StoreShield

Privacy Policy

Last updated: May 18, 2026

This Privacy Policy explains how Jonathan Benay, trading as Hangeul Studio ("we", "us"), collects and processes personal data in connection with the StoreShield macOS application and the website at storeshield.app.

We are the data controller for the personal data described in this policy. You can reach us at [email protected] for any privacy-related request.

Data Protection Contact: [email protected]

1. The short version

  • The desktop App processes your .ipa files entirely on your Mac. We never receive, store or analyse your binaries.
  • We collect only what we need to deliver the Service: checkout and license-delivery data for Direct purchases, StoreKit entitlement status for Mac App Store purchases, and basic technical logs of the Site.
  • We do not sell your personal data, and we do not use it for advertising.

2. Data we process

2.1 Data you provide

  • Email address — when you purchase a Pro license, contact support, or subscribe to product update notifications.
  • Billing information (name, country, VAT number where applicable) — collected directly by Paddle for Direct purchases. For Mac App Store purchases, Apple handles billing and we do not receive your full payment details.
  • Support correspondence — the content of any email you send us, kept for 24 months for follow-up and quality.

2.2 Data collected automatically

  • Site server logs — IP address, user-agent, requested page, timestamp. Kept up to 30 days for security and abuse prevention.
  • Direct license validation pings — when you activate Pro with a Direct license, the App contacts our license server with your license key and a hashed device identifier. We store the count and timestamp of activations to enforce the 3-Mac limit, but we do not log scans, file paths, file names or any data extracted from your .ipa.
  • Mac App Store entitlement checks — the App uses Apple's StoreKit APIs to validate App Store subscriptions. We do not receive your Apple payment details through this process.

2.3 Data we do not collect

  • The contents of any .ipa file you scan.
  • Your scan history, scan results, or the names of apps you analyse.
  • Any analytics, telemetry or usage tracking from the App.
  • Cookies of any kind on the Site (we use no analytics or advertising trackers).

3. Why we process your data and on what legal basis

  • To deliver and operate the Service (Art. 6(1)(b) GDPR — performance of a contract): processing your purchase, issuing and validating your license, providing support.
  • To meet legal obligations (Art. 6(1)(c) GDPR): keeping invoices and accounting records for the period required by French law (typically 10 years).
  • To secure the Service (Art. 6(1)(f) GDPR — legitimate interest): logging, abuse detection, and bug investigation.

4. Who has access to your data

We rely on a small set of carefully chosen sub-processors, all of them GDPR-compliant:

  • Paddle.com Market Limited (Ireland & UK) — payments, invoicing and tax compliance for Direct purchases, acting as merchant of record.
  • Apple Inc. — Mac App Store payments and subscription management, acting under Apple's own terms and privacy policy.
  • Cloudflare, Inc. (USA, with EU edge presence) — hosting of the Site and the license-validation Worker.
  • Resend, Inc. (USA) — transactional email delivery for license delivery and support replies.

These providers act as data processors and only handle your data on our instructions, under written data-processing agreements that include the EU Standard Contractual Clauses for any transfer outside the EEA.

4.1 Optional AI feature (Anthropic or OpenAI)

The App includes an optional "AI Enhanced" mode, disabled by default. When you explicitly enable it and provide your own Anthropic or OpenAI API key, the App sends a minimal payload (issue category, rule identifier, short context string) directly from your Mac to the selected provider. The request uses your API key, is billed to your provider account, and we never see, store, or proxy it.

In this configuration, the selected AI provider is not our sub-processor: it acts as an independent service provider chosen and contracted by you. Their handling of the metadata you choose to send is governed by the provider's own Privacy Policy and usage policies, which you accept when you create that provider account. We do not transmit your .ipa file, source code, screenshots, license file, or any personal data to an AI provider. You can disable AI mode and return to fully offline operation at any time.

5. International transfers

Some of our processors are based outside the European Economic Area (notably in the United States). When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and additional safeguards as required by the GDPR.

6. Retention

  • Customer record (email, license): kept while the subscription is active and for up to 12 months after the last activity, then deleted.
  • Invoices and tax records: 10 years (French commercial code).
  • Server logs: 30 days.
  • Support emails: 24 months.

7. Your rights

Under the GDPR, you have the right to:

  • Request access to your personal data;
  • Request rectification of inaccurate data;
  • Request erasure ("right to be forgotten") subject to our legal-retention obligations;
  • Request restriction of processing or object to processing;
  • Receive your data in a portable format;
  • Withdraw consent at any time, where consent is the legal basis;
  • Lodge a complaint with your national data-protection authority. In France, this is the CNIL — cnil.fr.

To exercise any of these rights, write to [email protected]. We respond within 30 days.

8. Children

The Service is intended for software developers and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.

9. Changes to this policy

We will post any changes to this policy on this page and, for material changes, notify Pro customers by email. The "Last updated" date at the top reflects the current version.