End-Users Privacy Policy

This End-Users Privacy Policy (“Policy”) describes how Adapty Tech Inc., 2093 Philadelphia Pike #9181 Claymont, DE 19703 (“Adapty”, “we”, “us”) collects and otherwise processes the personal data we receive from Customers (as specified bellow) in the course of providing Services (as specified below).

For Adapty, the privacy of personal data we receive from our Customers is a key value. As a high-tech company, Adapty strives to be transparent about how we process the personal data obtained from our Customers. We believe that ensuring transparency in data processing is fundamental to building trustful relationships with our Customers. Adapty is committed to providing an exceptional user experience when providing Services to Customers while ensuring the complete confidentiality of the personal data we receive from them.

Capitalized terms not otherwise defined herein shall have the meaning given to them in Adapty Terms of Service available at https://adapty.io/terms/.

In this Policy, you will find the following information:

1. Whose personal data is processed?

When Customers use Adapty Services, Adapty processes limited personal data related to the following categories of data subjects:

End-Users of our Сustomers (the “End-Users”) – meaning individuals who have interacted with Customer’s mobile application(s).
Our Customers – registration and Service usage information of users of the Service (e.g. Customer’s employees and authorized representatives). Personal data of Customers are processed in accordance with the Privacy Policy available at a link.

2. Who we are and in what capacity we process the personal data of the End-User?

Adapty provides a cloud-based platform that enables Customers to manage, analyze, and optimize in-app subscriptions and monetization for mobile applications (the “Services”). By using Adapty, Customers can track subscriber behavior, conduct A/B testing on subscription offers and pricing, automate revenue management, and gain detailed insights into user retention and revenue performance. Adapty’s Services support multiple platforms including iOS and Android, and is designed to be flexible and scalable to meet the specific monetization strategies and business requirements of its users while preserving the privacy of their End-Users.

While providing the Services, we collect certain personal data about the End-Users of our Customers’ mobile application(s) and products. When processing End-Users personal data, Adapty acts as a data processor or service provider under various global privacy laws and regulations.

The personal data of End-Users is controlled by the Customer. The Customer (either the app developer or their partners) independently manages the processing of End-Users personal data, namely:

determines the purposes of processing the personal data of End-Users,
defines the scope of personal data that Adapty collects,
decides when Adapty may disclose End-Users personal data to third parties, as well as which data may be disclosed, etc.

Adapty does not use the collected personal data of End-Users for its own purposes and acts strictly within the scope of instructions provided by the Customer.

To ensure compliance with applicable data protection laws, Adapty enters into a Data Protection Agreement when processing End-Users personal data on behalf of and in the interests of its Customer. This agreement provides additional information about Adapty’s role and obligations as a data processor.

3. What personal data about End-Users do Adapty collect and process?

Since the Customer is the data controller for the processing of End-User personal data, it is the Customer who determines the scope of personal data related to End-Users that Adapty will collect for the purpose of providing the Services. These parameters are defined by the Customer through the Adapty account via the Service interface and various developer tools made available by Adapty to Customers (e.g., SDKs, APIs).

As a result, the categories of personal data collected about End-Users may vary depending on the specific Customer and the configurations selected or the features of our Services that the Customer decides to use.
The data categories processed by Adapty in the course of providing its Services may include the following, subject to the Customer’s configuration and instructions:

Technical Information

This category includes technical data related to the device used by the End-User to access the Customer’s mobile application(s). Such information may include, for example, IP address, device model, operating system, and language settings.

Identifiers

This category includes various identifiers associated with the End-User’s device or application instance. Such identifiers may include, for example, Apple Identifier for Advertisers (IDFA), Identifier for Vendors (IDFV), Google Advertising ID, and other similar identifiers.

Usage Data

This category refers to information about how End-Users interact with the Customer’s mobile application(s). It includes, but not limited the following data: in-app events; End-Users actions such as clicks on Customer advertisements; views (impressions) of Customer ads; app download and installation timestamps; app launches; in-app purchases (including purchase time and amount); any additional event or interaction data the Customer chooses to track and analyze based on the nature of their mobile application(s).

Contact Information

This category includes personal data that directly identifies or relates to an individual End-User and is necessary for communication or user-specific functionality. Such data may include, for example, email address, first name, last name, and other attributes that the Customer intentionally transmits to Adapty.

Children Privacy.

When processing personal data of children (as described in applicable data protection laws), Customers are also required to comply with additional requirements set by platform policies, regulations, and laws designed to protect children. Some of these laws are specifically focused on children (such as COPPA), while others are broader but include specific protections for children (such as GDPR and similar regional laws).

Additionally, the Customer, as the data controller, must take into account iOS and Android-specific policies and rules that aim to enhance safety and privacy for children.

Adapty strives to simplify the Customer’s use and configuration of the Services by enabling an anonymous mode, which uses only a de-identified online identifier. This allows the collection of information necessary to provide the Services without linking that information to any specific data subject.

4. To whom do we disclose the personal data of End-Users?

Adapty, as a data processor, transfers personal data of End-Users only when required to fulfill the instructions of the Customer, who is the data controller, or when such transfer is necessary in accordance with applicable legal requirements for Adapty.

Adapty Services allow for the configuration of integrations that may involve the transfer of personal data of End-Users to third parties. At the same time, Adapty Services also provide the option to configure the parameters of such data transfers, including the selection of third parties to whom Adapty may transfer the personal data of End-Users. Therefore, the companies to whom Adapty may transfer personal data of End-Users may vary depending on the settings chosen by the Customer. Customers can select partners from a list of available integration options and configure Adapty Services accordingly.

To understand how a particular Customer handles the personal data of End-Users, we strongly recommend to review their personal data processing policies before using Customer’s mobile application(s).

Adapty does not sell personal data of End-Users to third parties. The transfer of End-Users data is only possible in the following cases:

(i) based on written instructions from the Customer

Since the Customer controls the processing of personal data of End-Users, the Customer can configure integrations as described above. In this case, Adapty may transfer personal data of End-Users to partners with whom the Customer has set up the integration.

(ii) to our affiliates or in case of M&A

Adapty may share End-Users personal data with parent company or companies, affiliates or subsidiaries and keep some of End-Users personal data in business records for the accounting and compliance purposes. Among other things, Adapty may disclose End-Users personal data to a third party if it decides to transfer the Services and/or business in general. The transfer of End-Users personal data in this case will allow Adapty to provide the Services uninterrupted. Similarly, Adapty will transfer End-Users’ personal data in the event of a merger, acquisition, reorganization, bankruptcy or other similar event, personal data may be transferred to Adapty’s successor or assignee.

(iii) to sub-processors who help Adapty provide the Services

We always strive to improve our Services to provide Customers with the best user experience. In some cases, to achieve processing goals, we collaborate with partners who assist us in various aspects of our Services, thereby enhancing their quality. In each case, we carefully select partners to collaborate with and ensure that such companies implement adequate legal, organizational, and technical measures to protect personal data from unauthorized access. However, despite Adapty’s careful vetting of partners, it is important to understand that Adapty cannot guarantee absolute compliance with data protection laws in all cases.

For example, Adapty transfers End-Users personal data to hosting providers. Adapty as diligent in safeguarding personal data and only use trusted partners to store personal data. Although hosting providers may have access to the personal data we store, we enter into personal data processing agreements with them that require them to treat it in accordance with relevant privacy laws and regulations.

(iv) to third parties as required by law

Adapty may share End-Users personal data in cases where Adapty is required to do so by law, by court order, or in other situations where Adapty has reasonable grounds to believe that the transfer of personal data is necessary to initiate legal proceedings in the event of a violation of the any applicable laws or agreement. Adapty may also share End-Users personal data if Adapty has reasonable grounds to believe that it is necessary to prevent fraud or other activities that are contrary to applicable law.

5. How do we protect personal data?

As a high-tech company, we understand and recognize the importance and necessity not only of implementing organizational measures to protect personal data but also of deploying the most advanced technical measures to safeguard the personal data of End Customers from unauthorized access or leaks.

We implement the following personal data protection measures:

Measures for

Measures taken (Y/N)
If Yes, please provide specific details

pseudonymization and encryption of personal data

Personal data is encrypted during transfer.

ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

All data is stored and processed within an internal network closed by a firewall. The data is continuously replicated across multiple data centers. Adapty also stores incremental backups.

ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

The data is continuously replicated across multiple data centers. Adapty also stores incremental backups.

processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

All code deployed to production is peer-reviewed. Autotests (including security tests) are a part of the deployment process. 3rd party software regularly updated to the latest stable version, including but not limited: to OS, databases, caches, IDE, orchestration services, etc.

Customer identification and authorization

Customers are authorized with email and password. All passwords are stored encrypted with randomized salt.

protection of data during transmission

All data transferred encrypted thanks to SSL certificates.

protection of data during storage

All data is stored and processed within an internal network closed by a firewall.

ensuring the physical security of locations at which personal data are processed

Tier 1 data centers are used to store and process data.

ensuring events logging

The distributed logging system is used which also stores data behind a firewall.

ensuring system configuration, including the default configuration

System configuration, including default configuration, is peer-reviewed and monitored constantly. Default ports and passwords are always changed.

internal IT and IT security governance and management

Adapty implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans, and other similar harmful code. This includes:
• Regular updates of operating systems, hardware, and any third-party software to avoid security vulnerabilities.
• Use of firewalls and Intrusion Prevention Systems (IPS) systems to limit access and protect Adapty servers.
• Securing remote access communication using multifactor authentication.
• Backing up customer data on a daily basis, on a rotating schedule.

certification/assurance of processes and products

No

ensuring data minimization

Only the personal information which is necessary for the purposes of the provision of the Services is collected. No personal information is used for purposes other than those which have been identified in the Data Processing Agreement with the Customer and the Adapty Terms of Service and only retained for as long as is necessary to fulfill such purposes.

ensuring data quality

The Customer can request alteration or deletion of the End-Users personal data.

ensuring limited data retention

Personal data is retained as per the contractual terms agreed with the Customer and as required by law.

ensuring accountability

Personal data is unique, mapped to a specific Customer, and not shared between users. Events and audit trails related to platform and system access are logged, monitored, and reviewed periodically.

allowing data portability and ensuring erasure

Adapty guarantees data portability and erasure upon written request.

Our personal data protection system is based on industry-leading standards such as SOC 2. Additionally, Adapty openly shares its security and compliance program. You can monitor how Adapty’s security and compliance system is structured in real time through the compliance program on TrustCloud. Adapty continuously monitors, tests, and improves its security and compliance system to ensure the protection of personal data.

6. Data Privacy Frameworks

Adapty employs various legal instruments for the legitimate transfer of personal data from the European Union, the United Kingdom, and Switzerland to jurisdictions beyond these territories. Adapty complies with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the USA Department of Commerce.

Adapty has certified to the USA Department of Commerce that it adheres to the EU-US DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. Adapty has certified to the US Department of Commerce that it adheres to the Swiss-US DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Last update: June 19, 2025.