Privacy Policy
Effective date: May 6, 2026
This Privacy Policy explains how Touchscreen Gestures ("we", "us", "the Software") collects, uses, and handles information under the EU General Data Protection Regulation (Reg. 2016/679, "GDPR") and Greek Law 4624/2019.
1. Information We Collect, Purposes & Legal Basis
Each item below is tagged with the GDPR Article 6 legal basis.
- Email address — when you request a download link (pre-contractual step at your request under Art. 6(1)(b), and legitimate interest in securely delivering the installer under Art. 6(1)(f)); and at Stripe checkout to deliver your installer link, receipt, and licence key (contract performance, Art. 6(1)(b)).
- Machine identifier — a one-way SHA-256 hash of the hardware UUID of the device on which the Software is activated. The hash is used solely for licence validation and cannot be reversed to identify your device (contract performance, Art. 6(1)(b)).
- Payment information — processed entirely by Stripe Payments Europe Limited (Ireland). We never see, store, or have access to your credit card number, CVV, or bank details.
- App version and basic request metadata — sent when the app checks for updates or downloads an update so we can determine compatibility and deliver the correct release (contract performance, Art. 6(1)(b)).
- Download-request metadata — when you ask us to email a download link, we store the request time, referral or campaign tags you arrived with, and limited anti-abuse metadata such as IP address, user agent, and Cloudflare Turnstile verification results (legitimate interest in security & anti-abuse, Art. 6(1)(f)).
- Website analytics — aggregate, cookieless page-view data via Cloudflare Web Analytics. No personal identifiers, no cross-site tracking, no advertising cookies (legitimate interest in understanding site performance, Art. 6(1)(f)).
- Ad-conversion measurement and website analytics — we use Google Ads conversion tracking and Google Analytics 4 via the Google tag (gtag.js), loaded site-wide. If you visit from the EU/EEA, UK, or Switzerland: on your first visit you see a cookie banner asking whether to accept or decline advertising and analytics cookies. If you decline (or have not yet chosen), Google Consent Mode v2 default-denied applies — no cookies are set, no personal identifiers leave your browser, Google receives only aggregated modelled signals used for cookieless conversion modelling and traffic measurement (legitimate interest in measuring ad and site effectiveness, Art. 6(1)(f)). If you accept, Google sets first-party cookies (_gcl_aw for ad-click attribution; _ga, _ga_<id> for analytics sessions), tracks aggregate page-view, scroll, and form-interaction events, and receives a conversion event (Stripe session ID, purchase value) at checkout completion (consent, Art. 6(1)(a)). If you visit from outside the EU/EEA, UK, and Switzerland: Consent Mode v2 defaults to granted (no banner is shown, as your local law does not require prior opt-in for these technologies); the same Google cookies and events as the “accept” case above apply. The ad_personalization consent signal stays denied for everyone — we do not use Google Ads remarketing or audience-building. Your EU consent choice is stored in your browser's localStorage (key tg_consent_v1) and can be changed at any time via the “Cookie preferences” link in §7.
- Encrypted diagnostic and crash reports — may include system information, connected device identifiers, app and driver configuration, and relevant logs or crash data needed to diagnose failures. Diagnostic report bodies are end-to-end encrypted before upload. Limited operational metadata (install identifier, hashed machine identifier, report reason or category, consent mode, routing metadata) may accompany the encrypted file outside the encrypted body so we can rate-limit uploads, link support records, and locate reports in the admin tools. Diagnostic reports are uploaded only when you choose to send them (consent, Art. 6(1)(a)).
- Optional in-app feedback — star rating, notes, app version, licence or trial state, install identifier, hashed machine identifier, and device model identifiers. Feedback is sent over HTTPS and stored with encryption at rest (consent, Art. 6(1)(a)).
- Tax invoices & accounting records — retained for Greek tax compliance (legal obligation, Art. 6(1)(c)).
2. Information We Do NOT Collect
- No in-app telemetry or in-app usage analytics
- No app-usage or browsing data outside this website
- No location data
- No persistent cross-site advertising identifiers (we do not use mobile advertising IDs, fingerprinting, or audience-building cookies)
- No personal files or system data
The app is local-first and runs primarily on your Mac. It may contact our servers only for: trial start and verification; licence activation, deactivation, and transfer; update checks and downloads; encrypted diagnostic or crash-report uploads that you explicitly choose to send; and optional in-app feedback submissions. Our website may also contact our servers when you request a download link or when we record cookieless aggregate website analytics.
3. Retention Periods
We retain personal data only for as long as we have a legitimate purpose to do so:
- Licence-activation records (email, machine hash, activation history): retained for the lifetime of your licence so you can continue activating, deactivating, and transferring it across your devices. After the licence is fully refunded or expressly terminated, records are retained as needed for tax, audit, and dispute-resolution purposes.
- Stripe purchase records and tax invoices: retained by Stripe and by us as required by Greek tax law (L. 4174/2013 Art. 13 and PD 186/1992), which currently provides for a 10-year retention period for accounting books and records.
- Download-request records, diagnostic / crash reports, feedback, support correspondence, and anti-abuse logs: retained for as long as needed to provide and improve the service, address abuse, and respond to support enquiries. Inactive records may be deleted automatically after a configurable period (currently 30 days for download-request leads, 90 days for trial records).
You may request earlier deletion of your personal data at any time by contacting [email protected], subject to legal obligations to retain certain records (notably tax invoices).
4. Third-Party Service Providers
- Stripe Payments Europe Limited (Ireland) — payment processing for European customers, with onward transfers to Stripe, Inc. (US) under the EU–US Data Privacy Framework and the EU Standard Contractual Clauses. stripe.com/privacy
- Cloudflare, Inc. — licensing / download / diagnostic API hosting, bot protection via Turnstile, and cookieless web analytics. cloudflare.com/privacypolicy
- Resend, Inc. — transactional email delivery (download links, receipts, support replies). resend.com/legal/privacy-policy
- Google Ireland Limited — Google Ads conversion tracking and Google Analytics 4 via gtag.js loaded site-wide. With your consent (granted via the cookie banner): Google sets first-party cookies for ad-click attribution (_gcl_aw) and analytics sessions (_ga, _ga_<id>), and receives full conversion + analytics events. Without consent: Consent Mode v2 default-denied applies — no cookies are set, only aggregated modelled signals are sent. Onward transfers to Google LLC (US). policies.google.com/privacy
We do not sell, rent, or share your personal information with any other third parties.
5. International Data Transfers
Stripe, Cloudflare, Resend, and Google are US-based processors (Google contracts with us via its Irish entity, Google Ireland Limited, with onward transfers to Google LLC, US). Transfers rely on (i) the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) where the processor is DPF-certified, and/or (ii) the EU Standard Contractual Clauses of 4 June 2021 (Decision (EU) 2021/914) as incorporated in each processor's Data Processing Agreement. Copies of the SCCs or a list of sub-processors are available on request.
6. Data Storage & Security
Licence data (email, machine hash, activation history), download-request records, optional feedback submissions, and uploaded encrypted diagnostic reports are stored on Cloudflare's infrastructure with encryption at rest. Diagnostic report bodies are end-to-end encrypted before upload. Payment data is stored exclusively by Stripe in PCI-compliant systems.
7. Cookies & Local Storage
Strictly necessary cookies (always set): Cloudflare Turnstile sets __cf_bm (up to 30 minutes) on the support and download-link request forms solely for bot detection. This cookie is strictly necessary for site security and is exempt from prior consent under Article 5(3) of the ePrivacy Directive.
Advertising and analytics cookies: the cookie banner is shown to visitors from the EU/EEA, UK, and Switzerland on first visit. For those visitors, clicking Accept causes Google to set _gcl_aw (Google Ads click attribution, ~90 days) and _ga / _ga_<id> (Google Analytics 4 sessions, ~13 months); clicking Decline or ignoring the banner means no advertising or analytics cookies are set and Google Consent Mode v2 sends only aggregated modelled signals. For visitors from other jurisdictions, the same Google cookies are set by default (no banner, no prior opt-in required under those local laws).
Local storage: we store your consent choice in localStorage under the key tg_consent_v1 (values: granted or denied) so we don't ask again on every visit.
Cookie preferences — click to revisit the consent banner and change your choice.
8. Your Rights Under GDPR
Under Articles 15–22 GDPR and Greek Law 4624/2019 you have the right to: access (Art. 15), rectification (Art. 16), erasure / "right to be forgotten" (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), object to processing based on legitimate interest (Art. 21), and withdraw consent at any time without affecting prior lawful processing (Art. 7(3)). To exercise any right, email [email protected]. We respond within one month (Art. 12(3)).
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (ΑΠΔΠΧ), Kifissias 1–3, 11523 Athens, Greece — [email protected] — www.dpa.gr. EU residents may also complain to their national supervisory authority.
Provision requirement: providing an email at checkout is required to deliver your licence; refusal means we cannot complete the sale. Providing diagnostic reports or feedback is entirely optional.
Automated decisions: we do not engage in automated decision-making producing legal or similarly significant effects (Art. 22 GDPR).
Controller: Touchscreen Gestures — [email protected]. No Data Protection Officer is appointed (Article 37 GDPR thresholds not met). Legal-entity identification (registered name, address, ΑΦΜ, ΓΕΜΗ) is set out in §16 of our Terms of Service.
9. Children's Privacy
Touchscreen Gestures is a macOS productivity utility intended for general adult users and small-business customers. The Software and this website are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided personal information to us, please contact [email protected] and we will delete the information promptly in accordance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.
10. Changes & Contact
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For any question about this policy or your data, email [email protected].