Privacy Policy
AppDNA AI Privacy Policy
Version 2.3
Effective Date: 1st January 2026
AppDNA AI, Inc. ("AppDNA," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our cloud-based platform (the "Console"), our mobile software development kit (the "SDK"), our website at https://appdna.ai (the "Site"), and any related services, documentation, or APIs (collectively, the "Services").
This Privacy Policy applies to information we process as a Controller — that is, where we determine the purposes and means of processing personal information. It does not apply to information we process as a Processor on behalf of our customers (such as data processed via the SDK from end users of customer applications); that processing is governed by the AppDNA Data Processing Agreement (the "DPA") at https://appdna.ai/legal/dpa, and end users should consult the privacy policy of the application operator. See Section 2 ("Our Roles") for a detailed explanation.
By using the Services, you acknowledge that you have read and understood this Privacy Policy. Your use of the Services is governed by our Terms of Service at https://appdna.ai/legal/terms.
Summary
AppDNA is a B2B service. Our customers are app developers and operators. Most personal data we process flows through our customers’ use of the Services and is governed by our DPA, not this Privacy Policy.
When you visit our Site or use the Console as a customer’s authorized user, we process limited personal information about you (account, login, billing, support).
We do not sell or share personal information for cross-context behavioral advertising.
We do not transmit personal data of customer end users to AI sub-processors. Data sent to AI providers is anonymized and aggregated.
We host data primarily in the United States today and may add EU/EEA hosting in the future.
We retain personal information for as long as needed to provide the Services and as required by law (typically up to 24 months after account termination).
You have rights to access, correct, delete, port, and (where applicable) restrict or object to our processing of your personal information.
Table of Contents
1. Who This Policy Applies To
2. Our Roles: Controller vs. Processor
3. Personal Information We Collect
4. How We Use Personal Information
5. Legal Bases (EEA / UK / Switzerland)
6. AppDNA SDK — Data Processing Disclosure
7. AI and Machine Learning — No Personal Data Transmitted
8. Disclosure of Personal Information
9. Sub-Processors
10. International Data Transfers
11. Data Retention
12. Security
13. Cookies and Tracking Technologies
14. Your Privacy Rights
15. U.S. State Privacy Rights (CCPA/CPRA and Similar)
16. EEA, UK, and Swiss Rights
17. Other Regions (Canada, Australia, NZ)
18. Children’s Privacy
19. Automated Decision-Making
20. Changes to This Policy
21. Contact and Data Protection Officer
1. Who This Policy Applies To
This Privacy Policy applies to:
Visitors to our Site and individuals who interact with our marketing, sales, or support communications;
Authorized users of our customers (e.g., employees of an app developer who log in to the Console);
Individuals who apply for jobs at AppDNA or otherwise correspond with us; and
Other individuals whose personal information we process as a Controller.
This Privacy Policy does not apply to end users of customer applications whose data is processed via the SDK; that processing is governed by the customer’s privacy policy and the DPA between AppDNA and the customer.
2. Our Roles: Controller vs. Processor
Understanding AppDNA’s role is critical to understanding which document governs your data:
Scenario | AppDNA’s Role / Governing Document |
You visit https://appdna.ai or interact with us as a prospect, customer’s authorized user, applicant, or correspondent. | AppDNA acts as Controller. This Privacy Policy applies. |
You are a customer’s end user (e.g., you use a mobile app that has integrated the AppDNA SDK). | AppDNA acts as Processor on behalf of the customer (the Controller). The customer’s privacy policy applies. AppDNA’s processing of your data is governed by the DPA between AppDNA and the customer. Contact the operator of the application for end-user privacy questions. |
You are a customer of AppDNA seeking information about how AppDNA processes data on your behalf. | See the DPA. The DPA controls over this Privacy Policy on data-protection matters. |
This distinction matters because Controllers (the customer, in the case of end-user data) determine the purposes and means of processing and are primarily responsible for end-user disclosures and consents. AppDNA, as Processor, follows the customer’s documented instructions and the DPA.
3. Personal Information We Collect
When AppDNA acts as Controller, we collect the following categories of personal information:
3.1 Information You Provide Directly
Account information: name, business email, business phone, job title, company name, password (hashed).
Billing information: billing address, VAT/tax ID. Payment-instrument numbers and security codes are processed by Stripe and are not stored by AppDNA on its own systems.
Communications: content of emails, support tickets, sales calls (where recorded with consent), demo recordings (where recorded with consent), and forms you submit.
Application/job information: information you submit if you apply for a position with AppDNA.
3.2 Information Collected Automatically (Site and Console)
Device and connection data: IP address, browser type and version, operating system, device identifiers, referring URLs, language preferences, time zone.
Usage data: pages viewed, features used, dates and times of access, clicks, error reports, performance data.
Cookies and similar technologies: see Section 13.
Approximate location derived from IP address (city/country level). We do not collect precise GPS location from Site or Console visitors.
3.3 Information from Third-Party Sources
We may receive information about you from public business databases, social and professional networks, sales-intelligence providers, and referrals, where permitted by applicable law. This information helps us identify potential business contacts and improve our outreach. You may ask us to remove information obtained from third-party sources by contacting privacy@appdna.ai.
3.4 Sensitive Personal Information
We do not knowingly collect or process sensitive categories of personal information (such as racial or ethnic origin, religious beliefs, health data, biometric data, or precise geolocation) about Site or Console users. If we receive such information inadvertently, we will delete it.
4. How We Use Personal Information
We use personal information for the following purposes:
To provide, maintain, and improve the Services, including authenticating accounts, delivering Console functionality, and providing customer support.
To process payments and manage billing.
To communicate with you about the Services, send service announcements, respond to inquiries, and (where you have opted in or where permitted by law) send marketing communications about AppDNA products and features.
To personalize your experience with the Services and Site.
To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
To comply with legal obligations and enforce our agreements.
To recruit and evaluate job applicants.
To produce Aggregated Data (de-identified and aggregated such that no individual is identifiable) for service improvement, benchmarking, and product development. Aggregated Data is not personal information and is not subject to this Privacy Policy.
5. Legal Bases (EEA / UK / Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing your personal information under the GDPR, UK GDPR, and Swiss FADP are:
Performance of a contract: to provide the Services and fulfill our obligations to you (e.g., account administration, billing, support).
Legitimate interests: to operate, secure, and improve the Services; prevent fraud and abuse; communicate with prospects and customers; and conduct B2B marketing where permitted by law. Where we rely on legitimate interests, we have assessed that our interests are not overridden by your interests, rights, or freedoms.
Consent: where required, including for certain marketing communications and non-essential cookies. You can withdraw consent at any time.
Legal obligation: to comply with applicable law, court orders, or regulatory requirements.
Vital interests: to protect the vital interests of any individual in narrow circumstances.
6. AppDNA SDK — Data Processing Disclosure
When our customers integrate the AppDNA SDK into their applications, the SDK may process the following categories of data of those applications’ end users, on behalf of the customer:
Pseudonymous identifiers: hashed device identifiers, IDFA/AAID where customer has obtained appropriate consent, install identifiers, and user identifiers assigned by the customer.
In-app event and behavioral data: screen views, conversion events, paywall interactions, A/B-test variant assignments, retention signals.
Subscription and transaction metadata: subscription state, plan, currency, value. We do not collect or store payment-card numbers in the SDK.
Device and technical data: operating system, device model, app version, language, time zone.
Approximate geolocation derived from IP address. The SDK does not collect precise GPS location by default.
Consent signals provided by the customer or its consent-management platform.
AppDNA processes this data as a Processor on behalf of the customer (Controller). The customer is responsible for end-user disclosures and consents. Detailed processing terms are in the DPA. End users seeking information about how their data is handled in a specific application should contact the operator of that application.
The SDK is configured by default to avoid the collection of direct personal identifiers. However, depending on customer configuration, data the SDK processes may constitute personal data under applicable law and is treated as such by AppDNA.
7. AI and Machine Learning — No Personal Data Transmitted
AppDNA does not transmit personal data of customer end users to third-party AI providers. AppDNA uses third-party artificial intelligence and machine-learning services (including, as of the Effective Date, services from Anthropic, Google Cloud AI, and OpenAI) to support certain Service features such as growth-strategy generation, copy and creative drafting, content analysis, and recommendation insights.
What we send to AI providers. Data transmitted to AI providers consists of de-identified and aggregated inputs (such that no individual end user can be re-identified by reasonably available means) — such as patterns of in-app behavior, summary metrics, structural characteristics of paywalls or onboarding flows, and aggregated cohort data — from which no individual end user, identified customer, or specific Licensed Application can reasonably be re-identified.
What we do not send. We do not send to AI providers: (a) personal data of end users; (b) pseudonymous identifiers tied to end users; (c) raw event streams that could be linked back to identifiable individuals; (d) Customer Confidential Information that has not been de-identified; or (e) payment-related data.
Why this matters. This architectural choice is intentional. It (i) keeps AI usage outside the scope of GDPR/UK GDPR personal-data processing, (ii) limits cross-border data flows, (iii) reduces our customers’ sub-processor disclosure burden, and (iv) protects against the legal uncertainty surrounding AI-provider data handling.
AI providers used by AppDNA in a non-personal-data capacity are not Sub-Processors of customer Personal Data for purposes of the DPA, but are listed in our public sub-processor list (see Section 9) for transparency. AppDNA may from time to time add, remove, or replace AI providers; we will update this Privacy Policy and the sub-processor list accordingly.
AppDNA does not use Customer Data or Aggregated Data to train foundation models of third-party AI providers. Where AppDNA fine-tunes or evaluates AI features, it does so using de-identified data only.
AppDNA Knowledge Base / Retrieval-Augmented Generation (RAG). AppDNA maintains an internal knowledge base of growth strategies, patterns, benchmarks, and recommendations derived from operating the Services across customers (the "AppDNA Knowledge Base"). The AppDNA Knowledge Base contains only de-identified and aggregated information at the cohort level; it does not contain personal data of any individual end user, and individual end users cannot be re-identified from it by reasonably available means. The AppDNA Knowledge Base is operated solely on AppDNA infrastructure and is not made available to third-party AI providers; AppDNA may, however, query the Knowledge Base internally and supply de-identified, aggregated context to AI providers as part of generating recommendations for customers, in accordance with the framework described above. Use of customer end-user data to derive de-identified, aggregated insights of this kind is permitted under the "Aggregated Data" provisions of the Terms of Service, the Data Processing Agreement, and the SDK End User License Agreement.
8. Disclosure of Personal Information
We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose personal information in the following circumstances:
To Sub-Processors: third-party service providers acting on our behalf and under written contracts with appropriate data-protection terms (see Section 9).
To customers (where you are an Authorized User): to enable customer administrators to manage your account access.
For legal or safety reasons: to comply with applicable law, valid legal process, or government requests; to enforce our agreements; or to protect rights, property, or safety of AppDNA, our users, or others.
In a corporate transaction: to a successor or acquirer in connection with a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy. We will require the successor to honor this Privacy Policy.
With your consent: for any other purpose disclosed at the time of collection.
9. Sub-Processors
AppDNA engages third-party service providers ("Sub-Processors") to support the operation of the Services. Each Sub-Processor is engaged under a written contract with appropriate data-protection terms. AppDNA’s current Sub-Processors are listed below. AppDNA may add, remove, or replace Sub-Processors from time to time; for customers, AppDNA provides advance notice of such changes as set forth in the DPA, and customers have a right to object on reasonable data-protection grounds.
Sub-Processor | Function | Category | Location |
Google Cloud Platform (Google LLC) | Cloud infrastructure (compute, storage, networking) | Hosting / Infrastructure | United States |
Google Cloud Operations (Google LLC) | Application performance monitoring, logging, and error tracking | Operations / Monitoring | United States |
Upstash, Inc. | Managed Redis (in-memory data store) for session caching, rate limiting, and event queues | Caching / Infrastructure | United States |
Stripe, Inc. | Payment processing for customer billing | Payments | United States |
Resend, Inc. | Transactional email delivery | | United States |
Amazon SES (Amazon Web Services, Inc.) | Transactional email delivery (backup/secondary) | | United States |
Crisp IM SAS | Customer support and messaging | Support | European Union (France) |
Mixpanel, Inc. | Product analytics for the Console and Site | Analytics | United States |
Amplitude, Inc. | Product analytics for the Console and Site | Analytics | United States |
Google Analytics (Google LLC) | Web analytics for the Site | Analytics | United States |
Anthropic, PBC | AI / large language model services (no personal data transmitted; see Section 7) | AI Service Provider | United States |
Google Cloud AI (Google LLC) | AI / machine learning services (no personal data transmitted; see Section 7) | AI Service Provider | United States |
OpenAI, L.L.C. | AI / large language model services (no personal data transmitted; see Section 7) | AI Service Provider | United States |
As described in Section 7, AI Service Providers receive only de-identified, aggregated context and do not process personal data of Customer end users. They are listed here for transparency. AppDNA may also engage its Affiliates as Sub-Processors. International transfers to Sub-Processors located in the United States rely on the transfer mechanisms described in Section 10.
10. International Data Transfers
Hosting. As of the Effective Date, AppDNA hosts personal data exclusively in the United States. AppDNA may add additional hosting regions, including in the European Union/EEA, in the future. Material changes to data residency will be disclosed in advance and reflected in this Privacy Policy and (for customers) in the DPA.
Transfer mechanisms (EEA / UK / Switzerland). Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy determination, we rely on the following safeguards, in order of preference:
(a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, where AppDNA is actively certified;
(b) the European Commission’s Standard Contractual Clauses (Module 2 — Controller to Processor, or Module 3 — Processor to Sub-Processor, as applicable, per Commission Implementing Decision (EU) 2021/914);
(c) the UK International Data Transfer Addendum to the EU SCCs (Version B1.0); and
(d) for Swiss transfers, the SCCs as adapted under Swiss law.
Full transfer terms (where AppDNA acts as Processor for customers) are set out in the DPA. Customers and data subjects may request a copy of the executed transfer documents by contacting privacy@appdna.ai.
AppDNA conducts and maintains transfer impact assessments (TIAs) for transfers under SCCs. We will provide a summary of our TIA on request.
11. Data Retention
We retain personal information for as long as necessary to fulfill the purposes set out in this Privacy Policy and to comply with our legal obligations. Specifically:
Account and billing data: for the duration of your account plus up to 24 months after termination, except where longer retention is required by law (e.g., tax records).
Customer Data (as Processor): per the retention provisions of the DPA, typically up to 24 months post-termination.
Marketing and prospect data: until you opt out, until we have not had meaningful contact for 36 months, or as otherwise required by law.
Communications and support records: typically 36 months from the last interaction.
Job applicant data: typically 12 months after the recruitment process closes, or longer with your consent for future opportunities.
Backups: backup copies are retained on a rolling cycle and are securely overwritten or deleted in due course.
Aggregated Data: may be retained indefinitely as it does not identify any individual.
When we no longer have a lawful basis to process your personal information, we will delete it or anonymize it.
12. Security
We implement and maintain commercially reasonable administrative, physical, and technical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2+), encryption at rest (AES-256 or equivalent), role-based access controls, multi-factor authentication for production systems, vulnerability management, secure development practices, third-party penetration testing, and incident-response procedures. Detailed technical and organizational measures (TOMs) are set out in the DPA for customers.
No system is perfectly secure. While we work hard to protect personal information, we cannot guarantee absolute security. If you suspect any unauthorized use of your account or any security issue, please notify us immediately at security@appdna.ai.
Personal Data Breach Notification: where a personal data breach occurs, we will notify affected customers without undue delay (within 72 hours of becoming aware) as required by GDPR Article 33 and the DPA. Where required by applicable law, we will notify affected individuals and regulators directly.
13. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) on our Site and Console for the following purposes:
Strictly necessary: to authenticate users, maintain session security, and enable basic functionality.
Performance and analytics: to understand how users interact with our Site so we can improve it.
Functional: to remember preferences and settings.
Marketing (where you consent): to measure the effectiveness of our marketing and to deliver relevant content. We do not use cookies for cross-context behavioral advertising.
You can manage cookie preferences through our cookie banner or by adjusting your browser settings. Disabling certain cookies may limit functionality. For more information, see our Cookie Notice (where available) or contact privacy@appdna.ai.
Do-Not-Track signals: at this time, no industry standard for honoring DNT signals exists, so we do not respond to DNT browser signals. We honor Global Privacy Control (GPC) signals as required by applicable law.
14. Your Privacy Rights
Depending on your location, you may have rights under applicable privacy law to:
Access the personal information we hold about you.
Correct inaccurate or incomplete personal information.
Delete (erase) personal information, subject to legal exceptions.
Receive a copy of personal information in a portable format.
Restrict or object to certain processing.
Withdraw consent (where processing is based on consent).
Opt out of "sale" or "sharing" of personal information (we do not engage in either).
Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 19).
Lodge a complaint with a data-protection authority.
To exercise your rights, email privacy@appdna.ai with the subject line "Data Subject Request" and a description of the right you wish to exercise. We will verify your identity using the information we already hold and respond within the timeframe required by law (typically 30 days for GDPR, 45 days for CCPA, with possible extensions). We will not discriminate against you for exercising your rights.
Authorized agents: you may designate an authorized agent to make a request on your behalf, subject to verification of authority.
15. U.S. State Privacy Rights (CCPA/CPRA and Similar)
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under your state’s privacy law.
15.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information (CCPA terminology):
CCPA Category | Examples Collected |
A. Identifiers | Name, business email, business phone, IP address, account ID, online identifiers, billing address. |
B. Customer Records | Name, contact information, employment information, financial information (billing). |
C. Protected classification characteristics | Not collected. |
D. Commercial information | Subscription history, product usage, purchase records. |
E. Biometric information | Not collected. |
F. Internet or network activity | Browsing and feature-usage history within the Site and Console; device and browser characteristics. |
G. Geolocation | Approximate (city/country) only, derived from IP address. |
H. Audio, electronic, sensory | Recorded sales/support calls (with consent); demo recordings (with consent). |
I. Professional/employment | Job title, company name, work history (for applicants). |
J. Education information | Not collected. |
K. Inferences | Inferences drawn from usage patterns to provide and improve Services. |
L. Sensitive personal information | Not knowingly collected. |
15.2 Sources, Purposes, and Recipients
Sources: from you directly; automatically through use of our Services; from third-party business databases and referrals (Sections 3.1–3.3 above). Purposes: see Section 4. Recipients: Sub-Processors (Section 9) and other categories described in Section 8.
15.3 Sale or Sharing
We have not sold or "shared" (for cross-context behavioral advertising) personal information in the preceding 12 months and have no plans to do so.
15.4 Sensitive Personal Information
We do not knowingly use or disclose sensitive personal information for purposes that would trigger CCPA/CPRA limit-use rights.
15.5 Your CCPA/CPRA Rights
Right to know what categories and specific pieces of personal information we have about you.
Right to delete personal information (subject to exceptions).
Right to correct inaccurate personal information.
Right to portability.
Right to opt out of sale or sharing (we do not engage in either).
Right to limit use of sensitive personal information (we do not knowingly process such data).
Right to non-discrimination for exercising rights.
To exercise your rights or appeal a denied request: email privacy@appdna.ai. For appeals, we will respond as required by your state’s law.
15.6 California "Shine the Light"
California Civil Code § 1798.83 permits California residents to request, once per year, information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information for third-party direct marketing.
16. EEA, UK, and Swiss Rights
In addition to the rights described in Section 14, residents of the EEA, UK, or Switzerland have the right to lodge a complaint with their local supervisory authority:
EEA: contact the supervisory authority in your Member State of residence.
UK: the Information Commissioner’s Office (ICO).
Switzerland: the Federal Data Protection and Information Commissioner (FDPIC).
AppDNA has appointed a UK Representative under Article 27 of the UK GDPR:
Michael Mroz
124 City Road, London EC1V 2NX, England
Email: privacy@appdna.ai
Where required, AppDNA will appoint an EU Representative under Article 27 of the EU GDPR; until then, EU residents may contact privacy@appdna.ai.
17. Other Regions
17.1 Canada
We collect and process personal information under PIPEDA and applicable provincial laws. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting privacy@appdna.ai. You have the right to access, correct, and (in certain circumstances) request deletion of your personal information.
17.2 Australia
We process personal information consistent with the Australian Privacy Principles under the Privacy Act 1988 (Cth). You may complain to the Office of the Australian Information Commissioner (OAIC).
17.3 New Zealand
We process personal information consistent with the Privacy Act 2020. You may complain to the Office of the New Zealand Privacy Commissioner.
18. Children’s Privacy
The Services are intended for businesses and not for individuals under 18 years of age. AppDNA does not knowingly collect personal information directly from children under 18 (or the equivalent age in the applicable jurisdiction).
AppDNA does not directly collect data from children. AppDNA’s Services are intended for use by businesses, and our customers are responsible for ensuring that their applications comply with the Children’s Online Privacy Protection Act (COPPA), GDPR-K, the UK Age-Appropriate Design Code, and similar laws applicable to children’s data. Customer applications that target audiences under the relevant age threshold must obtain appropriate parental consents before transmitting children’s data to the AppDNA SDK; the customer’s privacy policy and the DPA between AppDNA and the customer govern such processing.
If we become aware that we have collected personal information directly from a child without appropriate consent, we will take prompt steps to delete it. If you believe we may have collected such information, please contact privacy@appdna.ai.
19. Automated Decision-Making
When AppDNA acts as Controller (e.g., for Site visitors and Console users), we do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.
When AppDNA acts as Processor (e.g., for end-user data flowing through the SDK), the Console may perform automated experimentation, segmentation, and rollout decisions affecting end users on behalf of customers. The customer is the Controller of such processing and is responsible for any disclosures and consents required under GDPR Article 22, the EU AI Act, or other applicable law. End users seeking information about specific automated processing in a customer’s application should contact the operator of that application.
20. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective Date" at the top of this Policy indicates when it was last updated. For material changes that adversely affect your rights, we will provide reasonable advance notice (e.g., by email to your registered address or through a notice on the Site or Console) before the change takes effect. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of that update. We will retain prior versions of this Privacy Policy for evidentiary purposes.
21. Contact and Data Protection Officer
For privacy questions, requests, or complaints, contact:
Privacy and DPA inquiries: privacy@appdna.ai
Data Protection Officer: dpo@appdna.ai
Security and incidents: security@appdna.ai
General inquiries: hello@appdna.ai
Legal notices: legal@appdna.ai
AppDNA AI, Inc.
Attn: Data Protection Officer
1007 N Orange St., 4th Floor Suite #4331
Wilmington, DE 19801, United States
UK Representative: Michael Mroz, 124 City Road, London EC1V 2NX, England (privacy@appdna.ai)