AppScreenStudio Logo
AppScreenStudio

Privacy Policy

Last updated: June 1, 2026

1. Introduction

AppScreenStudio ("we", "our", or "us") provides an online app store screenshot, store listing, and creative-asset generation tool that uses third-party Artificial Intelligence (AI) models. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, where it is stored, how long we keep it, and the rights you have under the GDPR, the UK GDPR, the CCPA/CPRA, the Turkish KVKK, and other applicable data protection laws. It applies to the appscreenstudio.com website, our editor, our APIs, and all related services (collectively, the "Service").

2. Data Controller

AppScreenStudio is the data controller for personal data processed through the Service. For all privacy questions, requests to exercise your rights, or to designate a Data Protection contact, write to us at the address in section 17 (Contact). If you live in the European Economic Area, the United Kingdom, or Switzerland and we are required to appoint a representative under Article 27 GDPR, the same contact details apply until a local representative is named.

3. Information We Collect

3.1 Information You Provide

You provide information directly when you:

  • Create an account or sign in (Google OAuth, X/Twitter OAuth, or email + password)
  • Use AI features (translate, screenshot enhance/elevate, background generation, asset generation, mascot generation, store-listing generation, logo generator, screenshot analysis)
  • Purchase credits or a Pro subscription through iyzico
  • Submit a showcase post, an export feedback review, or a bug report
  • Subscribe to our newsletter or contact support

Depending on which features you use, this can include:

  • Account data — name, email, profile image, hashed password (bcrypt), and tokens issued by the identity provider you sign in with (Google, X/Twitter)
  • Billing & buyer data required by our payment processor iyzico — full name, surname, GSM/mobile phone number, billing email, government identity number (for Turkish payments, T.C. Kimlik No), registration address, billing address, city, country, postal code, and currency
  • Content you upload or generate — screenshots, app icons, backgrounds, AI prompts you type, store listing text, mascot reference images, project metadata, and language data
  • Communications — bug reports (title, description, steps to reproduce, expected/actual behavior, severity, contact email), export feedback (rating, comment, optional project info, optional public-review opt-in), and any free-text you send us
  • Newsletter / marketing consent — email address, lead source, and your marketing consent flag
  • Showcase submissions — maker name, maker avatar, app name, short description, story, category, styles, app store / Play Store / website / social URLs, and primary screenshots, which become publicly visible if approved

3.2 Information Collected Automatically

When you use the Service we automatically collect:

  • Device and connection data — browser type, device type, operating system, screen size, language, time zone, and approximate location derived from your IP address
  • Usage data — pages visited, features used, AI prompts you submit and the AI responses returned, tokens consumed, credits deducted, errors, and timestamps
  • IP address — used to operate the Service, to prevent abuse and enforce free-tier quotas, to power referral-link analytics, and for fraud screening at checkout. For abuse-prevention and referral analytics we store only a one-way SHA-256 hash, not the raw IP
  • Cookies, local storage, and similar identifiers — see section 8 (Cookies)
  • Session replays and heatmaps — if you accept analytics cookies, Microsoft Clarity records a pseudonymous reconstruction of your interactions (mouse movement, scrolls, clicks) to help us debug and improve the UI

3.3 AI Inputs and Outputs

When you use any AI feature we collect and process:

  • The image(s) you upload (e.g., the screenshot you want to elevate, the mascot reference, the background source)
  • The text prompt and any custom directives you write
  • The system instruction we attach server-side
  • The model name, temperature, max tokens, and chat history we send to the AI provider
  • The AI response (text and/or generated image), token counts, and credits charged
  • A persistent record of the above in our LLMUsage and GeneratedImage / ElevatedScreenshot / AssetStripe / Image tables

4. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the EEA, the UK, or Switzerland, we rely on the following legal bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)) — to create your account, run AI features you request, deliver credits and subscriptions you purchase, and provide customer support
  • Legal obligation (Art. 6(1)(c)) — to keep tax and accounting records for payments, to respond to lawful authority requests, and to honor your data-subject rights
  • Legitimate interests (Art. 6(1)(f)) — to secure our Service, prevent abuse and fraud, enforce free-tier and Pro usage limits, maintain product analytics in aggregate, and improve the Service. You can object at any time (see section 11)
  • Consent (Art. 6(1)(a)) — to set non-essential cookies (Google Analytics, Google Ads/AdSense), to send marketing emails, and to publish showcase posts you submit. You can withdraw consent at any time without affecting prior processing

5. How We Use Your Information

We use the information we collect to:

  • Operate the Service — provide the editor, store your projects, render exports, and serve your assets
  • Run AI features — forward your prompts and reference images to Google Gemini and (when configured) OpenAI for inference, save the result to AWS S3, and write a usage record to our database
  • Process payments — pass your buyer information to iyzico to initialize a checkout form, verify the callback, allocate credits or activate your Pro subscription, and issue an invoice
  • Enforce quotas and abuse controls — apply daily free-tier export limits (per user and per hashed IP), apply Pro feature limits, and gate paid features until you have completed a successful payment
  • Communicate with you — send transactional emails, security notices, payment confirmations, and (only with your consent) marketing emails
  • Provide product analytics and A/B tests — analyze aggregate usage, route feature flags, and run experiments via PostHog
  • Show ads and measure conversions — operate Google AdSense and Google Ads (and optional rewarded ads via Google Ad Manager). We do not use AdSense for personalized advertising until you give cookie consent
  • Comply with law — keep payment, tax, and audit logs; respond to subpoenas and lawful requests; defend legal claims

6. Where Your Data Is Stored

Your data is stored across the following systems:

  • Application database (PostgreSQL) — your account, projects, credit and payment records, AI usage logs, subscriptions, bug reports, showcase posts, and exports usage counters
  • Browser local storage and IndexedDB — temporary editor state, the cookie-consent flag, an anonymous "temp-user-id" if you use the editor without signing in, and (for some assets) cached image data
  • AWS S3 (eu-central-1, Frankfurt, Germany) — your uploaded screenshots, AI-generated images (elevated screenshots, generated backgrounds, generated assets, mascots), screenshot-review strips, and a globally shared cache of App Store / Google Play listing images we fetch on your behalf
  • Server logs — limited request logs kept by our hosting provider for security and debugging

7. Third-Party Service Providers (Processors)

We share data with the following processors solely to provide the Service. Each is bound to confidentiality and to processing only on our documented instructions. Where they are located outside your country, transfers are made under appropriate safeguards (see section 9).

  • Google LLC — Sign-In with Google: Authenticates your account and returns your name, email, and profile picture. Subject to Google's Privacy Policy.
  • X (Twitter) — Sign-In with X: Authenticates your account via OAuth 2.0. Subject to X's Privacy Policy.
  • Google LLC — Gemini API (Generative AI): Receives the screenshot, reference image, and/or text prompt you submit, plus our system instructions, and returns AI text and/or images for screenshot enhancement, background generation, asset generation, mascot generation, translation, store listing generation, logo generation, and screenshot analysis.
  • OpenAI, L.L.C. — Image API: Used as an alternative AI image provider for screenshot elevate, background, and asset generation when configured. Receives the same kinds of inputs as Gemini above.
  • Amazon Web Services (AWS) — S3: Stores your uploaded and AI-generated images in the eu-central-1 region (Frankfurt, Germany). Object URLs are publicly readable so the editor and exports can load them, but the keys are not enumerable by third parties.
  • iyzico Ödeme Hizmetleri A.Ş.: Our payment processor for credit purchases and Pro subscriptions. Receives your buyer name, surname, email, phone number, billing address, government identity number (when collected for Turkish transactions), the price, the basket, your IP, and our internal conversation ID. Returns a payment result that we store.
  • Vercel Inc.: Hosts and serves the Service. Processes request logs.
  • PostgreSQL database provider: Hosts our application database (account, projects, payments, AI usage, showcase, etc.).
  • Google LLC — Google Analytics 4: Receives pseudonymous usage events (pages, sessions, conversions) to help us measure and improve the Service. Loaded only after you accept cookies. We deploy Google Consent Mode with default state "denied".
  • Google LLC — Google Ads & AdSense: Used to display advertising and measure ad conversions on free pages. Personalized advertising cookies are not set until you accept cookies. Some pages also use Google Ad Manager rewarded ads to unlock free exports.
  • Microsoft Corporation — Clarity: Records pseudonymous session replays, heatmaps, and interaction analytics. We use this to debug UI issues and improve usability. Clarity automatically masks input fields by default.
  • PostHog Inc.: Product analytics, feature flags, and A/B testing. We send an HMAC-hashed IP as the anonymous distinct ID before you sign in, and your account ID after you sign in. Raw IP is not sent.
  • Email / SMTP provider: Delivers transactional emails (account, password reset, payment receipts) and newsletter emails. Receives your email address and the message content.

8. Cookies and Similar Technologies

We use cookies, localStorage, and similar identifiers. We split them into four categories:

  • Strictly necessary: Required for the Service to work. Cannot be disabled.Examples: next-auth.session-token / __Secure-next-auth.session-token (sign-in session), temp-user-id (anonymous editor state), app-locale and locale-selection cookies (language preference), cookie-consent flag in localStorage.
  • Functional: Remember your preferences and improve usability.Examples: Editor settings stored in localStorage / IndexedDB, in-progress project data, share/referral identifiers.
  • Analytics: Help us understand how the Service is used. Loaded only after you accept cookies.Examples: Google Analytics (_ga, _ga_*), PostHog (ph_*), Microsoft Clarity (_clck, _clsk, MUID).
  • Advertising: Used to display Google AdSense / Google Ads and to measure conversions. Personalized advertising is gated by your cookie consent.Examples: Google Ads / DoubleClick / AdSense cookies.

When you first visit, our cookie banner lets you "Accept all" or "Decline". Until you accept, Google Consent Mode keeps analytics_storage and ad_storage set to "denied". You can change your choice at any time by clearing the "cookie-consent" entry from your browser storage or by using your browser's cookie controls.

9. International Data Transfers

Some of our processors (Google, OpenAI, Microsoft, AWS, PostHog, Vercel, iyzico) operate from or transfer data to the United States, the United Kingdom, Türkiye, or other countries outside the European Economic Area. When personal data leaves the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the EU–US Data Privacy Framework where the recipient is certified, or other lawful transfer mechanisms. You can request a copy of the relevant safeguards by contacting us.

10. How Long We Keep Your Data

We retain personal data only as long as needed for the purposes it was collected, then delete or anonymize it. Typical retention periods:

  • Account data — kept for the life of your account; deleted within 30 days after account deletion, except where law requires longer retention
  • Projects, uploaded screenshots, and AI-generated images on S3 — kept for the life of your account or until you delete the project; orphaned images may be cleaned up automatically
  • Payment records and invoices — kept up to 10 years to comply with tax and commercial law (Türkiye and EU member states typically require 5–10 years)
  • AI usage logs (LLMUsage) — kept up to 24 months for billing, abuse-prevention, and quality review, then deleted or aggregated
  • Daily export usage counters (per user and per hashed IP) — kept up to 13 months to enforce rolling quotas
  • Share-visit records (hashed IP + user agent) — kept up to 12 months for referral analytics
  • Showcase posts — public until you ask us to remove them, then unpublished within a reasonable time; archival copies may persist for audit
  • Bug reports and feedback — kept up to 24 months
  • Server and security logs — kept up to 90 days
  • Marketing and newsletter records — kept until you unsubscribe, plus a suppression record so we do not contact you again

11. Your Rights

Subject to your local law, you have the following rights:

  • Right to access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations
  • Right to restrict processing — ask us to limit how we use your data while a request is investigated
  • Right to data portability — receive your data in a machine-readable format and/or have it transmitted to another controller
  • Right to object — object to processing based on legitimate interests, including profiling, and to direct marketing at any time
  • Right to withdraw consent — where processing is based on consent, withdraw it without affecting prior processing
  • Right not to be subject to solely automated decisions that produce legal or similarly significant effects
  • Right to lodge a complaint with a supervisory authority (in the EU/EEA, your local Data Protection Authority; in the UK, the ICO; in Türkiye, KVKK)

To exercise any right, email us at the address in section 17. We respond within 30 days (extendable by 60 days for complex requests, as permitted by GDPR Art. 12). We may need to verify your identity before acting.

12. California Residents (CCPA / CPRA)

If you live in California, you have specific rights in addition to those above:

  • Right to know what personal information we have collected, used, disclosed, or sold/shared about you in the prior 12 months
  • Right to delete personal information we collected from you (subject to legal exceptions)
  • Right to correct inaccurate personal information
  • Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information for money. Our use of Google AdSense and Google Ads may qualify as "sharing" for cross-context behavioral advertising under the CPRA; you can opt out by declining cookies in our banner or by sending us a request
  • Right to limit use of sensitive personal information — we do not use sensitive PI for purposes that require this disclosure
  • Right to non-discrimination for exercising these rights

Categories of personal information we have collected in the past 12 months: identifiers (name, email, IP, account ID), commercial information (purchases, credits), internet/electronic activity (usage, page views, session replays via Clarity), geolocation (approximate, from IP), audio/visual (the images you upload), professional or app-related information (your store listings), and inferences (feature usage, A/B variant).

13. Türkiye Residents (KVKK)

Under Law No. 6698 on the Protection of Personal Data (KVKK), Turkish data subjects have the right to learn whether their personal data is being processed, to request information on the processing, to learn the purpose and whether the data is used for that purpose, to know the recipients of disclosures (including transfers abroad), to request rectification or deletion, to object to outcomes of automated processing, and to claim damages for unlawful processing. To exercise your KVKK rights, contact us using the details in section 17. Identity number (T.C. Kimlik No) collected for iyzico payments is processed solely to fulfill the payment contract and to meet legal obligations (invoicing, anti-fraud).

14. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal information, including TLS in transit, encryption at rest for the database and S3 bucket, bcrypt password hashing, scoped IAM credentials, principle-of-least-privilege access for staff, and audit logging of administrative actions. No method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and notify affected users without undue delay where required by law.

15. Children's Privacy

The Service is not directed to children under 16 (or the equivalent minimum age in your jurisdiction — 13 in the United States under COPPA, 16 in many EU member states under GDPR). We do not knowingly collect personal information from children under that age. If you believe a child has provided us with personal data, contact us at the address in section 17 and we will delete it.

16. Do Not Track

Some browsers transmit "Do Not Track" (DNT) or Global Privacy Control (GPC) signals. We treat a GPC signal as a valid opt-out of "sale or sharing" for CCPA/CPRA purposes. We do not otherwise respond to DNT signals, because there is no consensus standard for how to interpret them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes (for example, adding a new processor, a new AI provider, or a new category of personal data), we will update the "Last updated" date and, where required, notify you by email or by an in-product notice at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

18. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of your rights, contact us:

We respond to verified data-subject requests within 30 days. For urgent security or breach reports, please include "SECURITY" in the subject.

← Back to Home