01 · Who we are
ASOScan is operated by a sole proprietor based in Germany. We provide app store optimization analytics. This page explains the personal data we hold to do that.
ASOScan ("we", "us", "our") is a service operated by Khalil Kitar trading as ASOScan (Einzelunternehmer), with its registered operating address at Messeler-Park-Straße 132a, 64291 Darmstadt, Germany. The operator is the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") for all personal data described in this policy, except where a sub-processor acts as an independent controller for its own purposes (see Section 05). The full operator details are set out in our Impressum.
We have not appointed a Data Protection Officer because the criteria of Article 37 GDPR do not apply to our processing activities. You can reach us about any privacy matter at [email protected].
02 · What we collect
Account info, the app URLs you ask us to track, billing identifiers from our payment provider, server logs, and — only if you accept the cookie banner — analytics about how you use the site.
The categories of personal data we process are:
- Account data — name, email address, salted password hash, registration timestamp, last login timestamp, and the refresh tokens that keep you logged in.
- App tracking data — store URLs of the apps and competitors you add, the keywords you choose to monitor, your custom tags, alert rules, AI generation history, and the content you submit to the AI panel.
- Billing data — your Polar customer ID, subscription status, plan tier, billing cycle, current period end, and the cancellation reason / comment you provide if you cancel. Card and bank details are processed exclusively by Polar Software Inc. ("Polar"); we never see them.
- Service telemetry — IP address (used for rate limiting and security), HTTP request logs, error reports, and a per-request correlation ID that links frontend events to backend logs. Stored in our application logs and forwarded to Sentry for error monitoring.
- Analytics data (consent-gated) — only if you grant analytics consent on the cookie banner: page views, button clicks, conversion events, and (for marketing consent) anonymised session replays. See Section 09 for the full list of providers.
- Public app store data — metadata, ratings, and reviews scraped from the public-facing pages of the apps you ask us to track. This is data about third-party apps, not about you, but we hold it in association with your account.
- Connected store-account data (optional) — only if you connect a Google Play Console, Apple App Store Connect, or Google Ads account: the data we access from your own account (your apps' metadata, reviews, ratings, install / performance analytics, and your Google Ads campaigns) together with the encrypted OAuth tokens or API keys that authorise that access. We access this only with your explicit authorisation and use it solely to provide the service to you — see Section 05b.
03 · How we use it
To run the service, bill you for it, keep it secure, send you transactional emails, and — if you opted in — improve the product through analytics. We do not sell your data and do not build advertising profiles.
We process the categories above for the following purposes:
- Providing the contracted service (account access, app tracking, AI generation, alerts, reporting, weekly digest emails).
- Billing, fraud prevention, and tax compliance for your subscription, executed by Polar as merchant of record (see Section 05).
- Service stability — error monitoring, capacity planning, abuse mitigation, rate limiting.
- Transactional communication (welcome email, password reset, email-change verification, billing failure notice, alert notifications, weekly digest).
- Product analytics and user research, only on the legal bases described in Section 04 and only where consent has been granted (see Section 09).
- Compliance with applicable law and lawful requests from competent authorities.
We do not sell personal data, share it with advertisers or data brokers, or use it to train any general-purpose machine learning model. AI features rely on third-party language models invoked per-request with the inputs you submit (see Section 10).
04 · Legal basis (GDPR)
We rely on contract for delivering the service, legitimate interest for security and core analytics, legal obligation for tax, and consent for marketing analytics and session replay.
Our lawful bases under Article 6(1) of the GDPR are:
- Article 6(1)(b) — performance of a contract: account, app tracking, AI generation, alerts, reporting, billing, transactional email.
- Article 6(1)(c) — legal obligation: retention of invoices and billing audit logs for German tax law (§ 147 AO, typically 10 years for invoices).
- Article 6(1)(f) — legitimate interest: security, abuse prevention, error monitoring, rate limiting, server-side billing-event analytics. We have carried out balancing tests for each; you may object at any time (see Section 07).
- Article 6(1)(a) — consent: all analytics SDKs loaded after the cookie banner accept (PostHog, GA4, Microsoft Clarity, GTM). You may withdraw consent at any time without affecting the lawfulness of prior processing.
05 · Sub-processors
Polar handles billing and is the legal seller of our subscriptions. Postmark sends our emails. Sentry receives error reports. Our AI providers process the prompts you send them. If you opted in to analytics, PostHog, GA4 and Clarity get usage data.
We rely on the following sub-processors. Each is contractually bound by a Data Processing Addendum to process your data only on our instructions and only for the purposes set out below:
- Polar Software Inc. (United States) — payment processing, subscription management, customer billing portal, invoice generation, EU VAT collection and remittance. Polar acts as merchant of record: it is the legal seller of ASOScan subscriptions, issues invoices in its own name, and is jointly responsible with us for billing-related personal data.
- Postmark (Wildbit LLC, United States) — outbound transactional email (welcome, password reset, email change verification, billing failure, alert notifications, weekly digest).
- Sentry (Functional Software, Inc., United States) — application error monitoring and request traces. We disable PII collection (
SendDefaultPii = false); only stack traces, route names, and our own correlation IDs are sent. - OpenRouter / Google Gemini (United States) — generative AI inference for metadata, keyword, and recommendation features. Only the prompt content you submit through the AI panel is sent (app metadata, target keywords, current tracked keywords, top competitors). Outputs are not retained by us beyond the AI usage history shown in your account.
- PostHog Cloud EU (PostHog Inc., data residency in Frankfurt) — product analytics. Loads only after analytics consent. Used for funnel analysis and feature-flag evaluation.
- Google Analytics 4 + Google Tag Manager (Google Ireland Ltd., EU) — web analytics and tag management. Loads after analytics consent. Operated under Google Consent Mode v2; without consent, no measurement hits are sent.
- Microsoft Clarity (Microsoft Corporation, United States) — anonymised session replay and heatmaps. Loads only after marketing consent. Subject to the limitation noted in Section 09.
- Hosting infrastructure — application servers, database (PostgreSQL), and cache (Redis) self-hosted on hardware located in Germany.
An up-to-date list is available at [email protected] on request. We will give reasonable advance notice of any new sub-processor in accordance with our DPA.
05b · Connected store accounts (Google Play, App Store Connect, Google Ads)
If you choose to connect your Google Play Console, Apple App Store Connect, or Google Ads account, we access only your own data from those accounts — your apps' listings, reviews, ratings, install / performance stats, and (for Google Ads) your campaigns — and use it only to power ASOScan's features for you. We never sell or share it, and we delete the connection and its data when you disconnect or close your account.
Connecting a store account is entirely optional. If you do, you authorise the access yourself — through Google's OAuth consent screen, or by pasting an Apple App Store Connect API key (.p8) — and you can revoke it at any time. We request the narrowest scopes each feature needs:
- Google Play Console (OAuth scopes
androidpublisher+playdeveloperreporting) — your list of apps, your store-listing metadata (read-only), your apps' reviews and ratings, and daily install / uninstall statistics. - Apple App Store Connect (a Team API key you paste) — your apps' metadata, reviews, ratings, and analytics, to the extent the key's role permits.
- Google Ads (OAuth scope
adwords) — your Google Ads campaigns: creating, editing, enabling / pausing, and reading performance for campaigns you build in ASOScan.
Changes we make on your behalf. The only writes we perform are ones you explicitly initiate inside ASOScan: posting your developer replies to your own app reviews, and creating / editing / enabling the ad campaigns you build here (campaigns are always created paused, so nothing spends until you activate it). We never modify your store listing — metadata access is read-only.
How we store the credentials. OAuth tokens and Apple API keys are encrypted at rest, separately from your password, and are used only to call the provider APIs on your behalf. We never see your Google or Apple account password.
Limited use. Our use of data obtained through these connections — including all data received from Google APIs — complies with the Google API Services User Data Policy, including its Limited Use requirements. We use connected-account data solely to provide and improve the ASOScan features shown to you, the connecting user. We do not sell it, transfer it to data brokers or advertising platforms, use it for advertising, or use it to train any machine-learning model. Private data such as your install / performance analytics is shown only to you and is never exposed to other users who track your app as a competitor.
Disconnecting and deletion. You can disconnect any account at any time from Settings → Connections; doing so revokes our access and deletes the stored credentials together with the data we synced from that account. Deleting your ASOScan account removes all of it. You can also revoke our access directly from your Google Account or your Apple ID account settings.
06 · Retention & deletion
We keep your data while your account is active. If your trial ends without subscribing you have 90 days to come back or export your data — after that we delete the account automatically. Tax-required billing records stay for 10 years.
Account, app tracking, AI generation, keyword history, alerts, and tags are retained for as long as your account is active or in a permitted lockout window (see below). When you delete your account from the settings page, all of the above is removed within thirty (30) days via cascade delete. The Polar customer record is preserved with Polar (we cannot delete it) so that historical invoices remain queryable for tax purposes; the link between that record and your identity in our database is severed at deletion.
Trial expiry & abandoned accounts.
If your trial or subscription ends and you do not have an active plan, you remain logged-in but locked out of product features. During this lockout you can still download your data, view your billing settings, and choose either to subscribe or to delete the account. Accounts that remain in this state for ninety (90) days without subscribing or self-deleting are deleted automatically by a scheduled cleanup job following the same procedure as a user-initiated deletion.
Apps you tracked and apps tracked by other users.
Each user's tracked apps and competitors are stored in separate database rows bound to that user's account. When you add an app — whether as your own product or as a competitor — we create your private copy of the app record, including an independent copy of any scraped public store data we collect on your behalf (title, description, screenshots, ratings, reviews, category rankings). When you delete your account, every row tied to your account is removed, including every private copy of public store data we held for you.
Other users who happen to be tracking the same publicly available app retain their own independent copies of the same public store data, scraped and stored for them under their own account. Those copies are not "your" data being retained — they are their data, collected and processed under their own relationship with us. Deletion of your account has no effect on them.
Shared, non-personal reference data — for example the canonical list of search keywords (term, country, platform) used by the keyword research engine — is retained because it does not identify you. Your tracking of any keyword (which you chose to monitor, your historical ranks for it, your tags, your alerts) is deleted in full.
Connected store accounts. If you connected a Google Play Console, App Store Connect, or Google Ads account, the OAuth tokens / API keys and the data we synced from that account (metadata, reviews, ratings, analytics, campaigns) are deleted when you disconnect the account in Settings → Connections, and in any case when you delete your ASOScan account. Disconnecting immediately stops all further access; you can additionally revoke our access from your Google or Apple account at any time.
The following data is retained beyond account deletion as permitted or required by law:
- Billing audit log (
billing_eventstable — Polar webhook payloads): retained for 10 years (German tax law, § 147 AO). - Application logs (Serilog rolling files including IP and correlation IDs): 30 days, then deleted.
- Sentry error reports: 90 days (default Sentry retention).
- Shared, non-personal reference data (canonical keyword list and similar): retained indefinitely because it contains no identifier of you.
07 · Your rights
Under the GDPR you can ask us for a copy of your data, correct it, delete it, or export it. The "Download my data" button on the settings page handles the first two clicks.
You have the following rights, exercisable free of charge and within 30 days of request:
- Access (Art. 15) — request a copy of the personal data we hold about you. The settings page exposes a one-click ZIP export covering profile, apps, keywords, alerts, tags, and AI usage.
- Rectification (Art. 16) — correct inaccurate data via account settings or by writing to us.
- Erasure (Art. 17) — delete your account from settings or by request, subject to the retention exceptions in Section 06.
- Restriction (Art. 18) — temporarily limit how we process your data.
- Portability (Art. 20) — the export ZIP is in JSON, a structured machine-readable format.
- Objection (Art. 21) — object to processing carried out under our legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
- Withdrawal of consent (Art. 7(3)) — re-open the cookie banner at any time via the "Cookie preferences" link in the footer.
- Lodging a complaint (Art. 77) — with your local supervisory authority. The competent authority for the operator is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden, Germany — datenschutz.hessen.de.
08 · US residents (CCPA / CPRA)
If you live in California, you have the same rights as EU users plus a right to opt out of "sale" or "sharing" of personal information. We do not sell or share — but you can confirm that here.
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. In addition to the rights listed in Section 07, you may:
- Know what categories of personal information we collect and the purposes for which we use them — disclosed in Sections 02 and 03.
- Opt out of "sale" or "sharing" of your personal information for cross-context behavioural advertising. We do not sell or share personal information as those terms are defined in the CCPA, and we do not knowingly sell or share the personal information of consumers under the age of 16.
- Limit use of sensitive personal information — we do not collect or use sensitive personal information as defined in Cal. Civ. Code § 1798.140(ae) for any purpose requiring an opt-in or opt-out under the CCPA.
- Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised any of these rights.
To exercise CCPA rights, email [email protected]. We will verify your identity by matching your request to the email associated with your account before responding.
09 · Cookies & tracking
We use one essential cookie (your login session). Everything else — analytics, session replay — only loads if you click Accept on the cookie banner. You can change your mind at any time.
ASOScan uses two categories of cookies and similar technologies:
- Strictly necessary (always on) — a first-party HTTP-only cookie containing your authentication token, plus a localStorage entry holding your refresh token. Required for the application to function. No consent needed under Art. 5(3) ePrivacy Directive / TTDSG § 25(2).
- Analytics & marketing (consent-gated) — loaded only after you accept the relevant category on the cookie banner. We use Google Consent Mode v2: the consent signals (
analytics_storage,ad_storage,ad_user_data,ad_personalization,functionality_storage,personalization_storage,security_storage) default to denied and are only flipped to granted if you accept.
The consent-gated providers and what they receive are:
- PostHog Cloud EU (analytics consent) — page views, button clicks, conversion events, anonymised user IDs.
- Google Analytics 4 via Google Tag Manager (analytics consent) — same event categories, with Consent Mode signals attached.
- Microsoft Clarity (marketing consent) — anonymised session replays and heatmaps. Limitation: if you grant marketing consent, then withdraw it mid-session, Clarity may continue recording the active session until it ends naturally; the next session respects the updated choice. This is a vendor-side limitation we cannot override.
You may re-open the consent banner and change your choice at any time via the "Cookie preferences" link in the footer.
10 · AI & automated decision-making
Our AI features make suggestions. They do not make decisions about you in the legal sense (Art. 22 GDPR). The prompts you submit are sent to third-party language models for inference and are not used to train them.
ASOScan offers AI-assisted metadata generation, keyword suggestions, ASO recommendations, and review sentiment analysis. These features call third-party large language models (currently Google Gemini via OpenRouter) per request with the inputs you submit and the relevant context (your tracked keywords, top competitors, app metadata).
We do not perform solely automated decision-making producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR. AI outputs are suggestions intended for human editorial review; you remain responsible for any content you publish to the App Store or Play Store. Per our agreements with the AI providers, prompts are not retained for model training.
10b · Account access by ASOScan staff
To investigate bug reports and confirm the product is working for you, authorised ASOScan staff can briefly view your account through a read-only "view as user" mechanism. It is logged in an internal audit table, capped at 30 minutes per session, and cannot be used to write, change billing, or modify your data.
To investigate bug reports and verify our system is functioning correctly, authorised ASOScan staff may temporarily view your account through an internal "view as user" mechanism. Such access is:
- Logged in an internal audit table (admin id, session id, reason, timestamp).
- Scope-limited to read-only — no writes, no billing actions, no changes to your data are possible while the staff member is in this mode.
- Bounded to 30 minutes per session, after which the session ends automatically.
- Never used for purposes beyond support investigation or product debugging.
You will not be notified at the time of access. Audit records are retained for 90 days. If you would like to know whether your account has been accessed in this way, contact us using the details in section 15.
11 · Security & data breach
Passwords are hashed, traffic is encrypted, backups are encrypted at rest. If we ever have a breach affecting you, we will notify the supervisory authority within 72 hours and you without undue delay.
We follow industry-standard practices to protect personal data against unauthorised access, alteration, disclosure, or destruction. Specifically: passwords are stored as salted bcrypt hashes; all connections are TLS-encrypted; database backups are encrypted at rest; access to production systems requires SSH key authentication; per-request correlation IDs make incident investigation traceable; rate limiting (per-user and per-IP) bounds abuse. Critical errors trigger Sentry alerts.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware (Art. 33 GDPR) and notify affected users without undue delay where required by Art. 34 GDPR.
12 · International transfers
Several sub-processors are based in the United States. We rely on Standard Contractual Clauses for those transfers.
Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) signed with the relevant sub-processor, supplemented where appropriate by additional safeguards identified through transfer impact assessments. Polar, Postmark, Sentry, OpenRouter, and Microsoft Clarity are US-based; PostHog, GA4 and GTM are operated by EU entities with EU data residency.
13 · Children
ASOScan is a B2B tool for app developers and marketers. It is not intended for anyone under 16, and we do not knowingly collect data from minors.
ASOScan is not directed to children. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a minor has provided personal data, contact us at [email protected] and we will delete the account and associated data without delay.
14 · Changes to this policy
If we change anything material, we will email you and bump the version number above.
We may update this Privacy Policy from time to time. Material changes (new categories of data, new sub-processors, new purposes, or significant changes to your rights) will be notified to you by email at least 14 days before they take effect, and the version number and "Last updated" date in the document meta strip above will be incremented. Non-material changes (clarifications, typo fixes) take effect immediately on publication.
15 · Contact
Email us. We answer within 30 days, usually faster.
For any question about this Privacy Policy, to exercise the rights described above, or to lodge a complaint, please contact:
- Email:[email protected]
- Postal address: Khalil Kitar — ASOScan, Messeler-Park-Straße 132a, 64291 Darmstadt, Germany
- Supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden — datenschutz.hessen.de