GDPR Compliance
Last Updated: May 21, 2026
1. Our Commitment to GDPR
AppSprint is operated by Tap & Swipe, a company based in France. We are fully committed to complying with the General Data Protection Regulation (GDPR) and ensuring that all personal data is processed lawfully, fairly, and transparently.
This page describes how AppSprint handles data protection in the context of our mobile measurement infrastructure for app developers.
2. Data Roles
AppSprint as Data Processor
AppSprint acts as a data processor under GDPR. Our clients (app developers) integrate our SDK into their mobile apps, configure signal links and integrations, and use our dashboard to view measurement and attribution data.
- Data Controller: The app developer (our client) who determines why and how end-user data is collected and which AppSprint features are enabled
- Data Processor: AppSprint, which processes end-user data on behalf of the client to provide measurement, attribution, analytics, and client-configured integrations
What This Means
- Clients are responsible for having a valid legal basis for collecting end-user data
- Clients must inform their end users about data collection through their own privacy policies
- AppSprint processes data strictly according to our clients' instructions and for the purposes defined in our agreement
- We do not independently determine the purposes of end-user data processing
- AppSprint is not an ad network, data broker, or cross-app advertising network
- We do not sell end-user data, build cross-client user profiles, or use end-user data for AppSprint's own advertising or retargeting
3. Legal Basis for Processing
Client Data (Account Holders)
We process client personal data (name, email, billing information) under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service
- Legitimate interest (Article 6(1)(f)): Service improvement, security, and fraud prevention
End-User Data (via SDK)
As a data processor, we process end-user data under the legal basis established by the data controller (our client). Common legal bases used by our clients include:
- Consent (Article 6(1)(a)): End-user consent obtained through ATT prompts or consent management platforms
- Legitimate interest (Article 6(1)(f)): Marketing attribution as a legitimate business interest, with appropriate balancing tests performed by the client
It is the client's responsibility to ensure they have a valid legal basis for the data processing carried out through our SDK, signal links, API, dashboard, and any client-configured integrations. If a client enables an ad network or revenue platform integration, the client is instructing AppSprint to process and transmit selected data to that destination for the client's own account and purposes.
4. Data We Process
Through our SDK and platform, we process device and attribution-related data on behalf of our clients. This can include advertising identifiers when available and consented, IP address, user agent, device model, operating system, app version, locale, timezone, screen size, device scale, coarse network/carrier attributes, and other device capability signals needed to match ad clicks to installs. We do not collect names, email addresses, phone numbers, exact GPS location, contacts, photos, microphone data, or other directly identifying personal content about end users.
We do not combine end-user data across clients to create cross-app or cross-client profiles. End-user data is processed for the client whose app, signal link, workspace, or integration generated the data.
5. Sub-Processors
We use the following sub-processors to deliver the Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, security, and infrastructure services | Global |
| Neon | Managed Postgres database hosting for AppSprint product, account, attribution, and analytics data | US |
| Whop | Payment processing for client subscriptions | US |
| Google (OAuth) | Client authentication | US |
| Plunk / Amazon SES | Transactional email delivery | EU / US |
All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data. We will notify clients of any changes to our sub-processors.
Client-configured ad networks, app stores, analytics systems, and revenue platforms are not enabled by default. When a client enables a destination such as Apple Search Ads, TikTok Ads, Meta Ads, Google Ads, RevenueCat, or Superwall, AppSprint sends data to that destination only at the client's instruction and for the client's configured account. Those destinations process data under their own terms and privacy roles, and the client is responsible for the required notices, consents, ATT decisions, app store disclosures, and contractual permissions.
6. Data Subject Rights
How End Users Exercise Their Rights
Since AppSprint is a data processor, end users should exercise their GDPR rights by contacting the app developer (data controller) directly. The typical process is:
- End user contacts the app developer to exercise a right (access, erasure, etc.)
- App developer evaluates the request and contacts AppSprint if needed
- AppSprint assists the app developer in fulfilling the request (e.g., deleting the end user's data from our systems)
We are committed to assisting our clients in responding to data subject requests within the timeframes required by GDPR.
To help us locate relevant records, client requests should include the app identifier, the relevant AppSprint install or user identifier where available, any advertising identifier available with appropriate consent, the type of request, and the date the end user submitted the request. If an end user contacts us directly, we may redirect them to the app developer as the data controller unless we can safely verify the request and the controller relationship.
Rights of Our Clients
Clients (account holders) can exercise their GDPR rights directly with us by contacting arthur@appsprint.app. See our Privacy Policy for the full list of rights.
7. Data Processing Agreement
A formal Data Processing Agreement (DPA) is available on request for all clients. The DPA covers:
- Scope and purpose of processing
- Categories of data processed
- Duration of processing
- Obligations of both parties
- Sub-processor management
- Data breach notification procedures
- Assistance with data subject rights
- Data deletion upon termination
To request a DPA, contact us at arthur@appsprint.app.
8. SDK Privacy Controls
Our SDK is designed with privacy in mind:
- ATT Framework Support: On iOS, the SDK respects App Tracking Transparency
- Android Ad ID: The SDK respects the user's advertising ID preferences on Android
- Opt-Out Configuration: Clients can programmatically disable data collection for specific users
- Request Handling: Clients can ask us to delete, suppress, or export user-level data needed to honor valid GDPR rights requests
- Minimal Data Collection: The SDK collects attribution-focused device and network signals, avoids exact GPS and content data, and keeps optional identifiers consent-aware
- Client-Controlled Integrations: Ad network and revenue platform integrations operate only when configured by the client
Clients remain responsible for determining whether a specific use of AppSprint requires consent, ATT permission, or updated App Store / Google Play privacy disclosures.
9. Data Retention & Deletion
| Data Type | Retention Period |
|---|---|
| Attribution data (active account) | Duration of account |
| Attribution data (after termination) | 90-day grace period, then deleted |
| Raw click data | 30 days |
| Client account data | Duration of account + 90 days |
| Billing records | 5-10 years (French tax law) |
| Aggregated/anonymized data | Indefinite |
Clients can request data deletion at any time by contacting us. Upon receiving a valid deletion request, we will delete the data within 30 days.
10. Security Measures
We implement the following technical and organizational measures to protect personal data:
Technical Measures
- Encryption in transit (HTTPS/TLS for all communications)
- Provider-managed database and storage encryption where supported
- API key hashing (plaintext keys are never stored)
- Network isolation and firewall rules
- Regular security updates and patching
Organizational Measures
- Access to production systems restricted to authorized personnel
- Multi-factor authentication required for all infrastructure access
- Regular security reviews
- Incident response procedures
11. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we ensure GDPR-compliant safeguards:
- Cloudflare: Data may be processed through Cloudflare's global network and services. Transfers are covered by Cloudflare's Data Processing Addendum and Standard Contractual Clauses where applicable
- Neon: Product database data is hosted in a US region. Transfers are covered by Neon's Data Processing Addendum and Standard Contractual Clauses where applicable
- Whop: Transfers to the US are covered by SCCs and the EU-US Data Privacy Framework
- Google: OAuth data transfers are covered by SCCs and the EU-US Data Privacy Framework
- Plunk / Amazon SES: Transfers are covered by SCCs where applicable
12. Breach Notification
In the event of a personal data breach:
- We will notify affected clients without undue delay and no later than 72 hours after becoming aware of the breach
- Notification will include the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken
- Clients (as data controllers) are responsible for notifying their end users and the relevant supervisory authority as required by GDPR Articles 33 and 34
13. Contact
For any questions about our GDPR compliance or data protection practices:
Email: arthur@appsprint.app
Entity: Tap & Swipe
Location: France
For complaints, you may also contact the French data protection authority:
CNIL (Commission Nationale de l'Informatique et des Libertés)
- Website: https://www.cnil.fr/fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France