Legal
Privacy Policy
This policy explains how palumb handles personal data — both the data we collect as a controller (your account, billing and our website) and the data you entrust to us as your processor (the contacts and content of the notifications you send).
Last updated: 12 June 2026
Draft — pending legal review
This is a working draft, not yet reviewed by a lawyer. It is provided for
transparency while palumb is finalised. Placeholders in [brackets]
must be completed and the whole document reviewed before it is relied upon.
Who we are
palumb is an EU-sovereign notification platform operated by [palumb operator — legal name], [registered address], [jurisdiction] ("palumb", "we", "us"). For questions about this policy or your personal data, contact us at privacy@palumb.com.
Controller vs. processor — the important distinction
palumb plays two different roles. (1) For the data you send us to deliver notifications — your subscribers' contact details and the message content — you are the data controller and palumb is your processor, acting on your documented instructions under a Data Processing Agreement. (2) For your own account, billing and our website, palumb is the controller. This policy describes both; the processor relationship is governed primarily by the DPA.
What we process, and why
As controller we process: account data (your name, work email, organisation, hashed API-key metadata) to provide and secure the service; billing data (plan, invoices, limited payment metadata — see Payments) to take payment and meet tax obligations; product and operational logs (delivery metadata, error reports) to run, debug and secure the platform; and website data (privacy-friendly, cookieless analytics) to understand traffic. As your processor we store and transmit the subscriber contacts and notification content you send, solely to deliver your messages on your behalf.
Legal bases (GDPR Art. 6)
We rely on: performance of a contract (to provide the service you signed up for); legitimate interests (to secure, debug and improve the platform, and to run privacy-friendly analytics), balanced against your rights; legal obligation (to keep tax and accounting records); and, where required, consent (which you can withdraw at any time). As processor, our basis for handling your subscribers' data is your instruction under the DPA — you are responsible for having a lawful basis to message your subscribers.
Payments
Purchases are processed by Creem (Armitage Labs OÜ, Estonia, EU) acting as our Merchant of Record. This means your payment contract for the purchase is with Creem: Creem collects your payment details, issues invoices and handles VAT/sales tax. palumb does not receive or store your full card details — we receive limited billing metadata (e.g. plan, country for tax, invoice references) from Creem to manage your subscription. See Creem's own privacy notice for how it handles payment data.
Sub-processors
We use a small set of EU-based third parties to run the service (hosting, error monitoring, our own operational email, billing, analytics, CDN). Each is listed — with its purpose and the country where it processes data — on our Sub-processors page. We keep palumb EU-sovereign: infrastructure and your data are hosted in the EU by EU providers.
International transfers
palumb's infrastructure and your notification data are hosted within the European Union. We do not transfer your data outside the EU/EEA in the ordinary course of running the service. Note that any channel providers you connect (your own email, SMS or push accounts — including push via Apple APNs or Google FCM) are operated by you under your own accounts, and any transfer they involve is between you and that provider.
Retention
We keep account data for as long as your account is active and for [retention period — e.g. 12 months] afterwards, unless a longer period is required by law (e.g. invoices for tax). Notification content and delivery logs are retained for [retention period — e.g. 30–90 days] to support delivery, debugging and idempotency, then deleted or anonymised. You can ask us to delete your data sooner; some records (e.g. tax) must be kept for statutory periods.
Your rights
Under the GDPR you have the right to access, rectify, erase, restrict or object to processing of your personal data, and the right to data portability. Where we rely on consent, you can withdraw it at any time. To exercise any right, email privacy@palumb.com — we respond within the statutory timeframe. If your personal data is held by palumb as a processor on a customer's behalf, please contact that customer (the controller); we will assist them in responding. You also have the right to lodge a complaint with your local supervisory authority.
Security
We protect data with encryption in transit and at rest, encrypt the channel credentials you store with us, scope access on a least-privilege basis, and monitor for errors and abuse. No system is perfectly secure, but security is a first-class concern of the platform.
Changes to this policy
We may update this policy as the service evolves. We post the current version here with its "last updated" date, and notify customers of material changes by email where appropriate.
Contact us
For any privacy question, to exercise your rights, or to request our Data Processing Agreement, email privacy@palumb.com.