Privacy Policy — SaasToStore
Last updated: June 8, 2026
1. Data Controller
Méga Joule — Sole proprietorship (auto-entrepreneur) Represented by: Khalfallah MAHFOUD SIREN: 995 382 512 — SIRET: 995 382 512 00011 APE Code: 6201Z (Computer programming activities) Address: 3 allée Rouget de Lisle — 78300 Poissy, France Email: hello@saastostore.com
2. Data Collected and Purposes
2.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Authentication, transactional notifications, billing | Contract performance |
| Password (bcrypt hashed, cost ≥ 12) | Account security | Contract performance |
| Registration date | Account management, fraud prevention | Legitimate interest |
| Language preference | Localized user interface | Legitimate interest |
2.2 Project Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Source PWA / website URL | Technical analysis, compilation, build pipeline | Contract performance |
| Application name | Store listing generation, build configuration | Contract performance |
| Android package name | Unique app identification on Google Play | Contract performance |
| App icon (uploaded by user) | Android, Desktop, and store assets | Contract performance |
| Screenshots (auto-generated) | Play Store / Microsoft Store listing | Contract performance |
| Generated icons | Android and Desktop artifacts | Contract performance |
| App description and store texts | Store listing (user-provided or AI-generated) | Contract performance |
| Target store(s) selected | Build routing and multi-store publishing | Contract performance |
| Desktop build configuration (width, height) | Tauri/Pake build parameters | Contract performance |
2.3 Build and Publishing Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Compiled AAB / APK file | Publication on Android stores | Contract performance |
| Compiled .msi / .dmg / .AppImage | Distribution via GitHub Releases | Contract performance |
| Android keystore (AES-256-GCM encrypted) | App signing for updates and re-submissions | Contract performance |
| Build logs | Debugging, support, security | Legitimate interest |
| Build status, timestamps, and history | Pipeline tracking, user dashboard | Contract performance |
| Platform build callback data (per-OS status) | Real-time progress reporting | Contract performance |
2.4 Store Connection Data
Google Play
| Data | Purpose | Legal Basis |
|---|---|---|
| OAuth 2.0 refresh token (AES-256-GCM encrypted) | Automated publishing to Google Play | Explicit consent |
| Associated Google account email | Connection identification | Explicit consent |
| Last use date | Security, anomaly detection | Legitimate interest |
The refresh token is never accessible in plaintext from the user interface. It is decrypted only in RAM on the build server at the moment of API call.
Amazon Appstore
| Data | Purpose | Legal Basis |
|---|---|---|
| Amazon client ID | API authentication for Appstore publishing | Explicit consent |
| Amazon client secret (AES-256-GCM encrypted) | API authentication for Appstore publishing | Explicit consent |
Samsung Galaxy Store
| Data | Purpose | Legal Basis |
|---|---|---|
| Samsung service account ID | API authentication for Galaxy Store publishing | Explicit consent |
| Samsung service secret (AES-256-GCM encrypted) | API authentication for Galaxy Store publishing | Explicit consent |
Microsoft Partner Center
| Data | Purpose | Legal Basis |
|---|---|---|
| Azure AD tenant ID | Microsoft Store API authentication | Explicit consent |
| Azure AD client secret (AES-256-GCM encrypted) | Microsoft Store API authentication | Explicit consent |
Snap Store
| Data | Purpose | Legal Basis |
|---|---|---|
| Snapcraft export-login credentials (AES-256-GCM encrypted) | Publishing to Snap Store | Explicit consent |
Flathub
| Data | Purpose | Legal Basis |
|---|---|---|
| GitHub personal access token (AES-256-GCM encrypted) | Flathub PR submission via GitHub API | Explicit consent |
| Flatpak application ID (generated) | Flathub manifest identification | Contract performance |
All third-party store credentials are encrypted using AES-256-GCM with a unique random initialization vector (IV) per entry and stored exclusively in the SaasToStore database. They are decrypted only in RAM on the build/publish server at the moment of the relevant API call.
2.5 Payment Data
Payments are processed exclusively by Stripe Inc. SaasToStore never stores banking data (card number, CVV, IBAN, bank account details). The following are retained for accounting and credit management: Stripe customer ID, subscribed plan identifier, transaction dates and amounts, and Stripe webhook event identifiers (for idempotency).
2.6 Navigation and Technical Data
SaasToStore may collect the following technical data:
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address (truncated to /24 for EU users) | Security, abuse prevention | Legitimate interest |
| Browser type and version | Compatibility, debugging | Legitimate interest |
| Operating system | Compatibility analytics | Legitimate interest |
| Pages visited, time on page | Performance analysis, feature usage | Legitimate interest |
| Referring URL | Traffic source analysis | Legitimate interest |
| Error logs and crash reports | Product stability | Legitimate interest |
No advertising cookies or third-party behavioral tracking tools are used.
3. Cookies and Local Storage
SaasToStore uses only functional cookies and local storage keys strictly necessary for the operation of the Service. No advertising, behavioral tracking, or third-party profiling cookies are used.
3.1 Cookies
| Name | Type | Duration | Purpose |
|---|---|---|---|
sb-<project>-auth-token | Essential | Session (up to 7 days) | Supabase authentication session token |
sb-<project>-auth-token-code-verifier | Essential | Session | OAuth PKCE code verifier (Google Play auth flow) |
3.2 Local Storage
| Key | Duration | Purpose |
|---|---|---|
sts_locale | Persistent | User's preferred language (EN/FR/DE/ES/PT-BR) |
sts_redirected | Session | Prevents redirect loop on initial locale detection |
3.3 Cookie Consent
Because SaasToStore does not deploy non-essential cookies (analytics, advertising, social media), no cookie consent banner is required under ePrivacy Directive 2002/58/EC and its national transpositions. Should non-essential cookies be introduced in the future, users will be informed and a consent mechanism will be added.
4. Retention Periods
| Data Category | Retention Duration |
|---|---|
| Active account data | Account lifetime |
| Project and build configuration | 12 months after last build |
| Compiled AAB / APK files | 30 days after compilation |
| Desktop build artifacts (GitHub Releases) | 90 days after build (GitHub may apply its own policy) |
| Android keystore | Account lifetime + 30 days after deletion |
| Store credentials (Google, Amazon, Samsung, Microsoft, Snap, Flathub) | Until revocation by user or account deletion |
| Payment data and transaction records | 10 years (statutory French accounting obligation — Art. L.123-22 C.com.) |
| Technical and build logs | 90 days |
| Navigation logs | 30 days |
After account deletion, all personal data is erased within 30 days, except:
- Payment data subject to statutory accounting retention
- Data that must be retained to comply with a legal obligation or defend against a legal claim
5. Data Recipients and Processors
5.1 Sub-processors
SaasToStore uses the following service providers. Data Processing Agreements (DPAs) are in place or SCCs/DPF compliance is confirmed where applicable:
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, edge functions | Account data, project data, credentials (encrypted), build jobs | European Union (AWS eu-west-3, Paris, France) |
| Ionos SE | AAB/APK compilation server (Android builds) | Source URL, app name, icon, build parameters | Germany (EU) |
| GitHub Inc. (Microsoft Corp.) | Desktop build pipeline (GitHub Actions), artifact storage (GitHub Releases) | Source URL, app name, icon URL, build job ID | United States |
| Stripe Inc. | Payment processing, subscription management | Email, transaction amounts, plan identifiers | United States (PCI-DSS Level 1 certified) |
| Resend Inc. | Transactional email delivery (build notifications, receipts) | Email address, first name (if provided), build result data | United States |
| Anthropic PBC | AI text generation (store descriptions, AI-generated app T&Cs) | App name, URL, category | United States |
| Google LLC (Gemini API) | AI image generation (icons, visual assets) | App name, URL, color scheme | United States |
| Browserless Inc. | Automated PWA screenshots | Source URL | United States |
| Google LLC (Firebase) | Push notification delivery to end users of published apps | Push subscription tokens, notification payloads | United States |
| PWABuilder / Microsoft | .msix package generation for Microsoft Store | Source URL, app name | United States |
5.2 Transfers Outside the European Union
Several processors are established in the United States. These international transfers are conducted under one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
- EU-US Data Privacy Framework (adequacy decision of July 10, 2023) where the processor is certified
- Compliance with GDPR Article 49 derogations where applicable
You may request information on the specific transfer mechanisms applicable to each processor by contacting hello@saastostore.com.
5.3 Third-Party Store APIs
When you authorize SaasToStore to publish to a store on your behalf, data required for publishing (compiled app binary, metadata, screenshots) is transmitted to the relevant third-party API (Google Play Android Developer API, Amazon Appstore Submission API, Samsung Galaxy Store API, Microsoft Partner Center API). These transmissions are carried out on your behalf, based on your explicit authorization, and are governed by each store's own privacy policies.
5.4 No Sale of Data
SaasToStore does not sell, rent, exchange, or transfer personal data to third parties for commercial or advertising purposes.
6. Data Security
SaasToStore implements the following technical and organizational security measures:
- Encryption in transit: HTTPS/TLS 1.3 on all communications between client, server, and third-party APIs
- Encryption at rest: All OAuth tokens, store API credentials, and Android keystores are encrypted using AES-256-GCM with a unique random IV per entry; encryption keys are stored separately from the data
- Password security: Passwords are hashed using bcrypt with a work factor ≥ 12; plaintext passwords are never stored or logged
- Row Level Security (RLS): Enforced at database level — each user can only access their own data; the database rejects unauthorized access regardless of application-level controls
- Least privilege: Each system component (Edge Functions, build workers, publish workers) only has access to the data strictly necessary for its operation
- Access control: Production infrastructure access is restricted to authorized personnel via SSH key authentication; no password-based access
- Log sanitization: Technical and build logs automatically filter and redact passwords, keystore credentials, tokens, and secrets
- Idempotent operations: Stripe webhook events are deduplicated by event ID to prevent double-processing
- Security incident response: In the event of a data breach likely to result in a risk to your rights and freedoms, SaasToStore will notify the competent supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Article 33-34
7. Your Rights Under GDPR (EU/EEA Residents)
In accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection legislation, EU and EEA residents have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain confirmation of processing and a copy of your personal data | Email request to hello@saastostore.com |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Email or account settings |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") | Email request or account deletion |
| Restriction (Art. 18) | Request temporary suspension of processing | Email request |
| Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format | Email request |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email request |
| Withdrawal of consent | Revoke consent at any time without prejudice to prior processing | Account settings or email |
| Automated decision-making (Art. 22) | Not to be subject to solely automated decisions with significant effects | N/A — no such processing currently |
Response time: We respond to all requests within 30 days. Where requests are complex or numerous, this period may be extended by a further two months, with prior notice.
Supervisory authority: If you believe your rights are not being respected, you may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés):
- Website: https://www.cnil.fr
- Address: 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
EU/EEA residents may also contact the supervisory authority in their country of residence.
8. Your Rights Under UK GDPR (UK Residents)
Residents of the United Kingdom have equivalent rights under the UK General Data Protection Regulation and the Data Protection Act 2018. The competent supervisory authority is the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
9. Your Rights Under CCPA/CPRA (California Residents)
If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights, in addition to any rights above:
| Right | Description |
|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information collected about you, the categories of sources, the business/commercial purposes for collection, and the categories of third parties with whom it is shared |
| Right to Delete | Request deletion of personal information collected from you, subject to certain exceptions (legal obligations, security, etc.) |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale or Sharing | SaasToStore does not sell or share personal information for cross-context behavioral advertising within the meaning of CCPA/CPRA |
| Right to Limit Use of Sensitive Personal Information | SaasToStore does not use sensitive personal information for purposes other than those permitted under CCPA Section 1798.121 |
| Right to Non-Discrimination | You will not be discriminated against for exercising your CCPA/CPRA rights |
Shine the Light: California Civil Code § 1798.83 entitles California residents to request information about personal information shared with third parties for their direct marketing purposes. SaasToStore does not share personal information with third parties for direct marketing.
To exercise your California rights: Send a verifiable consumer request to hello@saastostore.com. We will respond within 45 days (extendable by 45 additional days with notice).
10. Your Rights Under Other US State Privacy Laws
Residents of the following states have privacy rights under applicable state law:
| State | Law | Supervisory Contact |
|---|---|---|
| Virginia | Consumer Data Protection Act (VCDPA) | Virginia Attorney General |
| Colorado | Colorado Privacy Act (CPA) | Colorado Attorney General |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | Connecticut Attorney General |
| Texas | Texas Data Privacy and Security Act (TDPSA) | Texas Attorney General |
| Oregon | Oregon Consumer Privacy Act (OCPA) | Oregon Attorney General |
Residents of these states generally have rights to access, delete, correct, and obtain a portable copy of their data, and to opt out of sale/sharing for targeted advertising. SaasToStore does not engage in targeted advertising or sale of personal data.
To exercise these rights, contact hello@saastostore.com. We will respond within the timeframe specified by applicable law (generally 45 days, extendable by 45 additional days).
11. Artificial Intelligence
Some Service features use artificial intelligence models to generate content:
- Anthropic Claude Haiku: Generates store descriptions, keywords, and app privacy policy documents. Data transmitted: app name, URL, category, and brief description provided by the user.
- Google Gemini: Generates app icons and visual assets. Data transmitted: app name, URL, color scheme.
Important:
- Data transmitted to AI providers is limited to what is strictly necessary for content generation.
- No sensitive personal data (credentials, payment data, private communications) is ever transmitted to AI models.
- AI-generated content (descriptions, icons, privacy policies) is provided as a suggestion. The user is solely responsible for reviewing, validating, and ensuring the legal compliance of all AI-generated content before publishing to any store.
- SaasToStore does not use your data to train AI models.
12. Push Notifications
If you activate push notifications for apps published through SaasToStore, the push notification delivery service is provided by Google LLC (Firebase Cloud Messaging). Push subscription tokens generated by end users' browsers/devices are processed by Firebase for the purpose of message delivery. SaasToStore transmits notification content and target tokens to Firebase but does not retain end-user push tokens in its own database beyond what is necessary for immediate delivery.
13. Minors
The Service is intended exclusively for users who are at least 18 years of age (or the age of majority in their jurisdiction, if higher). SaasToStore does not knowingly collect personal data from children under 13 years of age. If we become aware that a minor has registered or provided personal data, we will promptly delete such data. If you believe a minor has created an account, contact us at hello@saastostore.com.
14. Third-Party Links and Integrations
The Service may contain links to third-party websites (Google Play Console, Stripe billing portal, GitHub, etc.) or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through SaasToStore.
15. Data Breach Notification
In the event of a personal data breach:
- SaasToStore will notify the CNIL (or competent EU supervisory authority) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to your rights and freedoms (GDPR Art. 33)
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay (GDPR Art. 34), by email to the address registered on your account
- US users will be notified in accordance with applicable state breach notification laws
16. Changes to This Policy
We may update this Privacy Policy from time to time. Any material changes will be communicated by:
- Email notification to registered users at least 15 days before the changes take effect
- Prominent notice on the Service
The updated policy will indicate the revision date at the top of this document. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
The current version of this policy is always accessible at https://saastostore.com/privacy.
17. Contact — Data Protection
For any questions or requests concerning the protection of your personal data:
Khalfallah MAHFOUD Data Controller — Méga Joule Email: hello@saastostore.com Address: 3 allée Rouget de Lisle — 78300 Poissy, France
We will respond within 30 days of receiving your request. For complex requests or where an extension is required under applicable law, we will notify you of the extended timeframe.