Last Updated: April 27, 2026
1. Introduction
Welcome to HexSign. This Privacy Policy explains how HexSign ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our Apple Developer certificate and profile management platform (the "Service").
We are an Australian company committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). This Privacy Policy applies to all users of our Service, including visitors to our website, registered users, and enterprise customers.
By accessing or using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide to Us
Account Information
When you create an account, we collect:
- First and last name
- Work email address
- Company or team name
- Password (hashed and never stored in plain text — managed via AWS Cognito)
- Phone number (optional, used for SMS-based multi-factor authentication if you enable it)
Apple Developer Credentials and Synced Data
To provide the Service, you supply credentials that let HexSign connect to Apple's App Store Connect API on your behalf. We collect and store:
- App Store Connect API keys (Issuer ID, Key ID, and the private key file), encrypted at rest using AWS KMS
- Apple Developer team identifiers and team names
- Synced Apple Developer assets: certificates (metadata and, where applicable, the public certificate), provisioning profiles, bundle identifiers and capabilities, and registered devices (including device names and UDIDs)
- Certificate signing requests (CSRs) you generate in HexSign or upload, and the associated private keys, encrypted at rest using AWS KMS
- Sync history, change events, and health metrics derived from your Apple Developer data
Some of the synced data — most notably device UDIDs and the names team members give their devices — may constitute personal information about your end users, testers, or employees. You are responsible for ensuring you have the right to provide that information to us, and for informing the relevant individuals as required by applicable privacy laws.
Team and Configuration Data
When you use the Service, we also collect:
- Names and email addresses of teammates you invite, and their assigned role (Owner, Admin, Member)
- Multi-factor authentication settings and registered authenticator devices
- Slack workspace and channel identifiers, and Slack incoming webhook URLs you configure for alerts
- Alert preferences (expiration thresholds, channels, recipients)
- Audit logs and per-user authentication activity
- Account settings and preferences (timezone, notification preferences)
Payment Information
Payment processing is handled by Stripe, our third-party payment processor. We do not store complete credit card information on our servers. Stripe processes and stores your payment information securely in compliance with PCI-DSS standards. We may retain:
- Billing address
- Last four digits of payment card
- Payment transaction history
- Stripe customer ID for subscription management
For more information about how Stripe handles your payment data, please review Stripe's Privacy Policy at https://stripe.com/privacy.
Communications
When you contact us, we collect:
- Support ticket content and correspondence
- Email communications
- Feedback and survey responses
2.2 Information Collected Automatically
Usage Information
We automatically collect information about your interaction with the Service:
- Pages and features accessed
- Time and date of visits
- Time spent on pages
- Click patterns and navigation paths
- Search queries within the Service
- Feature usage statistics
Device and Technical Information
- IP address
- Browser type and version
- Operating system
- Device type and identifiers
- Screen resolution
- Language preferences
- Referring website addresses
Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See Section 8 for more details about cookies.
2.3 Information from Third Parties
- Authentication data from AWS Cognito
- Payment information from payment processors
- Analytics data from service providers (e.g., Sentry for error monitoring)
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 To Provide and Maintain the Service
- Create and manage your account
- Authenticate your identity and provide secure access
- Connect to the Apple App Store Connect API on your behalf to read and modify your Apple Developer assets (certificates, provisioning profiles, bundle identifiers, devices)
- Generate certificate signing requests (CSRs) and provisioning profiles
- Compute health scores, dependency relationships, and expiration timelines
- Send expiration and status alerts via email and to Slack channels you configure
- Maintain audit logs and sync history
- Enable collaboration with teammates and enforce role-based permissions
- Provide customer support and respond to inquiries
3.2 To Improve and Develop the Service
- Analyse aggregated usage patterns and trends
- Develop new features and functionality
- Test and optimise performance and reliability
- Identify and fix bugs and technical issues
We do not use your Apple Developer credentials, certificates, private keys, or synced asset data to train machine-learning models, and we do not share or sell that data to third parties for their own purposes.
3.3 To Communicate with You
- Send transactional emails (password resets, verification, notifications)
- Provide customer support and respond to requests
- Send service announcements and updates
- Request feedback or conduct surveys
- Send marketing communications (with your consent, where required)
3.4 For Security and Fraud Prevention
- Detect and prevent unauthorised access
- Monitor for suspicious activity
- Enforce our Terms and Conditions
- Protect against fraud, spam, and abuse
- Comply with legal obligations
3.5 For Billing and Payment Processing
- Process subscription payments
- Manage billing and invoicing
- Handle refunds and disputes
- Prevent payment fraud
3.6 Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Protect our legal rights and interests
- Enforce our agreements and policies
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
4.1 With Service Providers
We share information with third-party service providers who perform services on our behalf:
- Cloud Hosting: Amazon Web Services (AWS) for infrastructure, storage, and key management (KMS)
- Authentication: AWS Cognito for user authentication, MFA, and identity management
- Email Delivery: AWS SES for transactional and alert emails
- Payment Processing: Stripe for subscription billing and payment processing
- Error Monitoring: Sentry for application performance and error tracking
- Apple Developer Platform: Apple Inc. — using credentials you provide, we call the App Store Connect API to read and manage your Apple Developer assets on your behalf
- Slack Notifications: Slack Technologies — when you configure a Slack incoming webhook, alert content is delivered to the workspace and channel you specify
- Analytics: Google Analytics (Google LLC) for usage analytics on our marketing website
An up-to-date list of subprocessors is available on request via privacy@hexsign.io.
These service providers are bound by contractual obligations to keep information confidential and use it only for the purposes for which we disclose it to them.
4.2 With Your Consent
We may share your information with third parties when you give us explicit consent to do so.
4.3 Within Your Organisation
If you use HexSign as part of an organisation, we share your information with other users in your organisation account based on their roles and permissions. This includes:
- Account administrators and owners
- Team members with appropriate access permissions
- Users collaborating on shared quotes and contacts
4.4 For Legal Reasons
We may disclose your information if required to do so by law or in response to:
- Valid legal requests (subpoenas, court orders, warrants)
- Legal proceedings or governmental investigations
- Requests to protect safety and prevent harm
- Enforcement of our Terms and Conditions
- Protection of our rights, property, or safety
4.5 Business Transfers
If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and provide choices regarding your information.
4.6 Aggregated or De-Identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, research, or marketing purposes.
5. Data Security
We implement comprehensive security measures to protect your information from unauthorised access, disclosure, alteration, or destruction.
5.1 Technical Security Measures
- Encryption: We use encryption for data in transit and at rest using industry-standard protocols (specific implementations may change over time)
- Secure Authentication: Managed authentication and access controls (for example, via AWS Cognito) with configurable password and access policies
- Multi-Factor Authentication: Optional MFA using authenticator apps
- Access Controls: Role-based access control and user permission management
- Secure Infrastructure: AWS cloud infrastructure with security best practices
- Data Backup: Regular automated backups of your data
- Network Security: Firewalls, intrusion detection, and DDoS protection
5.2 Operational Security Measures
- Regular security audits and vulnerability assessments
- Security monitoring and incident response procedures
- Employee access controls and security training
- Secure software development practices
- Third-party security reviews
5.3 Your Security Responsibilities
While we implement strong security measures, you also play a role in protecting your information:
- Keep your password secure and confidential
- Use a strong, unique password
- Enable multi-factor authentication
- Log out when using shared devices
- Report suspicious activity immediately
- Keep your contact information up to date
5.4 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as soon as practicable and within any timeframes required by applicable law.
6. Data Retention
6.1 Active Accounts
We retain your information for as long as your account is active or as needed to provide you with the Service.
6.2 Closed Accounts
When you close your account, we will:
- Delete or anonymise your personal information within 90 days
- Retain information for longer if required by law or for legitimate business purposes
- Maintain aggregated, de-identified data for analytics and improvement
6.3 Legal and Business Requirements
We may retain certain information longer when required for:
- Compliance with legal obligations (tax, accounting, audit requirements)
- Resolution of disputes or enforcement of agreements
- Prevention of fraud and abuse
- Backup and disaster recovery purposes
6.4 Specific Retention Periods
- Account data: Duration of account plus 90 days
- Transaction records: 7 years (for tax and accounting purposes)
- Support tickets: 3 years
- System logs: 90 days
- Backups: 30 days
7. Your Privacy Rights
7.1 Australian Privacy Rights (APPs)
Under the Australian Privacy Principles, you have the following rights:
Access to Personal Information (APP 12)
- Request access to your personal information we hold
- Receive a copy in a structured, commonly used format
- Export your data directly from the Service or contact support@hexsign.io
- We will respond within 30 days and provide access free of charge (except for reasonable costs in some cases)
Correction of Personal Information (APP 13)
- Request correction of inaccurate, out-of-date, incomplete, or misleading information
- Update most information directly in your account settings
- If we refuse to correct information, we will provide you with a written notice explaining why
- You can request that we associate with your information a statement that you believe it to be inaccurate
Deletion and Anonymisation
- Request deletion of your personal information
- Delete your account through the Service or by contacting us
- Some information may be retained as required by Australian law
Opt-Out Rights
- Opt out of direct marketing communications at any time
- Request not to receive direct marketing materials
- Withdraw consent for specific data processing activities
7.2 Complaints and Privacy Commissioner
If you have a complaint about how we handle your personal information:
- Contact Us First: Email your complaint to privacy@hexsign.io or support@hexsign.io. We will investigate and respond within 30 days.
- Australian Privacy Commissioner: If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
  - Website: www.oaic.gov.au
  - Phone: 1300 363 992
  - Email: enquiries@oaic.gov.au
  - Mail: GPO Box 5288, Sydney NSW 2001
7.3 International Users' Rights
If you are located outside Australia (including the EEA, UK, or California), you may have additional rights under your local privacy laws. See Sections 14 and 15 for specific regional rights.
7.4 Exercising Your Rights
To exercise any of these rights, please contact us at support@hexsign.io or privacy@hexsign.io. We will:
- Respond to your request within 30 days
- Verify your identity before processing your request
- Provide reasons if we cannot fulfil your request
- Not charge a fee for making a request (except for reasonable costs in certain circumstances)
8. Cookies and Tracking Technologies
8.1 What Are Cookies
Cookies are small text files stored on your device that help us provide and improve the Service. We also use similar technologies like web beacons, pixels, and local storage.
8.2 Types of Cookies We Use
Essential Cookies (Required)
- Authentication and session management
- Security and fraud prevention
- Load balancing and performance
- You cannot opt out of these cookies
Functional Cookies
- Remember your preferences and settings
- Store your timezone and language choices
- Enhance user experience
Analytics Cookies
- Understand how you use the Service
- Analyse usage patterns and performance
- Improve features and functionality
- We may use Google Analytics cookies and similar identifiers to measure and improve our Service
Marketing Cookies (with consent)
- Track effectiveness of marketing campaigns
- Deliver relevant advertisements
- Measure ad performance
8.3 Managing Cookies
You can control cookies through your browser settings:
- Block all cookies (may affect Service functionality)
- Delete existing cookies
- Allow only certain cookies
- Receive notifications when cookies are set
Note: Disabling essential cookies will prevent you from using the Service.
8.4 Third-Party Cookies
Some cookies are set by third-party services we use. These are governed by the respective third party's privacy policy.
9. International Data Transfers (APP 8)
9.1 Data Location
Your data is primarily stored on servers located in Australia (AWS ap-southeast-2 region in Sydney). As an Australian company, we prioritise keeping your data within Australia where it is subject to Australian privacy laws.
9.2 Overseas Disclosure (APP 8)
In certain circumstances, we may disclose your personal information to overseas recipients, including:
- Cloud service providers: AWS (United States parent company; primary data storage remains in Australia)
- Apple Developer platform: Apple Inc. (United States) — when we call the App Store Connect API on your behalf, request and response data is processed by Apple's infrastructure
- Payment processing: Stripe (United States)
- Slack notifications: Slack Technologies (United States) — only for alert content sent through webhooks you configure
- Error monitoring: Sentry (United States)
- Analytics: Google Analytics (United States)
- Email services: AWS SES infrastructure (may involve US-based processing)
9.3 APP 8 Compliance
When we disclose personal information overseas, we take reasonable steps to ensure that overseas recipients comply with the APPs in relation to that information. This includes:
- Using service providers with strong privacy and security commitments
- Entering into contracts that require overseas recipients to protect your information
- Ensuring service providers have appropriate technical and organisational measures
- Selecting service providers with strong security practices and recognised industry standards
9.4 Your Consent
Some overseas disclosures may be necessary to provide the Service (for example, to process payments, deliver emails, provide support, or monitor errors). By using our Service, you acknowledge that your personal information may be disclosed to overseas recipients as described in this Privacy Policy.
When we disclose personal information overseas, we aim to comply with APP 8 by taking reasonable steps to ensure overseas recipients handle that information in a way that is consistent with the APPs. This may include contractual safeguards, due diligence, and security requirements appropriate to the type of information and the services being provided.
Please note that privacy laws and protections in the recipient's country may differ from those in Australia. If you have questions about our overseas disclosures, contact us at privacy@hexsign.io.
9.5 International Transfers for Non-Australian Users
For users outside Australia, when we transfer your information internationally, we ensure appropriate safeguards including standard contractual clauses, adequacy decisions, or your explicit consent.
10. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.
If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
If you believe we have collected information from a child under 16, please contact us immediately at support@hexsign.io.
11. Apple Developer Credentials and Cryptographic Material
11.1 What We Store
Because HexSign acts on your behalf with Apple, we hold material that requires particular care:
- App Store Connect API keys (Issuer ID, Key ID, and the private key file)
- Private keys associated with certificate signing requests (CSRs) you generate or upload
11.2 How We Protect It
- Sensitive credentials and private keys are encrypted at rest using AWS Key Management Service (KMS) with envelope encryption
- Access to plaintext keys is restricted to the application processes that need them to fulfil your requests
- All transport between you, HexSign, and Apple uses TLS
- Audit logs record actions performed using your credentials so you have visibility into what was done and by whom
11.3 Your Responsibilities
You are responsible for:
- Ensuring you are authorised by your organisation to provide the App Store Connect API key to HexSign
- Granting the API key only the minimum Apple Developer role required for your intended use
- Revoking any API key in App Store Connect if you suspect it has been compromised or if it no longer needs access
- Removing keys from HexSign when they are no longer needed
11.4 Apple's Handling of Your Data
When HexSign communicates with the App Store Connect API, request and response data is processed by Apple Inc. according to Apple's terms and privacy policy. Use of your Apple Developer account remains governed by your agreements with Apple.
12. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services. This Privacy Policy applies only to our Service.
We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our Service.
Third-party services we integrate with include:
- Amazon Web Services (AWS)
- Apple Inc. (App Store Connect API)
- Stripe (payment processing)
- Slack Technologies (when configured for alert delivery)
- Sentry (error monitoring)
- Google Analytics
These third parties have their own privacy policies and terms of service.
13. Marketing Communications
13.1 Types of Communications
We may send you:
- Transactional emails: Account verification, password resets, receipts (you cannot opt out)
- Service notifications: Updates, maintenance, security alerts
- Product updates: New features, improvements, tips
- Marketing emails: Promotions, newsletters, educational content (you can opt out)
13.2 Opt-Out
You can opt out of marketing communications by:
- Clicking the unsubscribe link in emails
- Updating your communication preferences in account settings
- Contacting us at support@hexsign.io
Note: You cannot opt out of transactional emails necessary for the Service.
14. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
14.1 Your CCPA Rights
- Right to Know: Request information about data collected, used, or shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
- Right to Non-Discrimination: Not be discriminated against for exercising rights
14.2 Categories of Information
We collect and disclose the following categories of personal information as described in Section 2:
- Identifiers (name, email, IP address)
- Commercial information (transaction history, subscription data)
- Internet or network activity (usage data, log files)
- Professional information (company name, business data)
14.3 No Sale of Personal Information
We do not sell your personal information to third parties. We have not sold personal information in the past 12 months.
14.4 Exercising CCPA Rights
To exercise your CCPA rights, contact us at support@hexsign.io. We will verify your identity and respond within 45 days.
15. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
15.1 Legal Basis for Processing
We process your personal information based on:
- Contract: Processing necessary to provide the Service
- Legitimate Interests: Improve the Service, prevent fraud, ensure security
- Consent: Marketing communications, optional features
- Legal Obligation: Comply with laws and regulations
15.2 Your GDPR Rights
In addition to rights described in Section 7, you have:
- Right to lodge a complaint with a supervisory authority
- Right to withdraw consent at any time
- Right to object to automated decision-making
15.3 Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer at support@hexsign.io.
16. Enterprise Customers
16.1 Enhanced Privacy and Security
Enterprise customers may require additional privacy and security measures beyond those outlined in this Privacy Policy. We offer:
- Data Processing Agreements (DPA): Formal agreements detailing data processing activities and responsibilities
- Custom Data Retention: Tailored data retention and deletion policies
- Dedicated Infrastructure: Options for isolated or dedicated cloud resources
- Advanced Security Controls: Enhanced encryption, access controls, and monitoring
- Regular Security Reviews: Scheduled security assessments and audits
- Security Documentation: Comprehensive security overview, architecture documentation, and vendor assessment support
16.2 Data Residency Options
While our standard offering stores data in Australia (AWS ap-southeast-2), enterprise customers with specific data residency requirements may discuss custom arrangements.
16.3 Business Associate Agreements
For customers in regulated industries (healthcare, finance, etc.), we can execute Business Associate Agreements (BAAs) or equivalent compliance documents as required.
16.4 Privacy Officer and Dedicated Support
Enterprise customers receive direct access to our Privacy Officer and dedicated support for privacy-related inquiries, data subject requests, and compliance matters.
16.5 Vendor Risk Management
We support enterprise customers' vendor risk management programs by providing:
- Security questionnaires and assessments
- Audit reports and certifications
- Incident response procedures
- Business continuity and disaster recovery documentation
- Subprocessor lists and agreements
16.6 Contact for Enterprise Privacy Inquiries
For enterprise privacy requirements and custom data protection agreements, contact sales@hexsign.io or privacy@hexsign.io.
17. Changes to This Privacy Policy
17.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
17.2 Notification
We will notify you of material changes by:
- Posting the updated Privacy Policy on our website
- Updating the "Last Updated" date
- Sending an email notification to your registered email address
- Displaying a prominent notice in the Service
17.3 Review
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
17.4 Continued Use
Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Company: Corefuse Technologies Pty Ltd
ABN: 52 683 788 721
ACN: 683 788 721
Address:
Level 1, 8 McPherson St
Everton Park, QLD 4053
Australia
Email: support@hexsign.io
Privacy Inquiries: privacy@hexsign.io
Privacy Officer: dpo@hexsign.io
Support Portal: https://hexsign.io/contact
Website: https://hexsign.io
We will respond to your inquiry within 30 days as required by the Australian Privacy Principles.
Document Version: 1.1
Effective Date: April 27, 2026