Privacy Policy
This policy explains what personal data Apuls collects, why, how it's stored and shared, and the rights you have over it. We've kept it as direct as legal accuracy allows. If you have questions after reading, email [email protected].
Contents
- Who we are
- Scope
- Key definitions
- What we collect
- Sources
- Purposes & legal bases
- Sharing & sub-processors
- Google API user data
- International transfers
- Retention
- Your rights
- How to exercise rights
- California rights (CCPA / CPRA)
- Cookies & tracking
- Marketing
- Children
- Security
- Breach notification
- Automated decision-making
- Deactivation & deletion
- Changes
- Contact
1. Who we are
Apuls is a service operated by Apuls LLC (referred to as "Apuls," "we," "us," or "our"). For all data-protection inquiries, including requests to exercise the rights described below, contact our privacy team at [email protected]. We respond to verified requests within 30 days, or 45 days for complex requests with a notification of the extension.
2. Scope
This policy applies to all personal data processed by Apuls in connection with our mobile applications (iOS and Android), our website at apuls.app, our backend systems, and any related services we provide (collectively, the "Service"). It does not apply to third-party services you may interact with through Apuls (such as Google, Turo, Telegram, or Pushover) — each of those is governed by its own privacy policy.
3. Key definitions
- Personal data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data (collection, storage, use, deletion, etc.).
- Controller — the entity that determines the purposes and means of processing. For data you provide directly to Apuls, that's us.
- Processor — an entity that processes personal data on a controller's behalf (e.g., our cloud hosting provider).
- Sub-processor — a third party we engage to help deliver the Service.
4. What personal data we collect
We collect only the data necessary to operate the Service. The categories below cover everything we hold about you.
| Category | Examples | Source |
|---|---|---|
| Account | Email address, hashed password (or OAuth identifier if you sign in with Google), display name, account creation date. | You |
| Authentication tokens | Encrypted Google OAuth access & refresh tokens, scoped to gmail.readonly. |
|
| Email-derived data | Reservation IDs, trip dates, vehicle identifiers, guest names, earnings amounts — extracted from Turo notification emails. Original raw email bodies are not retained beyond the parse step. | Gmail (your messages from [email protected]) |
| Imported reservation data | CSV files you upload and the parsed reservation, vehicle, and revenue rows derived from them. | You |
| Notification preferences | Push device tokens (iOS/Android), Telegram chat IDs, Pushover user keys — only if you opt in to those channels. | You |
| Operational metadata | Timestamps of sign-in events, app version, device model, OS version, truncated IP address (last octet redacted), crash diagnostics. | Automatic |
| Support correspondence | Email content and metadata when you contact us at hello@, privacy@, security@, or [email protected]. |
You |
Special categories
We do not collect or process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data, etc.). Please do not submit such data to us.
5. Sources of personal data
We collect personal data from three sources:
- Directly from you — when you create an account, upload a CSV, configure notifications, or contact support.
- From third parties on your behalf — Google (via OAuth), once you've authorized Apuls to read your Turo notification emails.
- Automatically — operational metadata generated by your interaction with the Service (timestamps, device info, etc.).
6. Purposes & legal bases for processing
Each purpose below is paired with the legal basis on which we rely (under GDPR Article 6 for EU users; analogous frameworks apply elsewhere).
| Purpose | Legal basis |
|---|---|
| Provide the core Service (account, dashboard, parsing, sync). | Performance of contract (Art. 6(1)(b)) |
| Authenticate users and prevent unauthorized access. | Performance of contract; legitimate interests in security (Art. 6(1)(f)) |
| Send opt-in notifications (push, Telegram, Pushover). | Consent (Art. 6(1)(a)) — withdrawable any time |
| Detect fraud, abuse, and operational issues. | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (tax, regulatory, court orders). | Legal obligation (Art. 6(1)(c)) |
| Improve the Service via aggregated, anonymized analytics. | Legitimate interests (Art. 6(1)(f)) |
| Respond to and process your data-subject rights requests. | Legal obligation (Art. 6(1)(c)) |
7. Sharing & sub-processors
We do not sell, rent, or trade your personal data. We do not share it with advertisers, data brokers, or marketing networks.
We share personal data only with the sub-processors listed below, each engaged under a written data-processing agreement (DPA) consistent with GDPR Article 28 and equivalent frameworks. The list is current as of the Effective date above; we'll notify users of material changes 14 days before they take effect.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Amazon Web Services (AWS) | Server hosting, database, encrypted backups. | EU (eu-central-1, Frankfurt) |
| Google LLC (Gmail API + OAuth) | Fetching your Turo notification emails. | Global (Google infrastructure) |
| Apple Push Notification service (APNs) | Push delivery to iOS devices. | US |
| Firebase Cloud Messaging (FCM) — when applicable | Push delivery to Android devices. | Global |
| Telegram Messenger Inc. | Telegram bot notifications — only if opted in. | Global |
| Superblock Inc. (Pushover) | Pushover notifications — only if opted in. | US |
We may also disclose personal data to comply with legal obligations (court order, subpoena, lawful government request), to enforce our Terms of Service, or to protect the rights, property, or safety of Apuls, our users, or others. Where legally permitted, we'll notify affected users before complying.
In the event of a corporate transaction (merger, acquisition, sale of assets), personal data may be transferred to the successor entity. We'll notify users by email at least 30 days before any such transfer takes effect, giving you the opportunity to delete your account beforehand.
8. Google API user data — Limited Use disclosure
Apuls' use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained via Google APIs (Gmail messages from [email protected]) is used only to:
- Provide and improve user-facing features that are prominent in the Apuls app's UI.
- Allow humans to read this data only with your explicit consent (e.g., when you contact support and authorize us to inspect a specific email).
We do not:
- Use Google user data for advertising purposes.
- Transfer it to third parties except as necessary to provide or improve user-facing features.
- Sell it.
9. International data transfers
Apuls' primary data storage is in the European Union (AWS Frankfurt). When we transfer personal data outside the EU/EEA — for example, to Google or Apple's globally distributed infrastructure — we rely on one of the following safeguards:
- The EU–U.S. Data Privacy Framework for transfers to Framework-certified U.S. recipients.
- The Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by transfer-impact assessments.
- Your explicit consent for specific transfers, where applicable.
You can request a copy of the safeguards in place by emailing [email protected].
10. Data retention
We retain personal data only as long as necessary for the purposes for which it was collected. Specific retention periods:
| Data category | Retention period |
|---|---|
| Account record & credentials | While the account is active; deleted within 24 hours of an account-deletion request. |
| Reservations, vehicles, tasks, revenue | While the account is active; deleted alongside the account. |
| Google OAuth tokens | While Gmail integration is connected; revoked at Google and deleted on disconnect or account deletion. |
| Encrypted backups | Up to 30 days, then automatically rotated out and overwritten. |
| Operational metadata (logs, timestamps) | 90 days for diagnostic logs; 12 months for security-relevant audit logs. |
| Support correspondence | 3 years from last interaction (for warranty and complaint-handling purposes). |
| Aggregated, fully anonymized analytics | Indefinitely — no longer constitutes personal data. |
| Tax / accounting records (if applicable) | As required by applicable law (typically 7 years). |
11. Your rights
Depending on your jurisdiction, you have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you, in a structured, machine-readable format.
- Rectification — correct inaccurate or incomplete personal data.
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to limited exceptions (legal obligations, dispute defense, etc.).
- Restriction of processing — temporarily limit how we process your data while a dispute is being resolved.
- Data portability — receive your data in a commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Object — to processing based on legitimate interests, including profiling.
- Withdraw consent — for any processing based on consent, without affecting the lawfulness of prior processing.
- Not be subject to automated decision-making that produces legal or similarly significant effects (see Section 19).
- Lodge a complaint with a supervisory authority (for EU users, your local data-protection authority).
12. How to exercise your rights
Email [email protected] with a description of your request. To protect your data, we'll verify your identity before responding — typically by confirming you can receive email at the address registered to your account, or by asking you to take an action only the legitimate account holder could take.
Standard response time is 30 days. Complex requests may extend to 45 days, in which case we'll notify you of the extension within the initial 30 days. There's no charge for reasonable requests; manifestly excessive or repetitive requests may incur a reasonable administrative fee.
If we decline a request, we'll explain why and inform you of your right to lodge a complaint with a supervisory authority.
13. California privacy rights (CCPA / CPRA)
If you're a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information. The rights described in Section 11 cover the substantive equivalents of your CCPA/CPRA rights, including:
- The right to know what personal information we collect, use, disclose, and sell or share.
- The right to delete personal information collected from you.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information. Apuls does not sell or share personal information for cross-context behavioral advertising — there is no opt-out mechanism to enable because there is nothing to opt out of.
- The right to limit the use of sensitive personal information. Apuls does not collect sensitive personal information as defined under the CCPA.
- The right to non-discrimination for exercising your privacy rights.
Categories of personal information we have collected in the past 12 months
Identifiers (email, OAuth IDs); commercial information (reservation/revenue data you import); internet or other electronic activity (sign-in timestamps, device info); inferences only as derived from your own data (e.g., trip-day proration). We have not sold or shared any of these categories.
To exercise your California rights, email [email protected] with the subject "California privacy request." You may designate an authorized agent to make a request on your behalf, subject to verification of the agent's authority.
14. Cookies & tracking technologies
Our marketing website (apuls.app) uses only strictly necessary first-party cookies to remember preferences (e.g., closed banners). It does not use analytics cookies, advertising cookies, or third-party trackers. No consent banner is shown because no consent-requiring tracking takes place.
The Apuls mobile applications do not use cookies. They store essential session and preference data in the device's local storage (NSUserDefaults on iOS, SharedPreferences on Android), which is wiped if you uninstall the app or delete your account.
We honor Global Privacy Control (GPC) signals as a valid opt-out request from California residents.
15. Marketing communications
We do not send marketing emails. The only emails you'll receive from us are:
- Transactional emails (account verification, password reset, security alerts) — required to operate the Service.
- Service announcements (material policy changes, scheduled maintenance, security incidents) — required by law or by our contractual commitments.
- Replies to messages you send us.
16. Children's privacy
Apuls is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [email protected] and we will delete it promptly. We do not use the Service to collect data for behavioral advertising directed at children.
17. Security measures
We protect personal data with administrative, technical, and physical safeguards appropriate to the sensitivity of the data:
- Encryption at rest: AES-256 for all primary database storage, separate keys for OAuth token storage.
- Encryption in transit: TLS 1.3 for all client-server and server-server communication.
- Access controls: Production data is accessible only by named engineers under the principle of least privilege. Every administrative action is logged.
- Network isolation: Database servers are not publicly addressable; access is gated through a hardened bastion.
- Dependency hygiene: Automated security updates and weekly dependency-vulnerability scans on all infrastructure components.
- Backups: Encrypted with separate keys, stored in a different availability zone, automatically tested for restorability.
- Incident response: Documented runbooks for breach detection, containment, eradication, and notification.
- Vendor due diligence: Each sub-processor is reviewed for security posture before engagement and reassessed annually.
Please email [email protected]. We respond within 48 hours, will not pursue legal action against good-faith researchers, and credit responsible disclosure with your consent.
18. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (per GDPR Article 33). Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, including:
- The nature of the breach.
- The categories and approximate number of data subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate its effects.
19. Automated decision-making & profiling
Apuls does not subject you to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. Routine automated processing (parsing emails into structured data, calculating prorated daily revenue, sorting cards into Urgent / Pending / Done buckets) does not make decisions about you in this sense — you remain free to act on or override any of it.
20. Account deactivation & deletion
You can delete your Apuls account at any time:
- In-app: Settings → Account → Delete account.
- Via the web: apuls.app/delete-account.html.
- By email: from the address registered to your account, to [email protected].
Deletion is processed within 24 hours and removes all personal data described in Section 4, except backups (which rotate out within 30 days) and any data we are legally required to retain (e.g., tax records). On deletion, our access to your Gmail account is revoked from our side, and we recommend you also revoke it from your Google account permissions page.
21. Changes to this policy
We may update this policy as the Service evolves or as legal requirements change. We will notify you of material changes at least 14 days before they take effect, via email and an in-app banner. Non-material changes (typo fixes, clarifications that don't alter your rights or our obligations) take effect immediately. The "Last updated" date at the top of this page is always current. Prior versions are available on request.
22. Contact
For privacy questions or to exercise your rights:
- Privacy: [email protected]
- Security: [email protected]
- Legal: [email protected]
- General support: [email protected]
Apuls LLC. Postal address available on request.