Privacy friendly
Notifizz does not store your users’ personal data. Names, plans, segments, custom fields, profile graphs — none of it lives in the platform. When a campaign needs a recipient’s profile, the orchestrator fetches it live from your systems via an enricher, uses it to send the notification, and lets it go. The only customer data Notifizz retains is the strict minimum required to deliver the message and honour later requests (unsubscribe, right to erasure). That single rule — fetch live, don’t copy — is the core of the architecture. Everything below is what falls out of it: the email hashing story, the bounded cache, the retention curseurs. None of it is a configuration option you opt into; it’s how the platform is wired.TL;DR
- No warehouse sync. Customer profiles stay in your systems. The orchestrator fetches what it needs at notification time via enrichers — never copies it.
- Email is hashed by default. Plain email is kept encrypted only inside an operational window (default 14 days, configurable). After that, only an org-salted SHA-256 hash remains, sufficient for de-duplication and the suppression list.
- The enricher cache is bounded, not a sync. Per
(org, env, enricher, params)keying with a TTL declared at registration. Eviction is automatic; only recently used records exist. - Retention is configured per organisation, with conservative GDPR-aligned defaults and platform-enforced minima.
Why it matters
GDPR Article 5 — and the equivalent regimes everywhere else — require you to hold customer data only as long as you need it, for explicit purposes. Notification platforms in the Customer.io / Braze / Iterable lineage centralise all customer data in their own database, indefinitely, in case a campaign ever fires for that customer. Your DPO ends up auditing a parallel customer graph that exists only for “we might send something one day”. Notifizz’s design eliminates that parallel graph. The privacy surface you have to audit is the event payloads you control, plus the per-message delivery snapshots — not a copy of every customer.The three pillars
1. Enrichers — no warehouse copy
The platform doesn’t sync your customer database. Instead, the orchestrator calls enrichers — server-side functions you register that fetch live data from your systems at notification time.- Privacy surface stays in your systems. Notifizz processes; you store.
- No drift. The user’s email is whatever your DB returns at notification time, not what last night’s sync ran with.
- No schema migration. New attribute? Add a field to the enricher’s output. Renamed? One file changes.
2. Email hashing — plain text only when needed
The platform handles email in two distinct states: plain (encrypted at rest) during the operational window, hashed only outside it. Suppression lists store hashes only, so an unsubscribe survives forever without keeping the address forever.Normalisation, then hash
Every incoming email is normalised before hashing:+tag in the local-part) is opt-in per organisation — it improves de-duplication but risks merging addresses the user intentionally separated. Off by default.
The hash uses an organisation-specific salt stored in a KMS:
Plain email lifecycle
The plain (encrypted) email is held as long as a notification within the operational window references it — and purged automatically otherwise. When a new send arrives later for the same address, the hash matches the existing recipient, the plain email is reintroduced, and the history is continuous.| State | What’s stored |
|---|---|
| Active sending window | Plain email (encrypted, AES-GCM, per-org KMS key) + hash + delivery history |
| Outside the window | Hash only + delivery history (pseudonymised) |
| Suppression list entry | Hash only (no plain text — ever) |
3. Cache — bounded, not a sync
Enricher responses are cached server-side to keep latency low. This is not a sync. The differences are structural:| Sync (warehouse-sync platforms) | Cache (Notifizz enrichers) |
|---|---|
| Pre-fetches data before any notification fires | Fetches only when a notification needs it |
| Stores every customer in the platform’s DB | Stores only the records used recently |
| Holds data indefinitely | Evicts on TTL or invalidation |
| Privacy surface = full customer database | Privacy surface = records used in the last TTL window |
(organisationId, environmentId, enricherName, sha256(params)) — strict cross-tenant isolation, identical params from different organisations never collide. TTL precedence: per-call override → declared at registration → 1-hour default. An enricher declaring cache: false cannot be overridden upward.
is where the keying lives; enrichers protocol covers the policy in detail.
What Notifizz stores — and what it doesn’t
| Data | Stored? | Lifecycle |
|---|---|---|
Your external_id (your own user id) | Yes | Lives until you declare deletion |
| Plain email | Encrypted at rest | Held within the operational window (default 14 days), purged after |
| Email hash (org-salted SHA-256) | Yes | Lives with the recipient or in the suppression list |
| Notification delivery events (sent, opened, clicked) | Yes | Live with the recipient; pseudonymised once plain email is purged |
| User notification inbox | Yes | Lives with the recipient |
| Customer traits (name, plan, segment, custom fields) | No | Fetched live via enrichers, never persisted |
| Profile graph beyond identifiers | No | Stays in your systems |
Retention configuration
GDPR places retention under the responsible-party (you, the controller) — not the processor (Notifizz). Notifizz exposes configurable curseurs per organisation, with conservative defaults and platform-enforced minima:| Curseur | Default | Minimum | Notes |
|---|---|---|---|
email_retention_days | 14 | 7 | Below 7 days, Postmark bounce handling breaks. |
analytics_retention_days | unlimited (lives with recipient) | 30 | Below 30 days, dashboards lose value. |
suppression_list_retention_years | 3 | 3 (max 10) | Legal floor — Article 21 + ePrivacy obligation to honour past unsubscribes. |
Suppression and right to be forgotten
When a user unsubscribes, marks a message as spam, or asks to be deleted, the obligation is “never email again” plus (for deletion) “remove the record”. Notifizz handles both without keeping the address indefinitely:- Unsubscribe / spam complaint → the email is hashed, added to the per-org suppression list. Subsequent sends hash the incoming address and check the list before dispatch. The plain email is not retained.
- Right to erasure (
DELETE /v1/subjects/:external_id) → declared by your system as part of your own user-deletion flow. Notifizz purges the recipient, all delivery events, and the inbox immediately. - Inactive cookie subjects →
WebSubjectrecords (anonymous widget visitors) without activity for 90 days are purged automatically. Anonymous consent is ephemeral by design.
How this composes with the rest
- Enrichers — the no-copy primitive, the largest contribution to the minimisation story.
- Recipients — recipients carry only
id+email(plus arbitrary fields you control); never absorbed into a profile store. - Authentication — widget auth modes keep authenticated and anonymous traffic strictly separated, in line with the CNIL January 2026 recommendation.
- Activity log — retention curseur changes appear in the audit trail with full context.
FAQ
If you don't store profile data, how do you display a recipient's name in the dashboard?
If you don't store profile data, how do you display a recipient's name in the dashboard?
external_id — display degrades, the platform doesn’t block.Why hash the email instead of just deleting it?
Why hash the email instead of just deleting it?
Per-organisation salt — why not a global one?
Per-organisation salt — why not a global one?
The enricher cache holds data — isn't that a sync I have to audit?
The enricher cache holds data — isn't that a sync I have to audit?
cache: false at registration — the orchestrator will hit your endpoint on every call.What happens when I run a marketing campaign to 50,000 customers? You'd need their emails for hours.
What happens when I run a marketing campaign to 50,000 customers? You'd need their emails for hours.
Can I export everything Notifizz holds about a specific user?
Can I export everything Notifizz holds about a specific user?
GDPR puts retention on the controller — what's Notifizz's role exactly?
GDPR puts retention on the controller — what's Notifizz's role exactly?