AppUnblock

Guarantee & refunds Terms of service Right of withdrawal Privacy & GDPR Data processing (DPA) Legal notice Disclaimers

Privacy policy & GDPR notice

Last updated: 2026. This notice explains how AppUnblock processes personal data under the EU/UK General Data Protection Regulation (GDPR).

1. Who we are (data controller)

The controller of your personal data is CodifyAI SRL (Romania), trading as AppUnblock. Registered address: [registered address — to be completed in Settings]. Privacy contact: [email protected].

2. What data we process

  • Identity & contact: your email or messaging handle, name if provided.
  • Service data you give us: the store rejection message, your app/build/repository links, the app builder used, and any files or screenshots you send. This may incidentally contain personal data of your app's end users — you are the controller of that data and we act as your processor for it.
  • Access metadata: the least-privilege, time-boxed developer-account/repository access you grant us (we never receive your password).
  • Payment data: processed by our payment provider (Stripe). We receive confirmation and limited billing metadata, not your full card number.
  • Technical data: IP address, request logs, and a strictly-necessary session cookie for the admin area.

3. Why we process it, and the lawful basis (GDPR Art. 6)

Purpose Lawful basis
Diagnose and fix your rejection, deliver the service Performance of a contract (Art. 6(1)(b))
Take payment, keep accounting records Contract + legal obligation (Art. 6(1)(b),(c))
Security, fraud/abuse prevention, service operation Legitimate interests (Art. 6(1)(f))
Service emails (diagnosis, quote, delivery, support) Contract (Art. 6(1)(b))
Any marketing email Consent (Art. 6(1)(a)) — opt-in, withdrawable anytime

4. Who receives your data

We do not sell your data and never share it with advertisers. - Processors acting on our instructions (Art. 28 GDPR): Hetzner Online GmbH (EU hosting/infrastructure, Germany); our EU-based mail server. - Independent recipient acting as its own controller: Stripe, Inc., which processes your payment data to provide card/payment services under its own responsibility and privacy policy (PCI-DSS compliant; EU-U.S. Data Privacy Framework certified) — not as our sub-processor.

Where we process personal data belonging to your end-users contained in files you provide, we act as your processor under the Data Processing Agreement that forms part of our Terms. We are not affiliated with Apple or Google and never share your data with them beyond what you submit through your own developer accounts.

5. International transfers

We keep core data within the EU: hosting/infrastructure is provided by Hetzner Online GmbH (Germany) and our mail server is operated within the EU. Some recipients are outside the EEA — in particular payment processing by Stripe, Inc. (United States). Stripe is self-certified under the EU-U.S. Data Privacy Framework, and the European Commission's adequacy decision of 10 July 2023 (Implementing Decision (EU) 2023/1795) recognises an adequate level of protection for transfers to organisations certified under that framework — this is the primary safeguard for that transfer. As an additional safeguard, transfers to Stripe are also covered by the EU Standard Contractual Clauses. You can request a copy of the safeguards by emailing [email protected]. We do not transfer your data to any other third country without an adequacy decision or appropriate safeguards under Articles 44–46 GDPR.

6. How long we keep it

  • Client code, repository access and uploaded files (which may contain your end-users' personal data): deleted within 7 days of closing the engagement (or sooner on request).
  • Account and contact data (email, handle, name): for the duration of our relationship and up to 12 months after your last engagement, then deleted or anonymised.
  • Accounting, invoicing and tax records, including payment metadata from Stripe: retained for 10 years as required by Romanian accounting law (Legea contabilității nr. 82/1991) — lawful basis Art. 6(1)(c).
  • Server and access logs: retained up to 90 days for security and fraud prevention, then deleted.
  • Support correspondence: kept while we provide the service and for a reasonable period after, then deleted.
  • Marketing-consent records: kept until you withdraw consent, plus a record of the consent itself for as long as needed to demonstrate compliance.

For legitimate interests (Art. 6(1)(f)) our specific interests are service security, fraud prevention, and improving our diagnoses; you can object at any time under Art. 21 GDPR. Where we rely on consent, you can withdraw it at any time; withdrawal does not affect processing carried out before you withdrew.

7. Your rights (GDPR Art. 15–22)

You have the right to: access your data, rectify it, request erasure ("right to be forgotten"), restrict or object to processing, request data portability, and — where processing is based on consent — withdraw consent at any time. You also have the right to lodge a complaint with a supervisory authority: the Romanian authority ANSPDCP (B-dul G-ral. Gheorghe Magheru 28-30, Bucharest, [email protected]), or the supervisory authority in your own EU country of residence or work (Art. 77). (ANSPDCP — the Romanian National Supervisory Authority for Personal Data Processing (or your local EU authority))

To exercise any right, use our data request form or email [email protected]. We respond within one month.

8. Automated decision-making

The free triage tool classifies your rejection text to suggest a guideline and service tier. This is not a decision producing legal effects; a human reviews every case. We do not carry out Art. 22 automated decisions.

9. Cookies

We use a single strictly-necessary cookie to keep the admin operator signed in. We do not use advertising or third-party tracking cookies, so no cookie-consent banner is required for marketing — only this notice.

10. Is providing data required?

Providing your rejection message and contact details is necessary for us to provide the service; without them we cannot diagnose or fix your rejection.

11. Changes

We may update this notice; the "last updated" date shows the current version. Material changes affecting you will be communicated where appropriate.