Privacy Policy

Last updated: 5/19/2026

At AppAudix, LLC ("AppAudix," "we," "us," "our"), we are committed to protecting your privacy and ensuring the security of your data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application security scanning service ("Service").

Our Security Commitment

We implement industry-leading security measures including AES-256 encryption, automatic file deletion after 30 days, secure isolated analysis environments, and strict access controls to ensure your data remains secure and private.

1. Information We Collect

1.1 Mobile Application Files

When you upload your mobile application (APK for Android or IPA for iOS) for security scanning, we temporarily store these files on our secure cloud infrastructure. We do not require access to your source code - only the compiled application binary that you would distribute through app stores.

The compiled application binary you provide is the exact file distributed through app stores, and it is all we need to perform comprehensive security analysis and PCI-DSS compliance assessment. Uploaded application files are:

  • Encrypted using AES-256 encryption during transit (TLS 1.3) and at rest
  • Processed in secure, isolated analysis environments with no persistent storage
  • Application files are only kept in temporary storage (RAM) during scanning, and are then securely deleted once the report is available
  • Never shared with third parties except as required by law

1.2 Account Information

When you create an account, we collect:

  • Email Address: Required for account creation, authentication, and communication
  • Password: Stored using industry-standard hashing algorithms (bcrypt)
  • Account Preferences: Settings and preferences you configure
  • Subscription Information: Your selected pricing plan and subscription status

1.3 Scan Results and Reports

We store scan results and security reports associated with your account, including:

  • Vulnerability findings and security assessments
  • PCI-DSS compliance analysis results
  • Historical scan data and trends
  • Application metadata (name, version, package identifier)

1.4 Payment Information

For paid services, payment processing is handled by Stripe. We do not store complete credit card numbers or sensitive payment information on our servers. We receive only tokenized payment identifiers and billing records.

1.5 Usage Analytics

With your permission, we collect usage analytics such as page paths, referrers, browser and device information, country, IP address, and product events to improve our Service and understand where visitors drop off. We use PostHog for product analytics and first-party pageview logs for traffic monitoring. Marketing pixels are used only if you allow marketing cookies.

2. How We Use Your Information

Primary Service Provision

  • Perform security scanning and vulnerability analysis
  • Generate security reports and compliance assessments
  • Provide access to scan history and results

Account Management

  • Authenticate your access to the Service
  • Process subscription payments and billing
  • Provide customer support

Service Improvement

  • Improve scanning algorithms and detection
  • Enhance service performance and reliability
  • Identify and fix technical issues

Security & Fraud Prevention

  • Detect and prevent unauthorized access
  • Identify fraudulent activity
  • Protect the integrity of our Service

3. How We Protect Your Data

3.1 Encryption

All sensitive data is protected using encryption:

  • TLS 1.3 for data in transit
  • AES-256 for stored files
  • Encrypted database storage
  • Encrypted backups

3.2 Infrastructure Security

Our infrastructure is protected by SOC 2 Type II certified providers, network segmentation, intrusion detection systems, and regular security assessments.

3.3 Data Retention

  • Application Files: Application files are only kept in temporary storage (RAM) during scanning, and are then securely deleted once the report is available.
  • Scan Reports: Retained according to your subscription plan for historical analysis.

4. Artificial Intelligence & Data Isolation

Zero Third-Party AI Data Sharing — Guaranteed

Your application binaries, scan reports, vulnerability findings, penetration test results, and any other customer data are never shared with, sold to, transmitted to, or made accessible to any third-party artificial intelligence company — including but not limited to OpenAI, Anthropic, Google, Meta, Microsoft, Mistral, or any other AI model provider. This is a non-negotiable architectural guarantee, not a policy promise.

4.1 How We Use AI

AppAudix uses artificial intelligence to power certain features of our security analysis platform, including automated vulnerability assessment, compliance mapping, and AI-driven penetration testing. AI enhances the depth and accuracy of our analysis but operates under strict data isolation controls.

4.2 Application Binaries Never Leave Our Infrastructure

Your uploaded application files (APK, AAB, IPA) are processed exclusively on AppAudix-controlled infrastructure. Application binaries are never transmitted to any external AI service, API, or model provider under any circumstances. All static analysis, decompilation, binary inspection, and dynamic testing occur entirely within our own secured servers and physical device lab.

4.3 AI Analysis Operates on Metadata Only

Where AI is used to assist with security analysis, it operates on structured metadata and scan findings — not raw application code or binaries. This includes:

  • Categorized vulnerability findings (type, severity, location references)
  • Configuration analysis results (e.g., "TLS pinning not detected")
  • Compliance mapping data (framework requirement pass/fail status)
  • Structured observations from dynamic testing (e.g., "application detects root on Device A but not Device B")

At no point does raw application source code, decompiled code, proprietary business logic, encryption keys, API credentials, or customer intellectual property get transmitted to any AI model or service.

4.4 No AI Training on Customer Data

No customer data of any kind is used to train, fine-tune, or improve any artificial intelligence model — whether operated by AppAudix or any third party. Specifically:

  • No training on application binaries
  • No training on scan reports
  • No training on vulnerability findings
  • No training on penetration test results
  • No training on account or usage data
  • No training on any customer metadata

Any external AI API usage is governed by enterprise-grade agreements that contractually prohibit the AI provider from retaining, logging, or using input/output data for model training or any other purpose beyond processing the immediate request.

4.5 Ephemeral Processing & Zero Retention

Where AI API calls are made as part of the analysis pipeline, they are processed ephemerally:

  • Zero retention: AI providers are contractually prohibited from storing any request or response data beyond the duration of the API call
  • Zero logging: No customer data from API calls is written to AI provider logs, telemetry, or monitoring systems
  • No human review: Customer data processed via AI APIs is not subject to human review, quality assurance sampling, or trust and safety review by the AI provider
  • Stateless processing: Each AI interaction is independent and stateless — no customer context, history, or data persists between requests at the AI provider

4.6 Public AI & Chatbot Exclusion

To be unambiguous: customer data is never processed by, sent to, or made available through any public-facing AI product. This includes but is not limited to ChatGPT, Claude, Gemini, Copilot, LLaMA, or any consumer AI chatbot, assistant, or search tool. Our AI usage is strictly limited to isolated, private API endpoints operating under enterprise data protection agreements with zero-retention guarantees.

4.7 Ongoing Commitment

We continuously review and audit our AI data handling practices. If we introduce new AI capabilities in the future, they will be subject to the same strict data isolation, zero-retention, and zero-training guarantees described above. We will update this policy to reflect any changes, and existing customers will be notified of material updates.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@appaudix.com.
