Privacy Policy

Last updated: April 29, 2026 · Effective immediately

Plain-English summary

ASOGrove is an iOS app store optimization tool. We collect the minimum data we need to deliver the features you signed up for. We do not sell your data, run ad tracking, or share data with brokers — ever.

We are based in Berlin, Germany 🇩🇪 and operate under the EU GDPR. This policy tells you what we collect, who else processes it on our behalf, and the rights you have over it.

1. Who we are (the controller)

ASOGrove is operated by Sunny T., Berlin, Germany.

Contact for any privacy matter: hello@asogrove.com. We aim to respond within 5 business days; under GDPR Art. 12(3) we will respond to formal requests within one month.

2. What we collect

Identity & account

  • Your email and a one-way password hash (Argon2id via Supabase Auth).
  • If you sign in via Google or Apple, the OAuth identifier and email from that provider.

Service data

  • Apps and keywords you choose to track (App Store public identifiers).
  • Reviews we fetch on your behalf from Apple's public RSS feed.
  • Apple Search Ads (ASA) private keys, only if you voluntarily connect your ASA account. Keys are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA-256) and decrypted only in worker memory for the duration of one API call.
  • Idea descriptions, project notes, and other text you type into ASOGrove. Free-text fields pass through a deterministic PII redactor before any third-party transfer (see §6).

Operational

  • Request logs and error traces for reliability — sanitized of PII before they reach our error tracker.
  • Stripe customer ID and billing email (Stripe holds the card details, not us).

What we never collect

  • Tracking cookies, third-party analytics SDKs, ad pixels.
  • Location, device fingerprints, or behavioral profiles.
  • Children's data — ASOGrove is not directed at users under 16.

3. Why we collect it (legal basis under GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — to provide the features you signed up for: rank tracking, keyword research, AI metadata generation, billing.
  • Legitimate interest (Art. 6(1)(f)) — operational logs for security and reliability. We balance this against your rights and store no behavioral profiles.
  • Consent (Art. 6(1)(a)) — for explicitly opt-in features like AI suggestions and Apple Search Ads connection. Withdrawable at any time without affecting your account.
  • Legal obligation (Art. 6(1)(c)) — invoice retention for German tax law (10 years).

4. Who else processes your data (sub-processors)

We use these third-party services strictly to deliver the product. Each is bound by a Data Processing Agreement under GDPR Art. 28, and we never share data beyond what each one needs.

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Auth + database | USA | DPA + SCCs (EU) |
| Render | Backend hosting | USA (Frankfurt EU optional) | DPA + SCCs |
| Vercel | Frontend hosting | USA | DPA + SCCs |
| Neon | Postgres database | USA | DPA + SCCs |
| Upstash | Cache + circuit-breaker state | USA | DPA + SCCs |
| Anthropic | AI text generation (verdict, PRD, metadata) | USA | DPA + SCCs + zero-retention header on every request |
| Google (Gemini) | AI text + vision (review clustering, OCR, scoring) | USA / EU | DPA + SCCs + Google Cloud privacy controls |
| Apple iTunes Search API | Public app store data only | USA | Public endpoint — no DPA needed |
| Apple Search Ads | Your own keyword data (only if you connect) | USA | You authorize via OAuth on your account |
| Stripe | Payments + billing | Ireland (EU) | DPA + SCCs |
| DeepL | Translation (only if used) | Germany (EU) | DPA |
| Sentry | Error tracking (operator opt-in) | USA | DPA + SCCs + PII scrubbed |
| Resend / Postmark | Transactional email | USA / EU | DPA + SCCs |

We will notify you by email at least 30 days before adding a new sub-processor in a category we don't already use. Adding redundant providers in a category we already use (e.g. a second cache provider) is operational and does not require notification.

5. International transfers

Some sub-processors are based in the United States. We rely on the EU Standard Contractual Clauses (SCCs) of June 2021 plus any additional provider-specific safeguards (e.g. Anthropic's zero-retention beta header, Google Cloud's customer-managed encryption keys where used).

You can request the SCCs we hold for any sub-processor by emailing hello@asogrove.com.

6. AI processing — what we send and what we don't

When you use AI features (verdict generation, market analysis, metadata variants, review clustering, etc.) we send a prompt to Anthropic or Google Gemini. Before any prompt leaves our servers, it passes through a deterministic redactor that strips:

  • Email addresses, phone numbers, postal addresses, IBANs, credit card numbers (Luhn-validated), JWTs, and opaque tokens.
  • Field-level denylist: passwords, ASA private keys, API keys, payment details — never injected even when present in upstream data.

Apple Search Ads data, when present, is never sent raw. Spend, impressions, conversion rates and other commercial signals are aggregated into bucketed values (low / medium / high) before any prompt assembly. The provider sees enough to make a recommendation, never enough to reconstruct your ad economics.

Anthropic and Google Gemini do not train on our API traffic per their enterprise terms. Anthropic requests carry a zero-retention header on every call. We retain AI prompt logs for at most 30 days for debugging.

7. Cookies and similar technologies

We use one strictly-necessary cookie — your session token — to keep you signed in. It is set on the .asogrove.com domain so the same login works across our subdomains.

We do not use analytics cookies, advertising cookies, or any third-party tracking. The cookie banner you see is a consent control, not a tracker.

8. Data retention

  • Account data — kept while your account is active. On deletion, removed within 30 days except where retention is required by law.
  • AI prompt logs — 30 days, for debugging.
  • Error traces — 90 days.
  • Invoices — 10 years (German tax law obligation).
  • Backups — rolling 30-day window, encrypted at rest.

9. Your rights under GDPR

You have the following rights at any time. Most are self-serve in Settings — others require an email to hello@asogrove.com:

  • Access (Art. 15) — download your data as a ZIP from Settings.
  • Portability (Art. 20) — the export is CSV + JSON, machine-readable.
  • Erasure (Art. 17) — delete your account from Settings; cascades to all your data within 30 days.
  • Rectification (Art. 16) — edit your details in Settings.
  • Restriction (Art. 18) — pause processing without deletion; email us.
  • Objection (Art. 21) — to any legitimate-interest processing; email us.
  • Withdraw consent — disconnect ASA, disable AI features, etc., in Settings.
  • Lodge a complaint — with a supervisory authority. For us, that's the Berlin data protection authority (BlnBDI): datenschutz-berlin.de.

10. Security

ASA private keys are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA-256). Encryption keys rotate daily with a 30-day overlap window. Passwords are hashed with Argon2id by Supabase Auth. All traffic is TLS 1.2+.

We log every read of sensitive data (ASA tokens, exports) to an audit log you can request a copy of from Settings → Privacy.

If a security incident affects your data, we will notify you within 72 hours of becoming aware (GDPR Art. 33 / 34 timing).

11. Children

ASOGrove is not directed to users under 16. We do not knowingly collect data from children. If you believe a minor has signed up, email us and we will delete the account.

12. Changes to this policy

Material changes are emailed to your registered address at least 30 days before taking effect. Non-material changes (e.g. fixing a typo, adding an operational note) are made silently with the "last updated" date refreshed. You can always see the current version on this page.

13. Contact

Privacy & data requests: hello@asogrove.com

General support: hello@asogrove.com

EU users may lodge complaints with their local data protection authority. For German users, that's the BlnBDI in Berlin.