NotiAlarm Privacy Policy
Last updated: 2026-05-26
This policy describes what data NotiAlarm collects, how we use it, who it's shared with, and how to delete it. It applies to the NotiAlarm iOS app and our backend at *.supabase.co.
If you have questions, contact privacy@notialarm.com.
1. Who we are
NotiAlarm is operated as an independent app. We are the only "data controller" for the data described below. We do not sell user data, do not run advertising, and do not share data with analytics or marketing providers.
2. What we collect
We collect only what we need to deliver alarm-grade notifications. Everything is tied to your NotiAlarm account.
Account data
- Email address. Required to sign up and recover your account. If you use Sign in with Apple and choose "Hide My Email," we receive Apple's private-relay address (e.g. random@privaterelay.appleid.com) instead of your real email.
- Password hash. If you sign up with email + password. We never see your plaintext password — only the salted hash stored by our authentication provider.
- Optional display name and timezone. Editable in Settings.
Notification delivery data
- Push notification token. Issued by Apple Push Notification service (APNs). Stored against your account so the backend knows where to deliver your alarms. Refreshed automatically by iOS.
- Per-device "Critical Alerts enabled" flag. True/false, set by you when you grant the Critical Alerts permission (only available if Apple has granted us the entitlement; pending as of this writing).
Webhook event metadata
When a third-party service (e.g., TradingView) posts a webhook to your unique NotiAlarm ingest URL, we record:
- The source name (e.g., tradingview)
- The alert tag the source sent (e.g., NQ1! Crossing 29,102.25)
- A SHA-256 hash of the raw request body (for de-duplication only)
- The timestamp the request landed
- The result of any signature verification
- The remote IP address that posted the webhook
We do not retain the raw webhook body past the lifetime of the HTTP request that delivered it. The body is parsed for the alert tag and discarded.
Alarm configuration and fire history
- Alarms you create: name, source, match pattern, sound choice, vibration choice, dismissal-challenge settings, presentation mode, quiet hours.
- Alarm fires: when each alarm fired, which devices received the push, delivery success per device, when (and how) you dismissed it.
User-uploaded audio
- Custom sound files (m4a, mp3, wav) you upload, up to 5 MB each. If you upload a video file (mp4, mov, m4v), only the audio track is extracted and stored — the video frames are discarded before upload.
- Stored under a path tied to your account ID. Only you (and our backend, when sending you an alarm push that uses the sound) can access them.
Logs
Our backend writes operational logs to detect abuse, debug delivery failures, and meet platform reliability requirements. Logs may include request IDs, timestamps, error messages, and IP addresses. They do not include webhook bodies or alarm contents.
3. What we do NOT collect
NotiAlarm does not access:
- Your location
- Your contacts
- Your photo library contents beyond a single video you explicitly choose to upload for audio extraction (and that file is processed on-device using Apple's out-of-process picker — we don't receive your photo library catalog)
- Your microphone
- Your camera
- Health data
- Your browsing or app-usage history outside of NotiAlarm
- Any data from other apps on your device
We do not include analytics SDKs, advertising SDKs, or any third-party tracking code in the iOS app.
4. How we use your data
We use the data above only to:
- Authenticate you and let you sign in across devices.
- Deliver alarm notifications to devices you've registered.
- Match inbound webhooks to the alarms you've configured.
- Show you your alarm history and let you debug missed matches.
- Operate, secure, and improve the service (e.g., detecting abuse, fixing bugs, planning capacity).
We do not use your data for marketing, profiling, or sale to third parties.
5. Who we share data with
Your data is stored on infrastructure provided by these third parties, each of which acts as a processor under our direction:
- Supabase (supabase.com). Hosts our database, authentication, file storage, and serverless functions. All NotiAlarm data lives here.
- Apple Push Notification service (push.apple.com). Delivers iOS notifications. We send your APNs token + a short payload; Apple does the rest.
- Apple Sign in with Apple (if you use it). Apple issues us an identity token containing your Apple user ID and email. We verify the token, then store your account in Supabase as above.
- Firebase Cloud Messaging (firebase.google.com). Reserved for the future Android version; not used by the current iOS app.
We do not share data with TradingView or other webhook sources. Those services post to us; we don't send anything back.
We will disclose data only when legally required (e.g., a valid subpoena) and only the specific data requested.
6. How long we keep data
| Data | Retention |
|---|---|
| Account, alarms, devices, custom sounds | Until you delete your account |
| Alarm fire history | Until you delete your account |
| Webhook event log (metadata only) | 30 days, then automatically purged |
| Operational logs | Up to 30 days |
| Raw webhook bodies | Not retained beyond the request itself |
When you delete your account (Settings → Delete Account inside the app), everything tied to your account is purged immediately, including your custom sound uploads. The cascade is enforced at the database level via auth.users on delete cascade.
7. Your rights
You can:
- Access your data: everything we hold is visible inside the app.
- Correct your data: edit account fields, alarms, and sounds in the app at any time.
- Delete your account: Settings → Delete Account inside the app. The deletion is immediate and irreversible. If you also want our operational logs purged on a faster timeline than the 30-day default, email us.
- Export your data: not yet available in v1. Email us if you need a copy of what we hold.
If you are in the EU/EEA, UK, or California, you have additional statutory rights (data portability, restriction of processing, etc.). Email us and we will honor them.
8. Security
- All traffic between the app and our backend uses HTTPS / TLS 1.2+.
- Passwords are stored as salted hashes by our authentication provider (never plaintext).
- Webhook ingest URLs contain 128 bits of randomness, are unique per user, and can be rotated from the app at any time (old URL returns 410 Gone).
- Database access is governed by row-level security: every query is scoped to the authenticated user. The service role key never ships in the iOS app.
No system is perfectly secure. If you believe your account has been compromised, rotate your webhook URLs from the Sources screen and email us so we can investigate.
9. iOS permissions we request
| Permission | Why |
|---|---|
| Notifications | Required to deliver alarms. Without this you receive nothing. |
| Time Sensitive notifications | Lets alarms break through Focus / Do Not Disturb when you've added NotiAlarm to a Focus's allowed apps. |
| Critical Alerts (when granted by Apple) | Lets alarms bypass hard silent mode and sleep silence. Disabled by default; you opt in per device. |
| Background audio mode | Required so the alarm sound can start playing from a background push, before you tap the notification. |
We never request location, contacts, camera, microphone, or health permissions.
10. Children
NotiAlarm is intended for users 13 and older (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect data from children under 13. If you believe a child has signed up, email us and we'll delete the account.
11. Changes to this policy
We may update this policy from time to time as the app evolves. When we do, we'll revise the "Last updated" date at the top of this page, and any material changes will be reflected here before they take effect. Please review this page periodically for the latest version.
12. Contact
Privacy questions, deletion requests, or anything else: privacy@notialarm.com.