Privacy Policy
Effective: 21 April 2026 · Last updated: 21 April 2026
Unicorns Tracker Sp.o.o. ("Unicorns Tracker", "we", "us") provides the Unicorns Tracker app intelligence platform. This Privacy Policy explains what personal data we collect when you use unicornstracker.com (the "Service"), why we collect it, and the rights you have over it.
1. Who we are
The data controller is Unicorns Tracker Sp.o.o., based in Warsaw, Poland. You can reach us at contact@unicornstracker.com for any privacy-related request.
2. What data we collect
2.1 Account data
When you create an account we collect:
- First and last name
- Email address
- Company name and job title (for market-segmentation and support)
- Encrypted password (hashed, never stored in plain text) or Google OAuth identifier if you sign in with Google
2.2 Subscription and billing data
If you subscribe to a paid plan, payment is processed by Stripe. Stripe collects and stores your card details directly on their PCI-DSS-compliant infrastructure — we never see or store full card numbers. We retain the subscription status, plan, billing email, and Stripe customer ID returned to us.
2.3 Usage and technical data
We collect limited technical information automatically to operate and secure the Service: IP address, browser user-agent, pages visited, timestamps, and referrer. This is stored in aggregated server logs for a rolling 30-day window.
2.4 Public App Store data
Unicorns Tracker displays rankings and metadata from Apple's public App Store RSS feeds and public iTunes Search API. This data is not your personal data: it relates to third-party apps and publishers. Unicorns Tracker is not affiliated with Apple Inc.
3. Why we use your data (legal bases under GDPR)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Create and maintain your account, sign you in | Performance of a contract |
| Process subscription payments and invoices | Performance of a contract / legal obligation |
| Send service announcements (billing, security, outages) | Legitimate interest |
| Detect abuse, prevent fraud, and secure the Service | Legitimate interest |
| Comply with tax and accounting laws | Legal obligation |
| Product analytics (aggregate usage, see Cookies Policy) | Legitimate interest / consent where required |
4. Who we share data with (subprocessors)
We use a small number of trusted vendors to run the Service. Each is bound by a data processing agreement and processes data only on our instructions.
| Vendor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU (AWS eu-west-1, Ireland) |
| Vercel | Web hosting | EU |
| Stripe | Payment processing | EU / US (SCCs in place) |
| Google (Sign-In) | OAuth authentication when you choose "Sign in with Google" | Global |
| OpenAI | AI-assisted insight generation. Only public App Store data is sent — no personal user data. | US (SCCs in place) |
| Google Analytics | Aggregate product analytics | EU / US (SCCs in place) |
We do not sell your personal data, and we do not share it with advertisers.
5. International transfers
Primary storage is in the European Union (AWS eu-west-1, Ireland). Where a vendor processes data outside the EU/EEA (for example Stripe or OpenAI in the United States), transfers are covered by the European Commission's Standard Contractual Clauses (SCCs) and supplementary safeguards as required by GDPR.
6. How long we keep your data
- Account data — for the life of your account. Deleted within 30 days after you close it.
- Billing records — retained for 5 years after issuance to comply with Polish tax law.
- Server logs — 30 days, then deleted.
- Backups — rolling 30-day encrypted backups; deleted data is overwritten within this window.
7. Your rights
7.1 Under GDPR (EU/UK users)
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure ("right to be forgotten")
- Request restriction of processing
- Request a machine-readable copy of your data (portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your national Data Protection Authority. For Poland this is UODO (uodo.gov.pl).
7.2 Under CCPA/CPRA (California users)
California residents additionally have the right to:
- Know what categories of personal information we collect and the purposes of collection
- Request deletion of personal information
- Request correction of inaccurate personal information
- Opt out of "sale" or "sharing" — we do not sell or share personal information as those terms are defined under the CPRA
- Non-discrimination for exercising any of the above rights
7.3 How to exercise your rights
Email contact@unicornstracker.com. We will respond within 30 days.
8. Security
We use TLS 1.2+ for all traffic, store passwords using bcrypt, enforce row-level security in our database, and restrict internal access on a least-privilege basis. No system is perfectly secure — if we discover a breach affecting your data, we will notify you and the relevant authority within 72 hours as required by GDPR.
9. Children
Unicorns Tracker is a B2B product and not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced by email to account holders at least 14 days before they take effect. The current version is always available at /privacy.