Privacy Policy
Effective date: June 4, 2026
This Privacy Policy explains how AppRoast collects, uses, and protects your personal data. AppRoast is operated by:
We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Polish law.
1. What data we collect
Account data
When you register, we collect your email address, password (stored as a bcrypt hash), and optionally OAuth identifiers (Google or GitHub). We also store your subscription plan, usage counters, and account creation date.
Usage data
We store app identifiers you monitor (App Store IDs, Google Play IDs), roast history including app names and AI-generated reports, delta scan snapshots, and competitor analysis results. This data is tied to your account.
Payment data
Payments are processed by Stripe. We store your Stripe Customer ID and Subscription ID to manage your plan. We do not store card numbers or full payment details. See Stripe's Privacy Policy.
Analytics data
With your consent, we collect anonymized usage analytics via Google Analytics 4 and Google Tag Manager to understand how users interact with the service.
Newsletter
If you subscribe to updates, we store your email address with Brevo (our email service provider). You can unsubscribe at any time via the link in any email.
Technical logs
We may collect IP address hashes (not raw IPs), browser type, and request logs for security, rate limiting, and abuse prevention. These are not linked to personal identity.
2. How we use your data
- To provide and operate the AppRoast service
- To process payments and manage subscriptions
- To send transactional emails (account verification, password reset, scan alerts, invoices)
- To send newsletter updates where you have consented
- To analyze usage and improve the service
- To detect and prevent fraud and abuse
- To comply with legal obligations
3. Legal basis for processing (GDPR)
| Processing activity | Legal basis |
|---|---|
| Account creation and service delivery | Contract performance (Art. 6(1)(b)) |
| Payment processing and billing records | Contract performance + Legal obligation (Art. 6(1)(b)(c)) |
| Transactional emails (alerts, invoices, reset) | Contract performance (Art. 6(1)(b)) |
| Newsletter and marketing emails | Consent (Art. 6(1)(a)) |
| Analytics cookies (GA4, GTM) | Consent (Art. 6(1)(a)) |
| Fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Infrastructure logs | Legitimate interest (Art. 6(1)(f)) |
4. Data processors and third-party services
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | USA (SCCs) |
| Brevo (Sendinblue) | Transactional and marketing emails | EU |
| Google Analytics 4 | Usage analytics (consent-gated) | USA (SCCs) |
| Google Tag Manager | Analytics tag management | USA (SCCs) |
| Cookiebot (Cybot) | Cookie consent management | EU |
| Anthropic | AI-powered review analysis (review text processed, no personal data sent) | USA (SCCs) |
| Hostinger | Web hosting and infrastructure | EU |
We do not sell your personal data to third parties.
5. International data transfers
Some service providers listed above process data outside the European Economic Area (EEA), including in the United States. Where applicable, such transfers rely on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards as required by GDPR Chapter V.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data (email, plan, usage) | Until account deletion. Deleted immediately upon request. |
| Roast history and monitoring data | Until account deletion. Deleted immediately upon request. |
| Payment records (Stripe IDs) | 5 years for accounting and legal compliance obligations |
| Newsletter subscription | Until unsubscribe |
| Analytics data (GA4) | 14 months (GA4 default, consent-gated) |
| Infrastructure / security logs | Up to 90 days |
7. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Restriction — request we limit processing in certain circumstances
- Portability — receive your data in a structured format
- Objection — object to processing based on legitimate interest
- Withdraw consent — for analytics and newsletter at any time
To exercise any of these rights, email support@approast.app. Account deletion requests are processed immediately — all account data is permanently deleted from our systems with no retention period.
Note: you currently cannot self-delete your account from the dashboard. Please contact us and we will process your request promptly.
You also have the right to lodge a complaint with your national data protection authority. In Poland: UODO (uodo.gov.pl).
8. Security
We take commercially reasonable technical and organizational measures to protect your data, including password hashing, HTTPS encryption, secure session management, and access controls. No online service can guarantee absolute security.
9. Children's privacy
AppRoast is not intended for users under 18. We do not knowingly collect data from minors.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or notice in the dashboard. The effective date at the top of this page will always reflect the latest version.
11. Contact
For privacy-related questions or data requests: support@approast.app