Privacy Policy
Last updated: April 14, 2026
Effective date: April 14, 2026
1. Who We Are
ScreenCraft is an app store screenshot designer built and operated by a solo developer. We help mobile developers create professional store listings for iOS and Android apps. This policy explains what data we collect, why we collect it, and how we protect it.
This Privacy Policy applies to the ScreenCraft web application accessible at screencraft.app (or any associated domain) and all related services. It does not apply to third-party websites or services we link to.
2. Data We Collect
2.1 Information You Provide
- Account information — your email address when you sign up. Optionally, a display name and profile picture you set in your profile.
- Project data — the screenshot projects you create and save, including layout configurations, text content, and element positioning.
- Uploaded assets — images you upload (app screenshots, icons, background images, custom device frames) are stored in private storage buckets accessible only to your account.
- Payment information — payments are processed by Xendit. We store only the transaction status, reference ID, and plan tier. We never see or store your card details, bank account, or e-wallet credentials.
2.2 Data Collected Automatically
- Usage logs — we record export events (timestamp, plan tier, export count, file format) to enforce daily limits and detect abuse. No image content is logged.
- Authentication tokens — session cookies and tokens required to keep you logged in securely.
- Device information — browser type, screen resolution, and operating system for rendering optimization.
We do not use advertising cookies, third-party tracking scripts, or analytics services that profile you across websites.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Service operation — saving projects, processing exports, rendering previews, and enforcing plan limits.
- Account management — authentication, password resets, and profile management.
- Communication — transactional emails such as account confirmation, password reset links, and payment receipts. We do not send marketing emails unless you opt in.
- Abuse prevention — export log analysis to detect and prevent rate-limit circumvention, credential stuffing, or other abusive behaviour.
- Service improvement — aggregated, anonymized usage patterns to improve features, performance, and reliability.
4. Legal Basis for Processing
We process your data based on:
- Contract performance — to provide the Service you signed up for.
- Legitimate interest — to ensure security, prevent abuse, and improve the Service.
- Consent — where required, we will ask for your explicit consent (e.g., marketing communications).
5. Data Sharing
We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.
We use the following sub-processors to deliver the service:
- Supabase — database hosting, authentication, file storage, and edge function hosting. Data stored in Supabase is protected by Row-Level Security policies. Supabase operates data centres in multiple regions.
- Xendit — payment processing for paid subscriptions. Subject to their own PCI-DSS-compliant privacy policy and Indonesian financial regulations.
- Vercel — application hosting and serverless function execution. Vercel processes minimal personal data (HTTP request metadata) to serve the application.
We may also disclose data if required by law, regulation, or legal process, or to protect the rights, property, or safety of ScreenCraft, our users, or the public.
6. International Data Transfers
Your data may be processed and stored on servers located outside your country of residence. Supabase and Vercel operate data centres in various regions. By using the Service, you consent to the transfer of your data to these jurisdictions, subject to the protections described in this policy.
7. Data Retention
- Account data — retained for as long as your account is active.
- Project data & uploaded assets — retained until you delete the project or your account.
- Export files — temporary files (PNG, PDF, ZIP) are automatically deleted within 7 days of generation.
- Export logs — anonymized retention for up to 12 months for abuse detection and analytics.
- Payment records — transaction status and reference IDs are retained as required by financial regulations.
If you delete your account, all associated data — projects, uploaded assets, and personal information — will be permanently deleted within 30 days.
8. Your Rights
Depending on your jurisdiction, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data (right to be forgotten).
- Portability — export your project data in a portable format (JSON).
- Objection — object to the processing of your data based on legitimate interest.
- Withdrawal of consent — withdraw consent for marketing communications at any time via your profile settings.
To exercise any of these rights, please contact us via the email on our home page. We will respond to your request within 30 days.
9. Cookies & Local Storage
We use only essential cookies for session management (authentication tokens stored via Supabase Auth). We do not use advertising cookies, third-party tracking scripts, or analytics services that profile you across websites.
We use browser local storage to save your editor preferences (theme, tool sizes, last-used settings) for a better experience. This data stays on your device and is not transmitted to our servers.
10. Security
We implement the following measures to protect your data:
- Encryption in transit — all data is transmitted over HTTPS (TLS) with 256-bit encryption.
- Row-Level Security (RLS) — database access is protected by Supabase RLS policies, ensuring your data is never accessible to other users.
- Secure file storage — uploaded assets are served through time-limited signed URLs.
- Authentication — powered by Supabase Auth with support for email/password and OAuth providers (Google, Apple, GitHub).
- Payment security — all payment processing is handled by Xendit, which is PCI-DSS certified.
While we take security seriously, no system is completely secure. We encourage you to use strong, unique passwords and enable two-factor authentication where available.
11. Children’s Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us immediately.
12. Third-Party Links & Services
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with any personal information.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you via email within 72 hours of becoming aware of the breach, in compliance with applicable data protection laws. The notification will include the nature of the breach, the categories of data affected, and the measures we are taking to address it.
14. Changes to This Policy
We may update this policy as the Service evolves. When we make material changes, we will update the “Last updated” date at the top of this page. For significant changes that affect how we handle your data, we will provide notice via email or an in-app notification. We encourage you to review this page periodically.
15. Contact
If you have any questions about this policy, wish to exercise your data rights, or need to report a security concern, please reach out via the contact details on our home page.