AppSprint dashboard overview

Privacy Policy

Effective Date: May 21, 2026

1. Introduction

This Privacy Policy describes how Tap & Swipe ("we", "us", "our") collects, uses, and protects information when you use AppSprint ("Service"), including our SDK, dashboard, API, signal links, and integrations.

AppSprint is mobile measurement infrastructure for app developers. For End-User Data, AppSprint acts as a data processor or service provider on behalf of our clients. Our clients (app developers) are the data controllers or businesses that decide why and how End-User Data is collected, which AppSprint features are enabled, which events are sent, and which integrations are configured.

AppSprint is not an ad network, data broker, or cross-app advertising network. We do not sell End-User Data, build cross-client end-user profiles, use End-User Data for AppSprint's own advertising or retargeting, or independently decide to share End-User Data with ad networks.

For clarity, this Policy distinguishes between Client Data (information about account holders and their apps) and End-User Data (device, click, install, event, and attribution data processed on behalf of our clients).

2. Data We Collect

2.1 Client Data (Account Holders)

When you create an account and use the dashboard, we collect:

  • Account information: Name and email address (via Google OAuth)
  • Company information: App name, bundle identifiers, and platform details
  • Billing information: Processed and stored by Whop (we store your Whop membership ID and subscription status only)
  • Dashboard usage data: Pages visited, features used, and session data for improving the Service

2.2 End-User Data (Collected via SDK)

When a client integrates our SDK into their mobile app, the SDK may collect device and attribution-related data from the app's end users, under the client's control, as necessary to provide the AppSprint features the client uses. This can include advertising identifiers when available and consented, app install identifiers, IP address, user agent, device model, operating system, app version, locale, timezone, screen size, device scale, coarse network/carrier attributes, and device capability signals used for click-to-install matching.

2.3 Signal Link Click Data

When an end user clicks a signal link or TikTok App Profile, we collect data necessary to match clicks to subsequent app installs for attribution, including request metadata and browser-side signals such as screen size, locale, timezone, and WebGL renderer when available.

2.4 Google OAuth and Google Ads Data

When a client connects Google Ads to AppSprint, Google asks the client to authorize AppSprint through OAuth. AppSprint requests the Google Ads API scope https://www.googleapis.com/auth/adwords so the client can use Google Ads reporting and offline conversion upload features inside AppSprint.

Depending on how the client configures the integration, we may collect or process the following Google user data and Google Ads account data on the client's behalf:

  • Google account data: The Google account identity needed to complete OAuth authorization and confirm that the client granted access
  • Google Ads account data: Accessible customer account identifiers, the configured Google Ads Customer ID, optional Manager Account ID, account status, and related account metadata needed to connect the correct advertiser account
  • Google Ads reporting data: Campaign, ad group, ad, click, cost, impression, conversion, and revenue metrics returned by the Google Ads API for dashboard reporting
  • Google Ads conversion action data: Conversion action identifiers, names, categories, and status used so clients can map AppSprint events to the correct Google Ads conversion actions
  • OAuth tokens: OAuth access tokens and encrypted refresh tokens used to keep the client-configured Google Ads integration connected until the client disconnects it or Google revokes access
  • Upload and API logs: Request identifiers, error codes, retry status, and delivery results for Google Ads offline conversion uploads

We use Google user data only to provide and maintain the Google Ads features requested by the client: connecting the client's Google Ads account, showing Google Ads reporting in the AppSprint dashboard, discovering eligible conversion actions, and uploading client-configured click-based offline conversions when AppSprint has captured a Google click identifier such as gclid, gbraid, or wbraid.

We do not sell Google user data. We do not use Google user data for advertising, retargeting, interest-based profiling, credit decisions, data brokerage, or training AI models. We do not transfer Google user data to third parties except as necessary to provide the AppSprint service, comply with law, protect security, or process data through our infrastructure providers described in this Policy. When clients configure Google Ads conversion uploads, AppSprint sends the configured conversion data back to Google Ads for the client's own Google Ads account.

Google Ads OAuth refresh tokens are encrypted before storage. Clients can disconnect Google Ads from the AppSprint dashboard at any time, which stops new Google Ads API access and removes the stored refresh token from AppSprint. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. How We Use Data

We use data only to provide, secure, maintain, and improve the Service for our clients. For End-User Data, we process data under the client's instructions for the following purposes:

  1. Attribution matching: Matching ad clicks to app installs and in-app events to marketing Signal Campaigns
  2. Analytics dashboards: Displaying attribution data, Signal Campaign performance, and conversion metrics to clients in the dashboard
  3. Client-configured integrations: Sending selected attribution, event, or conversion data to ad networks and revenue platforms only when configured by the client
  4. Billing: Processing payments and managing subscriptions via Whop
  5. Security and reliability: Preventing abuse, debugging issues, maintaining uptime, and protecting the Service
  6. Service improvement: Analyzing aggregated or anonymized usage patterns to improve the Service
  7. Communication: Sending account-related notifications (billing, service updates, security alerts)

We do not sell End-User Data to third parties. We do not combine End-User Data from one client with End-User Data from another client to create cross-client profiles. We do not use End-User Data for AppSprint's own advertising, retargeting, lookalike modeling, or interest-based profiling.

4. Data Sharing

4.1 Ad Networks (Client-Configured)

Ad network integrations are disabled unless a client explicitly sets up and enables them. When a client configures an ad network integration, AppSprint sends selected attribution, install, event, or conversion data to the respective ad network at the client's direction, for the client's own advertising account or campaign measurement. Supported networks include:

  • Apple Search Ads
  • TikTok Ads
  • Meta Ads
  • Google Ads

No End-User Data is sent to ad networks unless the client explicitly configures the integration. The client is responsible for ensuring that their use of each ad network integration is allowed by applicable law, their own privacy disclosures, app store rules, and the ad network's terms.

4.2 Revenue Platforms (Client-Configured)

When configured by the client, we exchange data with revenue platforms such as RevenueCat and Superwall for revenue attribution. These integrations operate only for the client's app and only under the client's configuration.

4.3 Infrastructure Providers

We use Cloudflare for hosting, security, and infrastructure services. We use Neon Postgres as our managed database provider for AppSprint product, account, attribution, and analytics data. These providers process data on our behalf under their respective data processing terms.

4.4 Payment Processor

Whop processes all payment information. See Whop's privacy policy.

4.5 Email

We use self-hosted Plunk with Amazon SES for transactional email delivery (account notifications, billing alerts).

4.6 Legal Requirements

We may disclose data when required by law, regulation, legal process, or governmental request, or when necessary to protect the rights, safety, security, or integrity of AppSprint, our clients, end users, or others.

4.7 Business Transfers

If Tap & Swipe or AppSprint is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, Client Data and End-User Data may be transferred to the successor or acquiring entity as part of that transaction. We will require any successor to protect the data consistently with this Policy and applicable law, and we will notify clients if a transaction materially changes how data is processed.

5. Data Processor Role

AppSprint operates as a data processor under GDPR and as a service provider or processor under similar privacy laws:

  • Our clients (app developers who integrate the SDK) are the data controllers. They determine the purposes and means of processing End-User Data
  • AppSprint processes End-User Data solely on behalf of and under the instructions of our clients
  • Clients are responsible for obtaining appropriate legal basis, consent, notices, platform permissions, and app store disclosures for data collection and integration use
  • We process End-User Data only as necessary to provide the measurement, attribution, analytics, and integration features requested by the client
  • We do not independently monetize, sell, or repurpose End-User Data outside the client-directed Service

For details on our data processing practices and to request a Data Processing Agreement (DPA), contact us at arthur@appsprint.app.

6. Data Retention

  • Active accounts: Client Data and attribution data are retained for the duration of the active account
  • Account termination: Data is retained for a 90-day grace period after termination, during which clients may request data export. After 90 days, all Client Data is permanently deleted
  • Billing records: Retained for 5-10 years as required by French tax and accounting regulations
  • Click data: Raw click data used for attribution matching is retained for 30 days
  • Aggregated analytics: Anonymized, aggregated data may be retained indefinitely
  • Backups and logs: Deleted data may remain in encrypted backups or security logs for a limited period until those backups or logs rotate, unless longer retention is required by law

7. Opt-Out Mechanisms

End users can limit data collection through:

  • iOS App Tracking Transparency (ATT): The SDK respects ATT. When an end user denies tracking, the IDFA is not collected
  • Android Advertising ID: End users can reset or opt out of their advertising ID in device settings
  • SDK Configuration: Clients can configure the SDK to disable specific data collection features
  • Client deletion or suppression requests: Clients can ask us to delete, suppress, or export End-User Data when needed to honor a valid privacy request

Clients are responsible for deciding whether and when they must request ATT permission, show consent prompts, or update App Store and Google Play privacy disclosures for their specific use of AppSprint and any client-configured integrations.

8. Children

AppSprint does not knowingly collect data from children under the age of 13 (or 16 in the EU).

Our clients are prohibited from integrating the AppSprint SDK into apps that are directed at children (see our Terms of Service). If we become aware that a client is using our SDK in a child-directed app, we will terminate their access and delete the associated data.

If you believe we have inadvertently collected data from a child, please contact us immediately at arthur@appsprint.app.

9. Data Security

We implement appropriate technical and organizational measures to protect data:

  • All data in transit is encrypted using HTTPS/TLS
  • Data at rest is protected by provider-managed database and storage encryption where supported
  • Infrastructure is hosted on Cloudflare and Neon with industry-standard security controls
  • Access to production systems is restricted to authorized personnel with multi-factor authentication
  • API keys are hashed before storage. We never store plaintext API keys
  • Regular security reviews of our codebase and infrastructure

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable steps to protect your data.

10. International Transfers

Data may be processed in the following regions:

  • Cloudflare (global network): Hosting, security, and infrastructure services
  • Neon (US): Managed Postgres database hosting for AppSprint product data

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Your Rights (GDPR)

For Clients (Account Holders)

As a client, you have the following rights regarding your personal data:

  • Right of access (Article 15): Request a copy of the personal data we hold about you
  • Right to rectification (Article 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Article 17): Request deletion of your personal data
  • Right to restriction (Article 18): Request that we limit how we use your data
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format
  • Right to object (Article 21): Object to processing based on legitimate interests
  • Right to lodge a complaint: File a complaint with the CNIL or your local supervisory authority

To exercise any of these rights, contact us at arthur@appsprint.app with "GDPR Request" in the subject line.

For End Users

If you are an end user of an app that uses AppSprint, your data is controlled by the app developer. To exercise your GDPR rights, please contact the app developer directly. As a data processor, we will assist the app developer in fulfilling your request.

Data Protection Authority

For users in France, the supervisory authority is:

CNIL (Commission Nationale de l'Informatique et des Libertés)

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Effective Date" above
  • Notifying clients via email for material changes

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: arthur@appsprint.app
Entity: Tap & Swipe
Service: AppSprint
Location: France

By using AppSprint, you acknowledge that you have read and understood this Privacy Policy.