How we handle your data.

Your Apple App Store Connect API key and Google Play service-account JSON are encrypted at rest with AES-256-GCM before they are written to the database. The raw key material is never stored in plaintext. Key rotation happens in your Apple and Google consoles. Upload the new file in the Appolar credentials page and we replace the ciphertext.

Appolar runs on a dedicated KVM VPS. The PostgreSQL database binds to localhost only: no public port exposure. The server is accessible via SSH key authentication only. Password-based SSH login is disabled.

App binaries are built by Expo's EAS Build on Expo's infrastructure and delivered directly to your App Store Connect and Play Console accounts. Appolar does not host your compiled binaries.

All incoming Shopify webhooks are verified with HMAC-SHA256 against the Shopify shared secret before any processing occurs. EAS Build webhooks are verified with a separate HMAC secret. Unverified requests are rejected immediately, before any database read or write.

Catalog, customers, orders, and payment data stay in Shopify. Appolar never touches or stores transaction data. Push device tokens are scoped per store: your customers' devices only receive pushes from your store. A device token on your store has no relationship to anything on any other merchant's store.

Appolar implements all required Shopify mandatory webhooks: APP_UNINSTALLED, CUSTOMERS_REDACT, CUSTOMERS_DATA_REQUEST, and SHOP_REDACT.

Data deletion: 48 hours after uninstall, Shopify fires shop/redact and all store data (config, credentials, build history, device tokens) is deleted. Customer data deletion requests are processed within 30 days, in compliance with GDPR Article 17.

We do not sell merchant or customer data. We do not run ad networks. We do not share data with third parties beyond Expo (build infrastructure) and the review integrations you explicitly configure.

The marketing site (appolar.com) contains no third-party analytics trackers. What you read in the privacy policy is accurate.