ST STATICS

Legal

Privacy Policy

This explains what we store, why we store it, and how to get it back or have it erased. It is written to be read, not to be survived.

Last updated: 14 July 2026

01Who we are

ST STATICS operates ST STATICS, a service for collecting and analysing the reviews your apps receive on Google Play and the Apple App Store.

For privacy questions, write to support@st-statics.com. We answer within 30 days, as the GDPR requires.

02Two very different kinds of data

This is the most important thing on the page, so it comes first. ST STATICS handles two kinds of personal data, and our role differs for each.

Your data, as our customer. You gave it to us directly. We decide what to do with it, so we are the controller.

Your app users' review data. We fetch it from the app stores on your instruction, and we only do with it what you tell us to. Here we are a processor and you are the controller. If a reviewer of your app asks you to erase their review data, that request comes to you, and we act on your instruction — you can delete it yourself at any time by removing the app from your workspace.

03What we store about you

  • Account: email address, name, and a hash of your password (never the password itself). If you sign in with Google or Apple, we store the identifier they give us instead.
  • Sessions: for each active login, the IP address and browser user-agent, so you can see and revoke your own sessions from Settings, and so we can spot someone else using your account.
  • Login attempts: the email tried, the IP and the user-agent — including for attempts that matched no account. We keep these to detect brute-force and account-enumeration attacks. This is our legitimate interest in keeping the service secure.
  • Workspace: your workspace name, team members, invitations, roles, and — if you enable it — an audit log of who did what.
  • Billing: your plan and its renewal date. We never see or store your card. Payments are handled by our merchant of record (see §6).

04Your store credentials

To sync reviews automatically, you can give us a Google Play service-account key or an App Store Connect API key. These are the keys to your developer account, and we treat them that way.

  • They are encrypted before they are written to the database, with AES-256.
  • They are used for one thing: calling the store APIs to read reviews, app metadata and versions, and to post the replies you write.
  • They are never shown back to you in full, never logged, and never shared with anyone.
  • Disconnect the source and the stored credential is deleted with it.

05Review data we fetch on your behalf

When you connect an app, we import its reviews from the store. A review can contain: the star rating, the review text, the reviewer's public display name, the country, the device, the app version, the date, and any reply. This is data your app's users published on a public store listing; we copy it so you can search, tag and answer it in one place.

We do not sell it, we do not share it between workspaces, and we do not use it to train anything.

06Who else touches the data

We use as few third parties as we can, and we host our own analytics specifically so that you are not tracked by someone else's. The full list:

  • Our hosting provider — runs the servers the application and database sit on.
  • Polar — our merchant of record. They handle checkout, card data, invoices and tax. We receive only your plan and its renewal date back.
  • An email provider (Resend, SendGrid or Mailgun, depending on configuration) — delivers verification, invitation, password-reset and notification email.
  • Object storage — holds the export files you generate, if S3-compatible storage is configured.
  • Google Play and the Apple App Store — the source of the review data, contacted with the credentials you supply.

Analytics are self-hosted (Umami) on our own domain, use no cookies, and record no personal identifiers.

07Cookies

One cookie, and it is strictly necessary: the session cookie that keeps you signed in. It is HTTP-only, marked SameSite=Lax, and set to Secure in production. There are no advertising, profiling or third-party tracking cookies, which is why this site does not nag you with a consent banner.

08How long we keep things

  • Review history: on the Free plan, the last 30 days. On paid plans, for as long as your workspace exists.
  • Account data: until you delete your account.
  • Sessions and login attempts: until they expire or you revoke them.

09Your rights, and the buttons that honour them

Under the GDPR you can access, correct, export, restrict, object to and erase your data. Two of those are self-service, right now, without asking us:

  • Export: Settings → Privacy → Export my data gives you a machine-readable copy.
  • Erasure: Settings → Privacy → Delete my account removes your account and its personal data.

For anything else, email support@st-statics.com. If you are in the EU or UK and you think we have got this wrong, you have the right to complain to your national data-protection authority.

10Security, honestly stated

Passwords are hashed, store credentials are encrypted at rest, traffic is served over HTTPS only, and sign-in endpoints are rate-limited. No system is perfectly secure, and we will not claim otherwise. If we ever suffer a breach affecting your personal data, we will notify the relevant authority within 72 hours and tell you directly when the law requires it.

11Changes

If we change this policy in a way that materially affects you, we will email you before it takes effect. The date at the top always reflects the current version.

See also our Terms of Service.