1. WHO WE ARE (DATA CONTROLLER)

html2app.dev is the controller of personal data processed in connection with operating the Service (account, security, support, and service delivery).

Notice: reCAPTCHA Processing Update (Effective April 2, 2026): Google's role in processing reCAPTCHA data changes from data controller to data processor. This means Google will process reCAPTCHA data only on our behalf and solely for the purpose of providing the reCAPTCHA service (security and fraud prevention). This change enhances user privacy by ensuring reCAPTCHA data is not used for other Google services or advertising purposes.

2. INFORMATION WE COLLECT

• Account Data (Authentication): We offer two authentication methods depending on the service:
  • Capacitor Service (Legacy): Users sign in with GitHub OAuth. We store a hash of your GitHub account ID for authentication purposes.
  • Flutter Service (Current): Users can sign in using:
    • Firebase Authentication with email/password (protected by Google reCAPTCHA Enterprise)
    • GitHub social login
    • Google social login
    We store your provider ID, username, fullname, primary email address, and avatar URL to support full account features.
• Uploaded Content: Files you upload (e.g., ZIP files and related build inputs) are stored in Amazon S3 to provide the Service. These files may contain your app assets and configuration.
• Signing Credentials (If You Choose to Store Them): If you upload signing materials (e.g., Android keystore, iOS certificates/profiles), the Service stores them to enable automated signing, subject to your Terms of Service.
• Usage / Technical Data: We may process technical data such as IP address, user-agent, timestamps, request identifiers, and security-related events for fraud prevention, abuse mitigation, and service reliability (e.g., WAF events, rate limiting, error logs).

3. COOKIES AND LOCAL STORAGE

The Service uses cookies and local storage technologies. Currently, we only use Strictly Necessary technologies that are essential for the operation of the Service.

• Authentication (JWT): We use local storage and/or cookies to store a JSON Web Token (JWT) to keep you logged in and secure your session.
• Security & Anti-Spam: We use different security measures depending on the service:
  • Capacitor Service (Legacy): Protected by AWS WAF with CAPTCHA challenges. AWS WAF may set cookies (such as aws-waf-token) to verify legitimate requests and manage CAPTCHA challenges.
  • Flutter Service (Current): Email/password authentication is protected by Google reCAPTCHA Enterprise, which may set cookies to distinguish humans from bots and assess risk.
• Google reCAPTCHA: We use Google reCAPTCHA (including reCAPTCHA Enterprise) to protect authentication, newsletter signups, and other forms from spam and abuse. This may set cookies to distinguish humans from bots. Effective April 2, 2026, Google processes reCAPTCHA data as a data processor on our behalf, using the data only to provide the reCAPTCHA service (threat detection and fraud prevention) in accordance with the Google Cloud Data Processing Addendum.

Opt-out: Because these technologies are strictly necessary to provide the Service you requested, they do not require prior consent under applicable law (e.g., ePrivacy Directive). You can block them via your browser settings, but the Service will cease to function correctly (e.g., you will not be able to log in or pass security checks).

Future Analytics and Advertising: We do not currently use third-party analytics or advertising cookies (such as Google Analytics, Google Ads, or Facebook Pixel). However, we may integrate such services in the future to analyze usage and deliver advertising. If we do so, we will:

• Update this Privacy Policy to disclose the new services and their data processing practices
• Implement a cookie consent banner or preference center to allow you to opt-in or opt-out of non-essential cookies
• Ensure compliance with applicable laws (such as the ePrivacy Directive and GDPR) by obtaining your explicit consent before deploying analytics or advertising cookies
• Provide clear information about each service's data retention, sharing practices, and your rights

4. HOW WE USE INFORMATION

• Provide the Service: create and manage accounts, process builds, deliver outputs.
• Security: detect and prevent abuse, fraud, hacking attempts, and bot traffic.
• Reliability: monitor performance, troubleshoot errors, and maintain availability.
• Support: respond to requests and communicate about the Service.
• Compliance: comply with legal obligations, enforce Terms of Service, and protect rights and safety.

5. LEGAL BASES FOR PROCESSING

We process your personal data based on the following legal grounds under the GDPR (and similar frameworks):

6. SHARING AND DISCLOSURE (SUBPROCESSORS)

We do not sell your personal data. We may share data with service providers (subprocessors) to operate the Service:

• Amazon Web Services (AWS): We use AWS services such as CloudFront (content delivery), AWS WAF (security/CAPTCHA for Capacitor service), Amazon S3 (file storage), AWS Lambda (serverless compute), Amazon EC2 (virtual servers), and Amazon CloudWatch (logging and monitoring). We may also utilize other underlying AWS infrastructure services as necessary to operate the Service. Data processed by these services may include request metadata, system logs, and user-uploaded files.
• GitHub: Used for authentication (OAuth) in both Capacitor (legacy) and Flutter (current) services. GitHub processes authentication data under its own privacy terms.
• Firebase (Google Cloud): We use Firebase Authentication for the Flutter service to manage user sign-ins via email/password (protected by Google reCAPTCHA Enterprise), GitHub social login, and Google social login. Firebase may send transactional emails (such as password reset and email verification) on our behalf. This may involve processing identifiers from third-party providers or email addresses. Firebase's use of data is governed by the Google Privacy Policy.
• Google reCAPTCHA Enterprise: Used to protect email/password authentication in the Flutter service from automated abuse. Effective April 2, 2026, Google acts as a data processor for reCAPTCHA, processing data only as necessary to provide the reCAPTCHA service (threat detection and fraud prevention) in accordance with the Google Cloud Data Processing Addendum. reCAPTCHA may set cookies to assess risk and distinguish humans from bots.
• Microsoft Azure DevOps / Azure Pipelines: App compilation is performed using Azure Pipelines. This involves processing build inputs on Microsoft-hosted or self-hosted runners and may utilize underlying Azure infrastructure services required to execute the build process and produce artifacts.
• Paddle: We use Paddle.com as our authorized reseller and Merchant of Record (MoR) for all payments and subscriptions. When you make a purchase, your billing data is processed directly by Paddle. We do not store full credit card details. Paddle's use of your data is governed by their Privacy Policy.
• Brevo (formerly Sendinblue): We use Brevo to manage our email newsletters and transactional emails. If you subscribe to our newsletter, your email address will be transferred to Brevo for processing in accordance with their Terms of Use. Our forms served by Brevo may be protected by Google reCAPTCHA.
• Mailgun (EU): We use Mailgun (EU region) to send transactional emails such as account notifications, password resets, and service updates. Your email address and related transactional data are processed by Mailgun in accordance with their Privacy Policy.

We may also disclose information if required by law, to respond to lawful requests, or to protect the rights, property, and safety of the Service and others.

7. INTERNATIONAL TRANSFERS

Our infrastructure and subprocessors may process data in multiple countries. This can include transfers outside your country of residence. Where required by law, we rely on appropriate safeguards for such transfers (e.g., contractual protections with service providers).

8. DATA RETENTION

We retain personal data only as long as necessary for the purposes described in this policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

• Account Data: retained while your account is active and for a reasonable period afterward as needed for compliance and dispute resolution.
• Uploads / Build Inputs: retained as needed to provide the Service. Currently, builds are set to expire after 48 hours, but this period may be extended in the future.
• Signing Credentials: retention and deletion are governed by the Terms of Service. Currently, signing credentials are set to expire automatically after 1 year, though this period may be extended or shortened in the future. You are responsible for maintaining your own backups, as we cannot store them forever.
• Security Logs: retained for a limited period to investigate abuse and maintain security

9. SECURITY

We use reasonable technical and organizational measures designed to protect information. However, no system can be guaranteed 100% secure, and we cannot guarantee absolute security.

10. YOUR RIGHTS

Depending on your location and applicable law, you may have rights such as access, correction, deletion, and portability of your personal data, and the right to object to or restrict certain processing.

You can request these by contacting us using the information below. We may need to verify your identity before fulfilling requests.

11. CHILDREN'S PRIVACY

The Service is intended for use by adults only. You must be at least 18 years of age to use html2app.dev. We do not knowingly collect personal data from children under 18. If we learn that we have collected personal data from a child under 18, we will take steps to delete that information as quickly as possible.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

13. CONTACT

For privacy-related questions or requests, please contact us via:

• Public Discussions: GitHub Discussions
• Email: You can find the contact email on the developer's profile page: https://yandeu.github.io/