Your Data, Your Control

Privacy, Clearly Framed.

We care about your privacy. This page explains what data AppMockr collects, how it’s used, and how we protect it. No fluff, just clear, honest information.

1. Introduction and General Information


Welcome to AppMockr ("we," "us," "our"). The protection of your personal data is a top priority for us. This Privacy Policy explains what personal data we collect, how we process it, and for what purposes. We are committed to treating your personal data confidentially and in accordance with the statutory data protection regulations, in particular the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

This policy is designed to be transparent and easily understandable, avoiding unnecessary legal and technical jargon.

Responsible Party (Data Controller):

See the Legal Notice.

For any data protection-related inquiries, please contact us at: [email protected]


2. Legal Basis for Data Processing


We process your personal data based on the following legal grounds:

  • Performance of a Contract (Art. 6 para. 1 lit. b GDPR): The majority of our data processing is necessary for the fulfillment of our contract with you, which includes providing the AppMockr service, managing your user account, and processing your subscription.

  • Legitimate Interests (Art. 6 para. 1 lit. f GDPR): We process certain data to protect our legitimate interests, such as ensuring the security and stability of our platform, preventing abuse, and analyzing service usage for improvement purposes.

  • Legal Obligations (Art. 6 para. 1 lit. c GDPR): We are required to retain certain data for specific periods to comply with legal and regulatory obligations, such as commercial and tax laws.


3. Data We Collect and Process


We collect various types of personal data to provide and improve our service. This data is collected either directly from you or automatically through your use of the platform.


3.1. Data You Provide Directly


  • Account Data: When you register for an AppMockr account, we collect your email address and a hashed password (using bcrypt). We also store your unique User ID (UUID), account creation date, and the timestamp of your last login.

  • Subscription Data: If you subscribe to a paid plan, we process information related to your subscription, including the selected plan (Basic/Pro), the status of your subscription (active/canceled), and the start and end dates of the current billing period. Payment processing is handled by our partner, Stripe, which provides us with a Stripe Customer ID and a Stripe Subscription ID to manage your account.

  • User-Generated Content (Pro Plan): For users of the Pro plan, we store project-related data to enable features like project history and versioning. This includes uploaded screenshots, project configurations (device selection, backgrounds, settings), and any drawings made on the canvas.


3.2. Data We Collect Automatically


  • Anti-Abuse and Security Data: To protect our service from misuse and ensure its security, we collect certain data automatically. This includes:

    • IP Address: Your IP address is collected during registration and uploads to prevent abuse of our free plan limits.

    • Device Fingerprint: We generate a device fingerprint based on non-personally identifiable browser and device characteristics (e.g., screen resolution, timezone, language, platform, user-agent, CPU cores, device memory, canvas fingerprint, WebGL fingerprint) to identify unique devices for the purpose of enforcing usage limits on the free plan.

    • Usage Metrics: We track upload timestamps and maintain an upload counter for free users to enforce daily limits.

    • Behavioral Patterns: We may temporarily analyze mouse movements and click patterns to detect and prevent automated bots.

  • Analytics Data: We use Vercel Analytics and Vercel Speed Insights to gather anonymized data about our website's usage and performance. This includes page views and performance metrics. This data is aggregated, does not use cookies, and cannot be used to identify individual users.


4. Purpose of Data Processing (Why We Use Your Data)


We process your data for the following specific purposes:

  • To Provide and Maintain the Service: To operate the AppMockr platform, allow you to create mockups, manage your account, and access the features corresponding to your subscription plan.

  • To Process Payments: To manage subscriptions and process payments securely via our payment provider, Stripe.

  • To Ensure Security and Prevent Abuse: To protect our platform from fraudulent activities, spam, and circumvention of our service limitations.

  • To Communicate with You: To send you important information about your account, subscription, or changes to our services and policies.

  • To Comply with Legal Obligations: To meet our legal, tax, and regulatory requirements, particularly regarding data retention for business records.

  • To Improve Our Service: To analyze anonymized usage data to understand how our service is used, identify areas for improvement, and enhance the user experience.


5. Data Sharing and Third-Party Services


We do not sell your personal data. We only share your data with trusted third-party service providers who are essential for operating our service. We have entered into data processing agreements with these providers to ensure they handle your data securely and in compliance with data protection laws.

Our key third-party services are:

  • Supabase (Backend and Database): We use Supabase for our backend infrastructure, including user authentication (Supabase Auth) and database storage (Supabase PostgreSQL). All user account data and project data for Pro users are stored with Supabase. We have configured our Supabase instance to be located in an EU region to ensure compliance with GDPR.

  • Stripe (Payment Processing): All payments and subscription management are handled by Stripe. When you subscribe, your payment details (e.g., credit card number) are sent directly to Stripe. We do not store your full payment card information on our servers. Stripe is a PCI-DSS compliant provider.

  • Vercel (Hosting and Analytics): Our application is hosted on Vercel. Vercel also provides us with privacy-focused analytics (Vercel Analytics) and performance monitoring (Speed Insights), which do not use cookies and collect only anonymized, aggregated data. As part of its hosting function, Vercel may process IP addresses and other connection data.

  • ipify.org (IP Address Service): We use the ipify.org API to retrieve a user's IP address during registration and uploads for the sole purpose of our anti-abuse mechanisms.


6. International Data Transfers


Since some of our service providers (Vercel, Stripe) are based in the United States, your personal data may be transferred outside of Switzerland and the European Economic Area (EEA). To ensure your data is protected, we rely on the Swiss-U.S. and EU-U.S. Data Privacy Frameworks, under which both Vercel and Stripe are certified. These frameworks provide an adequate level of protection for personal data transferred to certified U.S. companies. Where necessary, we also rely on Standard Contractual Clauses (SCCs) to ensure data protection standards are met.


7. Data Security


We take the security of your data very seriously and implement appropriate technical and organizational measures to protect it from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS (SSL/TLS).

  • Password Hashing: User passwords are not stored in plain text but are securely hashed using the bcrypt algorithm.

  • Access Control: We use Supabase's Row-Level Security (RLS) to ensure that users can only access their own data. Access to our backend systems is strictly limited to authorized personnel.

  • Secure Authentication: User sessions are managed using secure JSON Web Tokens (JWTs).

  • Input Validation: We perform both client-side and server-side validation to protect against common security vulnerabilities.


8. Data Retention


We store your personal data only for as long as necessary for the purposes for which it was collected. The specific retention periods are as follows:

  • Account and Project Data: This data is retained as long as your account is active. Upon account deletion, this data is immediately and irretrievably deleted from our production systems.

  • Subscription and Payment Data: Data related to your subscription and payment history (e.g., invoices) must be retained for 10 years to comply with Swiss commercial and tax law obligations.

  • Anti-Abuse Data: IP addresses and upload timestamps for free users are retained for 30 days. Device fingerprints are retained for 90 days. This data is then automatically deleted.


9. Your Data Protection Rights


Under the FADP and GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at [[email protected]].

  • Right to Access (Art. 25 FADP / Art. 15 GDPR): You have the right to request information about the personal data we process about you.

  • Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data.

  • Right to Erasure ('Right to be Forgotten') (Art. 17 GDPR): You have the right to request the deletion of your personal data, provided there are no overriding legal obligations for us to retain it.

  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to request a restriction on the processing of your data under certain conditions.

  • Right to Data Portability (Art. 28 FADP / Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

  • Right to Object (Art. 21 GDPR): You have the right to object to the processing of your data that is based on our legitimate interests.

  • Right to Withdraw Consent (Art. 7 GDPR): If data processing is based on your consent, you can withdraw this consent at any time.

  • Right to Lodge a Complaint: You have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).


10. Cookies


We use only technically necessary cookies on our website. These are small text files that are stored in your browser and are required for the basic functionality of the AppMockr service, such as keeping you logged in during a session. We do not use any tracking, advertising, or third-party analytics cookies. You can configure your browser to block these cookies, but this may impair the functionality of the service.


11. Children's Privacy


Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.


12. Changes to this Privacy Policy


We may amend this Privacy Policy at any time to adapt it to new service features or changed legal requirements. The current version published on our website is the one that applies. We encourage you to review this policy regularly.
