Privacy Policy

Last updated: 2026-05-08

apASO is a native macOS app. This page describes what data the app touches, who sees it, and why. The short version: almost everything stays on your Mac.

What apASO stores on your Mac

• App Store and Google Play metadata you fetch (titles, descriptions, keywords, locales, releases) in a local SwiftData database inside the app's sandbox.
• Snapshots, activity logs, and rank-scan history, also locally.
• Credentials in your Mac's keychain: App Store Connect API key (.p8), Google Play service-account JSON, OpenRouter API key, apASO license key, license activation ID.
• UserDefaults entries for your preferences and a first-launch timestamp.

What apASO sends, and to whom

• Apple — App Store Connect API: requests you initiate (sync metadata, push edits, list releases). Authenticated with your own .p8 key. We never see this traffic.
• Google — Play Developer API: same model — requests you initiate, authenticated with your own service-account credentials.
• Apple iTunes Search API: anonymous keyword-rank lookups when you run a scan. No personally identifying data is sent.
• OpenRouter: when you use AI features (drafting, translation, keyword discovery), prompts and the relevant context fields are sent to the model you selected, using your own OpenRouter API key. apASO is not an intermediary — traffic goes directly from your Mac to OpenRouter.
• Lemon Squeezy: license-key validation and activation requests. The server sees your license key, an activation instance ID, and a per-Mac fingerprint derived from IOPlatformUUID. No personal information beyond what you supplied at checkout (email, billing details Lemon Squeezy collected as Merchant of Record).
• apASO update server: the app periodically checks for and downloads new versions from dl.apaso.app. The fetch carries your IP address and a user-agent containing your app version, and is logged by our static-host CDN as standard access logs.
• apASO config server: a tiny JSON kill-switch is fetched from config.apaso.app on launch. Same logging as above.

What we do not do

• No analytics SDK. No crash reporter SDK. No tracking pixel.
• No accounts on our side. The license key is the only identifier.
• No copy of your App Store metadata or keywords ever leaves your Mac unless you push it to Apple/Google or send it to OpenRouter for AI processing — both of which you initiate.

Data we get from Lemon Squeezy

Lemon Squeezy is the merchant of record for subscriptions. They handle checkout, billing, and tax compliance. Their privacy policy applies to that flow: https://www.lemonsqueezy.com/privacy. We can see, in our Lemon Squeezy dashboard, your order email and license-key activations — used only to support license issues you write to us about.

Third-party services in summary

• Apple App Store Connect API — when you connect your ASC key.
• Google Play Developer API — when you connect your Play credentials.
• OpenRouter — when you use AI features.
• Lemon Squeezy — for purchase and license validation.
• Cloudflare — hosts the website, downloads, update feed, and config endpoint. Standard CDN access logs.

Children

apASO is a tool for app developers and is not directed at children under 13.

Changes to this policy

If we change anything material we'll bump the date at the top and note the change.

Contact

Questions: hello@apaso.app.