How are my account password and other private information stored?

We use bcrypt for one-way password hashing. For device identifiers, we create a one-way hash of a stable device identifier available from the operating system together with a randomly generated identifier specific to each Pushover account. We do not use "UDIDs", advertising IDs, or other cross-app personal identifiers.

Access to our servers and databases is tightly controlled, logged, and monitored. Encrypted backups of our entire systems with separate database snapshots are done off-site every day. For increased security and privacy, we do not backup the contents of the temporary message queue database table (but we do backup all of the other tables, of course). We would much rather lose a few transient notifications that can be re-sent later than to accidentally lose control of a backup of those messages should one of them contain a password or other sensitive information.

Credit card information (for purchasing additional message capacity) is handled by our PCI-compliant payment processor and is never transmitted through or stored on our servers.