# Privacy Policy Effective 2026-05-05. Plain-language v1; a legal-reviewed version will supersede it. AppAttest is operated by Bault LLC. ## What this covers This policy describes information we collect about developers using appAttest. It does not cover end users of the apps you build with appAttest. ## What we collect - **Account data**: email, OAuth identifier and basic profile if applicable, account/team/role names. - **Billing data**: Stripe customer ID, subscription, plan, meter usage. Card details are stored by Stripe; appAttest never receives card numbers. - **Application configuration**: bundle IDs, app names, environment names, secret names (not values). - **Secret values**: encrypted at rest with envelope encryption (per-tenant data key wrapped by a dedicated master key in managed key infrastructure). Decrypted only when an attested device requests them. - **Attestation/usage data**: per-attestation metadata, hashed device identifiers from App Attest, API call counts, error rates, country derived from server-side IP processing. - **Website telemetry**: UTM parameters from inbound URLs, persisted only in your browser's sessionStorage. No cookies. No analytics or session-replay. ## How we use it - Run the service, deliver secrets to attested devices, meter usage. - Bill you (via Stripe). - Keep the service safe (rate limiting, abuse detection, audit log). - Communicate with you about your account. - Improve the service through aggregate, de-identified analysis. ## Subprocessors Stripe (billing), Resend (transactional email), Apple (App Attest). Plus managed cloud infrastructure for application hosting, encrypted storage, and key management. ## Retention - Account data: deleted within 30 days of account deletion. - Billing data: per tax law, typically seven years. - Secret values: destroyed within 30 days of deletion. - Attestation events: 90 days full fidelity, then anonymized counters. - Audit log: 365 days. ## Your rights Access, correct, delete, export, object, withdraw consent. Most can be done from the dashboard. Otherwise . ## Security Envelope encryption with per-tenant data keys wrapped by a dedicated master key in managed key infrastructure. TLS in transit. Logged admin access. Report vulnerabilities to . ## Changes Material changes communicated via email and dashboard banner ≥14 days in advance. ## Contact . AppAttest is a service of Bault LLC.