AppPulse — Privacy Policy

Effective date: [TO BE SET ON LAUNCH DAY]
Last updated: May 7, 2026
Version: 1.0

DISCLAIMER: This Privacy Policy is a starting template. Have it reviewed by a privacy attorney before publishing, especially if you serve EU/UK customers (GDPR) or California customers (CCPA/CPRA). Recommended: Termly, Iubenda, or a Fiverr privacy attorney for ~$200.


1. Who We Are

This Privacy Policy describes how Malon Global Tech LLC (a Delaware limited liability company, with operations in Lagos, Nigeria, operating the AppPulse service at apppulse.net) handles your personal data.

For purposes of GDPR and similar laws, Malon Global Tech LLC is the data controller for personal data you provide directly to us (account info, payment details, audit intake data) and a data processor for personal data within audited applications that we incidentally observe during scans.

Until Malon Global Tech LLC is formed, the controller is Olamide Omotere personally.


2. Personal Data We Collect

2.1 You Give Us Directly

  • Account data: name, email, company, optional profile photo
  • Audit intake data: target URL, stack hint, stated concerns, urgency
  • Payment data: handled by Stripe; we receive only confirmation tokens and last 4 digits of card
  • Communication data: email replies, support tickets, call transcripts (if you book a call)
  • Test credentials: throwaway test account credentials (deleted within 30 days)
  • Verification data: meta tag, DNS TXT, or domain email verification proofs

2.2 We Collect Automatically

  • Usage data: pages visited, features used, time on site, click patterns (via PostHog and Plausible)
  • Device data: browser type, OS, screen size, IP address
  • Cookies: see Section 6
  • Email engagement: opens, clicks, bounces (via Resend)

2.3 We Receive From Audits

When you authorize an audit, we incidentally observe:

  • Application source code (via GitHub App, ephemeral; not persisted)
  • Database schema and policy metadata (via read-only role)
  • Application content visible to logged-in test users
  • Third-party SDK identifiers in your code
  • Scanner outputs and findings

We do NOT retain source code or database contents beyond the scan duration. Only findings (text descriptions, severity, file references where relevant) are persisted.

2.4 We Receive From Third Parties

  • Stripe: payment status, customer ID
  • GitHub: repository metadata when you install our App
  • Email providers (your end): bounce/complaint signals on emails we send you

3. Why We Collect It (Lawful Bases under GDPR)

We process your data based on:

Purpose | Lawful basis
Provide the Service (run audits, deliver reports) | Contract performance
Send transactional emails (delivery, billing) | Contract performance
Send marketing emails (newsletter, follow-ups) | Consent (you can opt out anytime)
Process payments | Contract performance + legal obligation
Comply with tax and accounting laws | Legal obligation
Prevent fraud and abuse | Legitimate interest
Improve our product (anonymized analytics) | Legitimate interest
Publish anonymized findings on /findings | Legitimate interest (with opt-out)
Defend against legal claims | Legitimate interest

4. How We Use Your Data

We use personal data to:

  • Run audits on the URLs you authorize
  • Deliver reports, notifications, and account communications
  • Process payments and prevent fraud
  • Provide customer support
  • Improve the Service (debugging, analytics)
  • Send marketing emails (with consent)
  • Publish anonymized findings (without identifying you)
  • Comply with legal obligations

We do NOT:

  • Sell your personal data to anyone, ever
  • Train AI models on your source code or database content
  • Share your audit findings with anyone outside your organization without your consent (unless legally compelled)
  • Use your test credentials for any purpose other than the audit you authorized

5. Who We Share Data With

We share data only as follows:

5.1 Service Providers (Sub-Processors)

We rely on the following service providers, each bound by data protection terms:

Sub-processor | Purpose | Data shared | Location
Supabase | Database, auth, storage | Account data, scan findings | US
Vercel | Frontend hosting | Limited PII (IP, cookies) | Global edge
Fly.io | Scanner workers | Ephemeral scan workloads | US (selectable region)
Anthropic (Claude API) | AI synthesis of findings | Scanner outputs (no source code) | US
OpenAI (fallback only) | Backup AI synthesis | Same as above | US
Stripe | Payment processing | Payment + billing data | US
Resend | Transactional + marketing email | Email, name | US
Cloudflare | DNS, CDN, DDoS protection | IP, basic request data | Global
PostHog | Product analytics | Anonymized usage data | US/EU (selectable)
Plausible | Marketing analytics | Anonymized page views | EU
Sentry | Error tracking | Error context, user ID | US/EU (selectable)
GitHub | Repository access | Read-only via GitHub App | US

A current list is maintained at apppulse.net/legal/sub-processors.

5.2 Legal Requirements

We may disclose data when legally compelled (subpoena, court order, regulatory request) or to protect our rights, your rights, or others' safety. Where permitted by law, we will notify you in advance.

5.3 Business Transfers

In a merger, acquisition, asset sale, or bankruptcy, your data may be transferred to the acquirer subject to the same protections in this Policy.

5.4 With Your Consent

We share publicly only what you opt into (e.g., Verified Wall opt-in, testimonials).


6. Cookies and Tracking

We use the following cookies:

Cookie | Purpose | Duration
Essential auth cookies | Sign-in sessions | 30 days
Stripe session cookies | Payment processing | Session
PostHog ph_* | Product analytics | 1 year
Plausible (no cookies) | Marketing analytics | N/A
Cookie consent | Remember your preference | 1 year

You can manage cookies via the consent banner on first visit and via your browser settings. Essential cookies cannot be disabled while using the Service.

We do not use third-party advertising cookies, retargeting pixels, or fingerprinting beyond fraud-prevention purposes (FingerprintJS Pro for free-scan abuse detection).


7. Data Retention

Data type | Retention
Account data | While account is active + 90 days post-deletion
Free scan reports & findings | 30 days from delivery, then deleted
Paid one-time audit reports & findings | 12 months active + 12 months cold archive, then deleted
Monitoring data | Throughout subscription + 90 days post-cancellation
Test credentials | 30 days post-audit delivery, then deleted
Source code | Ephemeral only (deleted immediately after scan completes)
Database contents | Never persisted
Payment records | 7 years (legal obligation)
Email logs | 12 months
Marketing email engagement | While subscribed + 12 months post-unsubscribe
Anonymized aggregated analytics | Indefinite (no PII)

8. Your Rights

8.1 GDPR Rights (EU/UK Customers)

You have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Object to processing based on legitimate interest
  • Data portability (export in machine-readable format)
  • Withdraw consent at any time
  • Lodge a complaint with your local data protection authority

To exercise these rights: email omotereolamide@malonglobaltech.com or use the data export and deletion tools in your account settings.

We respond to verified requests within 30 days (or sooner where required by law).

8.2 CCPA / CPRA Rights (California Customers)

You have the right to:

  • Know what personal information we collect, use, share, and sell (we don't sell)
  • Delete personal information
  • Correct inaccurate information
  • Opt out of sale (we don't sell anyway)
  • Non-discrimination for exercising your rights

To exercise: email omotereolamide@malonglobaltech.com.

8.3 Universal Rights

Regardless of jurisdiction, all customers may:

  • Download a complete data export from account settings
  • Request deletion via account settings or email
  • Cancel marketing emails via the unsubscribe link in any marketing email
  • Adjust notification preferences in account settings

9. International Data Transfers

We are based in the United States and Nigeria. Customer data may be processed in either jurisdiction or in the regions of our sub-processors.

9.1 EU/UK to US Transfers

Where we transfer EU/UK personal data to the US or other regions without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) with sub-processors
  • Supplementary measures (encryption in transit and at rest, access controls)
  • Data minimization (we collect only what we need)

EU customers can request a copy of our SCCs by emailing us.

9.2 Data Residency

By default, customer data is stored in our US Supabase region. EU customers requiring EU data residency for compliance reasons can request migration to our planned EU region (available post-launch).


10. Security

We implement industry-standard security measures:

  • Encryption in transit: TLS 1.3 for all communications
  • Encryption at rest: AES-256 for database storage
  • Access controls: role-based access, MFA required for all team members
  • Audit logging: all admin actions logged and reviewed
  • Vulnerability management: regular dependency scans, penetration testing post-launch
  • Source code isolation: ephemeral sandboxes, deleted post-scan
  • Backup: encrypted backups, point-in-time recovery
  • Incident response: documented runbook, breach notification within 72 hours per GDPR

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at omotereolamide@malonglobaltech.com.


11. Children

AppPulse is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us and we will delete it.


12. Public Findings Feed and Verified Wall

12.1 Findings Feed

We publish anonymized findings from real audits. Anonymization includes:

  • Stripping URL, customer name, organization
  • Generalizing stack to category (e.g., "Lovable-built SaaS" instead of specific brand)
  • Redacting code excerpts that could identify the source
  • Aggregating numbers (e.g., "78% of similar apps...") rather than specifics

You may opt out by emailing us within 30 days of audit delivery.

12.2 Verified Wall

Verified Wall participation is opt-in only. By installing the Verified badge meta tag, you authorize public display per the Terms of Service Section 9.1.


13. Marketing Communications

If you opt into marketing emails (newsletter, follow-ups), you can:

  • Unsubscribe via the link in any marketing email
  • Adjust preferences in account settings
  • Re-subscribe anytime via apppulse.net/newsletter

Transactional emails (audit delivery, billing receipts, security alerts) cannot be unsubscribed from while you have an active account or subscription, as they are required for service delivery.


14. Changes to This Policy

We may update this Privacy Policy as our practices evolve. Material changes will be:

  • Posted on apppulse.net/legal/privacy
  • Communicated via email at least 30 days before taking effect (for material changes)
  • Logged in the version history at the bottom of the published policy

Your continued use of the Service after the effective date constitutes acceptance.


15. Contact and Complaints

Privacy questions: omotereolamide@malonglobaltech.com
Data Protection Officer (DPO): Olamide Omotere (acting until volume justifies a dedicated DPO)

EU customers may also contact their local Data Protection Authority. UK customers may contact the Information Commissioner's Office (ICO). California customers may contact the California Attorney General.


16. Version History

Version | Date | Changes
1.0 | [Launch date] | Initial publication

End of Privacy Policy.