hosting providers). We ensure all sub-processors provide equivalent data protection guarantees. A current list of sub-processors is available upon request.

7. Your Rights Under GDPR

  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your data.
  • Right to Restriction (Art. 18): Restrict processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.

Submit requests to privacy@korpush.com. We respond within 30 days.

8. Data Processing Agreement (DPA)

Publishers who require a formal Data Processing Agreement to comply with GDPR Art. 28 may request one by emailing legal@korpush.com. The DPA outlines: the subject matter and duration of processing, nature and purpose of processing, type of personal data, categories of data subjects, and obligations and rights of the controller.

9. Data Breaches

In the event of a personal data breach affecting publisher subscriber data, we will notify affected publishers without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.

10. International Data Transfers

If personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Contact & Supervisory Authority

For any GDPR-related enquiries contact privacy@korpush.com. You also have the right to lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, or your local DPA in the EU).

Need a Signed DPA?

If your business requires a formal Data Processing Agreement with KorPush, contact our legal team and we'll have it ready within 2 business days.
