Built with GDPR Compliance at the Core

OnePush is fully committed to complying with the GDPR. All of our infrastructure is hosted within the EU / EEA by companies owned within the EU / EEA. We have taken appropriate security measures on a technical and organisational level to ensure the security of any personal data. We also sign Data Processing Agreements with all of our service providers.

If you have customers in the EU, the GDPR will likely affect you in some way. As a OnePush customer, you typically act as a data controller. This means you determine if, why, and for how long data will be stored on our service. It is your duty as a controller to demonstrate the same level of GDPR compliance as is expected.

If you're a customer and would like to sign our DPA, you can download it, sign it, and send it back to privacy@onepush.app.

OnePush acts as a data processor, meaning we process data on your behalf. We allow storage of personally identifiable information such as first name, last name and email addresses. Most of the data held by OnePush itself does not contain user-identifiable data. If you upload or add email list subscribers, you may collect personal data. Ensure your use complies with GDPR.

OnePush includes several features designed to help you comply with GDPR:

• **Double opt-in**: Required for email list subscriptions to ensure explicit consent
• **Tracking off by default**: Email tracking is disabled by default to protect privacy
• **Data retention limits**: Individual/personal tracking and email data is only kept for 30 days
• **Automatic unsubscribe**: Bounces & spam complaints are automatically unsubscribed from lists
• **Data export tools**: Export subscriber data in GDPR-compliant formats
• **Data deletion tools**: Easily delete subscriber data upon request
• **Consent management**: Built-in consent tracking and management features
• **Privacy policy templates**: GDPR-compliant privacy policy templates for your use
• **DPA available**: Data Processing Agreement available for all customers

OnePush uses the following sub-processors to provide our services:

• **Stripe**: Payment processing (EU-based, DPA in place)
• **EU/EEA Hosting Providers**: Infrastructure hosting (DPAs in place)
• **Google Fonts**: Font delivery (loaded from Google CDN - see Privacy Policy for details)

All sub-processors are bound by Data Processing Agreements that comply with GDPR Article 28 requirements. We maintain an up-to-date list of sub-processors and notify customers of any changes.

If you need a copy of our DPA or sub-processor list, please contact privacy@onepush.app.

As a OnePush customer (data controller), you are responsible for handling data subject requests from your subscribers. OnePush provides tools to help you comply:

• **Access Requests**: Export subscriber data to provide to data subjects
• **Rectification**: Update subscriber information directly in the platform
• **Erasure**: Delete subscriber records and associated data
• **Portability**: Export data in machine-readable formats (CSV, JSON)
• **Restriction**: Suspend processing for specific subscribers

We will assist you in responding to data subject requests related to data we process on your behalf. Contact privacy@onepush.app for assistance.