ASC Copilot Privacy Policy

Effective Date: February 10, 2026 | Last Updated: February 10, 2026

Privacy-First Design: ASC Copilot is built with your privacy as the top priority. We do not collect personal information, do not run analytics or tracking, and do not operate backend servers that receive your project data. All your data stays on your device — you have complete control.

1. Introduction

Welcome to ASC Copilot ("we," "our," or "the App"), developed and provided by Jinhui Cheng. ASC Copilot is a macOS tool designed to help developers manage App Store Connect workflows — including metadata editing, IAP/localization operations, screenshot management, marketing asset generation, and AI-powered translation.

This Privacy Policy explains how ASC Copilot handles data and protects your privacy. By using the App, you agree to the practices described in this policy.

2. Data Collection

2.1 What Data We Collect

The simple answer: None.

ASC Copilot does not collect, transmit, or store any personal information on external servers. All data generated during your use of the App remains exclusively on your device.

2.2 Important Notes

No Personal Identifiers: We do not collect your name, email address, phone number, or any other personally identifiable information.
No Tracking: We do not use analytics services, advertising SDKs, or any third-party tracking tools.
No Account Required: ASC Copilot does not require registration or login with us. You can start using the App immediately without providing any personal information.

3. Data Stored Locally on Your Device

To provide core functionality, ASC Copilot stores data locally on your Mac, including:

App Store Connect Account Configuration: Account name, issuer ID, key ID
Project Data: Metadata text, IAP content, localization fields, screenshot sets, marketing configuration
Generated Assets: Rendered marketing images, preview files, and video output
Settings: Language settings, upload preferences, localization toggles, base language selection
LLM Provider Configuration: Provider name, base URL, model name (API key is stored separately via Keychain — see Section 5)
Optional Local Model Files: On-device machine-learning model packages (e.g., NLLB translation model) downloaded at your request

4. How Data Is Used

Since all data is stored locally on your device, we do not "use" your data in any way. The data you generate serves only to:

Provide Core Functionality: Metadata editing, IAP management, localization, screenshot organization, and marketing asset composition
Execute User-Triggered Operations: Upload/sync workflows, AI translation, and marketing image rendering
Maintain Preferences: Language settings, account configurations, and workflow state

These operations are performed locally on your device except when you explicitly invoke a third-party API flow (see Section 6).

5. Data Storage and Security

5.1 Keychain Storage

Sensitive credentials are stored securely via macOS Keychain:

App Store Connect Private Key — stored under service com.asc.copilot.asc-key
LLM API Keys — stored under service com.asc.copilot.llm-key

Keychain data is encrypted by macOS using hardware-backed encryption. ASC Copilot never stores these credentials as plaintext in app data or on disk.

5.2 App Sandbox

ASC Copilot runs inside macOS App Sandbox with limited entitlements:

Network Client: Required for App Store Connect API, user-configured LLM endpoints, and optional model downloads
User-Selected Read-Only Files: Only files you explicitly select via system file dialogs

The App cannot access files, folders, or processes outside its sandbox without your explicit permission.

5.3 Local Model Security

When you download an on-device translation model, the App verifies the archive's integrity using SHA-256 checksum before installation. Downloaded models are stored in the App's Caches directory within the sandbox.

6. Third-Party Connections Initiated by You

The App may connect to third parties only in the following cases, always initiated by your action:

Apple App Store Connect API: When you fetch, sync, or upload App Store data. Your ASC credentials (JWT token) are sent directly from your device to Apple's servers.
User-Configured LLM Endpoint: When you run AI translation or optimization, your metadata text is sent to the provider you configured (e.g., OpenAI, Anthropic, or a local Ollama instance). Your API key and text content are sent directly from your device to that provider.
Optional Model Download: When you choose to download a local translation model, the App fetches the model archive and checksum file from the configured host (e.g., GitHub Releases).

In all these cases, data is sent directly from your device to those providers. We do not proxy, inspect, or store this traffic on our own servers. Each third-party service is governed by its own privacy policy and terms.

6.1 LLM Data Transmission

When you use the AI translation/optimization feature with a cloud-based LLM provider, the following data may be sent to the provider you configured:

App metadata text (titles, descriptions, keywords, promotional text)
IAP display names and descriptions
Marketing screenshot text overlays

Important: You choose and control which LLM provider receives this data. If you prefer not to send data to any cloud service, you can use the built-in local CoreML translation model, which operates entirely offline on your device （The local translation model in the current version has not been developed due to stability issues and is expected to be provided in subsequent iterative versions）.

7. What We Do Not Do

We do not collect personal profiles or identifiers for analytics
We do not sell, rent, or share your project data with advertisers
We do not run cloud storage for your ASC Copilot workspace data
We do not use third-party ad/attribution SDKs inside the App
We do not transmit telemetry, crash reports, or diagnostics to our own servers

8. Data Sharing and Disclosure

We do not share, sell, rent, or disclose any data to third parties.

Because ASC Copilot does not operate any server infrastructure that receives your data, there is no mechanism for data sharing or disclosure on our part.

8.1 Legal Disclosures

Since we do not collect or have access to your data, we have nothing to disclose even if legally compelled. Your data remains solely on your device under your control.

9. Retention and Deletion

Project Data: Remains on your device until you delete it within the App or uninstall the App
Generated Assets: Marketing images, videos, and preview files are stored in the App's Application Support directory and persist until you remove them
Local Model Files: Stored in the App's Caches directory; can be removed via Settings or by uninstalling the App
Keychain Credentials: Remain in macOS Keychain until you remove them from within the App or from the system Keychain directly

Data sent to third-party services that you use (Apple / LLM providers) is governed by their own retention policies.

10. Your Rights and Controls

You have complete control over your data in ASC Copilot:

10.1 Access Your Data

View all project data in the App's Copilot workspace
View and manage account configurations in Settings

10.2 Delete Your Data

Remove linked ASC / LLM configurations at any time via Settings
Delete project records and generated assets from within the App
Remove downloaded local model files via Settings
Uninstall the App to remove all local app sandbox data

10.3 Control Network Access

Disable optional network-dependent features by not configuring external providers
Use the local CoreML translation model for fully offline AI translation

11. Subscription and Payment Data

If you purchase access to ASC Copilot or any in-app content, the transaction is processed entirely by Apple through the App Store. We do not collect or have access to your payment information.

What We Receive: Only a confirmation that a valid purchase or subscription is active (verified through StoreKit)
What We Don't Receive: Credit card numbers, billing addresses, Apple ID credentials, or any payment details

Apple's privacy policy governs how they handle your payment data: apple.com/legal/privacy

12. Children's Privacy

ASC Copilot is intended for developers and business users. It is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us — though we do not collect any data to begin with.

13. International Data Transfers

Since all core data is stored locally on your device, there are generally no international data transfers initiated by us.

However, when you choose to use cloud-based third-party services (Apple ASC API or LLM providers), data may be transmitted to servers located outside your country. These transfers are initiated directly by you and governed by the respective service's privacy policy and data transfer mechanisms.

14. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), the legal basis for processing your data (which stays on your device) is:

Consent: By downloading and using the App, you consent to the local storage of your data
Legitimate Interest: Processing is necessary to provide the core functionality of the App
Contract Performance: Processing is necessary to deliver the services you requested

15. Your GDPR Rights (EEA Users)

If you are located in the EEA, you have the following rights:

Right to Access: You can access all your data within the App
Right to Rectification: You can edit or update your projects and settings
Right to Erasure ("Right to be Forgotten"): You can delete individual records or uninstall the App to erase all data
Right to Data Portability: Your data is stored in your device's file system and included in macOS backups
Right to Object: You can disable features or uninstall the App at any time
Right to Restrict Processing: You can limit functionality by not configuring external services

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

16. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect and how it is used. Since ASC Copilot does not collect any personal information, the CCPA substantive requirements do not apply to our data practices. However, we affirm:

Right to Know: We do not collect personal information
Right to Delete: All data is local; you may delete it at any time
Right to Opt-Out of Sale: We do not sell personal information
Right to Non-Discrimination: We do not discriminate against users who exercise their rights

17. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. When we make changes:

We will update the "Last Updated" date at the top of this policy
We will notify you through App Store update notes for material changes
Continued use of the App after changes constitutes acceptance of the new policy

18. Contact Us

If you have any questions, concerns, or feedback about this Privacy Policy or ASC Copilot's privacy practices, please contact us:

Email: [email protected]

We will respond to your inquiry as soon as possible.