
Privacy Policy

Last updated: March 2026

This policy describes how ASO++ collects, uses, and protects the personal data of service users, in compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection legislation.

1. Data Controller

The data controller is ASO++, reachable at: privacy@asopp.cc.

2. Data Collected

We collect the following categories of personal data:

  • Account data: email address, name (optional), OAuth provider (Google, GitHub) if used for registration — collected via Clerk at the time of sign-up.
  • Usage data: number of API calls made (quota), request timestamps, identifier of the API token used. This data is used for calculating and enforcing the monthly quota.
  • Configuration data: names of created API tokens, tracked keywords (keyword text, app identifier, country), ranking history.
  • Technical data: IP address (used for rate limiting only, kept no longer than the 60-second rate-limiting window and never written to the database), MCP client user agent.
  • Billing data: active subscription plan, transaction history — managed entirely by Polar.sh. We do not store credit card data.

Data NOT collected: we do not log the content of ASO queries made through the AI assistant (e.g. the app being analyzed, the keywords searched in a specific session), nor the content of conversations with Claude or Cursor. The principle of data minimization is strictly applied.

3. Purpose and Legal Basis

  • Service delivery (legal basis: performance of a contract, Art. 6.1.b GDPR) — authentication, account management, API token generation, quota counting, access to MCP tools.
  • Security and abuse prevention (legal basis: legitimate interest, Art. 6.1.f GDPR) — rate limiting, anomaly detection, revocation of compromised tokens.
  • Subscription and billing management (legal basis: performance of a contract) — plan upgrades/downgrades, payment processing via Polar.sh.
  • Legal obligations (legal basis: legal obligation, Art. 6.1.c GDPR) — retention of accounting and tax data for the period required by law.

4. Retention Period

  • Account and configuration data: for the duration of the contract and for 30 days following account deletion, to allow for accidental recovery.
  • Access and quota logs: 90 days from the time the event is recorded.
  • Billing data: 10 years from the transaction, in compliance with Italian tax obligations (Art. 2220 Civil Code and VAT regulations).
  • IP address for rate limiting: not persisted. It is held only in the rate-limiting store (see Section 5) for the single 60-second window and is never written to the database.

5. Sub-Processors and Data Recipients

To deliver the service, we rely on the following sub-processors. Each sub-processor is contractually bound to protect data in accordance with the GDPR and has adequate security measures in place:

  • Clerk — Identity management and user authentication. Based in the USA. Privacy Policy
  • Vercel — Application hosting, CDN, Fluid Compute. Based in the USA. Privacy Policy
  • Neon — Serverless PostgreSQL database (account data, tokens, keyword tracking). Based in the USA. Privacy Policy
  • Upstash — Serverless Redis for quota, rate limiting and API cache. Based in the USA. Privacy Policy
  • Polar.sh — Subscription management, payments and billing. Based in the USA. Privacy Policy

6. International Data Transfers

All sub-processors listed above are based in the United States. The transfer of personal data to the USA takes place in compliance with the GDPR through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
  • Data Processing Agreements (DPAs) compliant with the GDPR entered into with each sub-processor.

7. Your Rights

As a data subject, you have the right to:

  • Access (Art. 15 GDPR) — obtain confirmation of processing and a copy of the personal data concerning you.
  • Rectification (Art. 16 GDPR) — correct inaccurate or incomplete data.
  • Erasure (Art. 17 GDPR) — request the deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Portability (Art. 20 GDPR) — receive your data in a structured, commonly used and machine-readable format.
  • Restriction of processing (Art. 18 GDPR) — request the suspension of processing in certain cases provided for by the GDPR.
  • Objection (Art. 21 GDPR) — object to processing based on legitimate interest.
  • Complaint — lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • API tokens stored exclusively as SHA-256 hashes — the plaintext is never persisted.
  • Data transmission encrypted via TLS 1.2+ on all endpoints.
  • Apple Search Ads credentials stored exclusively as encrypted environment variables — never in source code or logs.
  • Database access restricted to authorized services only, with per-tenant isolation.
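The token-storage measure above, as an added illustration rather than ASO++'s own code: the service hands the user a high-entropy random token once, keeps only its SHA-256 digest, and authenticates later requests by hashing the presented token and looking the digest up. The `asopp_` prefix, the record layout and the in-memory store standing in for the database are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical prefix so a leaked token is recognisable in scanners; not from the page.
TOKEN_PREFIX = "asopp_"


@dataclass
class TokenRecord:
    name: str          # user-chosen token name (configuration data)
    token_hash: str    # hex SHA-256 of the full token; the plaintext is never stored
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for a tokens table indexed on the hash column."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, name: str) -> str:
        # 32 random bytes gives 256 bits of entropy. Because the secret is
        # unguessable, an unsalted, unstretched SHA-256 is sufficient here;
        # this reasoning does NOT carry over to human-chosen passwords.
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = TokenRecord(
            name=name, token_hash=self._digest(token)
        )
        return token  # shown to the user exactly once, then discarded server-side

    def verify(self, presented: str) -> Optional[TokenRecord]:
        # Cheap rejection before hashing arbitrary input.
        if not presented.startswith(TOKEN_PREFIX):
            return None
        # Hash the presented value and look it up; this models a SELECT on the
        # indexed hash column. A mismatching digest simply finds no row.
        record = self._by_hash.get(self._digest(presented))
        if record is None or record.revoked:
            return None
        return record

    def revoke(self, name: str) -> bool:
        # Revocation needs only the stored hash, never the plaintext.
        for record in self._by_hash.values():
            if record.name == name and not record.revoked:
                record.revoked = True
                return True
        return False


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("ci-pipeline")
    print("issued:", tok)
    print("valid:", store.verify(tok) is not None)
    store.revoke("ci-pipeline")
    print("valid after revoke:", store.verify(tok) is not None)
```

The check a reviewer would make against this pattern is that nothing in the persisted record (name, digest, flags) contains the token itself, and that a compromised token can be revoked using only the stored digest. If the database dump leaks, an attacker holds SHA-256 digests of 256-bit random strings, which cannot be inverted or brute-forced.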

9. Contact and Exercise of Rights

To exercise your rights or for any questions regarding the processing of personal data, write to us at: privacy@asopp.cc. We will respond without undue delay and in any event within one month of receiving the request, as required by Art. 12(3) GDPR.
