Privacy Policy for App Sprint Attribution
Effective Date: April 13, 2026
1. Introduction
This Privacy Policy describes how Tap & Swipe ("we", "us", "our") collects, uses, and protects information when you use the App Sprint Attribution mobile attribution platform ("Service"), including our SDK, dashboard, and API.
App Sprint Attribution acts as a data processor on behalf of our clients (app developers), who are the data controllers for end-user data collected through the SDK. We are committed to GDPR compliance and transparent data practices.
2. Data We Collect
2.1 Client Data (Account Holders)
When you create an account and use the dashboard, we collect:
- Account information: Name and email address (via Google OAuth)
- Company information: App name, bundle identifiers, and platform details
- Billing information: Processed and stored by Whop (we store your Whop membership ID and subscription status only)
- Dashboard usage data: Pages visited, features used, and session data for improving the Service
2.2 End-User Data (Collected via SDK)
When a client integrates our SDK into their mobile app, the SDK may collect device and attribution-related data from the app's end users as necessary to provide attribution services. The specific data collected is limited to what is required for attribution matching and is documented in our SDK integration guide.
2.3 Tracking Link Click Data
When an end user clicks a tracking link, we collect data necessary to match clicks to subsequent app installs for attribution.
3. How We Use Data
We use the data we collect for the following purposes:
- Attribution matching: Matching ad clicks to app installs and in-app events to marketing campaigns
- Analytics dashboards: Displaying attribution data, campaign performance, and conversion metrics to clients in the dashboard
- Integration postbacks: Sending attribution data to ad networks and revenue platforms when configured by the client
- Billing: Processing payments and managing subscriptions via Whop
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve the Service
- Communication: Sending account-related notifications (billing, service updates, security alerts)
We do not sell data to third parties. We do not use end-user data for advertising or profiling beyond the attribution services requested by our clients.
4. Data Sharing
4.1 Ad Networks (Client-Configured)
When a client configures ad network integrations, attribution data (install confirmations, event postbacks) is sent to the respective ad network. Supported networks include:
- Apple Search Ads
- TikTok Ads
- Meta Ads
- Google Ads
No data is shared with ad networks unless the client explicitly configures the integration.
4.2 Revenue Platforms (Client-Configured)
When configured by the client, we exchange data with revenue platforms such as RevenueCat and Superwall for revenue attribution.
4.3 Infrastructure Providers
We use Amazon Web Services (AWS) for all infrastructure, including servers, databases, and data storage. AWS processes data on our behalf under a data processing agreement.
4.4 Payment Processor
Whop processes all payment information. See Whop's privacy policy.
4.5 Email
We use Resend for transactional email delivery (account notifications, billing alerts).
4.6 Web Analytics
We use PostHog (EU-hosted) for web analytics on the dashboard to understand usage patterns and improve the Service.
4.7 Legal Requirements
We may disclose data when required by law, regulation, legal process, or governmental request.
5. Data Processor Role
App Sprint Attribution operates as a data processor under GDPR:
- Our clients (app developers who integrate the SDK) are the data controllers. They determine the purposes and means of processing end-user data
- App Sprint Attribution processes end-user data solely on behalf of and under the instructions of our clients
- Clients are responsible for obtaining an appropriate legal basis (consent, legitimate interest, etc.) for data collection from their end users
- We process data only as necessary to provide the attribution services requested by the client
For details on our data processing practices and to request a Data Processing Agreement (DPA), contact us at [email protected].
6. Data Retention
- Active accounts: Client Data and attribution data are retained for the duration of the active account
- Account termination: Data is retained for a 90-day grace period after termination, during which clients may request data export. After 90 days, all Client Data is permanently deleted
- Billing records: Retained for 5-10 years as required by French tax and accounting regulations
- Click data: Raw click data used for attribution matching is retained for 30 days
- Aggregated analytics: Anonymized, aggregated data may be retained indefinitely
7. Opt-Out Mechanisms
End users can limit data collection through:
- iOS App Tracking Transparency (ATT): The SDK respects ATT. When an end user denies tracking, the IDFA is not collected
- Android Advertising ID: End users can reset or opt out of their advertising ID in device settings
- SDK Configuration: Clients can configure the SDK to disable specific data collection features
8. Children
App Sprint Attribution does not knowingly collect data from children under the age of 13 (or 16 in the EU).
Our clients are prohibited from integrating the App Sprint Attribution SDK into apps that are directed at children (see our Terms of Service). If we become aware that a client is using our SDK in a child-directed app, we will terminate their access and delete the associated data.
If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].
9. Data Security
We implement appropriate technical and organizational measures to protect data:
- All data in transit is encrypted using HTTPS/TLS
- Data at rest is encrypted using AWS encryption services
- Infrastructure is hosted on AWS with industry-standard security controls
- Access to production systems is restricted to authorized personnel with multi-factor authentication
- API keys are hashed before storage. We never store plaintext API keys
- Regular security reviews of our codebase and infrastructure
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take commercially reasonable steps to protect your data.
10. International Transfers
Data may be processed in the following regions:
- AWS (US): Infrastructure hosting, data storage, and processing
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
11. Your Rights (GDPR)
For Clients (Account Holders)
As a client, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to erasure (Article 17): Request deletion of your personal data
- Right to restriction (Article 18): Request that we limit how we use your data
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format
- Right to object (Article 21): Object to processing based on legitimate interests
- Right to lodge a complaint: File a complaint with the CNIL or your local supervisory authority
To exercise any of these rights, contact us at [email protected] with "GDPR Request" in the subject line.
For End Users
If you are an end user of an app that uses App Sprint Attribution, your data is controlled by the app developer. To exercise your GDPR rights, please contact the app developer directly. As a data processor, we will assist the app developer in fulfilling your request.
Data Protection Authority
For users in France, the supervisory authority is:
CNIL (Commission Nationale de l'Informatique et des Libertés)
- Website: https://www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Effective Date" above
- Notifying clients via email for material changes
Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: [email protected]
Entity: Tap & Swipe
Service: App Sprint Attribution
Location: France
By using App Sprint Attribution, you acknowledge that you have read and understood this Privacy Policy.