Privacy Policy

Last updated: October 14, 2025

1. Introduction

App2dev Ltd. ("App2," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered development platform at app2.dev (the "Services").

We comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland, and the California Consumer Privacy Act (CCPA) for California residents.

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

We collect several types of information from and about users of our Services:

Personal Information

  • Identifiers: Name, email address, username, phone number (if provided)
  • Account Credentials: Password (encrypted), authentication tokens
  • Billing Information: Payment method details processed securely through Stripe (we do not store full credit card numbers)
  • Payment History: Subscription details, credit purchases, invoices, transaction records
  • Profile Information: Avatar, bio, preferences, workspace settings

Usage and Project Data

  • Project Content: Code, files, designs, chat history, session data, and all content you create or upload
  • Credit Usage: Consumption patterns, operation types, AI model selection
  • Workspace Data: Team members, roles, shared projects, collaboration activity
  • Sandbox Activity: Code execution logs, resource usage, deployment operations
  • Chat Interactions: Prompts sent to AI, responses generated, chat mode selections, session organization
  • Integration Data: Connected services (GitHub, Vercel, Supabase, Figma, Stripe), repository information, deployment configurations

Technical Information

  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Usage Analytics: Pages visited, features used, time spent, click patterns, navigation paths
  • Performance Data: Error logs, crash reports, response times, API latency
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies (see Section 8)

Third-Party Integration Data

  • GitHub: Repository names, commit history, branch information, organization membership
  • Vercel: Deployment configurations, environment variables, custom domain settings
  • Supabase: Project connection details, database schema information (when you connect your own project)
  • Figma: Design file URLs, frame information, imported assets
  • BYOK API Keys: When using Bring Your Own Keys (Lifetime tier), we store encrypted API keys for OpenAI, Anthropic, or Google. Keys are never stored in plain text or accessible to App2 staff.

Information We Do NOT Collect

  • We do not collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data
  • We do not track your activity outside of our Services
  • We do not scan the content of your private GitHub repositories beyond what you explicitly connect to App2

3. Legal Bases for Processing (GDPR)

For users in the EEA, UK, and Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance: To provide the Services you've subscribed to, process payments, and deliver features
  • Legitimate Interests: To improve our Services, ensure security, prevent fraud, and analyze usage patterns
  • Consent: For marketing communications, optional features, and non-essential cookies (you can withdraw consent anytime)
  • Legal Obligations: To comply with tax, accounting, and legal requirements
  • Protection of Vital Interests: In rare cases, to protect the safety of individuals

4. How We Use Your Information

We use the information we collect to:

  • Provide and Operate the Services: Process your requests, generate code, manage projects, execute sandboxes, and deliver all platform features
  • AI Code Generation: Send your prompts and project context to AI models (Claude, OpenAI, Gemini) to generate code responses
  • Billing and Credits: Track credit consumption, process payments, manage subscriptions, generate invoices
  • Team Collaboration: Enable workspace sharing, manage member permissions, track team usage
  • Integration Management: Connect and sync with third-party services (GitHub, Vercel, Supabase, Figma, Stripe)
  • Security and Fraud Prevention: Monitor for suspicious activity, prevent abuse, protect user data, enforce Terms of Service
  • Service Improvement: Analyze usage patterns, identify bugs, optimize performance, develop new features
  • Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
  • Communications: Send service updates, security alerts, product announcements, and (with consent) marketing emails
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes

5. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following circumstances:

Infrastructure Service Providers

We rely on trusted third-party providers to operate our Services:

  • Supabase: Database, authentication, storage, and edge functions. Supabase processes your project data, account information, and user content.
  • Vercel: Deployment infrastructure for hosting and preview URLs. Vercel processes deployment configurations and code.
  • Daytona: Sandbox environments for secure code execution. Daytona processes your code and project files temporarily.
  • Upstash: Rate limiting and caching infrastructure. Upstash processes minimal data for performance optimization.
  • Stripe: Payment processing for subscriptions and credit purchases. Stripe processes your billing information securely.
  • Postmark: Transactional email delivery for account notifications, security alerts, and service updates.

AI Model Providers

  • OpenAI, Anthropic, Google: We send your prompts, code context, and project information to AI models to generate code responses. Each provider has its own privacy policy and data handling practices.
  • BYOK (Bring Your Own Keys): When you use your own API keys, your data is sent directly to your chosen AI provider. We facilitate the connection, but the data relationship is between you and the AI provider.

User-Initiated Integrations

When you connect third-party services, we share data necessary for integration:

  • GitHub: Code, commits, repository metadata for synchronization
  • Vercel: Code, environment variables, deployment configurations
  • Supabase: Schema information when connecting your own project
  • Figma: Design file data for import and conversion
  • Stripe: Payment implementation data when building payment features

Workspace Team Members

When you create or join a workspace, project data, chat history, credit usage, and collaboration activity are shared with workspace members according to their roles and permissions.

Public Projects

If you make a project public, its code, preview URL, and metadata are visible to anyone on the internet and displayed in our community showcase. Anyone can view and fork public projects.

Legal Disclosures

We may disclose your information when required by law or to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service and investigate violations
  • Protect our rights, property, or safety, or that of our users
  • Prevent fraud, security threats, or illegal activity
  • Respond to emergency situations involving safety threats

Business Transfers

If App2 is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

App2 operates globally and processes data in the United States. If you are located outside the United States, your information may be transferred to, stored, and processed in the United States or other countries.

For users in the EEA, UK, and Switzerland, we ensure appropriate safeguards for international data transfers:

  • EU-US Data Privacy Framework: We participate in and comply with the EU-US Data Privacy Framework
  • Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with service providers
  • UK and Swiss Addendums: We implement the required addendums for UK and Swiss data transfers
  • Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Rights for All Users

  • Access: Request copies of your personal data, including credit usage history and project information
  • Correction: Update or correct inaccurate information in your account settings
  • Deletion: Request deletion of your account and personal data (some data may be retained for legal compliance)
  • Data Portability: Export your projects, code, and data in machine-readable formats
  • Opt-Out of Marketing: Unsubscribe from promotional emails (you'll still receive essential service communications)

Additional Rights (GDPR - EEA, UK, Switzerland)

  • Object to Processing: Object to processing based on legitimate interests
  • Restrict Processing: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent for processing based on consent (doesn't affect lawfulness of processing before withdrawal)
  • Lodge a Complaint: File a complaint with your local data protection authority
  • Automated Decision-Making: Object to decisions based solely on automated processing (we don't make significant decisions this way)

Additional Rights (CCPA - California Residents)

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information (with certain exceptions)
  • Right to Opt-Out: We do not sell personal information, but you can opt out of data sharing for targeted advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@app2.dev. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use personal information about you. A cookie is a small file stored on your device.

Types of Cookies We Use

Strictly Necessary Cookies:

  • Essential for authentication and security
  • Enable core functionality of the Services
  • Cannot be disabled without breaking the platform
  • Examples: Session cookies, security tokens, CSRF protection

Analytics and Performance Cookies:

  • Help us understand how users interact with our Services
  • Track errors, crashes, and performance issues
  • Anonymized and aggregated data
  • Examples: Google Analytics, Sentry error tracking

Functional Cookies:

  • Remember your preferences and settings
  • Enable enhanced features and personalization
  • Examples: Workspace selection, theme preferences, UI settings

Marketing Cookies:

  • Optional cookies for marketing and advertising purposes
  • Can be disabled through cookie preferences
  • May be used for retargeting and conversion tracking

Managing Cookie Preferences

You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, blocking strictly necessary cookies may prevent you from using our Services. To opt out of analytics cookies, you can use browser extensions or privacy tools.

9. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

Technical Security Measures

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
  • Encryption at Rest: Sensitive data is encrypted in our databases using industry-standard encryption
  • Row Level Security (RLS): Implemented in Supabase to ensure users can only access their own data
  • API Key Encryption: BYOK API keys are encrypted at rest and never stored in plain text
  • Secure Authentication: Password hashing with bcrypt, secure session management, optional two-factor authentication
  • Sandbox Isolation: Code executes in isolated environments (Daytona) preventing cross-contamination

Operational Security Measures

  • Access Controls: Role-based access controls limiting employee access to user data
  • Security Audits: Regular security assessments and penetration testing
  • Incident Response: Dedicated team and procedures for security incidents
  • Monitoring: 24/7 monitoring for suspicious activity and potential threats
  • Data Backup: Regular encrypted backups with secure storage

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to enhance our security practices.

10. Data Retention

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy.

Active Accounts

  • Account Data: Retained while your account is active
  • Projects and Code: Retained indefinitely while account is active
  • Chat History: Retained to provide context for future interactions
  • Credit Usage Logs: Retained for billing and compliance purposes (minimum 7 years for tax compliance)
  • Analytics Data: Anonymized and aggregated data may be retained indefinitely

Deleted Accounts

  • Personal Data: Deleted within 90 days of account termination
  • Anonymized Analytics: May be retained for service improvement
  • Legal/Compliance Data: Billing records and tax information retained as required by law (typically 7 years)
  • GitHub Repositories: Remain on GitHub under your ownership (not deleted by App2)
  • Backup Systems: Data in backups may persist for up to 30 days after deletion

Retention for Legal Purposes

We may retain certain information beyond standard retention periods when required for legal compliance, dispute resolution, contract enforcement, or as necessary to protect our rights and interests.

11. Third-Party Services and Links

Our Services integrate with and link to third-party websites and services. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of these services.

Third-Party Privacy Policies

Please review the privacy policies of our key partners:

12. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@app2.dev. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.

13. Your Choices and Controls

You have several choices regarding your information:

Account and Profile Settings

  • Update your profile information, email, and preferences anytime
  • Change your password or enable two-factor authentication
  • Manage workspace settings and team member permissions

Project Privacy

  • Toggle projects between public and private (Pro tier required for private)
  • Control who can view and fork your projects
  • Delete projects you no longer need

Integration Controls

  • Connect or disconnect integrations anytime
  • Revoke App2's access to GitHub, Vercel, Supabase, or Figma
  • Manage BYOK API keys (Lifetime tier)

Email Communication Preferences

  • Unsubscribe from marketing emails via the link in any marketing message
  • You'll continue to receive essential service communications (billing, security alerts)
  • Manage notification preferences in account settings

Account Deletion

  • Delete your account anytime through account settings
  • Your personal data will be deleted within 90 days
  • GitHub repositories remain under your GitHub account ownership
  • Some data may be retained for legal compliance

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email to your registered email address
  • Display a prominent notice on our website or within the Services
  • Provide at least 30 days' notice before material changes take effect

Your continued use of our Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using our Services and may delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Privacy Email: privacy@app2.dev
  • General Support: hello@app2.dev
  • Mailing Address: App2dev Ltd., 4 Crown Pl, Liverpool Street, London, EC2A 4BT, United Kingdom

Response Time: We strive to respond to all privacy inquiries within 30 days. For urgent security matters, please mark your email as "URGENT" in the subject line.

EU Representative: If you are located in the European Economic Area and have concerns about our data practices, you may also contact your local data protection authority.

This Privacy Policy is effective as of October 14, 2025.

By using App2, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.