Privacy Policy

1. INTRODUCTION AND SCOPE

1.1 Who We Are

HMD Corp ("Company," "we," "us," or "our") operates Notify'n, an AI-powered multi-channel marketing platform. This Privacy Policy describes our practices regarding the collection, use, disclosure and protection of personal information when you visit our website, use our services, or otherwise interact with us.

1.2 Scope of This Policy

This Privacy Policy applies to:

• Our website at notifyn.net and all associated subdomains;
• The Notify'n platform and all related services, features and APIs;
• Our mobile applications (if any);
• Email communications we send you;
• Our interactions with you through customer support, sales, or marketing;
• Information collected from third-party sources as described herein.

1.3 Data Controller vs. Data Processor

Important distinction: We act in two different capacities depending on the data:

• Data Controller: For personal information we collect directly from you (account holders) and website visitors, we are the data controller and this Privacy Policy applies.
• Data Processor: For personal information in your contact lists and email campaigns (your end users' data), you are the data controller and we act as your data processor. This processing is governed by our Data Processing Agreement.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

2.1.1 Account Registration

• Full name and email address
• Password (stored in hashed, encrypted form)
• Company name and job title
• Phone number (optional)
• Profile photograph (optional)
• Industry and company size
• Time zone and language preferences

2.1.2 Billing Information

• Billing name and address
• Payment card information (processed by Stripe; we do not store full card numbers)
• VAT/Tax identification numbers
• Invoice history and transaction records

2.1.3 Customer Content and Data

• Contact lists and subscriber information you upload
• Email content, templates, and campaign materials
• Custom fields, tags, and segments you create
• Files, images, and attachments you upload
• API keys and webhook configurations

2.1.4 Communications

• Support tickets and chat transcripts
• Survey responses and feedback
• Email correspondence with us
• Comments and forum posts (if applicable)

2.2 Information Collected Automatically

2.2.1 Device and Browser Information

• IP address and approximate geographic location
• Device type, operating system, and version
• Browser type, version, and language settings
• Screen resolution and colour depth
• Unique device identifiers

2.2.2 Usage Data

• Pages visited, features used and actions taken
• Time and date of visits and duration of sessions
• Referring URLs and exit pages
• Click patterns and scroll depth
• Search queries within the Service
• Error logs and performance metrics

2.2.3 Multi-Channel Engagement Data

• Email open events (via tracking pixels), link clicks and click timestamps
• Email client and device information
• Bounce, spam complaint and unsubscribe events
• Geolocation of opens (approximate, IP-based)
• SMS delivery and read receipts, click-through events
• WhatsApp message delivery, read receipts and reply events
• Push notification delivery, display and tap events
• Voice call connection status, duration and opt-out events
• Cross-channel engagement patterns and response times

2.3 Information from Third Parties

• Authentication Providers: If you sign in via Google or Apple, we receive your profile information from those services.
• Payment Processors: Stripe provides us with transaction confirmations and payment status.
• Email Delivery Partner: AWS SES provides delivery status, bounces, and complaint data.
• Analytics Providers: Aggregated analytics from our service providers.
• Public Sources: Publicly available business information for enterprise leads.

2.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels and similar technologies to collect information and provide functionality. For full details, please see our Cookie Policy.

3. HOW WE USE YOUR INFORMATION

3.1 To Provide and Operate the Service

• Create and manage your account
• Process and deliver your campaigns across email, SMS, WhatsApp, push, and voice channels
• Provide analytics, reports and insights
• Process payments and manage subscriptions
• Enable team collaboration features
• Authenticate your identity and prevent fraud

3.2 To Improve and Personalise the Service

• Analyse usage patterns to improve features and user experience
• Train and improve our AI and machine learning models
• Personalise content recommendations and send time optimisation
• Develop new products, features and services
• Conduct research and statistical analysis (using aggregated data)

3.3 To Communicate With You

• Send transactional emails (receipts, confirmations, security alerts)
• Provide customer support and respond to inquiries
• Send product updates, feature announcements and tips
• Send marketing communications (with your consent where required)
• Notify you of changes to our terms or policies

3.4 For Security and Legal Compliance

• Detect, prevent and investigate fraud, abuse and security incidents
• Enforce our Terms of Service and Acceptable Use Policy
• Comply with legal obligations and respond to legal process
• Protect our rights, property and safety, and that of our users
• Maintain audit logs for security and compliance purposes

3.5 Legal Bases for Processing (GDPR)

If you are in the European Economic Area, our legal bases for processing include:

• Performance of Contract: Processing necessary to provide you with the Service.
• Legitimate Interests: Processing for security, fraud prevention, service improvement, and direct marketing (where allowed without consent).
• Legal Obligation: Processing required to comply with laws we are subject to.
• Consent: Where you have given specific consent for processing (e.g., marketing emails).

3.6 AI Behavioural Profiling and Automated Decisions

Notify'n uses artificial intelligence to build behavioural profiles of your contacts in order to optimise campaign delivery. This includes:

• Contact DNA Scoring: We assign each of your contacts a multi-dimensional behavioural score ("Contact DNA") based on their engagement history across channels. Scores are aggregated at demographic and overall tiers to improve prediction accuracy.
• Send Time & Channel Optimisation: Our AI predicts the optimal time and channel (email, SMS, WhatsApp, push, or voice) to reach each contact, based on historical response patterns.
• Continuous Learning: The system automatically adjusts predictions based on ongoing campaign outcomes using exponential moving averages.
• Content Recommendations: AI suggests subject lines, message body, and tone based on what has historically performed well for similar audiences.

Your rights under GDPR Article 22: Where these automated processes produce effects that significantly affect your contacts, you (as the data controller) are responsible for ensuring a lawful basis exists and for informing your contacts. You may request meaningful information about the logic involved by contacting privacy@notifyn.net. Aggregated and demographic-level DNA scores are anonymised and cannot be used to identify individual contacts. You may disable AI profiling features for your workspace at any time through your account settings.

4. INFORMATION SHARING AND DISCLOSURE

4.1 We Do Not Sell Your Personal Information

We do not sell, rent, lease, or trade your personal information to third parties for their marketing purposes. Period.

4.2 Service Providers (Sub-processors)

We share information with carefully selected third-party service providers who perform services on our behalf. These providers are contractually obligated to use your information only as necessary to provide services to us and must maintain appropriate security measures. See our complete list ofSubprocessors.

4.3 Legal Requirements

We may disclose your information when we believe in good faith that disclosure is necessary to:

• Comply with a legal obligation, court order, or legal process
• Respond to lawful requests by public authorities (law enforcement, national security)
• Protect and defend our rights, property, or safety
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users or the public

4.4 Business Transfers

In connection with a merger, acquisition, bankruptcy, reorganisation or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any change in ownership and your choices regarding your information.

4.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

4.6 Aggregated and De-identified Data

We may share aggregated, anonymised or de-identified data that cannot reasonably be used to identify you. This data may be used for industry benchmarks, research, and marketing purposes.

5. DATA SECURITY

5.1 Security Measures

We implement thorough technical, administrative and physical security measures to protect your information, including:

• AES-256 encryption of data at rest
• TLS 1.3 encryption for all data in transit
• Secure, salted password hashing (bcrypt)
• Two-factor authentication options
• Regular security audits and penetration testing
• Intrusion detection and monitoring systems
• Access controls and principle of least privilege
• Employee security training and background checks
• Incident response and breach notification procedures

For more details, please see our Security page.

5.2 No Absolute Guarantee

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You use the Service at your own risk and are responsible for maintaining the security of your account credentials.

5.3 Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.

6. DATA RETENTION

6.1 Retention Periods

We retain your information for as long as necessary to:

• Active Account Data: Retained while your account is active and for a reasonable period thereafter.
• Campaign and Analytics Data: Retained for 3 years from the date of the campaign.
• Billing Records: Retained for 7 years to comply with tax and accounting requirements.
• Security Logs: Retained for 2 years for security and fraud prevention.
• Support Communications: Retained for 3 years after resolution.

6.2 Account Deletion

When you delete your account, we will delete or anonymize your personal information within 30 days, except for information we are required to retain for legal, tax, or audit purposes, or to resolve disputes and enforce our agreements.

6.3 Backup Retention

Data in our backup systems may be retained for up to 90 days after deletion from production systems. Backups are encrypted and access is strictly limited.

7. YOUR RIGHTS AND CHOICES

7.1 Rights Under GDPR (EEA Residents)

If you are in the European Economic Area, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Object: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Lodge Complaint: Lodge a complaint with your local data protection authority.

7.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

• Know: Request disclosure of personal information we collect, use and share.
• Delete: Request deletion of your personal information.
• Opt-Out of Sale: We do not sell personal information, but you can opt out of any future sales.
• Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise CCPA rights, email privacy@notifyn.net. We will verify your identity before processing requests.

7.3 Rights Under Other Jurisdictions

If you are located in Brazil (LGPD), Canada (PIPEDA), UK (UK GDPR) or other jurisdictions with privacy rights, please contact us to exercise your applicable rights.

7.4 How to Exercise Your Rights

To exercise your privacy rights, you may:

• Email us at privacy@notifyn.net
• Use the self-service options in your account settings
• Submit a request through our Privacy Request Portal (if available)

We will respond to verified requests within 30 days (or as required by law). We may request additional information to verify your identity before processing requests.

7.5 Marketing Opt-Out

You can opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails or adjusting your preferences in account settings. Even if you opt out, we may still send transactional communications (billing, security, service updates).

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

Your information may be transferred to and processed in the United States or other countries where we or our service providers operate. We ensure appropriate safeguards for international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all processors and sub-processors
• Adequacy decisions where applicable
• Supplementary measures as recommended by data protection authorities

8.2 Data Residency

Enterprise customers may request specific data residency options. Contact our sales team for information about available data center regions.

9. CHILDREN'S PRIVACY

The Service is not intended for children under 16 years of age (or 13 in some jurisdictions). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe we may have information from a child, please contact us immediately at privacy@notifyn.net.

10. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites, services or content. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our Service. This Privacy Policy applies only to information collected by us.

11. DO NOT TRACK

Some browsers have a "Do Not Track" (DNT) feature that sends a signal to websites you visit indicating you do not wish to be tracked. There is no uniform standard for how to respond to DNT signals. Currently, our Service does not respond to DNT signals, but you can manage your cookie preferences as described in our Cookie Policy.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons. We will post the updated policy on this page and update the "Last Updated" date. For material changes, we will provide more prominent notice (e.g., email notification, in-app banner). Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.

13. CONTACT US

If you have questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us:

© 2026 HMD Corp. All rights reserved.