Privacy Policy
This Privacy Policy describes how Albright Labs LLC ("we", "us", "our") collects, uses, shares, and protects personal information in connection with Albright Apps — the suite of software products consisting of Toggley, Sendly, Pulsey, and Scanley, together with the central account and billing services hosted at albright.software (collectively, the "Service"). This policy applies to (a) individuals who create an Albright Apps account and Users authorized under a customer organization (together, "Account Users"); (b) visitors to our marketing websites; and (c) End Users whose data is processed by the Service on a Customer's behalf, except as the relevant Customer's own privacy notice may govern.
1. Our Roles: Controller and Processor
For information we collect about Account Users when they create and manage an Account or visit our marketing websites, we act as the data controller (or "business" under U.S. state privacy laws). For End User personal data that Customers upload to or generate through their use of the Service — including subscriber records uploaded to Sendly, scan and click activity collected by Scanley, IP addresses logged by Toggley API requests, and any personal data flowing through Pulsey monitoring — we act as a processor (or "service provider") on the Customer's behalf. Customers determine the purposes and means of processing End User data; our processing is governed by our Terms of Service, this Privacy Policy, and where applicable a Data Processing Addendum.
2. Information We Collect
2.1 Account & Profile Information (controller)
When you create or use an Albright Apps account, we collect:
- Name, organization name, and email address;
- An account password (stored only as a salted hash);
- Optional phone number;
- Multi-factor authentication state and recovery codes (the latter stored hashed);
- Marketing and product preferences and communications history;
- Email verification status and timestamps.
2.2 Authentication, Session & Security Data (controller)
- IP address of your last sign-in and current sessions, plus session metadata (device, browser, timestamps);
- OAuth/OIDC tokens and refresh tokens necessary to keep you signed in across the Apps;
- Audit logs of security-relevant events (password changes, MFA changes, federation actions, administrative impersonation by Albright Labs staff for support, where used).
2.3 Billing Information (controller, with Stripe as processor for payment data)
- Stripe customer identifier, subscription identifiers, plan, billing cycle, status, and renewal date;
- Billing email and country (collected by Stripe and surfaced to us);
- The last four digits, brand, and expiration of the payment card on file (we do not store full payment card numbers — Stripe does).
2.4 Customer Content (processor)
Each App processes content that Customers and Users submit:
- Toggley: feature flag definitions, environment configurations, API keys, and per-call API request logs (timestamp, endpoint, HTTP method, IP address, response code, flag key, and result value).
- Sendly: subscriber records (first name, last name, email address, IP address recorded at collection or confirmation, opt-in timestamps, custom metadata fields), subscriber list membership, message content and templates, sender profiles and SMTP server credentials Customer configures, and per-recipient delivery/engagement records (delivered, bounced, opened, clicked, replied, unsubscribed timestamps; bounce reason; click counts).
- Pulsey: monitored endpoint URLs, heartbeat tokens, SSL certificate metadata, response status codes, response times, incident records, on-call rotations, and notification destinations Customer configures.
- Scanley: dynamic QR codes and short links (destinations, customizations, scheduling), and scan/click activity logs that may include IP address, approximate geographic location derived from IP, user-agent string, device class, browser, operating system, and referrer.
2.5 Usage & Telemetry Data (controller)
- Application logs covering page or endpoint accessed, response times, and error events;
- Aggregated, de-identified statistics about feature use and performance;
- Browser type, device type, operating system, and language for the Service's own administrative pages.
2.6 Cookies & Similar Technologies
We use a small number of strictly necessary cookies to keep you signed in across albright.software and the four App backends, to maintain session state, and to operate CSRF protection. We do not use third-party advertising or cross-site tracking cookies, and we do not deploy advertising pixels on the Service. Marketing websites may use a privacy-respecting analytics tool to count aggregate visits; details are disclosed on the relevant site's cookie banner where one is shown.
2.7 Information from Other Sources
If you accept an invitation to join an existing organization, we receive your email address and intended role from the organization administrator who invites you. We may also receive limited information from Stripe in connection with billing.
3. How We Use Information
We use the information described above to:
- Provide, operate, maintain, and secure the Service, including authenticating you across the Apps;
- Process and manage subscriptions, payments, refunds, and tax;
- Send transactional communications, including email-verification, password-reset, billing-receipt, plan-change, security, and incident notifications;
- Respond to support requests and, where you ask us to or where authorized internal staff investigate a reported issue, troubleshoot or impersonate accounts for support purposes;
- Detect, prevent, investigate, and respond to fraud, abuse, security incidents, and violations of our Terms of Service, including the Acceptable Use Policy;
- Improve the Service through aggregated, de-identified analysis;
- Send service updates and, with your consent or where otherwise permitted by law, marketing communications you can unsubscribe from at any time;
- Comply with applicable law, lawful government requests, and our legal obligations.
4. Legal Bases (EEA / UK Account Users)
Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)) — to provide the Service you have requested or are using under your organization's account;
- Legitimate interests (GDPR Art. 6(1)(f)) — for security, fraud prevention, product improvement, and direct marketing to existing customers, balanced against your rights;
- Compliance with a legal obligation (GDPR Art. 6(1)(c)) — for tax, accounting, and lawful-request response;
- Consent (GDPR Art. 6(1)(a)) — for marketing communications where required and for any optional features that ask you to opt in.
For End User data we process on a Customer's behalf, the Customer is responsible for establishing and documenting the legal basis.
5. How We Share Information
We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act). We disclose personal information as follows:
- Within the Suite. Account and authentication data is shared between albright.software and each App you provision so that one sign-in works across the Suite.
- Sub-processors. We engage the following sub-processors to operate the Service. Each processes personal data on our documented instructions and is bound by contractual data-protection obligations equivalent to those required by GDPR Art. 28:
  - DigitalOcean, LLC (United States) — application, database, and storage hosting for the Service;
  - Laravel Forge / Laravel LLC (United States) — server provisioning, configuration, and administration;
  - Envoyer / Laravel LLC (United States) — code deployment orchestration to the application servers;
  - Stripe, Inc. (United States) — payment processing, subscription management, customer portal, invoicing, and tax;
  - Sendinblue SAS, d/b/a Brevo (France) — transactional email delivery (account verification, password reset, billing notices, security alerts) and, where Customer uses Sendly's default sending infrastructure rather than Customer-configured SMTP, campaign email delivery.
- Customer's organization. If you join an organization, the organization's administrators can see your name, email, role, and authentication metadata associated with your participation in that organization.
- Legal and safety. We may disclose information when we believe in good faith that it is required by law or legal process, to protect the rights, property, or safety of Albright Labs LLC, our users, or the public, or to enforce our Terms.
- Corporate transactions. We may transfer information in connection with a merger, acquisition, reorganization, financing, or sale of all or substantially all of our assets, subject to standard confidentiality protections and to this Privacy Policy.
6. International Data Transfers
Albright Labs LLC is based in the United States and our infrastructure is operated primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions where our sub-processors operate. Where required, we rely on Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum, where applicable) to provide an adequate level of protection for transfers from the EEA, UK, or Switzerland.
7. Data Retention
We retain account, billing, and authentication data for as long as your Account is active and for a reasonable period thereafter to comply with legal, tax, accounting, and audit obligations and to resolve disputes. Customer Content is retained according to the active subscription on the relevant App; on cancellation or account termination we make Customer Content available for export for thirty (30) days, after which we delete it from production systems and purge it from backups in the ordinary course in accordance with our standard retention schedule (typically within ninety (90) days). Logs and aggregated, de-identified data may be retained for longer for security, capacity-planning, and analytics purposes.
8. Security
We implement reasonable administrative, technical, and physical safeguards to protect personal information, including encryption of data in transit (TLS) and at rest, hashed storage of credentials and recovery codes, access controls and least-privilege provisioning for staff, multi-factor authentication for administrative access, audit logging, regular dependency and vulnerability monitoring, and infrastructure segmentation. No system is perfectly secure, however, and we cannot guarantee the absolute security of any information transmitted to or stored by us.
9. Your Rights and Choices
Depending on where you live and the nature of our role with respect to your data, you may have rights to:
- Access the personal data we hold about you and receive a copy in a portable format;
- Correct or update inaccurate or incomplete personal data;
- Delete personal data, subject to legal retention requirements;
- Restrict or object to certain processing, including direct marketing;
- Withdraw any consent you previously gave (without affecting the lawfulness of prior processing);
- Lodge a complaint with a supervisory authority (EEA / UK), the California Privacy Protection Agency, or the attorney general of your state.
To exercise rights regarding your Account, sign in and use the account-management pages, or contact us at support@albrightlabs.com. If you are an End User whose data we process on a Customer's behalf, please direct your request to the relevant Customer; we will assist that Customer in responding as required by law.
Marketing communications. You can opt out of marketing emails by clicking the unsubscribe link in any such email or by emailing support@albrightlabs.com. Transactional and security emails are essential to operate the Service and cannot be opted out of while your Account is active.
Cookies / Do Not Track / Global Privacy Control. Because we do not use third-party advertising cookies or sell personal information, "Do Not Track" and "Global Privacy Control" signals do not change our processing in a material way. We honor browser cookie controls for non-essential cookies where applicable.
10. Region-Specific Disclosures
10.1 California (CCPA / CPRA)
In the preceding 12 months we have collected the categories of personal information described in Section 2 (identifiers, customer records, commercial information, internet/network activity, geolocation derived from IP, professional information, and inferences in limited contexts). We use these categories for the purposes described in Section 3 and disclose them for business purposes to the categories of recipients described in Section 5. We do not sell personal information and do not "share" personal information for cross-context behavioral advertising. California residents have the rights described in Section 9 and may designate an authorized agent to make a request on their behalf. We will not discriminate against you for exercising these rights.
10.2 EEA, UK, and Switzerland (GDPR / UK GDPR)
The legal bases for our processing are set out in Section 4. The data controller for Account Users is Albright Labs LLC, PO Box 1537, Albrightsville, PA 18210-1537. You have the rights set out in Section 9, including the right to lodge a complaint with your local supervisory authority. For transfers, see Section 6.
10.3 Other U.S. State Privacy Laws
If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive privacy law, the rights described in Section 9 apply to you to the extent provided by your state's law. We do not engage in "targeted advertising" as defined under those laws and do not conduct profiling that produces legal or similarly significant effects.
11. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EEA, where applicable), and we do not knowingly collect personal information from children. If you become aware that a child has provided us personal information without appropriate parental consent, please contact us at support@albrightlabs.com and we will take steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to the Account billing contact or by a prominent notice within the Service at least thirty (30) days before they take effect, except that changes required by law or for security may take effect sooner. The "Last updated" date at the top of this policy reflects the most recent revision.
13. Contact Us
For privacy questions, requests, or to exercise any of the rights described above:
Albright Labs LLC
Attn: Privacy
PO Box 1537, Albrightsville, PA 18210-1537
Email: support@albrightlabs.com