Privacy Policy — GDPR

Last update: April 2, 2026

1. Data controller

The controller of personal data collected via the JustPush platform (available at just-push.com) is:

  • Business name: PUSH
  • Legal form: Sole proprietorship
  • SIRET: Registration pending
  • Registered office: France
  • Email: [email protected]

JustPush is a wallet marketing platform allowing merchants to send push notifications via Apple Wallet and Google Wallet to their customers.

2. Data collected

We collect different categories of data depending on the type of user:

2.1 Merchants (platform users)

  • First and last name of the representative
  • Professional email address
  • Phone number
  • Business address
  • SIRET number
  • Billing data (via Square)
  • Logo and brand visuals

2.2 End customers (wallet cardholders)

  • First name
  • Email address (optional)
  • Phone number (optional)
  • Date of birth (optional, for birthday offers)
  • Scan / visit data (timestamp, point of sale location)
  • Loyalty history (number of points, stamps, rewards)

2.3 Data collected automatically

  • IP address (anonymized in analytics)
  • Browser type and operating system
  • Pages visited and time spent (landing site only)

3. Processing purposes

Personal data is processed for the following purposes:

  • Account management: creation, authentication and administration of merchant accounts
  • Service delivery: generation of wallet cards, sending of push notifications via Apple Wallet and Google Wallet
  • Loyalty program: tracking of points, stamps and rewards for end customers
  • Wallet notifications: sending geofenced or manual push notifications to cardholders
  • Anonymized analytics: aggregated usage statistics to improve the service (number of scans, retention rate, etc.)
  • Billing: management of subscriptions and payments via Square
  • Customer support: handling of assistance requests

4. Legal basis for processing

Data processing is based on the following legal bases:

  • Performance of contract (Article 6.1.b GDPR): for merchants, processing is necessary for the performance of the subscription contract to the JustPush platform.
  • Consent (Article 6.1.a GDPR): for end customers, processing is based on free and informed consent when voluntarily adding the wallet card to their device. Consent can be withdrawn at any time by removing the card from their wallet.
  • Legitimate interest (Article 6.1.f GDPR): for anonymized analytics and service improvement.
  • Legal obligation (Article 6.1.c GDPR): for the retention of billing data in accordance with commercial law.

5. Retention period

Personal data is retained for the following periods:

Type of dataRetention period
Merchant account dataContract duration + 3 years after termination
End customer data (active)Merchant contract duration + 3 years
Deleted data (soft delete)30 days before final deletion
Billing data10 years (legal accounting obligation)
Technical / security logs12 months
Anonymized analytics25 months

Upon expiration of these periods, data is irreversibly deleted or anonymized.

6. Data recipients

Personal data may be communicated to the following recipients:

  • JustPush (PUSH): as data controller and technical subcontractor for merchants. A subcontracting agreement (DPA) compliant with Article 28 of the GDPR governs this relationship.
  • Apple Inc.: for the generation and update of Apple Wallet passes (Apple Push Notification service).
  • Google LLC: for the generation and update of Google Wallet passes (Google Wallet API).
  • Square Inc.: for secure processing of credit card payments. Square is PCI-DSS Level 1 certified.
  • Hetzner Online GmbH: infrastructure host (servers located in the European Union).

No personal data is sold, rented or transferred to third parties for commercial or advertising purposes.

7. Data transfers outside the European Union

Some of our subcontractors are located outside the European Union. These transfers are governed by the following safeguards:

  • Apple Inc. (United States): transfer governed by the Standard Contractual Clauses (SCC) of the European Commission and the EU-US Data Privacy Framework (DPF).
  • Google LLC (United States): transfer governed by the Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework (DPF). Google is DPF-certified.
  • Square Inc. (United States): transfer governed by the Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework (DPF). Square is PCI-DSS Level 1 certified.

The main infrastructure (servers, database) is hosted in the European Union at Hetzner Online GmbH. Only strictly necessary data for the operation of wallet and payment services is transmitted to U.S. providers.

8. Rights of individuals

In accordance with the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

  • Right of access (Art. 15): obtain confirmation that data concerning you is being processed and receive a copy of it.
  • Right of rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data under the conditions provided by the GDPR.
  • Right to portability (Art. 20): receive your data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21): object to the processing of your data on legitimate grounds.
  • Right to restriction (Art. 18): obtain restriction of processing in certain cases.
  • Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of the processing carried out before withdrawal.

To exercise your rights, send your request by email to [email protected] specifying your identity and the right you wish to exercise. We commit to responding within one month.

In case of difficulty, you can file a complaint with the CNIL: www.cnil.fr

9. Cookies

The just-push.com site uses only strictly necessary cookies for the operation of the service. No advertising tracking cookies are used.

CookieTypeDurationPurpose
sessionFunctionalSessionUser authentication
jp_refFunctional90 daysReferral / affiliation tracking
themeFunctional1 yearTheme preference (light/dark)

In accordance with CNIL recommendations, strictly necessary cookies do not require prior consent. Therefore no cookie banner is displayed.

10. Data security

JustPush implements the following technical and organizational measures to ensure the security of your data:

  • Encryption in transit: all communications are encrypted via TLS 1.2+ (HTTPS)
  • Authentication: JWT tokens signed with the ES256 algorithm (elliptic curves)
  • Passwords: hashed with bcrypt (adaptive cost factor)
  • Database: PostgreSQL hosted on a dedicated Hetzner server in the European Union, restricted access via firewall
  • Backups: encrypted automatic daily backups
  • Access: principle of least privilege, multi-factor authentication for administrators
  • Monitoring: continuous monitoring of access and alerts in case of suspicious activity

11. Data Protection Officer (DPO)

For any question regarding the protection of your personal data or to exercise your rights, you can contact our GDPR officer:

  • Email: [email protected]
  • Postal address: PUSH — DPO, France
  • Response time: 1 month maximum (extendable by 2 months in case of complex request)

You also have the right to file a complaint with the French National Commission for Informatics and Liberties (CNIL): www.cnil.fr/fr/plaintes

12. Policy updates

This privacy policy may be modified at any time to adapt to legal, regulatory or technical changes. In the event of substantial modification, users will be informed by email or by notification on the platform.

The date of the last update is indicated at the top of this page. We invite you to consult this page regularly to stay informed of our data protection practices.

Change history:

  • April 2, 2026: initial version of the privacy policy