Privacy Policy
Last updated: April 27, 2026
1. Introduction
NativeSuite is operated by Volomn LLC ("NativeSuite", "we", "our", "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, share, and safeguard personal information when you use the NativeSuite platform, website, mobile application, APIs, and related services (collectively, the "Service").
This policy applies to two categories of individuals:
- Developers: Individuals and organisations that create accounts on NativeSuite to build and publish apps and to configure widgets, notifications, and live activities.
- End-Users: Individuals who install and use the NativeSuite mobile application to interact with apps published by Developers.
This policy is designed to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA), other US state privacy laws, and the Nigeria Data Protection Act 2023 (NDPA).
By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Information Provided by Developers
- Account information: First name, last name, email address, and password (stored as a cryptographic hash).
- Organisation details: Organisation name, URL handle/slug, and custom domain (if configured).
- Team member data: Names, email addresses, and roles (Owner, Admin, Member) of individuals invited to your organisation.
- Payment and billing information: We use Stripe as our payment processor. When you subscribe to a paid plan, Stripe collects your payment card details directly. We store your Stripe customer ID, subscription ID, plan tier, billing interval, and payment status — but we never store full card numbers, CVVs, or bank account details on our servers.
- App configuration data: App names, descriptions, icons, privacy policy URLs, terms of service URLs, support email addresses, webhook URLs, and data source configurations you create within the Service.
- API credentials: Signing secrets and app secrets generated for authenticating API requests. These are stored securely and can be rotated at any time.
- Data source credentials: When you connect external APIs as data sources, we store the connection metadata, request configurations (headers, query parameters, URLs), and response schemas necessary to fetch data on your behalf.
- Communication data: Support requests, feedback, and correspondence you send to us.
2.2 Information Provided by End-Users
- Account information: Display name, email address, and avatar URL.
- Authentication identifiers: Google ID or Apple ID if you sign in via OAuth.
- Device information: Device identifier, platform (iOS or Android), push notification tokens (APNs or FCM), and push-to-start tokens for iOS Live Activities.
- App interaction data: Which apps you have installed, widgets you have added, notifications you have received, and live activities you have participated in.
2.3 Information Collected Automatically
- Usage data: Pages visited, features used, actions taken, timestamps, and interaction patterns.
- Device and browser data: Browser type and version, operating system, screen resolution, language preferences, and device type.
- Network data: IP address, approximate geographic location (derived from IP), and referring URL.
- Cookies and similar technologies: We use cookies, local storage, and similar technologies as described in our Cookie Policy.
2.4 Information from Third Parties
- OAuth providers: When you authenticate via Google or Apple Sign-In, we receive your name, email address, and unique provider identifier as authorised by you during the OAuth flow.
- Stripe: We receive subscription status updates, payment failure notifications, and invoice data from Stripe via webhooks.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service, including account management, widget delivery, push notifications, and live activities | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending transactional emails (verification, password resets, billing receipts, security alerts) | Performance of contract |
| Delivering push notifications to End-User devices on behalf of Developers | Performance of contract / Consent |
| Monitoring and enforcing usage limits, rate limiting, and overage billing | Performance of contract / Legitimate interest |
| Analysing usage patterns to improve the Service | Legitimate interest |
| Ensuring the security and integrity of the platform | Legitimate interest |
| Detecting, preventing, and addressing fraud, abuse, or technical issues | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Communicating product updates and changes to terms | Legitimate interest |
We will not use your personal information for automated decision-making or profiling that produces legal effects concerning you.
4. Our Role as Data Controller and Data Processor
NativeSuite operates in a dual capacity:
- Data Controller: We are the data controller for the personal information of Developers (account data, billing data, usage data) and for End-User data we collect directly through the NativeSuite mobile app (account registration, device tokens, app installations).
- Data Processor: When Developers use NativeSuite to deliver widgets, notifications, and live activities to their End-Users, we act as a data processor on behalf of the Developer. In this capacity, the Developer is the data controller, and we process End-User data solely according to the Developer's instructions and our Data Processing Agreement.
Developers who use NativeSuite to reach End-Users are responsible for having their own privacy policies and legal bases for processing End-User data. Developers must ensure their use of NativeSuite complies with all applicable data protection laws.
5. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
5.1 Service Providers
We share data with third-party service providers who assist us in operating the Service, subject to contractual obligations to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing and subscription management | Billing contact info, payment details (handled directly by Stripe), subscription events |
| Apple Push Notification service (APNs) | Delivering push notifications and live activities to iOS devices | Device push tokens, notification content |
| Firebase Cloud Messaging (FCM) | Delivering push notifications to Android devices | Device push tokens, notification content |
| Amazon Web Services (SES) | Sending transactional emails | Email addresses, email content |
| DigitalOcean | Infrastructure hosting and file storage | All data stored on the platform (encrypted at rest) |
| Google (OAuth) | Authentication | Authentication tokens during sign-in flow |
| Apple (Sign-In) | Authentication | Authentication tokens during sign-in flow |
5.2 Developers
When End-Users install and interact with a Developer's app on NativeSuite, the Developer may receive End-User data through webhooks and API calls, including display names, email addresses, and interaction events. Developers are bound by our Terms of Service and Acceptable Use Policy regarding how they handle this data.
5.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of the transaction. We will notify you via email or a prominent notice on our website before your information becomes subject to a different privacy policy.
6. Data Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our databases and file storage is encrypted at rest.
- HMAC request signing: API requests between Developers and our platform are authenticated using HMAC-SHA256 signatures to prevent tampering and replay attacks.
- Password hashing: User passwords are stored using industry-standard cryptographic hashing algorithms with salting.
- Access controls: Role-based access control within organisations, and strict internal access controls for our team.
- Credential rotation: Developers can rotate their signing secrets and app secrets at any time without service interruption.
- Secure infrastructure: Our infrastructure is managed through version-controlled infrastructure-as-code with restricted access.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable law.
7. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes described in this policy:
- Active accounts: Data is retained for the duration of your account's existence.
- Deleted accounts: Upon account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., billing records for tax purposes, which are retained for up to 7 years).
- Webhook delivery logs: Retained for 30 days for debugging purposes, then automatically purged.
- Push notification logs: Delivery status records are retained for 90 days.
- Usage analytics: Aggregated, anonymised usage data may be retained indefinitely for service improvement purposes.
- Backup copies: Encrypted backups may contain your data for up to 30 days after deletion from live systems.
8. International Data Transfers
NativeSuite's infrastructure is hosted in data centres located in the United States and Europe. If you are accessing the Service from outside these regions — including from the United Kingdom, Nigeria, or other countries — your data will be transferred to and processed in these locations. We ensure appropriate safeguards for international data transfers through:
- EU/EEA: Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), where applicable.
- United Kingdom: The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the Information Commissioner's Office (ICO).
- United States: Compliance with the EU-U.S. Data Privacy Framework, where applicable, and contractual protections with all service providers.
- Nigeria: Compliance with the cross-border transfer requirements of the Nigeria Data Protection Act 2023 (NDPA), including ensuring that the recipient jurisdiction provides adequate data protection or that appropriate contractual safeguards are in place as required by the NDPC.
- Data processing agreements with all sub-processors that include adequate transfer mechanisms and data protection obligations.
9. Your Rights
9.1 Rights Under GDPR (EEA and Switzerland Residents)
If you are located in the European Economic Area or Switzerland, you have the following rights under the General Data Protection Regulation (EU) 2016/679:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to certain exceptions.
- Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
9.2 Rights Under UK GDPR (United Kingdom Residents)
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These include the same rights listed in Section 9.1 above. You may lodge complaints with the Information Commissioner's Office (ICO).
Where NativeSuite transfers your personal data outside the UK, we rely on UK International Data Transfer Agreements or other transfer mechanisms approved by the ICO.
9.3 Rights Under US Federal and State Laws (United States Residents)
9.3.1 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it.
- Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
- Right to non-discrimination: We will not discriminate against you for exercising any of your rights.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
In the preceding 12 months, we have collected the categories of personal information described in Section 2 of this policy. We do not sell personal information and have not done so in the preceding 12 months.
9.3.2 Other US State Privacy Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or other states with comprehensive privacy legislation, you may have similar rights to access, correct, delete, and opt out of certain processing of your personal data. We honour these rights as required by applicable state law. To exercise your rights, contact us as described in Section 9.5.
9.4 Rights Under NDPA (Nigerian Residents)
If you are located in Nigeria, the Nigeria Data Protection Act 2023 ("NDPA") and regulations issued by the Nigeria Data Protection Commission ("NDPC") provide you with the following rights:
- Right to be informed: You have the right to be informed about the collection and use of your personal data, including the purposes of processing, retention periods, and with whom your data is shared. This Privacy Policy serves as our notice to you.
- Right of access: Request confirmation of whether we process your personal data and, if so, obtain a copy of that data.
- Right to rectification: Request the correction of inaccurate or incomplete personal data we hold about you.
- Right to erasure: Request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where there is no overriding legitimate ground for continued processing.
- Right to restrict processing: Request that we limit how we process your personal data in certain circumstances, including while we verify the accuracy of data you have challenged.
- Right to data portability: Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller where technically feasible.
- Right to object: Object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately.
- Right to withdraw consent: Where we process your data based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects concerning you, except where such decisions are necessary for a contract, authorised by law, or based on your explicit consent.
- Right to lodge a complaint: You may file a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.
Lawful basis for processing: Under the NDPA, we process your personal data on the following lawful bases: consent (where you have given clear consent for us to process your data for a specific purpose), contractual necessity (where processing is necessary for the performance of a contract with you), legitimate interest (where processing is necessary for our legitimate interests and does not override your fundamental rights), and legal obligation (where processing is necessary for compliance with Nigerian or other applicable law).
Cross-border transfers: Where your personal data is transferred outside Nigeria, we ensure that the recipient country provides an adequate level of data protection or that appropriate safeguards are in place, as required by the NDPA and any regulations issued by the NDPC. We rely on contractual safeguards, including data processing agreements with our sub-processors, to protect your data when transferred internationally.
Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the NDPC and, where required, affected individuals, within the timeframe prescribed by the NDPA.
9.5 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@nativesuite.io. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. Developers can also export and delete data through their account settings.
10. Children's Privacy
The Service is not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@nativesuite.io. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.
11. Push Notifications and Device Data
The NativeSuite mobile app requests permission to send push notifications to your device. If you grant permission:
- We collect and store your device push token (APNs token for iOS, FCM token for Android) to deliver notifications.
- For iOS devices running iOS 17.1 or later, we may collect push-to-start tokens to initiate Live Activities on your device.
- Push tokens are associated with your account and the apps you have installed.
- You can revoke notification permissions at any time through your device settings. Revoking permissions will stop notification delivery but will not delete previously stored tokens until your next app session.
- Developers who publish apps on NativeSuite send notification content through our platform; we deliver these on their behalf.
12. Widgets and Home Screen Data
When you add NativeSuite widgets to your device's home screen:
- Widget content is fetched from our servers based on the app and template configuration set by the Developer.
- Widget data may include dynamic content from the Developer's connected data sources.
- We track which widgets you have installed to ensure proper content delivery.
- Widget data is refreshed periodically by the operating system; the frequency is controlled by iOS and Android, not by NativeSuite.
13. Third-Party Links and Developer Apps
NativeSuite hosts apps created by third-party Developers. Each Developer app may have its own privacy policy and terms of service. We encourage you to review the Developer's privacy policy before installing their app. NativeSuite is not responsible for the privacy practices of third-party Developers, though we require all Developers to comply with our Acceptable Use Policy.
Our website and Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify Developers via email at the address associated with their account.
- For material changes that affect End-Users, we will provide notice through the NativeSuite mobile app or website.
- We will provide at least 30 days' notice before material changes take effect, where practicable.
Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
15. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
- Email: privacy@nativesuite.io
- General inquiries: legal@nativesuite.io
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EEA: Your local Data Protection Supervisory Authority.
- United Kingdom: The Information Commissioner's Office (ICO) — ico.org.uk.
- United States: The Federal Trade Commission (FTC) or your state Attorney General's office.
- Nigeria: The Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng.