Privacy Policy
Last updated: April 4, 2026
1. Introduction and Scope
This Privacy Policy describes how Loheden AI Solutions AB, a company registered in Sweden ("Company", "we", "us", or "our"), collects, uses, processes, and protects information in connection with the RespectASO desktop application, this website (respectaso.com), and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, you must not use the Service.
We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated through the Service or via email. Your continued use of the Service after such modifications constitutes acceptance of the updated policy.
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Privacy regulations vary by jurisdiction and change over time. We recommend consulting with your legal team to determine the specific requirements that apply to your situation.
2. Data Controller Information
The data controller responsible for your personal data is Loheden AI Solutions AB. Our contact information is provided at the end of this document.
All data processing activities described in this Privacy Policy for the website and purchase system are conducted within the European Union. Our website infrastructure, including servers and databases, is located exclusively within EU member states.
3. Categories of Data We Collect
3.1 Desktop Application — No Data Collected by Us
RespectASO is a native macOS desktop application that runs entirely on your computer. We designed it with privacy as a core principle. The desktop application does not transmit any data to us. Specifically:
- • No telemetry — the app sends zero usage data, crash reports, or analytics to us or any third party
- • No accounts — no registration, login, or account creation is required
- • Local storage — all keyword data, app rankings, search history, settings, and database files are stored exclusively on your device in
~/Library/Application Support/RespectASO/ - • API keys — Pro users' LLM API keys are stored locally on your device with restrictive file permissions (600). They are never transmitted to us.
- • License key — if you purchase a Pro license, the license key (a JWT containing your email and expiry date) is stored locally on your device
3.2 Network Requests Made by the Desktop Application
Although we do not collect data from the desktop application, the app makes network requests to third-party services that are not operated by us:
- • Apple iTunes Search API — to retrieve App Store keyword data and app rankings. These requests are governed by Apple's privacy policy.
- • LLM providers (Pro only) — if you use Pro AI features, the app sends prompts to your configured LLM provider (OpenAI, Anthropic, Google, or OpenRouter) using your own API key. If you use OpenRouter, your request is routed onward to the host of the model you select. These requests are governed by the respective provider's privacy policy and terms.
- • GitHub API — the app checks for new release versions via GitHub's public API. This request does not transmit any personal information or device identifiers.
- • License verification — at startup, the app may contact respectaso.com to verify license status (e.g., to detect refunds). Only a license identifier is transmitted; no personal usage data is sent. If the server is unreachable, the app falls back to local verification.
3.3 Purchase Data
When you purchase a Pro license through respectaso.com, we collect and store the following:
- • Email address — used to deliver your license key, send renewal reminders, and for license management
- • Stripe customer and payment identifiers — reference IDs used to link your purchase to your Stripe payment profile
- • License key and status — the issued JWT license key, purchase date, expiry date, and current status
We do not store credit card numbers, bank account details, or other sensitive payment information. All payment data is processed and stored by Stripe in accordance with their privacy policy and PCI-DSS compliance requirements.
3.4 Website Analytics
We use Simple Analytics to understand how visitors use this website. This service does not install any cookies on your browser, does not track visitors across websites, and does not collect personally identifiable information. Simple Analytics is fully compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner.
3.5 Security and Operational Logging
Our web servers maintain standard access and error logs that may include IP addresses for the following purposes:
- • Detecting and preventing unauthorized access attempts
- • Identifying and blocking malicious actors and automated attacks
- • Rate limiting and abuse prevention
- • Investigating security incidents
- • Maintaining service integrity and availability
Security logs are retained on a rotating basis and automatically deleted within 30 days. This logging is based on our legitimate interest in protecting the Service and our users from security threats.
4. Data We Do Not Collect
The following categories of data are never collected, processed, or stored by us:
- • Your keyword research data, search history, or ASO strategies
- • Your LLM API keys or prompts sent to AI providers
- • Usage patterns, feature telemetry, or crash reports from the desktop application
- • Device identifiers, advertising identifiers, or hardware serial numbers
- • Precise geolocation data or GPS coordinates
- • Health, biometric, financial, or other sensitive personal data categories
- • Third-party tracking data or advertising identifiers
5. Purposes of Processing
We process the data described above for the following purposes:
- • License management — issuing, delivering, verifying, and renewing Pro license keys
- • Service communications — sending transactional emails including license key delivery, renewal reminders, and critical service notifications
- • Payment processing — processing purchases and managing billing records through Stripe
- • Website improvement — analyzing aggregate, anonymous website traffic patterns via Simple Analytics to improve the website
- • Security — detecting and preventing fraud, abuse, and unauthorized access
- • Legal compliance — fulfilling our legal obligations and responding to lawful requests from authorities
6. Email Communications
We send emails to customers in the following categories:
Transactional Emails (Always Sent)
These emails are essential for license delivery and are sent regardless of preferences:
- • License key delivery upon purchase
- • Renewal reminders (30 days before license expiry)
- • Payment confirmations and billing issues
- • Security alerts and critical service notifications
- • Legal notices and Terms of Service updates
We do not send marketing emails. Emails are delivered via Resend.
7. Legal Basis for Processing
We process personal data based on the following legal grounds, which are recognized by privacy regulations in many jurisdictions:
- • Performance of a contract — processing necessary to deliver the Pro license you have purchased and to fulfill our contractual obligations to you
- • Legitimate interests — processing necessary for our legitimate business interests, including security, fraud prevention, and service improvement, provided these interests are not overridden by your fundamental rights
- • Legal obligation — processing necessary to comply with applicable laws, regulations, or legal proceedings
- • Consent — where you have provided explicit consent for specific processing activities, which you may withdraw at any time
Where we rely on legitimate interests as a legal basis, we have assessed that our interests do not override your fundamental rights and freedoms, particularly given our privacy-by-design architecture that minimizes data collection and keeps all user workflow data local to the user's device.
8. Data Retention
We retain data for the following periods:
- • Purchase and license data — retained for the duration of your license validity plus the period required by tax, accounting, and legal compliance obligations
- • Email address — retained until you request deletion or until no longer needed for license management, subject to legal retention requirements
- • Payment references — retained as required for tax, accounting, and legal compliance purposes
- • Server logs — automatically deleted within 30 days
Upon receiving a valid deletion request, we delete or anonymize your data within 30 days, unless retention is required for legal compliance, dispute resolution, or enforcement of our agreements.
9. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties. We may share data only in the following circumstances:
- • Service providers — we engage third-party service providers who process data on our behalf to operate the Service. These providers are contractually bound to process data only as instructed by us and to maintain appropriate security measures.
- • Legal requirements — we may disclose data when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- • Business transfers — in the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your data.
- • With your consent — we may share data with third parties when you have given us explicit permission to do so.
10. Third-Party Services
The Service integrates with or relies upon the following third-party services:
- • DigitalOcean, LLC — infrastructure provider operating EU-based data centers. Our website servers and databases are deployed exclusively within DigitalOcean's EU regions.
- • Stripe, Inc. — payment processing and subscription management. Stripe processes payment data in accordance with their privacy policy and PCI-DSS standards. We share only your email address and purchase details with Stripe as necessary to process payments.
- • Resend, Inc. — email delivery service for transactional communications. We share your email address as necessary to deliver emails. Resend processes data in accordance with their privacy policy.
- • Simple Analytics — website analytics for respectaso.com. This service operates without cookies and without collecting personal data. See their privacy policy.
The desktop application connects directly to Apple's iTunes API, GitHub's API, and optionally to LLM providers (OpenAI, Anthropic, Google, OpenRouter). With OpenRouter, the request is routed onward to the host of the model you select. These connections are made from your device directly to those services — data does not pass through our servers.
11. International Data Transfers
Our website infrastructure and database are located exclusively in EU member states.
Some third-party service providers we engage may process data outside the European Economic Area. Where such transfers occur, we use appropriate safeguards recognized under applicable privacy regulations, which may include adequacy decisions by relevant authorities, standard contractual clauses, binding corporate rules, or other legally recognized transfer mechanisms.
12. Data Security
We implement technical and organizational security measures designed to protect your data, including:
- • Encryption of data in transit using TLS/HTTPS
- • License keys signed with Ed25519 cryptographic signatures to prevent tampering
- • Access controls and authentication requirements for system access
- • Rate limiting and abuse prevention mechanisms
- • Restrictive file permissions (600) for local API key storage in the desktop application
- • Regular security reviews and updates
While we implement these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data and you acknowledge this inherent limitation of data transmission and storage.
13. Cookies and Similar Technologies
This website uses the following cookies:
- • Session cookie — essential for maintaining your session during the purchase flow. This cookie expires when you close your browser.
- • CSRF token cookie — essential for security purposes to prevent cross-site request forgery attacks.
We do not use tracking cookies, advertising cookies, analytics cookies that track individual users, or third-party cookies for behavioral targeting.
14. Your Data Protection Rights
Depending on your location and applicable privacy regulations, you may have the following rights regarding your personal data:
- • Right of access — you may request a copy of the personal data we hold about you
- • Right to rectification — you may request correction of inaccurate or incomplete personal data
- • Right to erasure — you may request deletion of your personal data, subject to legal retention requirements
- • Right to restriction of processing — you may request that we limit our processing of your personal data in certain circumstances
- • Right to data portability — you may request to receive your personal data in a structured, commonly used, machine-readable format
- • Right to object — you may object to processing based on legitimate interests
- • Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time
- • Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority in your member state
To exercise these rights, please contact us using the information provided at the end of this document. We will respond to your request within the timeframes required by applicable law.
15. California Privacy Rights
For California residents whose personal information is subject to the California Consumer Privacy Act (CCPA), you have rights to know, delete, and opt-out of sales of your personal information. We do not sell personal information as defined by CCPA. To exercise CCPA rights if applicable, you can contact us by sending an email.
16. Children's Privacy
The Service is not directed to children under the age of sixteen, or under the age of digital consent in your jurisdiction, whichever applies. We do not knowingly collect personal data from children under these age thresholds. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a child without appropriate parental consent where required, we will take steps to delete that information.
17. Do Not Track Signals
Our website does not track individual users and therefore Do Not Track (DNT) signals have no practical effect on our data collection. We use Simple Analytics which is cookieless and does not track visitors across websites. Our privacy-by-design approach means we do not engage in the tracking behaviors that DNT signals are intended to prevent.
18. Automated Decision-Making
The Service does not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
19. Data Protection Officer
Given the nature and scale of our data processing activities, we have not appointed a formal Data Protection Officer. For all data protection inquiries, please contact us using the information provided below.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When changes are made, we will update the "Last updated" date at the top of this page. We recommend that you review this page periodically to stay informed of any updates.
Your continued use of the Service after the updated date constitutes your acceptance of the revised Privacy Policy.
21. Contact Information
For questions about this Privacy Policy, to exercise your data protection rights, or for any other privacy-related inquiries, please contact us: