Privacy Policy

1. Who we are & scope

This Privacy Policy describes how Хостадо Сълушънс ООД (Hostado Solutions, UIC 208502081; “we”, “us”) processes personal data when you use the APPix Marketplace website, related services, and communications with us. It is intended to meet transparency obligations under the EU General Data Protection Regulation (“GDPR”) and to provide disclosures aligned with common U.S. state privacy expectations (including California).

For GDPR purposes, Hostado Solutions is the data controller for personal data we determine the purposes and means of processing. Registered seat: Bulgaria, Varna 9023, Vladislav Varnenchik district, 28 6-ti Septemvri St., entrance B, floor 4, apt. 13. Where studios or other sellers process your data for their own purposes, they may act as separate controllers-see Section 5.

2. Categories of personal data

Depending on how you use the marketplace, we may process:

• Account & profile: name, email address, authentication identifiers, role (e.g. buyer, studio), preferences you set, and content you submit in profile or listing fields.
• Transaction & billing metadata: order identifiers, purchased products, amounts, currency, tax-related fields where applicable, and limited payment metadata. Card and bank details are processed by Stripe-we do not store full card numbers on our servers.
• Support & communications: messages you send to support@appix.bg, in-product support threads, and related attachments you choose to provide.
• Technical & usage data: IP address, device/browser type, general location derived from IP, timestamps, pages viewed, referring URLs, diagnostics, and security logs (e.g. failed logins).
• Marketing (where permitted): email engagement metrics and preferences if you opt in or where soft opt-in is lawful.

We do not knowingly collect special categories of data (e.g. health) unless you send it to us voluntarily in support messages.

3. Purposes & legal bases (GDPR)

We process personal data for the following purposes and, where GDPR applies, on these bases:

• Provide the marketplace & perform contracts (GDPR Art. 6(1)(b)): accounts, checkout, delivery of digital goods, studio dashboards, fraud prevention tied to the transaction, and essential service communications.
• Legitimate interests (Art. 6(1)(f)): improving the service, analytics in aggregate or pseudonymous form, security monitoring, enforcing our Terms, defending legal claims, and measuring marketing effectiveness-balanced against your rights.
• Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory compliance where applicable.
• Consent (Art. 6(1)(a)): non-essential cookies or marketing emails where required-withdraw anytime without affecting lawfulness of prior processing.

4. Cookies & similar technologies

We use cookies and similar technologies for session management, authentication, security, preferences, and (where enabled) analytics. Where EU/EEA/UK law requires consent for non-essential cookies, we will obtain it through a suitable mechanism. You can control cookies through your browser settings; disabling strictly necessary cookies may break login or checkout.

5. Recipients, marketplaces & subprocessors

We share personal data only as needed with:

• Stripe (payments, fraud, tax tooling as configured)-subject to Stripe’s privacy notice and, where relevant, its role as payment processor.
• Supabase (authentication, database, storage for application data)-as infrastructure subprocessor under our instructions.
• Hosting, email, and tooling providers that process data on our behalf under data processing terms.
• Studios / sellers to the extent needed to fulfill your order (e.g. delivery of licenses, onboarding, support for the purchased product). Sellers may use your contact details for fulfillment; their use is governed by their own notices and our Terms.
• Appix Support Team for temporary secure transfer and delivery coordination where source code handoff is routed through support before final buyer delivery.
• Professional advisers, auditors, or authorities where required by law or to protect rights.

We do not sell personal information as that term is commonly defined under U.S. state laws, and we do not sell personal data for money under GDPR definitions.

6. International transfers

We operate from the EU; some subprocessors (e.g. Stripe, Supabase) may process data in the United States or other countries. Where GDPR applies, we rely on appropriate safeguards such as the EU Commission Standard Contractual Clauses and/or adequacy decisions, plus supplementary measures where required. You may request further information via support@appix.bg.

7. Retention

We retain personal data only as long as necessary for the purposes above, including legal, tax, and accounting obligations. Typical ranges: account data for the life of the account plus a limited post-closure period; transaction records as required by law; support tickets according to operational needs; security logs on a rolling basis. We delete or anonymize data when no longer needed.

8. Your rights

EU / UK / EEA (GDPR & UK GDPR)

You may have the right to: access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and to withdraw consent. You may lodge a complaint with your local supervisory authority.

United States (summary)

Depending on your state of residence, you may have rights to know/access, delete, or correct certain personal information, and to opt out of “sale” or certain “sharing” for cross-context behavioral advertising. We do not sell personal information and do not use sensitive data for inferring characteristics where prohibited. We do not discriminate against you for exercising privacy rights. California residents: we provide the categories of data collected and purposes above; we do not “share” personal information for cross-context behavioral advertising in a manner that requires opt-out under CPRA for the activities described in this Policy as currently operated-if that changes, we will update this Policy and controls.

To exercise rights, email support@appix.bg from your account email and describe your request. We may verify your identity before acting.

9. Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects on you under GDPR Article 22. Fraud screening by Stripe may involve automated scoring-see Stripe’s documentation.

10. Security

We implement appropriate technical and organizational measures (access controls, encryption in transit where supported, least-privilege administration, monitoring). No method of transmission over the Internet is 100% secure.

11. Children

The marketplace is not directed to children under 16 (or higher age where required by applicable U.S. state law). We do not knowingly collect personal information from children. If you believe we have, contact support@appix.bg and we will delete it.

12. Changes

We may update this Policy from time to time. Material changes will be communicated via the site or email where appropriate. The “Last updated” date reflects the latest revision.

13. Contact & EU representative

Questions or requests: support@appix.bg. If we appoint an EU/UK representative or a U.S. agent for service, we will list them here.