← Back

Privacy policy

Last updated: May 31, 2026

Version française → (the French version remains legally binding)

This policy describes how Karei Studio, publisher of the OneStore service, processes your personal data when you use onestore.so and the OneStore application, in accordance with the GDPR.

Data controller: Karei Studio — contact: support@onestore.so.

1. Data we collect

  • Account: email, name, profile photo (via Google/GitHub OAuth), user ID, language preference.
  • Workspace: team name, role, invitations, audit log, subscription and billing (via Stripe).
  • Apps and stores: listing metadata, screenshots, releases, reviews, encrypted Apple/Google credentials, binaries (.ipa, .aab) stored temporarily for store delivery.
  • Support: messages sent through the feedback form or email, optional attachments.
  • Technical: server logs (IP, user-agent, timestamps), error events (Sentry), usage metrics on the public site if you accept the cookie banner; product analytics in the signed-in app (PostHog).

2. Purposes and legal bases

  • Providing the service, authentication, billing — contract performance.
  • Security, fraud prevention, logging — legitimate interest.
  • Customer support — contract / legitimate interest.
  • Product analytics (PostHog) — consent on the public site; legitimate interest / contract performance in the signed-in app.
  • Transactional communications — contract performance.

3. Retention

  • Account and workspace data: for the contract term, then deletion or anonymization within 30 days of closure.
  • Store credentials: until revoked or the workspace is deleted.
  • Uploaded binaries: as long as needed for delivery and troubleshooting (typically a few days).
  • Technical logs: 30–90 days.
  • Billing records: statutory accounting retention (typically 10 years).

4. Recipients and sub-processors

We use the following providers, with contractual safeguards (including EU Standard Contractual Clauses where applicable):

  • Vercel — application hosting (US / EU)
  • Neon — PostgreSQL database (EU / US by region)
  • Cloudflare R2 — file and binary storage
  • Stripe — payments and subscriptions
  • Resend — transactional and support email
  • Upstash — queues and scheduled jobs
  • PostHog — product analytics (public site with consent; signed-in app)
  • Sentry — error monitoring
  • Anthropic — AI text generation (review replies, suggestions)
  • Google / GitHub — OAuth authentication

An up-to-date list is available on request and in our DPA.

5. Transfers outside the EU

Some sub-processors are located in the United States. Transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

6. Your rights

You have the rights of access, rectification, erasure, restriction, portability, and objection. To withdraw analytics consent on the public site, decline via the banner or remove os.analytics_consent from your browser. In the app, contact support@onestore.so. You may lodge a complaint with your supervisory authority (in Estonia, the Andmekaitse Inspektsioon; in France, the CNIL).

7. Cookies

  • Strictly necessary: authentication session cookie, language preference (os_lang). No consent required.
  • Analytics (PostHog): usage measurement, funnels, masked session recordings (sensitive fields excluded). On the public site (landing, legal pages, sign-in), enabled only after you accept the banner. In the signed-in app (/app, onboarding, admin), product analytics run without a separate banner.
  • Vercel Analytics: aggregated web performance metrics, no advertising profiling.

We do not use third-party advertising cookies.

8. Security

TLS encryption in transit, AES-256-GCM encrypted store credentials at rest, role-based access, audit log for sensitive actions. Details: Security page.

9. Changes

We update this policy as the service evolves. The date at the top indicates the latest revision. Material changes will be notified by email or in-app.