1. WHO WE ARE (DATA CONTROLLER)

html2app.dev is the controller of personal data processed in connection with operating the Service (account, security, support, and service delivery).

2. INFORMATION WE COLLECT

• Account Data (OAuth Login): Users currently sign in with GitHub or Firebase Authentication (which may include Google, Apple, or Email/Password). At present, we only store a hash of your provider account ID. In the future, to support full account features, we will collect and store your provider ID, username, fullname, primary email address, and avatar url.
• Uploaded Content: Files you upload (e.g., ZIP files and related build inputs) are stored in Amazon S3 to provide the Service. These files may contain your app assets and configuration.
• Signing Credentials (If You Choose to Store Them): If you upload signing materials (e.g., Android keystore, iOS certificates/profiles), the Service stores them to enable automated signing, subject to your Terms of Service.
• Usage / Technical Data: We may process technical data such as IP address, user-agent, timestamps, request identifiers, and security-related events for fraud prevention, abuse mitigation, and service reliability (e.g., WAF events, rate limiting, error logs).

3. COOKIES AND LOCAL STORAGE

The Service uses cookies and local storage technologies. Currently, we only use Strictly Necessary technologies that are essential for the operation of the Service.

• Authentication (JWT): We use local storage and/or cookies to store a JSON Web Token (JWT) to keep you logged in and secure your session.
• Security & Anti-Spam (AWS WAF): We use AWS WAF to protect against bots and malicious traffic. This service may set cookies (such as aws-waf-token) to verify that a request is legitimate and to manage CAPTCHA challenges.
• Google reCAPTCHA: We use Google reCAPTCHA to protect our newsletter signups and other forms from spam and abuse. This may set cookies to distinguish humans from bots. Use of reCAPTCHA is subject to the Google Privacy Policy and Terms of Service.

Opt-out: Because these technologies are strictly necessary to provide the Service you requested, they do not require prior consent under applicable law (e.g., ePrivacy Directive). You can block them via your browser settings, but the Service will cease to function correctly (e.g., you will not be able to log in or pass security checks).

Future Analytics and Advertising: We do not currently use third-party analytics or advertising cookies (such as Google Analytics, Google Ads, or Facebook Pixel). However, we may integrate such services in the future to analyze usage and deliver advertising. We will update this policy accordingly and provide appropriate choices (such as consent banners) as required by applicable laws.

4. HOW WE USE INFORMATION

• Provide the Service: create and manage accounts, process builds, deliver outputs.
• Security: detect and prevent abuse, fraud, hacking attempts, and bot traffic.
• Reliability: monitor performance, troubleshoot errors, and maintain availability.
• Support: respond to requests and communicate about the Service.
• Compliance: comply with legal obligations, enforce Terms of Service, and protect rights and safety.

5. LEGAL BASES FOR PROCESSING

We process your personal data based on the following legal grounds under the GDPR (and similar frameworks):

6. SHARING AND DISCLOSURE (SUBPROCESSORS)

We do not sell your personal data. We may share data with service providers (subprocessors) to operate the Service:

• Amazon Web Services (AWS): We use AWS services such as CloudFront (content delivery), AWS WAF (security/CAPTCHA), Amazon S3 (file storage), AWS Lambda (serverless compute), Amazon EC2 (virtual servers), and Amazon CloudWatch (logging and monitoring). We may also utilize other underlying AWS infrastructure services as necessary to operate the Service. Data processed by these services may include request metadata, system logs, and user-uploaded files.
• GitHub: Used for authentication (OAuth). GitHub processes authentication data under its own privacy terms.
• Firebase (Google Cloud): We use Firebase Authentication to manage user sign-ins. This may involve processing identifiers from third-party providers (like Google or Apple) or email addresses. Firebase's use of data is governed by the Google Privacy Policy.
• Microsoft Azure DevOps / Azure Pipelines: App compilation is performed using Azure Pipelines. This involves processing build inputs on Microsoft-hosted or self-hosted runners and may utilize underlying Azure infrastructure services required to execute the build process and produce artifacts.
• Paddle: We use Paddle.com as our authorized reseller and Merchant of Record (MoR) for all payments and subscriptions. When you make a purchase, your billing data is processed directly by Paddle. We do not store full credit card details. Paddle's use of your data is governed by their Privacy Policy.
• Brevo (formerly Sendinblue): We use Brevo to manage our email newsletters and transactional emails. If you subscribe to our newsletter, your email address will be transferred to Brevo for processing in accordance with their Terms of Use. Our forms served by Brevo may be protected by Google reCAPTCHA.

We may also disclose information if required by law, to respond to lawful requests, or to protect the rights, property, and safety of the Service and others.

7. INTERNATIONAL TRANSFERS

Our infrastructure and subprocessors may process data in multiple countries. This can include transfers outside your country of residence. Where required by law, we rely on appropriate safeguards for such transfers (e.g., contractual protections with service providers).

8. DATA RETENTION

We retain personal data only as long as necessary for the purposes described in this policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

• Account Data: retained while your account is active and for a reasonable period afterward as needed for compliance and dispute resolution.
• Uploads / Build Inputs: retained as needed to provide the Service. Currently, builds are set to expire after 48 hours, but this period may be extended in the future.
• Signing Credentials: retention and deletion are governed by the Terms of Service. Currently, signing credentials are set to expire automatically after 1 year, though this period may be extended or shortened in the future. You are responsible for maintaining your own backups, as we cannot store them forever.
• Security Logs: retained for a limited period to investigate abuse and maintain security

9. SECURITY

We use reasonable technical and organizational measures designed to protect information. However, no system can be guaranteed 100% secure, and we cannot guarantee absolute security.

10. YOUR RIGHTS

Depending on your location and applicable law, you may have rights such as access, correction, deletion, and portability of your personal data, and the right to object to or restrict certain processing.

You can request these by contacting us using the information below. We may need to verify your identity before fulfilling requests.

11. CHILDREN'S PRIVACY

The Service is intended for use by adults only. You must be at least 18 years of age to use html2app.dev. We do not knowingly collect personal data from children under 18. If we learn that we have collected personal data from a child under 18, we will take steps to delete that information as quickly as possible.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

13. CONTACT

For privacy-related questions or requests, please contact us via:

• Public Discussions: GitHub Discussions
• Email: You can find the contact email on the developer's profile page: https://yandeu.github.io/