Privacy Policy

Last updated: March 2026. This policy explains how YFOUNDERS (Apptimize) collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).

1. Data Controller

The data controller responsible for processing your personal data is:

  • YFOUNDERS — Société par Actions Simplifiée Unipersonnelle (SASU)
  • Company registration (SIRET): 900 145 327 00012 — RCS Montpellier
  • EU VAT number: FR31900145327
  • Data Protection Officer (DPO): hello@tryapptimize.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed with bcrypt via Supabase Auth — never stored in plain text).
  • Billing data: Stripe subscription metadata (customer ID, plan, status, renewal date). We never store full card numbers on our servers.
  • Product usage data: interaction events with the application (pages visited, features used, errors) collected via PostHog for product improvement purposes.
  • Configuration data: Apple App Store Connect and Apple Search Ads API keys voluntarily provided by the user, stored encrypted in the Supabase database. These keys are never transmitted in plain text to the browser after initial setup.
  • Public App Store data: publicly available information from the Apple App Store (title, description, screenshots, ratings) scraped to power ASO analysis. This data does not constitute personal data under the GDPR.
  • Technical data: IP address, browser type, access logs for security and diagnostic purposes.

3. Purposes and Legal Bases (GDPR)

Each processing activity rests on an identified legal basis under Article 6 of the GDPR:

Purpose | Legal basis (Art. 6 GDPR)
Account creation and management | Performance of a contract (Art. 6.1.b)
Delivery of the SaaS service (access to features) | Performance of a contract (Art. 6.1.b)
Payment processing and subscription management | Performance of a contract (Art. 6.1.b)
Transactional emails (confirmations, invoices) | Performance of a contract (Art. 6.1.b)
Product analytics and service improvement (PostHog) | Legitimate interest (Art. 6.1.f) — product improvement
Security, fraud detection, and access logs | Legitimate interest (Art. 6.1.f) — service security
Retention of accounting and tax records | Legal obligation (Art. 6.1.c) — 10-year French requirement
Analytics cookies (where consent is obtained) | Consent (Art. 6.1.a)

4. Sub-processors and Recipients

We engage the sub-processors listed below to operate the service. Each is bound by a Data Processing Agreement (DPA) compliant with the GDPR. We never sell your personal data.

Sub-processor | Role | Location | Transfer safeguard
Supabase Inc. | Database, authentication, Edge Functions | EU — Frankfurt (AWS eu-central-1) | Intra-EU — no transfer
Stripe Inc. | Payment processing, subscription management | US / EU | EU Standard Contractual Clauses (2021/914)
PostHog Inc. | Product analytics, usage events | EU — Frankfurt (PostHog Cloud EU) | Intra-EU — no transfer
OpenAI LP / OpenRouter | AI analysis of ASO content (text + screenshots) | US | EU Standard Contractual Clauses (2021/914)
Cloudflare Inc. | Web page rendering, crawl proxy | US / global network | EU Standard Contractual Clauses (2021/914)
RevenueCat Inc. | In-app subscription management (mobile apps) | US | EU Standard Contractual Clauses (2021/914)
Google LLC | OAuth authentication (Sign in with Google) | US / EU | EU Standard Contractual Clauses (2021/914)
Apple Inc. | App Store Connect API, iTunes Search API | US | EU Standard Contractual Clauses (2021/914)
Vercel Inc. | Web application hosting and deployment | US / global network | EU Standard Contractual Clauses (2021/914)

5. International Transfers

Some sub-processors listed above are established in the United States. These transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021 (Decision 2021/914), which constitute an appropriate safeguard under Article 46 of the GDPR. No data is transferred to third countries without such safeguards.

6. Data Retention

  • Account and usage data: retained for the duration of the active subscription, then 3 years from the date of last activity (legitimate interest — legal limitation periods).
  • Billing and accounting data: 10 years from the date of invoice issuance (legal obligation — Art. L123-22 French Commercial Code).
  • Security and access logs: 12 rolling months.
  • Deletion on request: processed within 30 calendar days of receiving the request, subject to mandatory legal retention obligations.

7. Security

We implement the following technical and organisational measures:

  • Encryption of communications in transit via TLS 1.2+.
  • Encryption of data at rest in Supabase (AES-256).
  • Third-party API keys stored encrypted in the database; never exposed to the browser after initial setup.
  • Multi-factor authentication available for user accounts.
  • Principle of least privilege: each system component accesses only the data strictly required for its function.
  • Regular review of access controls and dependencies.

8. Your Rights Under the GDPR

Under Articles 15 to 22 of the GDPR, you have the following rights over your personal data:

  • Right of access (Art. 15): obtain a copy of your data and information about how it is processed.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data, subject to mandatory retention obligations.
  • Right to restriction of processing (Art. 18): restrict processing in certain cases (contested accuracy, unlawful processing, etc.).
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format or have it transmitted to another controller.
  • Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent (Art. 7§3): withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our DPO at hello@tryapptimize.com. We will respond within one month (extendable to three months for complex requests, with prior notice).

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French supervisory authority: www.cnil.fr.

9. Cookies and Trackers

We use two categories of cookies:

  • Strictly necessary cookies: authentication session management (Supabase). These cookies are essential to the operation of the service and do not require your consent.
  • Analytics cookies (PostHog): audience measurement and usage behaviour analysis. These cookies are only placed after collecting your consent, in accordance with CNIL guidelines.

You can manage your cookie preferences at any time via your browser settings or the consent banner.

10. Minors

The Apptimize service is intended for professionals and adults. We do not knowingly collect personal data from individuals under the age of 16. If you are a minor, please do not use the service.

11. Changes to This Policy

If we make a material change to this policy (new processing purpose, new sub-processor, change of legal basis), we will notify you by email with at least 30 days' notice before the changes take effect. The date of last update is shown at the top of this page.

12. Contact — Data Protection Officer

For any question relating to this policy or to exercise your rights: