Privacy Policy

Effective: 2026-05-06 · Version 1.0

This policy applies to the ThemeIt iOS app, the CreateIt creator iOS app, and the themeit.app web property. Operated by Apple Dsign Apps (the "Service"). For privacy questions or to file a Data Subject Access Request (DSAR) email [email protected].

1. Information We Collect

We collect the minimum data required to operate ThemeIt:

Category	Examples	Source
Account identifier	Apple Sign In `sub` token, optional first name/email at signup	You, via Apple
Purchase records	App Store transaction id, product id, environment (sandbox/production), purchase date	Apple StoreKit 2 — verified server-side
Device tokens	APNs device token + bundle id (for theme-release push)	You, via APNs registration
Anonymised analytics	Screen views, button taps, feature flags, locale, OS version, app version. No advertising identifier (IDFA), no precise location.	Firebase Analytics / Crashlytics
Creator content	Themes (icons, wallpapers, widgets, Live Activities) you submit for review and distribution	You, via CreateIt
Creator payout details	Stripe Connect account id, tax-form metadata (W-9 / W-8BEN). Encrypted at rest. We never store your bank or SSN/EIN — Stripe holds those.	You, via Stripe Connect

We do not collect: precise location, browsing history outside the app, contacts, photos beyond what you explicitly upload, IDFA, or any biometric data. We do not use third-party advertising trackers.

2. How We Use Your Information

Authenticate your account (Sign in with Apple).
Process and verify in-app purchases via StoreKit 2.
Deliver theme content to your device.
Send optional push notifications about new releases. You can disable these at any time in iOS Settings → Notifications.
Operate the creator marketplace: review submissions, calculate royalty splits, schedule monthly Stripe Connect payouts, generate IRS / EU tax reporting.
Detect abuse (rate-limit signals, fraud heuristics).
Aggregate, anonymised analytics to improve the product.

We never sell your personal information. We never use your data for behavioural advertising.

3. Lawful Basis (GDPR Article 6)

Processing	Lawful basis
Account creation, login, purchase verification, theme delivery	Contract performance (Art. 6(1)(b))
Tax / royalty / fraud-prevention recordkeeping	Legal obligation (Art. 6(1)(c))
Aggregated analytics, product-improvement telemetry	Legitimate interest (Art. 6(1)(f)) — balanced against your fundamental rights; opt-out available in Settings
Optional push notifications	Consent (Art. 6(1)(a)) — system-level prompt, withdrawable any time
Creator payouts	Contract performance (Art. 6(1)(b))

4. Sharing Your Information

We share your data only with the sub-processors strictly required to operate the Service:

Apple (Sign in with Apple, StoreKit 2, APNs) — governed by Apple's privacy policy.
Stripe (Connect onboarding, payout disbursement, KYC) — Stripe's privacy policy applies to the data they hold.
Firebase / Google (Analytics, Crashlytics, Remote Config). No IDFA. Data Processing Addendum executed; data hosted in EU + US regions.
Amazon Web Services (S3 asset storage, ECS hosting). Encryption in transit (TLS) and at rest (AES-256).

We do not transfer data outside the EU/US except to the sub-processors listed, all of whom are covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

5. Data Retention

Account + creator records: retained while your account is active. Deleted within 30 days of account deletion (subject to legal-obligation tail — see §7).
Purchase records: retained for 7 years to satisfy Apple, EU VAT, and US tax recordkeeping requirements.
Anonymised analytics: aggregated; raw events retained 14 months in Firebase per Google's defaults.
Device tokens: rotated on each launch; stale tokens purged within 90 days.

6. Your Rights

EU / EEA / UK (GDPR + UK GDPR)

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your supervisory authority. Email [email protected] to exercise any of these rights.

California (CCPA / CPRA)

California residents have the right to know what personal information is collected, request deletion, opt out of sale (we do not sell data — confirmed), correct inaccurate information, and limit use of sensitive personal information. We do not discriminate against you for exercising these rights.

India (DPDP Act, 2023 §6)

Indian users have the right to access, correction, erasure, grievance redressal, and to nominate a representative. Our Data Protection Officer (DPO) handles these requests at [email protected]. Consent is solicited via the system-level prompts described in §3 and may be withdrawn at any time.

7. Account Deletion

You can delete your account from within the app (Settings → Account → Delete Account) or by emailing [email protected]. Within 30 days we erase or anonymise your personal data; encrypted backups are purged on the standard 90-day rotation. We retain transaction-level records as required by tax and anti-fraud law.

8. Children

ThemeIt is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

9. Security

We use TLS in transit, AES-256 at rest, JWT-based session tokens with short expiry (72 hours), and rotation of all encryption keys at least annually. We disclose any breach affecting your data within 72 hours of discovery, as required by GDPR Art. 33.

10. Changes

We will post material changes here at least 14 days before they take effect. The change-log below records all revisions.

11. Contact

Privacy / DSAR: [email protected]
DPO (India + EEA): [email protected]
Postal: Apple Dsign Apps · the Netherlands (full address available on request).

Changelog

1.0 — 2026-05-06: Initial publication. GDPR + CCPA/CPRA + DPDP §6 covered.