1.1 Information You Provide: When you create an account or use our services, we may ask for personal details such as your name and email address, as well as company or organization name if applicable. If you subscribe to a paid plan, we (or our payment processor) collect billing information like your payment card details and billing address. We also collect any app files you upload to our platform (e.g. APK, AAB or IPA files) in order to perform vulnerability scans and apply security hardening. These files may be stored temporarily on our servers (see Data Retention below).

1.2 Automated Device and Usage Data: When you use our website or platform, we automatically collect technical information about your device and browsing actions. This Usage Data includes your IP address, browser type, device type, operating system, referring URLs, and timestamps of visits. We log how you interact with our site and dashboard (pages visited, features used, error logs, etc.). This data helps us understand usage patterns and improve performance.

1.3 Cookies and Tracking Technologies: Like most online services, we use cookies and similar tracking technologies (such as web beacons or pixels) to collect information automatically. Cookies are small text files placed on your device that enable features and track usage. For example, we use cookies to remember your login session and to gather analytics information. We also utilize third-party analytics cookies (see Analytics below) to understand how users navigate our site. You have control over cookies – you can adjust your browser settings to refuse or delete cookies, though some parts of our service may not function properly without them. (See Cookies & Tracking below for more details.)

1.4 Communications: If you contact us directly (e.g. via email or support chat), we will receive the information you provide in your message (such as your name, email, and the contents of your inquiry). We may keep records of these communications to address your requests and improve our services.

1.5 Sensitive Personal Data: We do not actively collect any sensitive personal information such as government IDs, health data, or biometric data from users. Payment card information provided for purchases is handled securely by our payment processor (Stripe) and not stored on our systems (see Payments below). We do not intend to collect any personal data from any individuals under the age of 13 (and we do not target our services to children – see Children's Privacy).

2.1 To Provide and Maintain the Service: We process your personal data to create and manage your account, to run vulnerability scans on the app files you upload, and to apply security shielding to your apps as requested. This includes using your contact information to deliver scan reports or hardened app builds to you, and using the uploaded app files only for performing the security analysis and enhancements you requested.

2.2 To Process Payments: If you upgrade to a paid plan or make purchases, we use your provided information to process the transaction. Payment details (like credit card numbers) are transmitted directly to our third-party payment processor, Stripe, which processes the payment on our behalf. We do not store your full payment card information on our own servers. We may keep a record of your transactions (e.g. amount, date, product/service purchased) for invoicing, subscription management, and accounting purposes.

2.3 To Communicate with You: We use your contact information (email or phone) to send service-related communications. This includes confirmations of account actions, scan results, important updates, and security alerts. We may also send you newsletters or marketing emails about product features or promotions if you have opted in to receive them. You can unsubscribe from marketing communications at any time by clicking the “unsubscribe” link in the email or contacting us. (Transactional service emails, such as security notices or billing receipts, will still be sent as needed.)

2.4 To Improve and Personalize the Service: We analyze usage data and cookie data to understand how our services are used and to make improvements. This helps us troubleshoot issues, optimize our user interface, and develop new features. We may also use analytics to personalize your experience—for example, remembering your preferences and settings.

2.5 For Security and Fraud Prevention: Information (like IP addresses, device identifiers, and activity logs) is used to help monitor and protect the security of our platform, our users, and their data. We may use automated tools to detect fraudulent behavior or misuse of our services. This is important to maintain the integrity of our security platform and to prevent unauthorized access or attacks.

2.6 To Comply with Legal Obligations:: In some cases we need to process personal data to fulfill our legal or regulatory obligations. For example, we may retain transaction records for financial reporting and tax compliance, or disclose information if required by law enforcement or authorities (under proper process)

2.7 Other Legitimate Business Purposes: We may use data as necessary for other legitimate purposes such as enforcing our Terms of Service, defending legal claims, or in connection with a business transaction (see Data Sharing below). If we intend to use your information for any purpose that is materially different from those listed above, we will notify you and obtain your consent if required.

3.1 Cookies: We use cookies (small text files stored on your device) and similar technologies to make our website and services function properly and to gather information. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain for a set period or until deleted) for authentication, security, and user experience personalization. For instance, cookies enable you to stay logged in as you navigate our site and allow us to remember your preferences.

3.2 Analytics: We specifically use Google Analytics (a web analytics service provided by Google) to help us understand how users find and use our website. Google Analytics uses cookies and collects data such as your IP address, browser type, and pages visited. We utilize these analytics to compile reports and insights on user behavior, which helps us improve the content and functionality of our site. The information collected by Google Analytics is generally aggregated and does not directly identify individual users. Google may also set and read its own cookies on your device as part of this process. You can learn more about how Google Analytics works and how Google safeguards data in its [privacy documentation]. If you wish, you can opt-out of Google Analytics tracking by installing the [Google Analytics Opt-out Browser Add-on], or by adjusting your browser's cookie settings to block third-party cookies.

3.3 Other Tracking Technologies: In addition to cookies, we may use other common tracking tools like web beacons (tiny transparent image files) or pixels in our emails or website. For example, if we send you a newsletter email, it may contain a pixel that tells us if you opened the email. This helps us gauge the effectiveness of our communications. You can prevent this kind of tracking by disabling image loading in your email client. We may also use local storage (such as browser local storage or similar) for certain features.

3.4 Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies or alert you when cookies are being sent. Please note that if you disable cookies entirely, our website or services may not function correctly (for example, you might not be able to log in or use certain features). Our site currently does not respond to "Do Not Track" signals, but you can exercise other choices described in this section to control cookie and tracker behavior. For targeted advertising cookies, you can also visit [YourAdChoices] (for US users) or [Your Online Choices] in the EU for opt-out options.

4.1 Amazon Web Services (AWS): We host our application and store data on AWS cloud servers. AWS provides the physical infrastructure and cloud services that enable us to run our platform. This means that any information you provide to us (including personal data and uploaded app files) is stored in AWS data centers (we primarily use servers located in Germany and other European regions). AWS acts as our data processor and is bound by strict security and privacy commitments. Using AWS allows us to benefit from robust security measures and certifications (such as ISO 27001) to keep your data safe. However, AWS does not access your data except as needed for cloud operations – we remain in control of your data stored there.

4.2 Stripe: For handling payments and subscriptions, we rely on Stripe, Inc. Stripe is a certified Payment Card Industry (PCI) Level 1 service provider, which means it employs high security standards for processing payment information. When you make a purchase or enter payment details, that information is sent directly to Stripe over encrypted connections; we do not see or store your sensitive card details. Stripe may collect identifying information about you (such as name, email, billing address) and your payment method (card type, expiration, etc.) to process the transaction and for fraud prevention. Stripe may also set cookies on our checkout page to facilitate payment and prevent fraud. All such processing by Stripe is covered by Stripe's own privacy policy, which we encourage you to review. We only receive limited information back from Stripe (such as a confirmation that payment was completed, a tokenized ID for the transaction, and the last four digits of your card or similar) for record-keeping. We do not store or retain full credit card numbers on our systems, for your security.

4.3 Google Analytics: As noted in the Cookies section, we use Google Analytics to collect and analyze usage information. Google acts as an analytics provider. The data Google Analytics gathers (via cookies and scripts on our site) about your use of our website is transmitted to Google's servers (which may be outside your country, e.g. in the United States). Google then provides us with aggregated reports. Google may also use this data to improve their own services. We have configured Google Analytics to not collect more data than necessary for analytics (for example, we may have IP anonymization enabled to truncate your IP address within the EU). Google Analytics is used under Google's terms as a “service provider”/“processor”, meaning they are not allowed to use the data for any purpose other than providing analytics to us. Still, if you prefer to opt-out, please see the Cookies & Tracking section above for options.

4.4 Email and Customer Support Tools: We may use third-party platforms to send out email notifications and to provide customer support. For example, we might use an emailing service (like SendGrid or Mailchimp) to distribute newsletters or system emails, and a support CRM (like Zendesk or HubSpot) to manage user inquiries. These providers would have access to your contact info and any correspondence, solely to assist us in communicating with you. They are not permitted to use your data for their own purposes.

5.1 Service Providers: As described above, we share data with third-party vendors that perform services for us (hosting, payments, analytics, communications, etc.). They process data on our behalf and are obligated to keep it confidential.

5.2 Business Transfers: If AppShield or [Startup Name] is involved in a merger, acquisition, bankruptcy reorganization, or sale of all or part of its assets, your personal information may be transferred to the successor or acquiring entity as part of that transaction. In such cases, we will ensure the new owner continues to honor the privacy commitments we have made in this policy, or we will notify you and give an opportunity to opt out of the transfer of your personal information.

5.3 Legal Compliance and Protection: We may disclose your information if required to do so by law or in response to a valid subpoena, court order, or government request. We may also disclose information if we believe in good faith that it is necessary to investigate or prevent fraud, abuse of our services, potential security issues, or to protect the rights, property, and safety of [Startup Name], our users, or the public. This can include sharing information with law enforcement or regulatory authorities when legally permitted and necessary.

5.4 With Your Consent: In cases where you have explicitly given us consent to share your information with a third party (for example, if you participate in a joint marketing program, or you want us to share your testimonial on our site), we will share it as directed by you. You have the right to revoke such consent at any time.

6.1 Account Information: If you have an account with us, we will keep your profile information (like name, email, company) for as long as your account is active. If you choose to delete your account or request deletion, we will erase or anonymize your personal data associated with your account (unless we are required to keep it for legal reasons, such as fulfilling our financial, tax, or audit obligations). Backup copies may persist for a short period (e.g. in our secure backups), but will be deleted in the normal backup rotation.

6.2 Uploaded App Files: Files that you upload for scanning or shielding (such as APK/AAB/IPA packages) are stored on our servers to perform the service and to allow you to download results. We understand these files can be sensitive, so we limit how long we retain them. By default, uploaded app files and their associated scan results are retained for 3 months (90 days), after which they are permanently deleted from our systems. This retention period allows you to access reports and re-download protected versions for a reasonable time. We may delete the files sooner if you manually delete them via your account or request immediate deletion. Aggregated or anonymized data derived from scans (which no longer contain any personal or proprietary information) may be kept to improve our detection rules, but individual files are purged as stated.

6.3 Transaction and Payment Records: We keep records of transactions (payments, invoices, subscriptions) as long as needed for accounting and compliance purposes. Typically, financial records are retained for at least 7 years (or as required by applicable tax law). However, as noted, we do not store sensitive card details ourselves – those are held by our payment processor.

6.4 Logs and Analytics Data: Our server logs and analytics data are generally retained for a shorter period, typically a few months up to 1 year, unless we need to keep them longer. We use log data for debugging and security monitoring. For example, we may retain web server logs (including IP addresses) for about 6 months to analyze performance and security incidents, after which they are deleted or anonymized. Analytics data in Google Analytics may be retained for 14 months (a common default setting) or a similar period, after which it is automatically deleted by Google.

6.5 Communications: If you correspond with us (support emails, etc.), we may retain those communications and our responses for a period of time, in order to effectively manage our customer relations and in case we need to reference a past issue. These records will typically be purged after a few years unless needed for ongoing issues.

7.1 Standard Contractual Clauses (SCCs): We have agreements in place with our service providers that include EU Commission-approved Standard Contractual Clauses, which legally commit the recipients of the data to protect it according to EU privacy standards. For instance, both Google and Stripe have adopted SCCs for European data transfers.

7.2 Data Privacy Framework/Adequacy Decisions: Where applicable, we may rely on an adequacy decision by regulators. (For example, if a U.S. recipient is certified under the EU-U.S. Data Privacy Framework or similar schemes, or if the destination country has been deemed by the European Commission to provide adequate protection.)

8.1 Encryption: All network communications to our platform (including when you upload app files or enter personal details) are encrypted using HTTPS/TLS. Sensitive data (like passwords) is stored in encrypted form. We also encrypt data at rest where appropriate (for instance, stored files and backups on our servers are encrypted).

8.2 Access Controls: Access to personal data is restricted to authorized personnel who need it to operate our service or assist you. Our staff and contractors are bound by confidentiality obligations. We implement role-based access and require strong authentication for anyone accessing our systems. Administrative access to the cloud servers or databases that store personal data is logged and only granted on a least-privilege basis.

8.3 Security Testing and Audit: As a company specializing in security, we regularly test our own system for vulnerabilities. We use tools and undergo periodic reviews to identify and fix potential security issues. This includes code reviews, penetration testing, and monitoring for intrusions. We also maintain up-to-date security practices and stay informed of new threats.

8.4 Physical Security: Our servers are hosted in secure data centers (via AWS) that have 24/7 monitoring, controlled access, and other advanced protections. AWS data centers are certified for their security controls. We leverage those protections as part of our infrastructure security.

8.5 Organizational Policies: We have internal policies and training for our team to ensure personal data is handled correctly and securely. We swiftly respond to any incident or breach according to a predefined incident response plan.

9.1 Rights Under the GDPR (for EU/EEA Residents)

If you are in the European Union, United Kingdom, or another jurisdiction with similar laws, you have the following data subject rights under the GDPR and related regulations:

9.2 Rights Under the CCPA (for California Residents)

If you are a resident of California, you are protected by the California Consumer Privacy Act (as amended by the CPRA). Note: Even if you are not in California, we strive to extend similar controls to all our users when feasible. Under California law, you have the following rights regarding your personal information: