Scope. This Privacy Policy applies exclusively to the AppTego Free plan. Paid plans (Team and Enterprise) are governed by separate privacy terms included in their subscription agreements, which cover additional data processing activities such as runtime threat telemetry collection, audit logging, and device-level analytics. If you upgrade to a paid plan, the privacy terms of that agreement will supersede this policy to the extent of any conflict.
1. Introduction
AppTego (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use the AppTego Free plan.
By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Our role and your data
2.1 When we act as a data controller
AppTego is the data controller for the personal data we collect directly from you — including your account information, platform usage data, device and technical data, and communications with us. We determine the purposes and means of processing this data to provide and improve the Service.
2.2 When we act as a data processor
When you upload mobile application binaries for processing, AppTego acts as a data processor on your behalf. You are responsible for ensuring that you have all rights, consents, and notices necessary for any personal data contained in the uploaded binaries, and you may not upload binaries containing prohibited, unlawful, or special-category personal data unless separate data processing terms have been agreed in writing. We process your application binaries solely according to your instructions (i.e., the security configuration you select) and for the sole purpose of delivering the protected binary back to you. If uploaded binaries contain personal data subject to applicable data protection laws, such processing is governed by separate data processing terms between you and AppTego.
2.3 No end-user telemetry on the Free plan
The Free plan does not include runtime threat telemetry, device logging, or any data collection from the end users of your protected applications. Applications built on the Free plan do not transmit any data back to AppTego’s infrastructure at runtime. End-user telemetry features are available only on paid plans and are governed by those plans’ separate privacy terms.
3. Information we collect
We collect the following categories of information on the Free plan:
3.1 Account information
When you create an account, we collect your name, email address, and company name (if provided). The Free plan does not require billing details.
Legal basis: Performance of our contract with you (our Terms of Service).
3.2 Usage data
We automatically collect information about how you interact with our platform, including pages visited, features used, build history, and timestamps.
Legal basis: Legitimate interest in improving and operating the Service.
3.3 Device and technical data
We collect IP addresses, browser type, operating system, and device identifiers when you access the platform.
Legal basis: Legitimate interest in platform security and fraud prevention.
3.4 Application binaries
When you upload compiled mobile app binaries (.apk, .aab, .ipa) for processing, we handle them solely for the purpose of applying the security protections you have configured. The Service operates on compiled binaries — we never require, access, or store your application source code. The build pipeline decompiles your binary to inject security controls at the binary level and then repackages it; no human reviews your application code during this process.
Legal basis: Performance of our contract with you.
3.5 Communications
If you contact us via email, support tickets, or other channels, we retain those communications to provide support and maintain records.
Legal basis: Legitimate interest in providing support and our contractual obligations.
4. How we use your information
We use the information we collect to:
- Provide, operate, and maintain the Service, including processing your application binaries and delivering protected builds.
- Manage your account and authenticate your access.
- Send administrative communications, such as security alerts, service updates, and account notifications. You may opt out of receiving marketing communications from us by clicking the ‘unsubscribe’ link in our emails or by contacting us directly.
- Improve, personalise, and expand our services based on aggregated usage patterns.
- Detect, prevent, and respond to fraud, abuse, and security incidents affecting the platform.
- Comply with legal obligations and enforce our Terms of Service.
We do not use your information for automated profiling or decision-making that produces legal or similarly significant effects on you.
5. Sharing of information
We do not sell, rent, or trade your personal information. We may share data with the following categories of recipients:
5.1 Sub-processors
We use trusted third-party service providers to help operate the Service. These providers are contractually obligated to protect your data and may only process it on our behalf. Our current sub-processors include:
- Amazon Web Services (AWS) — Cloud infrastructure, compute, storage, and managed services (including Amazon Cognito for authentication).
A complete and current list of sub-processors is available on request by emailing legal@apptego.com.
5.2 Legal requirements
We may disclose your information if required by law, regulation, subpoena, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of AppTego, our users, or the public.
5.3 Business transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6. International data transfers
The Service is operated from the United States. If you access the Service from outside the United States, your data — including personal data — will be transferred to, processed in, and stored in the United States and potentially other jurisdictions where our infrastructure providers operate.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following safeguards for international data transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors.
- AWS’s compliance with applicable data transfer frameworks, including EU–US data transfer mechanisms.
These jurisdictions may not provide the same level of data protection as your home jurisdiction. By using the Service, you acknowledge and consent to such transfers as necessary for the performance of the Service.
7. Data retention
| Data category | Retention period |
|---|---|
| Account information | Retained for the lifetime of your account, plus 30 days after deletion to allow for account recovery. |
| Application binaries | Automatically deleted from our processing infrastructure within 24 hours of protection delivery. |
| Build history and metadata | Retained for the lifetime of your account. |
| Usage data | Retained for up to 12 months in identifiable form, then aggregated or deleted. |
| Communications | Retained for up to 24 months after resolution, or longer if required for legal purposes. |
When your account is terminated, we will delete or anonymise your personal data within 90 days, except where retention is required by law.
8. Data security
We implement industry-standard technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. This includes notifying you and any applicable regulators in accordance with our legal obligations in the event of a data breach. This also includes:
- Encryption at rest (AES-256 via AWS-managed keys) and in transit (TLS 1.2 or higher; TLS 1.3 negotiated with supported clients).
- Role-based access controls and the principle of least privilege.
- Ephemeral, isolated build environments destroyed after each build.
- Internal security review and dependency vulnerability scanning.
- Multi-factor authentication required for production console access.
For full details on our security practices, see our Security page.
9. Your rights
9.1 Rights under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local laws:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data where there is no compelling reason to continue processing.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with your local data protection supervisory authority.
9.2 Rights under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: Request the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
9.3 How to exercise your rights
To exercise any of these rights, please submit a written request to legal@apptego.com. To help us respond efficiently, please include: (a) the email address associated with your account; (b) the right(s) you wish to exercise; and (c) any details that will help us locate the relevant data. We may need to verify your identity before fulfilling the request.
We will acknowledge receipt of your request within 10 business days and respond to verified requests within the timeframes required by applicable law — generally up to 30 days under the GDPR (extendable by a further 60 days for complex requests, with notice) and up to 45 days under the CCPA (similarly extendable).
You may also delete your account at any time through the dashboard. Deletion from active production systems is typically completed within 30 days of the request; full removal from operational backups, archives, and replicated logs may take up to an additional 60 days. Certain data may be retained longer where required by law (for example, billing records, tax records, and fraud-prevention logs).
10. Children’s privacy
The Service is not directed to individuals under the age of eighteen (18), or the age of legal majority in their jurisdiction if greater than eighteen. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us at legal@apptego.com and we will promptly delete it.
11. Automated decision-making
The Free plan does not employ automated decision-making or profiling that produces legal or similarly significant effects on you.
Applications protected by the Free plan may include security controls that automatically respond to detected threats on end-user devices (for example, blocking app functionality when a rooted or jailbroken device is detected). These responses are configured by you (the developer) through the dashboard and are executed locally on the end-user’s device. AppTego does not receive data about these events on the Free plan, and these responses are your responsibility as the app publisher.
12. Cookies
We use cookies and similar technologies to enhance your experience. For full details, please see our Cookie Policy.
13. Contact and data protection enquiries
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your data, please contact us:
- Email: legal@apptego.com
- Data protection enquiries: legal@apptego.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
14. Governing law and dispute resolution
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict of law principles. Any disputes arising out of or relating to this Privacy Policy are subject to the dispute-resolution provisions of our Terms of Service.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date below and, for material changes, notify you by email or through a notice on the Service. We encourage you to review this page periodically.
Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Service.
Version 2026.04 · Effective: 18 April 2026 · Owner: legal@apptego.com