What we collect, why, and how to make us forget.

01 · Who we are

ASOScan ("we", "us", "our") is a service operated by Khalil Kitar trading as ASOScan (Einzelunternehmer), with its registered operating address at Messeler-Park-Straße 132a, 64291 Darmstadt, Germany. The operator is the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") for all personal data described in this policy, except where a sub-processor acts as an independent controller for its own purposes (see Section 05). The full operator details are set out in our Impressum.

We have not appointed a Data Protection Officer because the criteria of Article 37 GDPR do not apply to our processing activities. You can reach us about any privacy matter at [email protected].

02 · What we collect

The categories of personal data we process are:

• Account data — name, email address, salted password hash, registration timestamp, last login timestamp, and the refresh tokens that keep you logged in.
• App tracking data — store URLs of the apps and competitors you add, the keywords you choose to monitor, your custom tags, alert rules, AI generation history, and the content you submit to the AI panel.
• Billing data — your Polar customer ID, subscription status, plan tier, billing cycle, current period end, and the cancellation reason / comment you provide if you cancel. Card and bank details are processed exclusively by Polar Software Inc. ("Polar"); we never see them.
• Service telemetry — IP address (used for rate limiting and security), HTTP request logs, error reports, and a per-request correlation ID that links frontend events to backend logs. Stored in our application logs and forwarded to Sentry for error monitoring.
• Analytics data (consent-gated) — only if you grant analytics consent on the cookie banner: page views, button clicks, conversion events, and (for marketing consent) anonymised session replays. See Section 09 for the full list of providers.
• Public app store data — metadata, ratings, and reviews scraped from the public-facing pages of the apps you ask us to track. This is data about third-party apps, not about you, but we hold it in association with your account.

03 · How we use it

We process the categories above for the following purposes:

• Providing the contracted service (account access, app tracking, AI generation, alerts, reporting, weekly digest emails).
• Billing, fraud prevention, and tax compliance for your subscription, executed by Polar as merchant of record (see Section 05).
• Service stability — error monitoring, capacity planning, abuse mitigation, rate limiting.
• Transactional communication (welcome email, password reset, email-change verification, billing failure notice, alert notifications, weekly digest).
• Product analytics and user research, only on the legal bases described in Section 04 and only where consent has been granted (see Section 09).
• Compliance with applicable law and lawful requests from competent authorities.

We do not sell personal data, share it with advertisers or data brokers, or use it to train any general-purpose machine learning model. AI features rely on third-party language models invoked per-request with the inputs you submit (see Section 10).

04 · Legal basis (GDPR)

Our lawful bases under Article 6(1) of the GDPR are:

• Article 6(1)(b) — performance of a contract: account, app tracking, AI generation, alerts, reporting, billing, transactional email.
• Article 6(1)(c) — legal obligation: retention of invoices and billing audit logs for German tax law (§ 147 AO, typically 10 years for invoices).
• Article 6(1)(f) — legitimate interest: security, abuse prevention, error monitoring, rate limiting, server-side billing-event analytics. We have carried out balancing tests for each; you may object at any time (see Section 07).
• Article 6(1)(a) — consent: all analytics SDKs loaded after the cookie banner accept (PostHog, GA4, Microsoft Clarity, GTM). You may withdraw consent at any time without affecting the lawfulness of prior processing.

05 · Sub-processors

We rely on the following sub-processors. Each is contractually bound by a Data Processing Addendum to process your data only on our instructions and only for the purposes set out below:

• Polar Software Inc. (United States) — payment processing, subscription management, customer billing portal, invoice generation, EU VAT collection and remittance. Polar acts as merchant of record: it is the legal seller of ASOScan subscriptions, issues invoices in its own name, and is jointly responsible with us for billing-related personal data.
• Postmark (Wildbit LLC, United States) — outbound transactional email (welcome, password reset, email change verification, billing failure, alert notifications, weekly digest).
• Sentry (Functional Software, Inc., United States) — application error monitoring and request traces. We disable PII collection (SendDefaultPii = false); only stack traces, route names, and our own correlation IDs are sent.
• OpenRouter / Google Gemini (United States) — generative AI inference for metadata, keyword, and recommendation features. Only the prompt content you submit through the AI panel is sent (app metadata, target keywords, current tracked keywords, top competitors). Outputs are not retained by us beyond the AI usage history shown in your account.
• PostHog Cloud EU (PostHog Inc., data residency in Frankfurt) — product analytics. Loads only after analytics consent. Used for funnel analysis and feature-flag evaluation.
• Google Analytics 4 + Google Tag Manager (Google Ireland Ltd., EU) — web analytics and tag management. Loads after analytics consent. Operated under Google Consent Mode v2; without consent, no measurement hits are sent.
• Microsoft Clarity (Microsoft Corporation, United States) — anonymised session replay and heatmaps. Loads only after marketing consent. Subject to the limitation noted in Section 09.
• Hosting infrastructure — application servers, database (PostgreSQL), and cache (Redis) self-hosted on hardware located in Germany.

An up-to-date list is available at [email protected] on request. We will give reasonable advance notice of any new sub-processor in accordance with our DPA.

06 · Retention & deletion

Account, app tracking, AI generation, keyword history, alerts, and tags are retained for as long as your account is active or in a permitted lockout window (see below). When you delete your account from the settings page, all of the above is removed within thirty (30) days via cascade delete. The Polar customer record is preserved with Polar (we cannot delete it) so that historical invoices remain queryable for tax purposes; the link between that record and your identity in our database is severed at deletion.

Trial expiry & abandoned accounts.

If your 14-day trial ends and you do not subscribe, you remain logged-in but locked out of product features. During this lockout you can still download your data, view your billing settings, and choose either to subscribe or to delete the account. Accounts that remain in this state for ninety (90) days without subscribing or self-deleting are deleted automatically by a scheduled cleanup job following the same procedure as a user-initiated deletion.

Apps you tracked and apps tracked by other users.

Each user's tracked apps and competitors are stored in separate database rows bound to that user's account. When you add an app — whether as your own product or as a competitor — we create your private copy of the app record, including an independent copy of any scraped public store data we collect on your behalf (title, description, screenshots, ratings, reviews, category rankings). When you delete your account, every row tied to your account is removed, including every private copy of public store data we held for you.

Other users who happen to be tracking the same publicly available app retain their own independent copies of the same public store data, scraped and stored for them under their own account. Those copies are not "your" data being retained — they are their data, collected and processed under their own relationship with us. Deletion of your account has no effect on them.

Shared, non-personal reference data — for example the canonical list of search keywords (term, country, platform) used by the keyword research engine — is retained because it does not identify you. Your tracking of any keyword (which you chose to monitor, your historical ranks for it, your tags, your alerts) is deleted in full.

The following data is retained beyond account deletion as permitted or required by law:

• Billing audit log (billing_events table — Polar webhook payloads): retained for 10 years (German tax law, § 147 AO).
• Application logs (Serilog rolling files including IP and correlation IDs): 30 days, then deleted.
• Sentry error reports: 90 days (default Sentry retention).
• Shared, non-personal reference data (canonical keyword list and similar): retained indefinitely because it contains no identifier of you.

07 · Your rights

You have the following rights, exercisable free of charge and within 30 days of request:

• Access (Art. 15) — request a copy of the personal data we hold about you. The settings page exposes a one-click ZIP export covering profile, apps, keywords, alerts, tags, and AI usage.
• Rectification (Art. 16) — correct inaccurate data via account settings or by writing to us.
• Erasure (Art. 17) — delete your account from settings or by request, subject to the retention exceptions in Section 06.
• Restriction (Art. 18) — temporarily limit how we process your data.
• Portability (Art. 20) — the export ZIP is in JSON, a structured machine-readable format.
• Objection (Art. 21) — object to processing carried out under our legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
• Withdrawal of consent (Art. 7(3)) — re-open the cookie banner at any time via the "Cookie preferences" link in the footer.
• Lodging a complaint (Art. 77) — with your local supervisory authority. The competent authority for the operator is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden, Germany — datenschutz.hessen.de.

08 · US residents (CCPA / CPRA)

California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. In addition to the rights listed in Section 07, you may:

• Know what categories of personal information we collect and the purposes for which we use them — disclosed in Sections 02 and 03.
• Opt out of "sale" or "sharing" of your personal information for cross-context behavioural advertising. We do not sell or share personal information as those terms are defined in the CCPA, and we do not knowingly sell or share the personal information of consumers under the age of 16.
• Limit use of sensitive personal information — we do not collect or use sensitive personal information as defined in Cal. Civ. Code § 1798.140(ae) for any purpose requiring an opt-in or opt-out under the CCPA.
• Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised any of these rights.

To exercise CCPA rights, email [email protected]. We will verify your identity by matching your request to the email associated with your account before responding.

09 · Cookies & tracking

ASOScan uses two categories of cookies and similar technologies:

• Strictly necessary (always on) — a first-party HTTP-only cookie containing your authentication token, plus a localStorage entry holding your refresh token. Required for the application to function. No consent needed under Art. 5(3) ePrivacy Directive / TTDSG § 25(2).
• Analytics & marketing (consent-gated) — loaded only after you accept the relevant category on the cookie banner. We use Google Consent Mode v2: the consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage, security_storage) default to denied and are only flipped to granted if you accept.

The consent-gated providers and what they receive are:

• PostHog Cloud EU (analytics consent) — page views, button clicks, conversion events, anonymised user IDs.
• Google Analytics 4 via Google Tag Manager (analytics consent) — same event categories, with Consent Mode signals attached.
• Microsoft Clarity (marketing consent) — anonymised session replays and heatmaps. Limitation: if you grant marketing consent, then withdraw it mid-session, Clarity may continue recording the active session until it ends naturally; the next session respects the updated choice. This is a vendor-side limitation we cannot override.

You may re-open the consent banner and change your choice at any time via the "Cookie preferences" link in the footer.

10 · AI & automated decision-making

ASOScan offers AI-assisted metadata generation, keyword suggestions, ASO recommendations, and review sentiment analysis. These features call third-party large language models (currently Google Gemini via OpenRouter) per request with the inputs you submit and the relevant context (your tracked keywords, top competitors, app metadata).

We do not perform solely automated decision-making producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR. AI outputs are suggestions intended for human editorial review; you remain responsible for any content you publish to the App Store or Play Store. Per our agreements with the AI providers, prompts are not retained for model training.

11 · Security & data breach

We follow industry-standard practices to protect personal data against unauthorised access, alteration, disclosure, or destruction. Specifically: passwords are stored as salted bcrypt hashes; all connections are TLS-encrypted; database backups are encrypted at rest; access to production systems requires SSH key authentication; per-request correlation IDs make incident investigation traceable; rate limiting (per-user and per-IP) bounds abuse. Critical errors trigger Sentry alerts.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware (Art. 33 GDPR) and notify affected users without undue delay where required by Art. 34 GDPR.

12 · International transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) signed with the relevant sub-processor, supplemented where appropriate by additional safeguards identified through transfer impact assessments. Polar, Postmark, Sentry, OpenRouter, and Microsoft Clarity are US-based; PostHog, GA4 and GTM are operated by EU entities with EU data residency.

13 · Children

ASOScan is not directed to children. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a minor has provided personal data, contact us at [email protected] and we will delete the account and associated data without delay.

14 · Changes to this policy

We may update this Privacy Policy from time to time. Material changes (new categories of data, new sub-processors, new purposes, or significant changes to your rights) will be notified to you by email at least 14 days before they take effect, and the version number and "Last updated" date in the document meta strip above will be incremented. Non-material changes (clarifications, typo fixes) take effect immediately on publication.

15 · Contact

For any question about this Privacy Policy, to exercise the rights described above, or to lodge a complaint, please contact:

• Email:[email protected]
• Postal address: Khalil Kitar — ASOScan, Messeler-Park-Straße 132a, 64291 Darmstadt, Germany
• Supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden — datenschutz.hessen.de