Privacy Policy

Last updated: 3 July 2026

This policy explains what data AppsCyborg collects, why, how long it stays, and who it is shared with. AppsCyborg is a paid file-conversion service. There are no ads and no third-party trackers on the site.

Who runs AppsCyborg

AppsCyborg is operated by the company running the domain appscyborg.com. Contact: info@appscyborg.com. For data-protection questions specifically, the same address is monitored.

Data we collect

Account data

  • Email address and password hash when you register with email.
  • Google or Microsoft account identifier when you sign in with OAuth (the provider hands us a stable subject ID plus your email; we never receive your OAuth password).
  • Account timestamps: created_at, last_login_at, valid_till (subscription expiry).

Payment data

  • Payment records: transaction ID, plan (day pass / yearly / lifetime), price, timestamp, invoice number.
  • Country for VAT/tax purposes (from your IP at payment time, via a MaxMind GeoLite2 lookup — the IP itself is not stored).
  • We do NOT store card numbers, CVV, or bank details. Payments are processed by Stripe and PayPal. Their privacy policies apply to the payment step.

Usage data

  • Tool usage events: which tool you used (e.g. /video-cyborg), timestamp, outcome (accepted / auth-blocked / paywall-blocked / error). Tied to your account ID.
  • Anonymous visitor tracking: a daily-rotating hash (HMAC of IP + user-agent under a salt that rotates every 24 hours) counts unique daily visitors without linking you across days. Raw IPs are not persisted for this.

Attribution data

  • First-touch attribution cookie named _ft: a 30-day HMAC-signed cookie set on your first visit. It records the landing page path, UTM parameters, and the host portion of your referrer (not the full URL). Used to attribute new signups to acquisition channels. Cleared automatically after 30 days.
  • At signup, the cookie values above are copied to your account as fixed acquisition metadata (utm_source, utm_campaign, first_landing_page, first_referrer_host).

Communication data

  • Email send/click timestamps per campaign (cart-abandon, day-pass upsell, expired reminder, onboarding, winback, engage, yearly renewal). Per-campaign opt-out flags. A global marketing-email opt-out flag.
  • Session cookie to keep you logged in — a Redis-backed session ID, no personal data inside.

Legal basis for processing (EU/UK GDPR)

  • Contract: account, payment, and service-delivery data are processed to fulfil the paid subscription contract with you.
  • Legitimate interest: usage counts, first-touch attribution, and lifecycle emails to active subscribers — narrowly scoped to running the service, measurable via the per-campaign opt-outs.
  • Consent: marketing emails (all opt-in by default at signup, opt-out at any time via one-click unsubscribe in every email footer, or via the preferences page linked from every email).
  • Legal obligation: invoice retention for tax law compliance.

How long we keep it

  • Account data: kept while your account is active, plus 30 days after account deletion (grace period for reversal).
  • Invoice records: kept 10 years for tax-law compliance in the EU.
  • Tool usage events: kept 90 days for operational analytics, then aggregated (per-day totals only) and the row-level records are deleted.
  • Visitor tracking hashes: kept 90 days for the visitor→signup conversion dashboard, then deleted.
  • Email send/click timestamps: kept while the account exists, used for the send-once-per-user gates.
  • _ft attribution cookie: 30 days rolling.
  • Session cookies: expire when your session does or when you log out.

Who we share data with

We do not sell your data. The following processors receive the minimum data needed to run the service:

  • Stripe and PayPal — payment processing (card and bank details go directly to them, never to us).
  • Our SMTP provider — outbound email delivery (recipient email, subject, message body).
  • Google and Microsoft — only if you choose to sign in via OAuth. The provider learns you are using AppsCyborg; we learn your email and stable subject ID.
  • Our hosting and database provider — the servers that run the application store the data listed above.
  • MaxMind — the GeoLite2 country database is queried in-memory to determine your country at payment time. The lookup is a local database read; MaxMind does not receive your IP.

Non-processor disclosure only occurs where required by law (court order, regulatory investigation, or to protect the rights and safety of AppsCyborg or others).

Cookies

  • _ft — first-touch attribution, HMAC-signed, 30-day expiry, path=/, HttpOnly. Legitimate interest.
  • Session cookie — keeps you logged in, HttpOnly, expires on logout.
  • CSRF token cookie — anti-forgery protection on form submissions, HttpOnly.
  • No third-party cookies. No advertising cookies. No analytics beacons.

Your rights (EU/UK)

You can, at any time:

  • Access your data — email info@appscyborg.com and we will send a machine-readable export within 30 days.
  • Correct or update your data — most fields are self-service inside your account settings.
  • Delete your data — email us or use the account-deletion option in your account settings. Invoice records are retained 10 years for tax compliance; everything else is erased.
  • Object to marketing emails — one-click unsubscribe in every email footer, or manage granular opt-outs via the preferences page linked from every email.
  • Portability — request a JSON export of your account, invoices, and tool-usage records.
  • Complain to a data-protection authority (in France, the CNIL; in the UK, the ICO; elsewhere the equivalent).

Data location

Servers are located in the European Union. Sub-processors (Stripe, PayPal, OAuth providers, MaxMind, our SMTP provider) may transfer data outside the EU under standard contractual clauses.

Security

All connections to appscyborg.com use HTTPS. Passwords are stored as bcrypt hashes; we never see or store your plain-text password. OAuth-only accounts have no password stored at all. The _ft attribution cookie and email tokens are HMAC-signed with a server-side secret so they cannot be forged. Access to the production database is restricted to authorised administrators. Payment card data never touches our infrastructure.

Children

AppsCyborg is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you are a parent or guardian and believe your child has created an account, contact info@appscyborg.com and we will delete the account.

Changes to this policy

Material changes will be announced by email to active subscribers at least 30 days before taking effect. Non-material changes (formatting, clarifications) will be posted here with an updated timestamp at the top of this page.

Contact

Data-protection questions, access requests, complaints, and every other privacy topic: info@appscyborg.com.