1. Who we are
AppWolf is a mobile-game market intelligence platform operated at https://appwolf.io. This Privacy Policy explains what information we collect from users of our service ("you", "your"), how we use it, who we share it with, and the rights you have over it.
If you have questions, contact us at privacy@appwolf.io.
2. Information we collect
Account information (when you create an account)
- Email address
- Optional display name (if you choose to provide one)
- Authentication provider identifier (if you sign in via Google or another OAuth provider - we do NOT receive your password)
- Country (inferred from sign-in IP address; not stored persistently unless you opt in)
Usage data (when you use the service)
- Apps and developers you watchlist, bookmark, or compare
- Alert rules you configure and the deliveries they fire
- AI chat messages are transmitted to our model provider (DeepSeek) at request time but are NOT persisted in our database. DeepSeek's retention applies during processing.
- Server logs containing your IP address, browser user-agent, referring page, and request timestamps - retained for 30 days for abuse prevention and debugging
Billing data (when you subscribe)
Subscription billing is handled by Polar.sh (Polar Software, Inc.), our merchant of record. AppWolf does NOT receive or store your credit card number, CVV, billing address, or any other payment-card data. We receive only an opaque customer identifier from Polar plus your subscription tier and renewal status. Polar's privacy policy applies to the payment data they collect: polar.sh/legal/privacy.
Product analytics (PostHog)
We use PostHog (EU region) to understand how the product is used. We have deliberately narrowed the data we send:
- Identifier: only your Supabase user ID (a UUID). Your email address is never sent to PostHog.
- Events: a fixed list of seven product events (signup link sent / completed, checkout started, subscription created / canceled, API waitlist submitted, chat message sent) plus automatic page views.
- Event properties: structural data only - e.g. plan tier, prompt length, history depth. Never the content of a chat message, never a search query, never an email address.
- Anonymous visitors do not get a persistent person profile until they sign in (PostHog's identified-only mode).
- Autocapture is disabled. We do not log generic clicks, form interactions, or DOM events - only the fixed list above.
- Region: events are routed to PostHog's EU infrastructure (
eu.i.posthog.com).
Error monitoring (Sentry)
We use Sentry to capture application errors so we can fix bugs. Sentry receives error stack traces and a small amount of context about the request that triggered the error. We scrub the following from every event before it leaves our servers: Authorization headers, cookies, API keys, Supabase session tokens, URL query strings, and any user object (no email, no Supabase ID). Performance traces are sampled at 10% to limit data volume. Session replay is disabled.
What we do NOT collect
- Payment-card data (handled exclusively by Polar)
- Government identifiers
- Health data
- Biometric data
- Any data about minors (our service is not directed at people under 16)
- Browser fingerprints or third-party advertising identifiers
3. Public mobile-app data (data ABOUT apps and developers, not about you)
AppWolf's core service involves collecting and analyzing data from the Apple App Store and Google Play that store operators publish publicly: app metadata, screenshots, ratings, public reviews, chart positions, install buckets, and similar publicly- visible signals. This data is about mobile apps and the developers that publish them; it is not personal data about you as our user.
We do not collect, store, or analyze any data that requires authentication to access on either store. We do not bypass any technical controls put in place by either store. We respect their robots.txt and rate-limiting signals.
4. How we use information
- To provide, maintain, and improve the service
- To authenticate you and protect against fraud and abuse
- To process subscription payments (via Polar; we only receive customer/subscription metadata back)
- To send transactional emails (account confirmation, billing receipts, alerts you configure)
- To send marketing emails ONLY if you've opted in - you can opt out anytime from the email footer or in your account settings
- To comply with legal obligations, enforce our Terms, and respond to legitimate legal requests
5. Who we share information with
We share personal information only with the third-party service providers we use to operate AppWolf. Each provider is bound by data-processing terms restricting how they handle your data:
- Supabase - database, authentication, and file storage (data residency: ap-south-1 Mumbai)
- Vercel - application hosting and edge functions
- Polar.sh - subscription billing (merchant of record)
- Inngest - background job queue (no personal data flows through Inngest events)
- DeepSeek - AI/LLM provider used for sentiment analysis, publisher tier classification, and chat features. App metadata and public review text are sent to DeepSeek for processing; your account email or other directly-identifying personal data is not sent to DeepSeek.
- Resend - transactional email delivery (alerts, magic links, API waitlist notifications)
- Cloudflare - DNS, DDoS protection, and Email Routing for our
@appwolf.ioaddresses (incoming support email is forwarded to a private mailbox) - Sentry - error monitoring (EU region; PII scrubbed at the SDK level - see Section 2 above)
- PostHog - product analytics (EU region; identified-only person profiles - see Section 2 above)
We do NOT sell your personal information to anyone. We do NOT share your personal information with advertising networks.
6. International data transfers
AppWolf may transfer personal information across borders. Our primary database resides in India (Mumbai, ap-south-1). Other service providers may process data in the United States, the European Union, or other regions. Where required, we use the European Commission's Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
7. Data retention
We retain account information for as long as your account is active, plus up to 90 days after deletion to satisfy backup cycles. Subscription billing records may be retained longer to comply with tax and accounting laws (typically 7 years). Server logs are retained for 30 days. Sentry error events are retained for 30 days by default. PostHog product-analytics events are retained per PostHog's defaults (7 years on the free tier; we do not extend that). AI chat messages are NOT persisted in our database; they pass through to the DeepSeek API at request time and are not stored after the response stream closes.
8. Your rights
Depending on where you live, you may have the following rights over your personal information:
- Access - request a copy of the data we hold about you
- Correction - request that we correct inaccurate data
- Deletion - request that we delete your data (we will, subject to legal retention requirements)
- Portability - request a machine-readable export of your data
- Objection / restriction - object to processing for direct marketing or legitimate-interest purposes
- Withdraw consent - where processing is based on consent, you may withdraw it at any time
- Lodge a complaint with your local data protection authority (e.g., the Information Commissioner's Office in the UK, your DPA in the EU, the California Privacy Protection Agency in California, the Data Protection Board of India under the DPDP Act 2023)
To exercise any of these rights, email privacy@appwolf.io. We will respond within 30 days.
9. Cookies
AppWolf uses a minimal set of cookies:
- Authentication session cookie - set by Supabase Auth. Strictly necessary; cannot be disabled while signed in.
- PostHog cookies - first-party cookies set on our domain by the PostHog SDK to maintain a stable distinct ID across page loads. No third-party cookies, no cross-site tracking, no advertising IDs.
We do not use any advertising, retargeting, or cross-site tracking cookies. We do not use Google Analytics, Facebook Pixel, or any similar third-party ad-tech.
10. Security
We use industry-standard practices to protect your data: TLS encryption in transit, encryption at rest in Supabase, Row Level Security on all per-user data, scoped service-role keys, and regular dependency updates. No system is perfectly secure; you are responsible for keeping your account credentials safe and for notifying us promptly at security@appwolf.io of any suspected unauthorized access.
11. Children
AppWolf is not directed at people under 16, and we do not knowingly collect data from anyone under 16. If we learn we have inadvertently collected data from someone under 16, we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify active users by email and post the updated policy here with a new "Last updated" date. Continued use of the service after a change constitutes acceptance of the updated policy.
13. Contact
For privacy questions, data-access requests, or any concerns: privacy@appwolf.io
This policy is provided in good faith and reflects how AppWolf currently operates. It is not legal advice. We recommend that users with specific compliance needs consult their own legal counsel.