Privacy Policy
Last updated: April 8, 2026
1. Information We Collect
We collect the following information when you use Pingfyr:
- Account information — your email address and password hash, managed securely via Supabase Auth.
- API usage data — reminder content, recipient addresses, delivery logs, channel types (email, webhook, Slack, Discord, Telegram, Google Calendar, OpenClaw), and timestamps.
- Payment information — billing details are processed by Stripe. Pingfyr does not store credit card numbers or raw payment data.
- Session data — authentication session cookies managed by Supabase.
- Google Calendar credentials — if you connect Google Calendar, we store OAuth2 access tokens and refresh tokens, encrypted at rest using AES-256-GCM. We request only the calendar.events scope (https://www.googleapis.com/auth/calendar.events), which permits creating, updating, and deleting calendar events. We do not request access to your calendar settings, other calendars, or any Google data beyond individual events. During the connection process, we also retrieve and store your Google account email address solely to display which Google account is connected in your dashboard. You may revoke access at any time from your dashboard or from your Google Account settings at myaccount.google.com/permissions. Google OAuth tokens and the connected email address are deleted immediately when you disconnect Google Calendar from your dashboard or when you delete your account.
- Telegram bot tokens — if you configure a Telegram delivery channel, your bot token is encrypted at rest using AES-256-GCM before storage.
- Custom SMTP credentials — if you configure a custom email server, your SMTP host, username, password, and sender details are encrypted at rest using AES-256-GCM.
2. How We Use Your Information
We use your information to:
- Provide and operate the reminder scheduling service.
- Process payments for paid plans via Stripe.
- Send transactional communications, including reminder delivery confirmations and account notifications, via Resend.
- Generate delivery logs displayed in your dashboard.
We do not sell personal data to third parties.
3. Third-Party Services
Pingfyr relies on the following third-party service providers. Each processes data according to their own privacy policy:
- Supabase — database and authentication hosting (AWS eu-west region, EU data center).
- Stripe — payment processing (PCI DSS compliant).
- Resend — transactional email delivery.
- Telegram Bot API — Telegram channel reminder delivery.
- Slack — Slack incoming webhook reminder delivery.
- Discord — Discord incoming webhook reminder delivery.
- Google Calendar API — calendar event creation for Google Calendar delivery channel. Event data (title, description, timestamps) is sent to Google. See Google Privacy Policy.
- Sentry — error tracking and performance monitoring. Sentry receives error traces and diagnostic data to help us debug issues. No reminder content or personal data is intentionally sent to Sentry.
4. Google User Data
Pingfyr's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
If you connect your Google Calendar account, Pingfyr receives OAuth2 access tokens, refresh tokens, and your Google account email address solely to create calendar events on your behalf when a reminder is scheduled for Google Calendar delivery. This data is:
- Used only to deliver your scheduled reminders to Google Calendar.
- Not used for advertising, marketing, profiling, or any unrelated purpose.
- Not shared with, transferred to, disclosed to, or sold to any third party — except to Google's own APIs as required to fulfill the calendar delivery you requested.
- Not used for any purpose beyond operating the Google Calendar delivery feature you explicitly enabled.
OAuth tokens and the connected email address are stored encrypted at rest using AES-256-GCM in our database (Supabase, EU region). They are deleted immediately when you disconnect Google Calendar from your Pingfyr dashboard or when you delete your account. You can revoke access at any time at myaccount.google.com/permissions.
5. Data Retention
Account data is retained for as long as your account remains active. Reminder content and delivery log data are retained for 30 days after delivery or cancellation. Upon account deletion, your personal data is removed within 30 days.
6. Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right to access and receive a copy of your personal data.
- Right to correct inaccurate data.
- Right to delete your personal data (right to erasure).
- Right to data portability.
- Right to opt out of non-essential communications.
To exercise any of these rights, contact us at support@pingfyr.com. EU residents may also lodge a complaint with their local data protection authority.
7. Cookies and Session Data
Pingfyr uses session cookies for authentication purposes only. We do not use advertising cookies, tracking cookies, or third-party analytics (no Google Analytics, no Meta Pixel). You can disable cookies in your browser settings, but this will prevent you from logging in.
8. Security
We implement the following security measures to protect your data:
- Data encrypted in transit using TLS.
- Data encrypted at rest using AES-256 via Supabase.
- Sensitive credentials (Google OAuth tokens, Telegram bot tokens, SMTP passwords) encrypted at rest using AES-256-GCM with per-record initialization vectors.
- API keys hashed with SHA-256 before storage — raw keys are never stored.
- API key verification uses constant-time comparison to prevent timing attacks.
- Per-user data isolation enforced via access controls.
- Rate limiting and audit logging on all API authentication events.
- Webhook endpoints verified against SSRF (Server-Side Request Forgery) attacks.
9. Children's Privacy
Pingfyr is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at support@pingfyr.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email with at least 30 days' notice before the changes take effect. Continued use of the service after the notice period constitutes acceptance of the updated policy.
11. Contact
For privacy inquiries or data requests, please contact us at support@pingfyr.com.
12. GDPR Information
Data Controller
Anil Ozsoy, Meerbusch, 40670, Germany.
Email: anil@pingfyr.com
Legal Basis
We process your personal data on the basis of Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (providing the Pingfyr reminder service). No separate consent is required for data processing necessary to operate the service.
Data Location
Your data is stored on Supabase infrastructure hosted on AWS in the eu-west region (European Union).
Data Retention
Reminder content, delivery logs, and related operational data are automatically deleted 30 days after delivery or cancellation. Account data is retained for as long as your account is active.
Right to Lodge Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Related Documents
See our Terms & Conditions for service usage terms and our Impressum for company details.