Privacy Policy
Last updated: 2026-04-27
This Privacy Policy describes how GrayM Systems, LLC ("we", "us", "our") collects, uses, and shares personal data in connection with TipOff (the "Service"), available at tipoff.dev, app.tipoff.dev, and api.tipoff.dev.
1. Data we collect
We collect only what we need to operate the Service.
a. Account data
When you create an account, we collect your email address and an authentication credential (passkey or password, depending on configuration). We assign you an internal user identifier.
b. Service data
When you use the Service, we process and store: source labels and source keys
(sk_*), device tokens and device keys (dk_*), notification
payloads (titles, bodies, source-supplied metadata), action callbacks, and delivery state.
c. Technical data
Our server logs request metadata for security, debugging, and rate-limiting purposes: IP address, user agent, request path, response status, and timestamps. Logs are retained for 30 days unless required for security incident investigation.
d. Billing data
Payments are processed by our merchant of record (see Section 3). We do not see, store, or process your full payment card details. We receive only a customer identifier, a subscription identifier, the plan you are on, and the dates the subscription is active — the minimum required to grant or revoke paid features.
e. Analytics
Our marketing site uses Plausible Analytics for aggregate page-view counts. Plausible does not use cookies, does not track users across sites, and does not store IP addresses. No personal data is collected through analytics.
2. How we use data
- To deliver the Service: route notifications, persist state, deliver callbacks, enforce plan limits.
- To authenticate you and protect your account.
- To prevent abuse: rate limiting, fraud detection, security monitoring.
- To provide support when you contact us.
- To bill paying customers and reflect their plan status.
- To send service-related email (account confirmations, billing receipts via the merchant of record, security notices). These are essential to operating your account and cannot be opted out of while your account is active. Service email is sent via our email vendor Resend.
- We do not add your account email to any marketing list. We operate a separate, opt-in newsletter via Buttondown for product news and updates. You only receive it if you explicitly subscribe on our marketing site, and you can unsubscribe at any time via the link in every newsletter email.
We do not sell personal data, and we do not use it for advertising or behavioural targeting.
3. Subprocessors and third parties
We rely on a small set of vendors to operate the Service. Each receives only the data needed for their role.
| Vendor | Purpose | Data shared |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS, edge hosting for tipoff.dev and app.tipoff.dev | Request metadata, IP address |
| Apple, Inc. (APNs) | Push notification delivery to Apple devices | Device token, notification payload |
| Plausible Analytics (Plausible Insights OÜ) | Aggregate page-view analytics on the marketing site | Page URL, referrer, country (no IP, no cookies) |
| Resend, Inc. | Sends transactional email (account, billing, security) | Recipient email, message subject and body |
| Buttondown | Hosts our opt-in newsletter (only if you subscribe) | Subscriber email, subscription metadata |
| Paddle.com Market Limited | Merchant of record; payment processing, tax, invoicing | Email, billing details, IP, internal user identifier |
| Fly.io (Hydrobyte, Inc.) | Hosts the api.tipoff.dev backend | All Service data at rest |
We update this list as our infrastructure changes. The current list is authoritative as of the date at the top of this page.
4. Cookies and local storage
The marketing site at tipoff.dev does not set cookies. It stores a single
starlight-theme value in your browser's localStorage to remember
your dark/light preference; this never leaves your device.
The dashboard at app.tipoff.dev sets a session cookie scoped to .tipoff.dev
to keep you logged in. The cookie is HTTP-only, Secure, and SameSite-Lax. It contains
only an opaque session identifier.
When you proceed to checkout, our merchant of record may set its own cookies on its own domain; their privacy policy applies there.
5. Data retention
- Account data: retained while your account is active and for 30 days after deletion, then permanently deleted.
- Notification payloads and delivery state: retained for the per-plan TTL — Free: 7 days, Paid: 30 days — then deleted.
- Server access logs: 30 days.
- Billing records: retained as long as required by tax law (typically 7 years).
6. Your rights
Depending on where you live (e.g., EEA/UK under GDPR, California under CCPA), you have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. You can exercise most of these directly from your account, or by emailing us at privacy@tipoff.dev.
We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
7. Security
We use TLS for all data in transit, encrypt sensitive credentials at rest, and follow standard hardening practices. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at security@tipoff.dev.
8. International transfers
Some of our subprocessors are located outside the country where you reside, including in the United States and the European Union. Where applicable, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers of personal data.
9. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.
10. Changes
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you by email or in the Service before the change takes effect.
11. Contact
Questions about this policy? Contact us at privacy@tipoff.dev.
GrayM Systems, LLC
North Carolina, USA