Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller responsible for your personal information is iAppLabs ("we", "us", or "our"), the company that operates Ditto ("the Service"). We are committed to protecting your privacy and handling your personal data transparently and in compliance with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD) and the European General Data Protection Regulation (GDPR).
Contact: support@iapplabs.com
2. Information We Collect
We collect the following categories of information:
- Account Data: Name, email address, and password hash when you create an account.
- Feedback Content: Posts, comments, votes, and any other content you submit through feedback boards, changelogs, or the embeddable widget.
- Usage Analytics: Pages visited, features used, session duration, click patterns, and interaction data to improve the Service.
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, timezone, and referring URL.
- Payment Data: Billing information is processed by Stripe; we do not store credit card numbers on our servers. We only retain transaction IDs and plan details.
3. How We Use Your Data
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process your account registration and manage your subscription.
- Display feedback, votes, and comments on public-facing boards and changelogs.
- Send transactional emails (account verification, password reset, billing receipts).
- Analyze usage patterns to improve performance, fix bugs, and develop new features.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations and respond to lawful requests.
We do not use your data for profiling, automated decision-making, or targeted advertising.
4. Information Sharing
We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:
- Service Providers: Third-party vendors who assist in operating the Service (hosting, payment processing, email delivery), bound by data processing agreements.
- Legal Compliance: When required by law, regulation, legal process, or enforceable governmental request.
- Safety: To protect the rights, property, or safety of iAppLabs, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice to affected users.
5. Data Security
We implement industry-standard security measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Password hashing using bcrypt with appropriate salt rounds.
- Role-based access controls limiting employee access to personal data.
- Regular security audits and vulnerability assessments.
- Automated monitoring for suspicious activity and unauthorized access attempts.
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users in the event of a data breach.
6. Cookies & Tracking
We use the following types of cookies:
- Essential Cookies: Required for authentication, session management, and language preferences (e.g., ditto_locale). These cannot be disabled.
- Functional Cookies: Remember your preferences and settings to enhance your experience.
We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. We do not participate in ad networks or share data with advertising platforms.
7. Third-Party Services
The Service integrates with the following third-party services, each with their own privacy policies:
- Stripe — Payment processing. Stripe is PCI DSS Level 1 certified. stripe.com/privacy
- Supabase — Database and authentication infrastructure. Data stored in SOC 2 compliant facilities. supabase.com/privacy
- Vercel — Application hosting and edge network. vercel.com/legal/privacy-policy
8. GDPR & LGPD Rights
Under the GDPR (for EU/EEA residents) and LGPD (for Brazilian residents), you have the following rights regarding your personal data:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: Request your data in a structured, machine-readable format (JSON).
- Right to Restrict Processing: Request that we limit how we process your data.
- Right to Object: Object to processing of your data for specific purposes.
- Right to Withdraw Consent: Withdraw previously given consent at any time.
To exercise any of these rights, contact us at support@iapplabs.com. We will respond to your request within 15 business days (LGPD) or 30 calendar days (GDPR). You also have the right to file a complaint with your local data protection authority.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:
- Personal data (name, email, preferences) is deleted within 30 days.
- Feedback content may be anonymized and retained for aggregate analytics purposes.
- Billing records are retained for up to 5 years as required by tax and accounting regulations.
- Server logs containing IP addresses are automatically purged after 90 days.
During the 30-day deletion window, you may request a full data export in JSON format.
10. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. For users in the European Economic Area, the minimum age is 16 (as required by GDPR). If we become aware that we have collected personal data from a child below the applicable age threshold, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@iapplabs.com.
11. International Data Transfers
Your data may be processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and compliance with LGPD transfer requirements. Our hosting infrastructure is primarily located in the United States (Vercel edge network) with data replicated across regions for performance and reliability.
12. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users via email at least 14 days before changes take effect.
- Display a prominent notice on the Service.
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
13. Contact
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Email: support@iapplabs.com
Company: iAppLabs
Data Protection Officer: support@iapplabs.com
© 2026 iAppLabs. All rights reserved.