Privacy Policy for Notifly

Effective date: May 19, 2026

Notifly is an Android app for receiving custom push notifications through a small HTTP API. This Privacy Policy explains what information Notifly collects, how it is used, and the choices available to you.

This policy applies to the Notifly Android app (net.extrawdw.notifly) and the Notifly backend service.

Information Notifly Collects

Notifly collects the minimum information needed to register your device and deliver notifications.

Device registration information

When you register the app with the Notifly backend, the app sends:

a Firebase Cloud Messaging token, used to deliver push notifications to your device;
a randomly generated client ID, used to recognize the app installation;
the Android package name;
a Play Integrity token and related verification result, used to confirm that the app was installed from a trusted source and that the device meets integrity requirements;
generated Notifly credentials, including a device ID, user ID, and API key.

Notifly stores API keys and user keys locally on your device. The backend stores hashes of sensitive credentials where practical rather than storing the original secret value.

Why Notifly uses Play Integrity

Notifly uses the Google Play Integrity API to protect the notification service from abuse. Because Notifly allows API-triggered push notifications, the backend needs a way to confirm that a registering device is running the genuine Play-distributed Notifly app on a device that satisfies Google Play integrity checks. This helps prevent automated registrations, copied app builds, unauthorized clients, and misuse of Firebase Cloud Messaging tokens.

During registration and periodic reverification, Notifly requests a Play Integrity token from Google Play services and sends that token to the Notifly backend. The backend sends the token to Google for verification and stores the resulting integrity verdict with the device registration record. Notifly uses this verdict only for security, abuse prevention, and service eligibility. It is not used for advertising, profiling, or cross-app tracking.

Notification content

If you or an authorized caller use the Notifly API to send a notification, the notification title, body, channel ID, tag, actions, and related payload data are processed by the backend and by Firebase Cloud Messaging so the notification can be delivered.

Notifly stores recent received notifications locally on your device so you can view notification history in the app. This local history is limited to recent entries and can be cleared from the app.

App settings

Notifly stores app settings locally on your device, such as the backend URL and saved registration credentials.

Automatically processed technical information

The backend may receive standard technical information that is sent with network requests, such as IP address, request time, HTTP method, and user agent. Hosting providers and infrastructure services may process this information for security, abuse prevention, debugging, and service operation.

How Notifly Uses Information

Notifly uses the information described above to:

register and authenticate devices;
verify app and device integrity to prevent automated registrations, unauthorized clients, and notification delivery abuse;
deliver push notifications;
maintain notification channels and local notification history;
detect inactive, invalid, or stale device registrations;
secure the service and prevent unauthorized use;
debug, maintain, and improve reliability.

Notifly does not sell personal information. Notifly does not use collected information for advertising or cross-app tracking.

Notifly uses third-party infrastructure providers to operate the service:

Google Firebase Cloud Messaging, to deliver push notifications;
Google Play Integrity API, to verify app and device integrity;
Google OAuth and Google Cloud/Firebase services, to authenticate backend requests to Google APIs;
Cloudflare Workers and Cloudflare KV, to host the backend API and store registration records.

These providers may process information as needed to provide their services, comply with law, prevent abuse, and maintain security. Their handling of information is governed by their own terms and privacy policies.

Notifly may also disclose information if required by law, legal process, or to protect the rights, safety, and security of users, the app, or the service.

Data Retention

Notifly keeps device registration records while they are needed to operate the service. The backend marks inactive devices after a period of inactivity and deletes long-inactive device records after approximately 180 days.

Short-lived Play Integrity challenges expire after a few minutes. Local notification history is stored on your device and limited to recent entries.

You may remove locally stored Notifly data by clearing app data or uninstalling the app. If you need backend registration data deleted sooner, contact the developer using the contact information below.

Security

Notifly uses HTTPS for network communication with the backend and Google services. Registration credentials are generated randomly, and sensitive credential lookup values are stored on the backend as hashes where practical.

No method of transmission or storage is completely secure, but Notifly is designed to limit collection and protect the information needed to operate the service.

Your Choices

You can:

deny or disable notification permission in Android settings;
clear local notification history in the app;
clear app data or uninstall the app to remove local credentials and settings;
stop using the API key if you no longer want a device to receive API-triggered notifications;
contact the developer to request deletion of backend registration data associated with your Notifly credentials.

Children

Notifly is not directed to children under 13. The app is intended for users who configure custom notifications or manage their own notification workflows.

International Processing

Notifly and its service providers may process information in the United States and other locations where the providers operate.

Changes to This Policy

This Privacy Policy may be updated from time to time. If material changes are made, the effective date above will be updated.

Contact

For privacy questions or deletion requests, contact:

admin@extrawdw.net