Skip to content

Legal Β· Privacy

Privacy Policy

EffectiveMay 4, 2026 Read the Terms of Service Questions?

This Privacy Policy describes how Aethos Solutions ("we", "us", "our") collects, uses, and shares information when you use RevTrakkr (the "Service") β€” includingrevtrakkr.com, app.revtrakkr.com, and the RevTrakkr iOS app.

The short version

  • We see your revenueeventsβ€” purchases, renewals, refunds, etc. β€” not card numbers, CVCs, or banking details.
  • Provider credentials (Apple p8 keys, Stripe API keys) live in Google Cloud Secret Manager, separate from the application database, and are decrypted only at use.
  • We don't sell your data, run advertising profiles on it, or use it to train AI models.
  • You can export or delete your account from inside the app at any time.

1. Who this applies to

This Privacy Policy applies to people who visit our marketing site, sign up for an account, use the iOS app or the web dashboard, or contact us for support. Where we act as acontrollerunder GDPR, we decide why and how your personal data is processed. Where we act as aprocessorfor revenue events that originate with your end customers, you are the controller and we process those events on your behalf to deliver the Service.

2. What we collect

2.1 Account information

  • Email address (required for sign-in).
  • Display name (taken from your sign-in provider or set in the app).
  • Authentication identifier fromApple Sign In, Google Sign In, or a one-time email magic link / 6-digit code. We do not store passwords β€” Firebase Authentication handles credential verification.
  • Optional profile fields: phone number, timezone, home currency.

2.2 Provider credentials

To fetch your revenue events you supply API credentials for the providers you connect:

  • Apple App Store Connectβ€” issuer ID, key ID, and the .p8 private key file you generate in App Store Connect.
  • Stripeβ€” a restricted API key with read access plus the Webhook Endpoint scope.

These credentials are stored in Google Cloud Secret Manager with envelope encryption, indexed by short references in our database. We use them solely to fetch revenue events and (for Stripe) to register the webhook endpoint that delivers events to us.

2.3 Revenue event metadata

What Apple and Stripe send us via their APIs and webhooks. This includes:

  • Event type (purchase, trial start, trial converted, renewal, cancel, refund, dispute, fraud warning, subscription expired, payment failed, grace period, paused, resumed).
  • Product identifier, currency, amount, and event timestamp.
  • An opaque platform user identifier (Apple'soriginalTransactionIdor Stripe'scustomer_id) plus optionally an email and country code if your provider attaches them.

We donotreceive card numbers, CVCs, banking details, or your customers' full personal records. Those remain with Apple and Stripe.

2.4 Device and session data

To support session revocation and basic security, we record per-device sessions when you sign in:

  • A randomly generated session identifier stored on your device.
  • Platform (iOS, Android, web), device label (e.g. "iPhone 16 Pro Β· iOS 26"), user agent string, and the app version.
  • Sign-in method used (Apple, Google, email).
  • Country derived from your IP at sign-in, plus aSHA-256 hashof the IP itself (not the raw IP) so we can detect abuse without keeping IP addresses.
  • Timestamps for last seen, signed-in at, and signed-out at.

2.5 Push notification tokens

If you enable push notifications, we store the Expo push token your device generates. This token is rotated by the operating system and cannot be used to identify you outside the Service. We remove tokens automatically when Apple's push service tells us a device has uninstalled or signed out.

2.6 Data stored on your device

The mobile app stores small amounts of data locally to make the experience snappier and to support the iOS widget:

  • App preferences (theme, onboarding progress, your MRR goal, the email you most recently entered for a magic link).
  • An "App Group" UserDefaults entry containing the most recent today-revenue, MRR, and home currency values, so the iOS home-screen widget and Live Activity can display your numbers without launching the app. This data never leaves your device.

2.7 Diagnostic logs

Our backend records short-lived logs for debugging, including request paths, error messages, and provider response codes. These logs may incidentally include user IDs but never include credentials, token payloads, or card details.

3. What we don't collect

  • Card numbers, expiration dates, CVCs, or banking details.
  • Your end customers' full personal records β€” only the metadata Apple and Stripe send for each event.
  • Browsing or app-usage data from outside RevTrakkr.
  • Behavioural advertising profiles β€” we don't run ads or build ad audiences from your data.
  • Biometric data, precise location, or contacts.

4. Cookies and analytics

4.1 Cookies

We use Google Analytics 4 onrevtrakkr.comandapp.revtrakkr.comto understand which pages and features get used. The mobile app reports the same events through Firebase Analytics. This is product analytics only β€” we do not run advertising profiles, do not sell analytics data, and do not allow Google to use it for cross-site advertising. IP addresses are anonymised at collection.

For visitors in the EU, UK, EEA, and Switzerland, analytics cookies aredenied by defaultuntil you explicitly allow them via the cookie banner. You can change your choice at any time by clearinglocalStorage.rt-consentin your browser, or by emailingprivacy@revtrakkr.com.

Cookies set by Google Analytics:_ga, _ga_*(13-month retention). We do not set tracking cookies for advertising purposes.

4.2 Server-side analytics

For lifecycle events (account created, trial started, subscription converted, payment failed, account deleted, weekly recap delivered) we send an event from our Cloud Functions to the Google Analytics 4 Measurement Protocol. The event includes an anonymous client identifier and the event payload β€” no personal data, no email, no provider keys. This lets us attribute paid conversions to the original marketing source even when a magic-link sign-in happens on a different device.

5. How we use your data

We use the data above to:

  • Provide the Service β€” fetch your events, render your dashboard, deliver the alerts you opted into.
  • Authenticate you and protect your account against unauthorised access.
  • Send transactional email (magic links, trial reminders, payment failures, weekly recaps you opted into).
  • Improve reliability and detect abuse.
  • Respond to support requests.
  • Comply with legal obligations.

We do not sell your data, rent it, share it with data brokers, or use it to train AI models.

6. Legal basis for processing (GDPR)

For EU/UK/EEA/Swiss residents, we rely on the following legal bases:

  • Performance of a contractβ€” to deliver the Service you signed up for, including fetching revenue events and sending alerts you've enabled.
  • Legitimate interestsβ€” to detect abuse, secure the platform, and run product analytics on the marketing site (subject to your consent in the EU/UK).
  • Consentβ€” for analytics cookies in the EU/UK and for the optional weekly recap email. You can withdraw consent at any time.
  • Legal obligationβ€” when we must comply with applicable law.

7. Sharing and subprocessors

We share data only with the subprocessors listed below, all of whom act on our written instructions and are bound by contractual confidentiality and security obligations.

  • Google Cloud / Firebase(USA) β€” application hosting, Firestore database, Cloud Functions, Authentication, Cloud Messaging, Secret Manager, and Google Analytics 4.
  • Apple Inc.(USA) β€” Apple Push Notification service for delivering alerts to iOS devices, App Store Server Library for receipt validation, and the App Store for in-app purchase processing.
  • Stripe, Inc.(USA) β€” to process your subscription to RevTrakkritselfwhen paying via the web. This is separate from the Stripe accounts you connect for revenue monitoring.
  • Resend(USA) β€” transactional email delivery (magic links, alerts, weekly recaps, retention nudges).
  • Expo(USA) β€” push-notification dispatch infrastructure that fans out to Apple Push Notification service.
  • Google Cloud Logging(USA) β€” short-lived diagnostic logs.

We may also disclose information when legally compelled (subpoena, court order, or other valid legal process), to protect rights and safety, or as part of a merger or acquisition. If RevTrakkr is acquired we'll notify users by email before any change in data handling takes effect.

8. International data transfers

All Service data is stored in Google Cloud's US data centres. If you are located in the EU, UK, EEA, or Switzerland, your data is transferred to the United States. Transfers rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-U.S. Data Privacy Framework where our subprocessors are self-certified. Copies of the relevant clauses are available on request.

9. Retention

  • Account recordβ€” kept while your account is active.
  • Provider credentialsβ€” kept while the source is connected; deleted when you unlink the source or delete your account.
  • Revenue eventsβ€” kept while your account is active so historical metrics remain accurate. You can request earlier deletion in writing.
  • Device sessionsβ€” kept until you sign out or revoke them.
  • Analytics eventsβ€” Google Analytics retains them for 14 months.
  • Encrypted backupsβ€” Firestore daily backups roll off within 30 days.
  • Diagnostic logsβ€” 30 days.

On account deletion we delete account record, provider credentials, revenue events, transactions, subscribers, subscriptions, sessions, push tokens, and notification settings immediately. Encrypted backups roll off within 30 days.

10. Security

  • All traffic is served over TLS.
  • Provider credentials are stored in Google Cloud Secret Manager with envelope encryption, separate from the application database, decrypted only at the moment of use.
  • Authentication is handled by Firebase Authentication; we never see your password.
  • Production access is limited to named engineers with two-factor authentication on Google Cloud.
  • We log security-sensitive operations (key rotations, account deletions, session revocations) and review them on a rolling basis.

No system is bulletproof. If we ever experience a personal-data breach that affects you, we'll notify you and applicable regulators within the timeframes required by law.

11. Your rights

You can exercise the rights below at any time. Most are available self-service fromSettings β†’ Accountinside the app. Anything we can't service in-app can be requested by emailingprivacy@revtrakkr.comand we'll respond within 30 days.

  • Accessβ€” see what we hold about you.
  • Exportβ€” receive a copy of your account and revenue event data in a machine-readable format.
  • Correctionβ€” fix anything inaccurate (most fields are editable in-app).
  • Deletionβ€” delete your account and the associated data. Deletion is immediate and irrevocable; encrypted backups roll off within 30 days.
  • Restriction or objectionβ€” limit how we use your data.
  • Withdraw consentβ€” for any processing based on consent.
  • Lodge a complaintβ€” with your local data-protection authority (in the EU/UK), without contacting us first if you prefer.

App Store subscriptionsmust be cancelled separately inSettings β†’ Apple ID β†’ Subscriptions. We can't cancel or refund Apple-billed subscriptions on your behalf. Web subscriptions paid via Stripe are cancelled before deletion runs.

12. California residents (CCPA / CPRA)

If you live in California, you have the right to know what personal information we collect (see Section 2), to access and delete it (Section 11), and to opt out of "sales" or "sharing" of personal information.We do not sell or share personal information for cross-context behavioural advertising.You also have the right not to be discriminated against for exercising your rights β€” we won't change your pricing or service quality if you do.

13. Children

RevTrakkr is intended for adult developers and businesses. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we'll delete it.

14. Changes to this policy

If we change this policy materially, we'll notify you by email and update the effective date above. We keep an archive of past versions available on request. Continuing to use the Service after a change means you accept the updated policy.

15. Contact

Privacy questions, data requests, and complaints:privacy@revtrakkr.com. General support:support@revtrakkr.com. Postal address available on request.

Aethos Solutions is the controller for the personal data described in this policy.

Plain English, but if anything's unclear, ask: privacy@revtrakkr.com

Terms of Service