Legal

Privacy Policy

This policy explains how palumb handles personal data — both the data we collect as a controller (your account, billing and our website) and the data you entrust to us as your processor (the contacts and content of the notifications you send).

Last updated: 12 June 2026

Draft — pending legal review

This is a working draft, not yet reviewed by a lawyer. It is provided for transparency while palumb is finalised. Placeholders in [brackets] must be completed and the whole document reviewed before it is relied upon.

Who we are

palumb is an EU-sovereign notification platform operated by [palumb operator — legal name], [registered address], [jurisdiction] ("palumb", "we", "us"). For questions about this policy or your personal data, contact us at privacy@palumb.com.

Controller vs. processor — the important distinction

palumb plays two different roles. (1) For the data you send us to deliver notifications — your subscribers' contact details and the message content — you are the data controller and palumb is your processor, acting on your documented instructions under a Data Processing Agreement. (2) For your own account, billing and our website, palumb is the controller. This policy describes both; the processor relationship is governed primarily by the DPA.

What we process, and why

As controller we process: account data (your name, work email, organisation, hashed API-key metadata) to provide and secure the service; billing data (plan, invoices, limited payment metadata — see Payments) to take payment and meet tax obligations; product and operational logs (delivery metadata, error reports) to run, debug and secure the platform; and website data (privacy-friendly, cookieless analytics) to understand traffic. As your processor we store and transmit the subscriber contacts and notification content you send, solely to deliver your messages on your behalf.

Payments

Purchases are processed by Creem (Armitage Labs OÜ, Estonia, EU) acting as our Merchant of Record. This means your payment contract for the purchase is with Creem: Creem collects your payment details, issues invoices and handles VAT/sales tax. palumb does not receive or store your full card details — we receive limited billing metadata (e.g. plan, country for tax, invoice references) from Creem to manage your subscription. See Creem's own privacy notice for how it handles payment data.

Sub-processors

We use a small set of EU-based third parties to run the service (hosting, error monitoring, our own operational email, billing, analytics, CDN). Each is listed — with its purpose and the country where it processes data — on our Sub-processors page. We keep palumb EU-sovereign: infrastructure and your data are hosted in the EU by EU providers.

International transfers

palumb's infrastructure and your notification data are hosted within the European Union. We do not transfer your data outside the EU/EEA in the ordinary course of running the service. Note that any channel providers you connect (your own email, SMS or push accounts — including push via Apple APNs or Google FCM) are operated by you under your own accounts, and any transfer they involve is between you and that provider.

Retention

We keep account data for as long as your account is active and for [retention period — e.g. 12 months] afterwards, unless a longer period is required by law (e.g. invoices for tax). Notification content and delivery logs are retained for [retention period — e.g. 30–90 days] to support delivery, debugging and idempotency, then deleted or anonymised. You can ask us to delete your data sooner; some records (e.g. tax) must be kept for statutory periods.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing of your personal data, and the right to data portability. Where we rely on consent, you can withdraw it at any time. To exercise any right, email privacy@palumb.com — we respond within the statutory timeframe. If your personal data is held by palumb as a processor on a customer's behalf, please contact that customer (the controller); we will assist them in responding. You also have the right to lodge a complaint with your local supervisory authority.

Cookies & analytics

Our website uses privacy-friendly, cookieless analytics (Plausible) that do not track you across sites or set advertising cookies. We do not use third-party advertising or cross-site tracking. Strictly necessary cookies may be used to keep you signed in to the application.

Security

We protect data with encryption in transit and at rest, encrypt the channel credentials you store with us, scope access on a least-privilege basis, and monitor for errors and abuse. No system is perfectly secure, but security is a first-class concern of the platform.

Changes to this policy

We may update this policy as the service evolves. We post the current version here with its "last updated" date, and notify customers of material changes by email where appropriate.

Contact us

For any privacy question, to exercise your rights, or to request our Data Processing Agreement, email privacy@palumb.com.