$ cat privacy.md

Privacy Policy

# effective: April 17, 2026 · last updated: April 17, 2026

# compliant with GDPR (EU 2016/679), UK GDPR, and CCPA/CPRA

1. Data Controller

The entity responsible for processing personal data under this Policy ("Controller", "we", "us", "awebo") is:

Apptivity Patryk Pasek, VAT UE: PL6941695701, Poland.

Contact: hello@awebo.sh - use this address for any privacy request, GDPR subject-access request, or CCPA/CPRA consumer request. We do not have a dedicated Data Protection Officer; privacy matters are handled directly by the Controller.

2. Scope

This Policy applies to the awebo desktop application ("App") and the awebo.sh website ("Site"). It describes what personal data we process, why, on what legal basis, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable US state privacy laws (VCDPA, CPA, CTDPA, UCPA).

3. Privacy by design

awebo is privacy-first by construction. The App runs natively on your machine. AI inference, shell execution, editor state, git operations, and file access all happen locally. We do not stream your terminal input, AI prompts, source code, or file contents to any server.

The App performs no telemetry, no analytics, no crash reporting, and no background network calls by default. If a feature in the future would require network access, it will be opt-in with a clear in-app prompt.

4. Data processed by the App

Local-only data. The App stores configuration (TOML), local history, AI model files you download, and sandbox state on your device. This data never leaves your device and is not accessible to us.

Update checks. If enabled, the App may fetch public release metadata from api.github.com. GitHub receives your IP address and user-agent as part of a standard HTTP request. See github.com/site/privacy. We do not receive this data.

License validation. If you purchase a commercial license, the App may perform an outbound request to verify the license key with our payment processor (Lemon Squeezy). This request transmits your license key and a machine identifier hash. It does not transmit any of your files, prompts, or terminal content.

5. Data processed by the Site

The Site is a static page served by Cloudflare. We do not set advertising or tracking cookies. We do not embed third-party analytics, pixels, or fingerprinting scripts.

Server logs. Cloudflare processes standard connection metadata (IP address, user-agent, requested URL, timestamp, referrer) to deliver the Site and mitigate abuse. Logs accessible to us are retained for no longer than 7 days and are then deleted or irreversibly aggregated. Cloudflare processes this data as our processor under a Data Processing Addendum; see cloudflare.com/privacypolicy.

Local storage. We use a single localStorage entry to remember whether you dismissed the Discord invitation (7-day TTL), and a second entry to remember your cookie-consent choice (12 months). These are strictly necessary for the requested user preference and do not require consent under the ePrivacy Directive.

Analytics (opt-in only). We use Google Analytics 4 with IP anonymisation, Google Signals disabled, and ad personalisation disabled. GA scripts and cookies are NOT loaded until you explicitly click "Accept" on the cookie banner. You can withdraw consent at any time via the "cookies" button in the footer; this clears the _ga* cookies and prevents further loading. Google LLC acts as a processor for this data under our Data Processing Addendum; see business.safety.google/adsprocessorterms.

Outbound API calls. When you visit the download pages, your browser fetches public release metadata from api.github.com. That request goes directly from your browser to GitHub; we do not proxy or log it.

6. Purchases and billing

Commercial licenses are sold via Lemon Squeezy (Lemon Squeezy, LLC, USA), which acts as Merchant of Record and independent controller for billing data. When you check out, Lemon Squeezy collects your name, email, billing address, VAT/tax information, and payment instrument, and processes the transaction under its own privacy policy: lemonsqueezy.com/privacy.

We receive from Lemon Squeezy the minimum data required to issue and validate a license: your email address, order identifier, product, country (for VAT purposes), and license key. We retain this data for as long as the license is active and for up to 6 years thereafter to comply with Polish and EU tax and accounting law (legal obligation, Art. 6(1)(c) GDPR).

International transfers. Lemon Squeezy processes data in the United States. Transfers from the EEA/UK rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

7. Purposes and legal bases (GDPR Art. 6)

Delivering the Site and App - performance of a contract (Art. 6(1)(b)) and our legitimate interest in operating the service (Art. 6(1)(f)).

Security, fraud prevention, abuse mitigation (Cloudflare logs) - legitimate interest (Art. 6(1)(f)).

License issuance, validation, customer support - performance of a contract (Art. 6(1)(b)).

Accounting, tax, and statutory record-keeping - legal obligation (Art. 6(1)(c)).

Responding to your emails and GDPR/CCPA requests - legitimate interest and legal obligation.

8. Retention

Cloudflare connection logs accessible to us: maximum 7 days.

Discord-pill dismissal flag (localStorage): 7 days on your device, deletable by clearing site data.

Email correspondence: up to 24 months after the last exchange, unless a longer period is required by law or for the establishment, exercise, or defence of legal claims.

License and billing records: duration of the license plus up to 6 years (Polish Accounting Act, Art. 74).

9. Recipients and processors

We share personal data only with the following categories of recipients, bound by written data processing agreements where required:

Google LLC - Google Analytics 4 (processor, opt-in only).

Cloudflare, Inc. - hosting, CDN, DDoS mitigation (processor).

Lemon Squeezy, LLC - payment processing, invoicing, license delivery (independent controller / Merchant of Record).

GitHub, Inc. - release hosting (independent controller; we do not transmit data, your browser does).

Tax, legal, or accounting advisors, and competent public authorities when required by law.

10. Your rights in the EEA, UK, and Switzerland

Under the GDPR and UK GDPR you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict processing; request data portability; object to processing based on legitimate interest; and withdraw any consent at any time without affecting prior lawful processing.

To exercise any right, email hello@awebo.sh. We will respond within one month (extendable by two months for complex requests, GDPR Art. 12(3)). There is no fee for reasonable requests.

You also have the right to lodge a complaint with a supervisory authority. The lead authority for the Controller is the Polish UODO (uodo.gov.pl). EU residents may also complain to their local authority.

11. Your rights in California and other US states

Under the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA and similar laws, eligible residents have the right to: know what personal information is collected; access and obtain a copy; correct inaccurate information; delete personal information; opt out of the sale or sharing of personal information; and limit the use of sensitive personal information.

We do not sell personal information and we do not share personal information for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.

We do not process sensitive personal information for purposes other than those permitted without a right to limit under CCPA/CPRA § 7027.

To exercise a right, email hello@awebo.sh with the subject "US Privacy Request". We will verify your identity using information reasonably necessary (typically the email used to purchase a license) and respond within 45 days, extendable once by 45 days. You may designate an authorised agent to submit a request on your behalf; we will require written authorisation.

We will not discriminate against you for exercising any of these rights.

12. Do Not Track and Global Privacy Control

Because the Site does not perform behavioural tracking, Do-Not-Track (DNT) and Global Privacy Control (GPC) signals do not affect any additional processing. We treat a GPC signal as a valid opt-out of sale/sharing for CCPA/CPRA purposes even though we do not engage in such activities.

13. Children

The App and Site are not directed at children under 16 (EU) or under 13 (US, COPPA). We do not knowingly collect personal data from children. If you believe a child has provided us data, email hello@awebo.sh and we will delete it.

14. Security

We use HTTPS/TLS for all network traffic, rely on Cloudflare's edge security, and keep licensing data in access-controlled systems. No method of transmission or storage is 100% secure; we encourage you to use strong, unique passwords and to keep your device up to date.

15. International data transfers

Where personal data is transferred outside the EEA/UK (for example to Cloudflare or Lemon Squeezy servers in the United States), the transfer is based on the EU Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and - where the recipient is certified - the EU-US Data Privacy Framework and its UK Extension.

16. Changes to this Policy

We may update this Policy to reflect changes in the App, the Site, or applicable law. Material changes will be announced on this page with a new "last updated" date. Continued use of the App or Site after a change constitutes acceptance of the revised Policy.

17. Contact

Apptivity Patryk Pasek - VAT UE: PL6941695701 - hello@awebo.sh.

# questions or requests? email hello@awebo.sh