Privacy Policy
Last updated: February 24, 2026
1. Who We Are
This Privacy Policy describes how dowhiletrue s.r.o. ("we", "us", or "Company"), the operator of AppMetaHub, collects, uses, and protects your personal data.
Data Controller:
dowhiletrue s.r.o.
Lipová 5001/15, 080 01 Prešov, Slovensko
VAT ID: SK2023243332
Email: info@dowhiletrue.co
We do not have a formally designated Data Protection Officer (DPO) as we are not required to appoint one under current GDPR rules. For any privacy-related queries, contact us at the address above.
2. What Data We Collect
We collect the following categories of personal data:
- Account data: Email address, display name, and (optionally) profile picture when you register an Account.
- Billing data: Billing name, billing address, and VAT number (if applicable). Credit card details are processed and stored exclusively by Stripe — we never see or store your full card number.
- App Store Connect credentials: API keys you provide to connect your Apple developer account. These are encrypted at rest using AES-256-GCM and are used solely to communicate with Apple's APIs on your behalf.
- Content data: App metadata, screenshots, localizations, and other assets you upload or generate through the Service.
- Automatic data: IP address, browser type and version, operating system, referral URLs, pages visited, session duration, and other standard web-server logs. If you accept analytics cookies, we also collect aggregated usage statistics via Google Analytics 4.
- Communications: Messages you send us via email or the in-app support chat (Crisp).
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Art. 6(1)(b) — performance of a contract |
| Processing payments and managing Subscriptions | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (receipts, alerts) | Art. 6(1)(b) — performance of a contract |
| Complying with legal obligations (e.g. VAT records) | Art. 6(1)(c) — legal obligation |
| Security monitoring and fraud prevention | Art. 6(1)(f) — legitimate interests |
| Product improvement and analytics | Art. 6(1)(f) — legitimate interests / Art. 6(1)(a) — consent (for analytics cookies) |
| Sending product updates and marketing emails | Art. 6(1)(a) — consent (opt-in required) |
| Responding to support requests | Art. 6(1)(b) / Art. 6(1)(f) — legitimate interests |
4. Data Sharing
We do not sell your personal data. We share data with the following sub-processors solely to the extent necessary to deliver the Service:
| Recipient | Purpose | Transfer basis |
|---|---|---|
| Stripe, Inc. (USA) | Payment processing | EU–US SCCs / Adequacy |
| Supabase, Inc. (USA) | Database, authentication, storage | EU–US SCCs |
| Vercel, Inc. (USA) | Application hosting and CDN | EU–US SCCs |
| Google LLC (USA) | Analytics (GA4) | EU–US SCCs / Consent |
| Sentry (Functional Software, Inc.) (USA) | Error monitoring | EU–US SCCs |
| Crisp IM SAS (France) | Customer support chat | Within EEA |
| Anthropic PBC (USA) | AI content generation | EU–US SCCs |
We may also disclose your data if required by law, court order, or governmental authority, or to protect the rights, property, or safety of the Company, our users, or the public.
5. Data Retention
| Data category | Retention period |
|---|---|
| Account data | Until Account deletion, then 3 years |
| Billing records & invoices | 10 years (Slovak Accounting Act No. 431/2002 Coll.) |
| App Store Connect API keys | Deleted within 30 days of Account deletion |
| Content data (metadata, assets) | Deleted within 30 days of Account deletion |
| Analytics data (Google Analytics) | 24 months (GA4 default) |
| Server logs | 90 days |
| Support chat history | 3 years after last interaction |
6. Your GDPR Rights
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing: Ask us to restrict how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests (Art. 6(1)(f)), including profiling.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email us at info@dowhiletrue.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority. In Slovakia, this is the Úrad na ochranu osobných údajov SR (UOOU).
7. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS (TLS 1.2+) for all data in transit.
- AES-256-GCM encryption for App Store Connect API credentials stored at rest.
- Bcrypt hashing for user passwords (managed by Supabase Auth).
- Row-level security (RLS) in the database to enforce access control.
- Real-time error monitoring and alerting via Sentry.
Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.
8. Cookies
We use cookies and similar tracking technologies to operate and improve the Service. The following table describes the categories of cookies we use:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Authentication sessions, security tokens, cookie-consent preference | No — always active |
| Analytics | Aggregate usage statistics via Google Analytics 4 (_ga, _ga_*) | Yes — opt-in |
| Functional | Live support chat preferences (Crisp) | Yes — opt-in |
| Marketing | Targeted advertising and retargeting (currently not used) | Yes — opt-in |
We use GA4 Consent Mode v2 — if you decline analytics cookies, no tracking cookies are set and no personally identifiable data is collected. You can change your cookie preferences at any time.
9. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at info@dowhiletrue.co and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will give you at least 30 days' notice by email or by displaying a prominent notice within the Service. The updated policy will indicate the revised "Last updated" date at the top. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your data, please contact us at:
dowhiletrue s.r.o.
Lipová 5001/15, 080 01 Prešov, Slovensko
Email: info@dowhiletrue.co
We do not have a formally designated Data Protection Officer. All data protection inquiries are handled directly by the company.
