Privacy Policy
Effective date: May 4, 2026
AppHafen is operated from Germany. This notice explains how personal data is processed when you use the service and is written with the EU General Data Protection Regulation (GDPR/DSGVO) in mind.
Controller
The controller for personal data processed by AppHafen is Sascha A. Carlin.
Hagelberger Straße 10, 10965 Berlin
Privacy contact: privacy@itst.net
Data protection officer contact: Sascha A. Carlin
Personal data we process
AppHafen processes account data such as email address, display name, password hash, saved timezone, account timestamps, and session state needed to sign you in and operate your account.
When you create provider connections, AppHafen stores connection names, provider type, connection status, sync timestamps, error messages, and encrypted provider credentials such as Apple App Store Connect key material, Google Play service account credentials, Chrome OAuth client credentials and refresh tokens, and Mozilla API credentials. Edge Add-ons public tracking stores configured extension IDs and optional fallback labels.
For monitored products, AppHafen stores product identifiers, bundle or extension identifiers, product names, public store URLs, provider backend URLs where available, distribution settings, normalized release states, provider-returned status values, version data, raw provider snapshots, sync jobs, audit events, IP addresses, user agents, and operational logs needed to run and secure the service.
Purposes and legal bases
We process account, session, provider connection, product, sync, and audit data to provide the AppHafen service, authenticate users, import and monitor store products, display dashboard and operations views, queue background checks, troubleshoot failures, and protect the service against misuse.
The legal basis is generally Art. 6(1)(b) GDPR where processing is necessary to provide the service you request. Security, audit, error logging, and service reliability processing may also rely on Art. 6(1)(f) GDPR, the legitimate interest in operating a secure and reliable application. Where a processing activity depends on consent, you may withdraw that consent at any time with effect for the future.
Provider access and recipients
AppHafen sends the provider credentials and product identifiers you configure to the relevant provider APIs, including Apple, Google Play, Google Chrome Web Store, Mozilla Add-ons, and Microsoft Edge Add-ons where enabled. Provider responses are stored so AppHafen can show current and recent product status.
The registration form uses Cloudflare Turnstile to help protect AppHafen against automated signups. Cloudflare may process technical request data such as IP address, browser information, and interaction signals for this verification. More information is available in the Cloudflare Turnstile Privacy Policy.
Personal data may also be processed by the infrastructure, hosting, database, logging, backup, and maintenance providers used by the AppHafen operator. AppHafen does not sell personal data and does not use monitored product data for advertising.
International transfers
Provider APIs and infrastructure providers may process data outside Germany or the European Economic Area. Where that happens, the AppHafen operator should use appropriate safeguards required by GDPR, such as an adequacy decision, Standard Contractual Clauses, or another permitted transfer mechanism.
Security
Provider credentials are encrypted per user with Sodium secretbox. Each user has a data key that is encrypted with the application master key. Passwords are stored as password hashes, and verbose debug output is gated behind the application debug setting.
No method of storage or transmission is completely risk-free. Keep provider credentials scoped to the minimum permissions needed for AppHafen and rotate them if you suspect unauthorised access.
Retention
Account, connection, product, snapshot, version, sync, and audit data is kept while your account or the relevant monitored item exists, unless a longer retention period is required for security, legal, backup, or operational reasons. Deleting products or provider connections removes related app-owned records according to the database relationships. The AppHafen operator should define and follow a concrete backup and log retention schedule for the deployment.
Your rights
Under GDPR, you may have the right to information, access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent where processing is based on consent. You also have the right to lodge a complaint with a data protection supervisory authority, including the authority responsible for your place of residence, workplace, or the place of the alleged infringement.
Automated decisions
AppHafen normalizes provider-returned product and release states to help users triage work. It does not make automated decisions that produce legal effects or similarly significant effects for users.
Changes
This policy should be updated when AppHafen starts processing new categories of personal data, uses new providers or processors, changes retention practices, or changes the identity or contact details of the controller.