GDPR Compliance
Last Updated: April 13, 2026
1. Our Commitment to GDPR
App Sprint Attribution is operated by Tap & Swipe, a company based in France. We are fully committed to complying with the General Data Protection Regulation (GDPR) and ensuring that all personal data is processed lawfully, fairly, and transparently.
This page describes how App Sprint Attribution handles data protection in the context of our mobile attribution platform.
2. Data Roles
App Sprint Attribution as Data Processor
App Sprint Attribution acts as a data processor under GDPR. Our clients (app developers) integrate our SDK into their mobile apps and use our dashboard to view attribution data.
- Data Controller: The app developer (our client) who determines why and how end-user data is collected
- Data Processor: App Sprint Attribution, which processes end-user data on behalf of the client to provide attribution services
What This Means
- Clients are responsible for having a valid legal basis for collecting end-user data
- Clients must inform their end users about data collection through their own privacy policies
- App Sprint Attribution processes data strictly according to our clients' instructions and for the purposes defined in our agreement
- We do not independently determine the purposes of end-user data processing
3. Legal Basis for Processing
Client Data (Account Holders)
We process client personal data (name, email, billing information) under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service
- Legitimate interest (Article 6(1)(f)): Service improvement, security, and fraud prevention
End-User Data (via SDK)
As a data processor, we process end-user data under the legal basis established by the data controller (our client). Common legal bases used by our clients include:
- Consent (Article 6(1)(a)): End-user consent obtained through a consent management platform or, on iOS, alongside the ATT prompt. Note that ATT authorization is an Apple platform permission governing access to the IDFA; it does not by itself constitute GDPR-valid consent, and the client must ensure the consent it collects meets the conditions of Article 7
- Legitimate interest (Article 6(1)(f)): Marketing attribution as a legitimate business interest, with appropriate balancing tests performed by the client
It is the client's responsibility to ensure they have a valid legal basis for the data processing carried out through our SDK.
4. Data We Process
Through our SDK and platform, we process device and attribution-related data on behalf of our clients. We collect only the data necessary for attribution. We do not collect names, email addresses, phone numbers, or other directly identifying information about end users. Device and advertising identifiers (such as the IDFA or Google Advertising ID) and IP addresses are nonetheless personal data under GDPR (Recital 30), which is why this processing still requires a legal basis and a Data Processing Agreement.
5. Sub-Processors
We use the following sub-processors to deliver the Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, data storage, compute | US |
| Whop | Payment processing for client subscriptions | US |
| Google (OAuth) | Client authentication | US |
| Resend | Transactional email delivery | US |
| PostHog | Web analytics for the dashboard | EU |
All sub-processors are bound by data processing agreements that ensure GDPR-compliant handling of personal data. We will notify clients of any addition or replacement of a sub-processor, as required by Article 28(2), giving them the opportunity to object.
6. Data Subject Rights
How End Users Exercise Their Rights
Since App Sprint Attribution is a data processor, end users should exercise their GDPR rights by contacting the app developer (data controller) directly. The typical process is:
- End user contacts the app developer to exercise a right (access, erasure, etc.)
- App developer evaluates the request and contacts App Sprint Attribution if needed
- App Sprint Attribution assists the app developer in fulfilling the request (e.g., deleting the end user's data from our systems)
We are committed to assisting our clients in responding to data subject requests within the timeframes required by GDPR.
Rights of Our Clients
Clients (account holders) can exercise their GDPR rights directly with us by contacting [email protected]. See our Privacy Policy for the full list of rights.
7. Data Processing Agreement
A formal Data Processing Agreement (DPA) is available on request for all clients. The DPA covers:
- Scope and purpose of processing
- Categories of data processed
- Duration of processing
- Obligations of both parties
- Sub-processor management
- Data breach notification procedures
- Assistance with data subject rights
- Data deletion upon termination
To request a DPA, contact us at [email protected].
8. SDK Privacy Controls
Our SDK is designed with privacy in mind:
- ATT Framework Support: On iOS, the SDK respects App Tracking Transparency
- Android Ad ID: The SDK respects the user's advertising ID preferences on Android
- Opt-Out Configuration: Clients can programmatically disable data collection for specific users
- Minimal Data Collection: The SDK collects only the data necessary for attribution
9. Data Retention & Deletion
| Data Type | Retention Period |
|---|---|
| Attribution data (active account) | Duration of account |
| Attribution data (after termination) | 90-day grace period, then deleted |
| Raw click data | 30 days |
| Client account data | Duration of account + 90 days |
| Billing records | 5-10 years (French tax law) |
| Aggregated/anonymized data | Indefinite (falls outside GDPR only once it can no longer be linked to an individual, per Recital 26) |
Clients can request data deletion at any time by contacting us. Upon receiving a valid deletion request, we will delete the data within 30 days.
10. Security Measures
We implement the following technical and organizational measures to protect personal data:
Technical Measures
- Encryption in transit (HTTPS/TLS for all communications)
- Encryption at rest (AWS-managed encryption for databases and storage)
- API key hashing (plaintext keys are never stored)
- Network isolation and firewall rules
- Regular security updates and patching
Organizational Measures
- Access to production systems restricted to authorized personnel
- Multi-factor authentication required for all infrastructure access
- Regular security reviews
- Incident response procedures
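The "API key hashing" measure above is the one item in this list that maps directly onto code. The following is an added illustration of that approach for a generic API, not App Sprint Attribution's own implementation: the `ask_` prefix, the lookup-id layout and the in-memory `store` dictionary are assumptions made for the example. A key is shown to the client once; the server persists only a SHA-256 digest plus a short non-secret lookup id, and verification compares digests in constant time. Plain SHA-256 without a salt or slow KDF is appropriate here because the secret part is CSPRNG output with far more entropy than a human-chosen password.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not the platform's code. Assumed layout: <prefix><lookup_id>.<secret>
KEY_PREFIX = "ask_"     # assumed vanity prefix; makes leaked keys easy to spot in logs/scanners
LOOKUP_BYTES = 6        # 48-bit non-secret id used only to find the stored digest


def hash_key(key: str) -> str:
    """Digest that is stored at rest; the key itself never is."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def generate_api_key() -> Tuple[str, str, str]:
    """Return (plaintext_key, lookup_id, digest). Persist only the last two."""
    lookup_id = secrets.token_hex(LOOKUP_BYTES)
    secret = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    key = f"{KEY_PREFIX}{lookup_id}.{secret}"
    return key, lookup_id, hash_key(key)


def parse_lookup_id(key: str) -> Optional[str]:
    """Extract the lookup id from a presented key without inspecting the secret part."""
    if not key.startswith(KEY_PREFIX):
        return None
    body = key[len(KEY_PREFIX):]
    lookup_id, sep, _secret = body.partition(".")
    if sep != "." or len(lookup_id) != LOOKUP_BYTES * 2:
        return None
    return lookup_id


def verify_api_key(key: str, store: Dict[str, str]) -> bool:
    """Constant-time check of a presented key against the digest store."""
    lookup_id = parse_lookup_id(key)
    if lookup_id is None:
        return False
    stored_digest = store.get(lookup_id)
    if stored_digest is None:
        hash_key(key)   # hash anyway so unknown ids cost about the same as known ones
        return False
    return hmac.compare_digest(hash_key(key), stored_digest)


def demo() -> Tuple[bool, bool, bool]:
    """Issue one key, persist its digest, then check a good, a tampered and a garbage key."""
    store: Dict[str, str] = {}
    key, lookup_id, digest = generate_api_key()
    store[lookup_id] = digest                    # this is all that lands in the database
    assert key not in store.values()             # plaintext key is never stored
    tampered = key[:-1] + ("a" if key[-1] != "a" else "b")
    return (
        verify_api_key(key, store),
        verify_api_key(tampered, store),
        verify_api_key("not-a-key", store),
    )


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```

If a database backup or read-only SQL injection exposes the `store`, the attacker obtains digests that cannot be presented as keys; rotating a key means deleting its lookup id and issuing a new one.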
11. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we ensure GDPR-compliant safeguards:
- AWS: Data is hosted in US regions. Transfers are covered by Standard Contractual Clauses (SCCs)
- Whop: Transfers to the US are covered by SCCs and the EU-US Data Privacy Framework
- Google: OAuth data transfers are covered by SCCs and the EU-US Data Privacy Framework
- Resend: Transfers to the US are covered by SCCs
- PostHog: Hosted in the EU, no international transfer required
12. Breach Notification
In the event of a personal data breach:
- We will notify affected clients without undue delay and no later than 72 hours after becoming aware of the breach (Article 33(2) obliges us as processor to notify the controller without undue delay), so that clients can meet their own 72-hour deadline for notifying the supervisory authority
- Notification will include the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken
- Clients (as data controllers) are responsible for notifying their end users and the relevant supervisory authority as required by GDPR Articles 33 and 34
13. Contact
For any questions about our GDPR compliance or data protection practices:
Email: [email protected]
Entity: Tap & Swipe
Location: France
For complaints, you may also contact the French data protection authority:
CNIL (Commission Nationale de l'Informatique et des Libertés)
- Website: https://www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France