Privacy Policy

Effective Date: January 1, 2025 | Last Updated: January 1, 2025

AppFlight (https://appflight.ai) values your privacy. This policy explains how we collect, use, protect, and share your information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Information We Collect

1.1 Personal Data

We collect the following personal information when you sign up and use AppFlight:

  • Name: Used to personalize your experience
  • Email address: Used for account management, authentication, and service-related communications
  • Payment information: Processed securely through Stripe. We do not store credit card details on our servers
  • OAuth provider data: When you sign in with Google or GitHub, we receive your name, email, and profile picture from these providers
  • User ID: A unique identifier assigned to your account

1.2 Usage Data and Analytics

With your consent, we collect analytics data using PostHog (EU-hosted) to improve our services:

  • Page views and navigation: Pages you visit and how you navigate through our site
  • Click and interaction data: Buttons, links, and features you interact with
  • Session recordings: Visual recordings of your browsing sessions (mouse movements, clicks, scrolls) to understand user experience. These recordings are anonymized and stored securely
  • Error reports: JavaScript errors and exceptions to help us fix bugs
  • Device and browser information: Browser type, operating system, screen resolution
  • IP addresses: For analytics and security purposes (anonymized after processing)
  • Search queries: App searches you perform to generate reports

1.3 App Store Data

Information you provide about your apps to generate ASO reports, including app names, app IDs, and metadata from public App Store listings.

2. Legal Basis for Processing

Under GDPR, we process your data based on the following legal bases:

  • Contract necessity: Account creation, authentication, payment processing, and service delivery
  • Consent: Analytics, session recordings, error tracking, and marketing communications (where applicable)
  • Legitimate interest: Security, fraud prevention, and service improvements
  • Legal obligation: Compliance with tax laws, payment regulations, and legal requests

3. Use of Information

3.1 Personal Data

We use your personal data to:

  • Create and manage your account
  • Process payments for ASO reports via Stripe
  • Generate App Store Optimization reports
  • Send service-related communications (e.g., report generation, account updates)
  • Provide customer support
  • Notify you of important changes to our service
  • Detect and prevent fraud and abuse

3.2 Analytics Data

With your consent, analytics data is used to understand user behavior, improve our service, fix bugs, optimize user experience, and generate better ASO recommendations.

4. Cookies and Tracking Technologies

AppFlight uses cookies and similar tracking technologies. For detailed information about the cookies we use, please see our Cookie Policy.

We use the following types of cookies:

  • Essential cookies: Required for authentication, security, and basic functionality (no consent required)
  • Analytics cookies: PostHog analytics, session recordings, error tracking (consent required)

You can manage your cookie preferences through our cookie consent banner or in your browser settings. Note that disabling essential cookies may limit access to certain features.

5. Sharing of Data

We do not sell, trade, or rent your personal data. We share data only in the following circumstances:

5.1 Third-Party Service Providers

We work with trusted third-party providers who assist in operating our service. These providers are bound by data processing agreements and GDPR-compliant contracts:

  • PostHog (EU instance): Analytics, session recordings, error tracking. Data is stored in the EU. Privacy policy: posthog.com/privacy
  • Stripe: Payment processing. PCI-DSS compliant. Privacy policy: stripe.com/privacy
  • Cloudflare: Hosting, CDN, and security. Privacy policy: cloudflare.com/privacypolicy
  • Google & GitHub: OAuth authentication providers. Their respective privacy policies apply

5.2 Legal Requirements

We may disclose information if required by law, subpoena, court order, or other legal process.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.

5.4 With Your Consent

We may share data with your explicit consent for specific purposes.

6. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place:

  • PostHog: Uses EU-hosted infrastructure for GDPR compliance
  • Standard Contractual Clauses (SCCs): In place with all non-EU processors
  • Adequacy decisions: We rely on EU Commission adequacy decisions where applicable

If you are located in the European Economic Area (EEA), UK, or Switzerland, we comply with GDPR requirements for international data transfers.

7. Your Rights Under GDPR

If you are in the EU/EEA, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure (right to be forgotten): Request deletion of your personal data
  • Right to restriction of processing: Request limitation of how we use your data
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to certain types of processing, including profiling
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint: File a complaint with your local data protection authority

To exercise any of these rights, please contact us at privacy@appflight.ai. We will respond within 30 days.

You will see a cookie consent banner on your first visit where you can choose to accept or decline analytics cookies.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account data: Retained while your account is active
  • Generated reports: Stored while your account is active and for 30 days after account deletion
  • Payment records: Retained for 7 years for tax and legal compliance (Stripe stores payment data)
  • Analytics data: Anonymized after 24 months; session recordings deleted after 12 months
  • Support communications: Retained for 3 years

When you delete your account, we will remove your personal data within 30 days, except where retention is required by law.

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit using HTTPS/TLS
  • Encryption of data at rest in our database
  • Secure authentication via OAuth providers (Google, GitHub)
  • Regular security audits and monitoring
  • Access controls and role-based permissions
  • Secure payment processing via PCI-DSS compliant Stripe

While we implement industry-standard security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you of any data breaches as required by law.

10. Children's Privacy

AppFlight is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe we have collected data from a child, please contact us immediately.

11. Updates to Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on our website
  • Update to the "Last Updated" date at the top of this policy

Your continued use of AppFlight after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

12. Contact Information

For questions about this privacy policy, to exercise your rights, or to report privacy concerns:

Email: arminas@appflight.ai

13. Supervisory Authority

If you are located in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.

This Privacy Policy is compliant with GDPR, the ePrivacy Directive, and other applicable data protection laws.