Privacy Policy

Effective date: April 20, 2026

This Privacy Policy explains how Appilio (“we,” “our,” or “us”) collects, uses, and protects personal information when you use our Service. It applies to you if you are a customer of Appilio (“Customer”) or an end user visiting an app published on our platform (“End User”).

1. Information We Collect

From Customers

• Account data: name, email, organization, authentication identifiers
• Billing data: handled by Paddle; we store only Paddle customer identifiers
• Content you create: app JSON, HTML, copy, configuration
• Usage data: logins, feature interactions, AI generation history

From End Users

• Anonymous event data: pageviews, clicks, scroll depth, hesitation timing
• Session identifiers: opaque random IDs (no cross-site tracking)
• Answers to questions / form submissions made in a Customer's app
• Device metadata: coarse region, user agent, referrer

2. How We Use It

• Provide and operate the Service (authentication, serving apps, billing)
• Meter usage and bill Customers for consumed resources
• Detect abuse, fraud, and security incidents
• Improve AI models and the Service using aggregated, anonymized performance data only
• Communicate service notices, billing receipts, and product updates

3. Legal Bases (GDPR)

Where GDPR applies we process personal data under the following legal bases: (a) performance of a contract (to provide the Service), (b) legitimate interests (to secure our platform and prevent abuse), (c) legal obligation (tax and accounting records), and (d) consent (where explicitly requested, e.g., for non-essential marketing emails).

4. Subprocessors

We use the following third-party services:

• Cloudflare — hosting, DNS, storage, analytics infrastructure
• Paddle — payment processing and Merchant of Record (tax, invoicing)
• Anthropic — AI (Claude) for app generation; inputs are not used to train Anthropic's general models per their enterprise terms
• Resend — transactional email delivery

5. Data Retention

Customer account data is retained while your account is active and for up to 30 days after account deletion (longer only where required by law, e.g., tax records up to 7 years). End User event data is retained for 90 days in hot storage and may be anonymized and archived for longer periods for analytics.

6. International Transfers

Data may be processed in regions where our subprocessors operate, including the EU, United Kingdom, and United States. Transfers outside the EEA are protected by Standard Contractual Clauses and Cloudflare's data processing commitments.

7. Your Rights

If you are in the EU, UK, California, or certain other jurisdictions you have the right to access, correct, delete, port, or restrict processing of your personal data. You can exercise these rights by emailing support@appilio.ai. We respond within 30 days.

8. Cookies

We use only essential first-party cookies for authentication and security. We do not use advertising or cross-site tracking cookies. Customers' published apps may set cookies as configured by the Customer.

9. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes

We may update this Policy. Material changes will be announced via email and/or dashboard notice. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

11. Contact

Data protection questions: support@appilio.ai.