Privacy Policy
The short version
- Your notifications are end-to-end encrypted. Titles, message text, source apps, sender names, conversation details, and images are sealed on the sending device and can only be opened by your trusted receiving devices.
- The iOS app displays trusted-device notifications. It receives encrypted NotiSync pushes through APNs, decrypts them on your iPhone or iPad, and does not read unrelated notifications already on that iOS device.
- The Android iPhone bridge is optional. If you pair an iPhone to the Android app over Bluetooth ANCS, NotiSync only mirrors the iPhone apps you turn on after they are discovered.
- iPhone app icons may be fetched from Apple. For iOS-origin notifications, NotiSync may request public App Store artwork through Apple's iTunes Lookup API using the iOS app's bundle ID. Notification text is not sent to Apple for icon lookup.
- There is no account. No sign-up, no email, no password. We don't build a profile about you.
- The relay server cannot read your notification details. It forwards encrypted bodies/assets and the minimum device-routing information needed to deliver them through FCM, APNs, WebSocket, or relay fetch.
- We don't sell your data and there are no advertising or analytics trackers in the app.
1. Who we are
NotiSync ("the app", "we", "us") is developed and operated by Extrawdw. NotiSync mirrors notifications from the apps you choose to your other trusted devices. The Android app can capture local Android notifications and can optionally bridge notifications from a paired iPhone over Bluetooth ANCS. The iOS app receives and displays encrypted mirrored notifications from trusted devices, syncs dismissals, and helps manage trusted devices and notification filters. This policy explains what information the apps, this website, and our relay server handle, and why.
If you have any questions, contact us at privacy@extrawdw.net.
2. How NotiSync is built (and why it matters for privacy)
NotiSync follows a "clients are authoritative, the server is just a courier" design. Your devices hold the encryption keys and decide which other devices they trust. The relay server forwards encrypted messages and coordinates push delivery, but it is not able to decrypt notification content or the private notification details carried with it, such as source app, iOS bundle ID, iPhone origin, channel, conversation, and sender fields.
Notification bodies are encrypted on the sending device specifically for your receiving devices. The encryption keys are generated on your devices and are not shared with us. On iOS, the app and its Notification Service Extension decrypt NotiSync notifications locally before showing them.
When the optional iPhone bridge is enabled in the Android app, your Android device acts as the bridge: it pairs with your iPhone over Bluetooth, receives ANCS notification attributes from iOS, and then either shows those notifications locally or sends selected ones through the same end-to-end-encrypted NotiSync pipeline.
3. Information the app processes
a. Notification content
On Android, NotiSync reads notifications posted on your device using Android's notification listener access, which you grant explicitly. This can include the app name/package, notification title and text, channel or conversation names, message sender names, conversation/messaging details, and attached images.
If you enable the iPhone bridge, your Android device can pair with your iPhone over Bluetooth ANCS and receive iOS notification attributes. This can include the iOS app bundle ID and display name, notification title, subtitle, message text, notification date, category, and event state such as added or removed.
On iOS, NotiSync receives NotiSync messages sent by your trusted devices. Those messages may contain the source app, app label/package or iOS bundle ID, notification title, body, subtitle, channel or conversation details, sender names, device-origin details, and encrypted private assets such as icons, avatars, or images. The iOS app does not read unrelated notifications that are already on your iPhone or iPad.
Before any notification details are sent through NotiSync to another trusted device, they are encrypted on the sending device and are only ever decrypted on your trusted receiving devices. We never receive them in readable form, and we do not store plaintext notification content or private notification metadata on the server.
b. Your app selections
You choose which installed Android apps are mirrored. To show you a list, the app reads the labels and icons of apps on your device. Your selections and settings are stored locally on your device. When an enabled app posts a mirrored notification, the source app name/package is included only inside the end-to-end-encrypted notification body.
For the iPhone bridge, iOS does not provide a full app list in advance. NotiSync records iPhone apps as they post notifications over ANCS, then lets you turn mirroring on for the iPhone apps you choose. The discovered iOS bundle IDs, display names, last-seen times, and your per-app choices are stored locally on your Android device.
On iOS, NotiSync stores your display/filter choices for trusted source devices, apps, and Android notification channels. These choices are stored locally and may be sent end-to-end encrypted to the trusted source device so that it can stop or resume sending matching notifications to your iOS device. The relay server cannot read these filter rules.
c. iPhone app icons and Apple lookup
To show recognizable icons for iOS-origin notifications, NotiSync may fetch public app artwork from Apple's App Store / iTunes Lookup API and artwork CDN. The lookup uses the iOS app's bundle ID, and it does not send notification titles, messages, senders, or images to Apple. The returned public icon artwork is cached locally on your device.
For Android-origin notifications displayed on iOS, NotiSync may fetch the encrypted private launcher icon or image asset from the relay server, decrypt it locally, verify its hash, and cache it locally. Some common icons are bundled with the app or drawn as generic placeholders.
d. Device identity and pairing data
Each installation has a cryptographic identity. We use:
- A device name you choose (e.g. "My Phone"), shared only with devices you pair with.
- A client ID, derived from your device's public key, used to address messages to the right device.
- Public keys and a safety number exchanged during pairing so your devices can verify and trust each other.
Your private keys never leave your device. On Android, private keys are stored in the Android Keystore. On iOS, signing keys are stored in the Secure Enclave or Keychain where available, and encryption keys needed by the Notification Service Extension are stored in the iOS Keychain access group for the app. We do not receive your private keys.
If you use the iPhone bridge, Android's Bluetooth and Companion Device pairing systems handle the local association with your iPhone. NotiSync may keep the paired iPhone's display name and a hashed, internal origin identifier so bridged iPhone notifications can be grouped and dismissed correctly. That iPhone origin information is not sent to the relay server in readable form.
On iOS, QR pairing uses the camera only while the scanner is open. You can also paste or open a pairing link. Pairing material contains public keys, your chosen device name, and verification information; it does not contain private keys. If you start Experience Mode, your pairing link is sent to the relay server so a demo peer can be connected.
e. Push delivery tokens and routing
To wake your devices when a notification arrives, NotiSync uses platform push services: Firebase Cloud Messaging (FCM) on Android and Apple Push Notification service (APNs) on iOS. This requires a push token issued by Google or Apple for your device, which is relayed through our server as a signed "route claim" so messages can be delivered.
To route a message, the server necessarily sees limited delivery metadata such as sender and destination client IDs, message IDs, message type, route identifiers, APNs or FCM route tokens, delivery urgency, approximate timing, ciphertext size, and random private-asset IDs. It does not see the source app, package name, notification title or text, channel/conversation names, message sender names, plaintext image hashes, or asset decryption keys.
f. Local inbox, activity, and diagnostics
The app may keep a bounded local inbox of mirrored notifications, a bounded activity log, pending relay acknowledgements, notification filters, trusted-device records, and display maps used for dismissal sync. On iOS, these are stored with SwiftData, the app group container, and the Keychain as appropriate so the main app and Notification Service Extension can work together.
The app shows you connection and permission status, and an optional advanced view (client ID, key backing, transport, key-rotation status). These diagnostics are displayed on your device and are not collected by us.
g. Website visits
This website is a static GitHub Pages site. It does not set tracking cookies and does not include advertising or analytics scripts. Hosting and network providers may process standard request information such as IP address, user agent, requested URL, and time of request to deliver and protect the site.
4. What the relay server can and cannot see
| The server cannot read | The server does handle (to deliver messages) |
|---|---|
| Source app names/packages · iOS bundle IDs and iPhone origin names · notification titles & text · channel and conversation names · sender and contact names · conversation content · notification-filter rules · plaintext image hashes and keys · large icons, contact photos, and images · any private notification details | Encrypted message and asset blobs · sender and destination client IDs · message IDs/type/timing · route identifiers and FCM/APNs push tokens · delivery urgency · random asset IDs and ciphertext sizes · public key-epoch records · app-integrity verification state · short-lived delivery state |
Encrypted notification bodies are end-to-end protected with HPKE (X25519) key encapsulation and AES-256-GCM, and authenticated with ECDSA P-256 signatures. The server holds ciphertext and delivery metadata, not notification metadata like app names, iOS bundle IDs, iPhone names, filter rules, or conversation participants.
5. Permissions the app requests, and why
Android
- Notification access (notification listener) — so NotiSync can read notifications on this device in order to mirror them. You grant this in Android settings and can revoke it at any time.
- Show notifications (POST_NOTIFICATIONS) — so mirrored notifications from your other devices can appear here, and so the app can alert you to device-trust requests.
- Internet & network state — to connect to the relay server and send/receive encrypted messages.
- Camera (during QR pairing only) — when you scan a pairing code, NotiSync uses Google's on-device code scanner, which briefly uses the camera. Camera frames are processed on your device and are not collected or transmitted.
- NFC (during tap-to-pair only) — while the pairing screen is open, NotiSync can present the current pairing link to a nearby compatible Android device. NFC is not used to read notification content.
- Bluetooth connect, advertise, and scan (iPhone bridge only) — so your Android device can advertise as a Bluetooth LE accessory, pair with your iPhone, and receive ANCS notifications when you enable the bridge. Bluetooth scan is declared as neverForLocation; NotiSync does not use Bluetooth scanning to derive location.
- Connected-device foreground service and companion-device presence (iPhone bridge only) — so the bridge can stay connected while enabled and can resume when your associated iPhone comes back into range.
- Run at startup / after app update (iPhone bridge only) — so NotiSync can resume the bridge after reboot or app update if you left it turned on.
iOS
- Notifications and APNs — so mirrored notifications from trusted devices can appear on your iPhone or iPad, and so APNs can wake the app or Notification Service Extension to process encrypted NotiSync messages.
- Camera (during QR pairing only) — so you can scan another device's pairing code. Camera frames are processed on your device by the iOS scanner and are not collected or transmitted by us.
- Background refresh / remote notification background mode — so iOS can give NotiSync limited background time to fetch encrypted relay messages, acknowledge handled messages, sync dismissals, and maintain keys/routes.
- App Group and Keychain access — so the main app and Notification Service Extension can share the minimum local state needed to decrypt and display NotiSync notifications while preserving private keys on the device.
6. Third-party services
NotiSync relies on a small number of services to function:
- Firebase Cloud Messaging (Google LLC) — used on Android to wake your devices and deliver small encrypted messages. Google processes your device's push token and message delivery metadata under Google's Privacy Policy. Message payloads handled through FCM are end-to-end encrypted.
- Apple Push Notification service (Apple Inc.) — used on iOS to wake NotiSync, deliver encrypted NotiSync pushes, and display notifications after local decryption by the app or Notification Service Extension. Apple processes APNs tokens and delivery metadata under Apple's Privacy Policy. NotiSync APNs payloads do not contain readable notification content.
- Firebase App Check, Apple App Attest, and DeviceCheck — used by the iOS app to help the relay verify that requests come from a genuine app instance before issuing a short-lived broker token. These services process app/device integrity signals, not notification content.
- Google Play services / ML Kit code scanner (Google LLC) — provides the Android on-device QR code scanner used for pairing. Scanning happens on your device.
- Apple AVFoundation scanner — provides the iOS on-device QR scanner used for pairing. Scanning happens on your device.
- Apple App Store / iTunes Lookup API and artwork CDN (Apple Inc.) — used to fetch public app icons for iOS-origin notifications when the icon is not already bundled or cached. The request can include the iOS app bundle ID; notification content is not sent to Apple.
- Relay server hosting — our relay server (notisync-api.extrawdw.net) is operated by Extrawdw and reached over an encrypted connection through Cloudflare, which provides network and proxy services.
NotiSync does not include third-party advertising SDKs, Firebase Analytics, or Crashlytics.
Advanced users may configure NotiSync to use a self-hosted relay server instead of ours. In that case, the delivery metadata described above is handled by the server you choose, under that operator's control.
7. Data retention
- On your device: your settings, trusted-device list, keys, Android app selections, iPhone app selections, discovered iPhone app list, iOS notification filters, paired-iPhone bridge state, local inbox/activity rows, local display maps, and locally cached public or decrypted icons remain until you change settings, remove/forget a device, clear app data, or uninstall the app. Mirrored notification history is bounded; the iOS app keeps up to 80 inbox rows and up to 640 activity rows.
- In platform key storage: private keys and broker tokens are stored locally in Android Keystore or iOS Keychain/Secure Enclave storage. iOS may preserve some Keychain items across reinstall according to Apple's platform behavior; these items remain device-bound and are not readable by us.
- On the relay server: encrypted messages awaiting delivery are retained for a short period (up to 48 hours) and then deleted; encrypted private-asset blobs are retained up to 30 days under random asset IDs; public key-epoch records, route claims, push tokens, and routing records are kept only as long as needed to authenticate and deliver to your devices. No plaintext notification content or private notification metadata is stored.
- At Apple and Google: APNs, FCM, App Check, App Attest, DeviceCheck, and App Store / iTunes icon lookup requests are handled by those providers. We do not operate their systems or control their retention of request, push-delivery, or integrity-check metadata.
- Uninstalling the app removes the local app containers on that device. Because keys are device-bound and are not shared with us, removing or losing the keys for a device makes that device's stored encrypted content unrecoverable.
8. How your information is shared
We do not sell your personal information and we do not share it for advertising. Information is only ever transmitted to:
- your own other trusted devices (end-to-end encrypted),
- Apple for APNs delivery and public iOS app icon lookup by iOS bundle ID, when needed,
- Google for Android FCM delivery and iOS Firebase App Check support, when used, and
- the other service providers listed in Section 6, strictly to operate notification delivery, app integrity checks, pairing support, and relay hosting.
We may disclose information if required by law, but the server holds only encrypted notification bodies/assets, public key material, route claims, app-integrity state, and limited delivery metadata — it cannot produce notification content, source apps, iOS bundle IDs, iPhone names, filter rules, or conversation sender details.
9. Security
NotiSync is designed around strong, modern cryptography:
- Per-device identity keys stored in the Android Keystore, hardware-backed (StrongBox or TEE) where available, and non-exportable.
- Per-device identity keys stored in the iOS Secure Enclave or Keychain where available, with app/extension access limited by iOS keychain access groups.
- End-to-end encryption of notification bodies, private assets, profile/trust/filter sync, and dismissals using HPKE (X25519) + AES-256-GCM with per-recipient sealing.
- Optional iPhone bridge over OS Bluetooth pairing and ANCS. Once your Android device receives iPhone notification attributes, any NotiSync mirroring uses the same end-to-end encryption as Android-origin notifications.
- Signed identity, membership, and routing records (ECDSA P-256) to prevent tampering and impersonation.
- Pairing by QR, NFC tap, or link carries signed public keys, so trust is established directly between your devices after you verify the safety number.
No system is perfectly secure, but the architecture is built so that a compromise of the relay server does not expose your notification content or private notification metadata.
10. Your choices and control
- Choose exactly which Android and iOS apps are mirrored, and change this at any time.
- Enable or disable the iPhone bridge, forget the paired iPhone, and choose whether bridged iPhone notifications show only on the bridge phone or mirror to your other trusted devices.
- On iOS, choose which trusted source devices, apps, and Android notification channels should alert or be filtered for this iPhone or iPad.
- Remove a trusted device to stop sharing with it.
- Revoke notification access, notification-posting permission, Bluetooth permissions, or companion-device permissions in Android settings.
- Revoke notification permission, camera permission, background refresh, or cellular/network access in iOS settings.
- Uninstall the app to remove its local app data from a device; platform key storage may follow the platform behavior described in Section 7.
11. Children
NotiSync is not directed to children and is not intended for use by anyone under the age of 13 (or the minimum age required in your country). We do not knowingly collect personal information from children.
12. International users
NotiSync can be used worldwide. Encrypted messages, delivery metadata, and app-icon lookup requests may be processed by service providers (such as Google, Apple, and Cloudflare) located in various countries. Notification content and private notification metadata remain end-to-end encrypted throughout.
13. Changes to this policy
We may update this policy as the app evolves. When we make material changes, we will update the "Last updated" date above and, where appropriate, note the change in the app or on this site. Continued use of NotiSync after an update means you accept the revised policy.
14. Contact
Questions, concerns, or requests about your privacy? Email us at privacy@extrawdw.net.