Privacy Policy

Last updated: May 2, 2026

This Privacy Policy describes how Inventor Inc., a Delaware C Corporation (“Inventor”, “we”, “us”, or “our”), collects, uses, and protects your information when you use the Inventor platform and services (the “Service”). Inventor Inc. is the controller of personal data processed through the Service. By using the Service, you consent to the practices described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect your email address and generate a unique user ID. If you sign in with Google OAuth, we receive your name, email address, and profile picture from Google.

Project Data

For each project you create, we store:

• Generated source code and project files
• Conversation history (your prompts and AI responses)
• File and image attachments you upload
• App icons and project names
• Code version snapshots, used by the revert feature
• The preview URL for each snapshot, so historical versions remain viewable
• If you converted a public website into an app, the website URL you provided

Publishing Data

If you choose to submit your app to the App Store or Google Play through Inventor, we additionally store:

• Listing metadata: app name, subtitle, descriptions, keywords, categories, support and marketing URLs, copyright, age-rating answers, privacy declarations, target-audience and ads declarations, and export-compliance answers
• App icons and screenshots, in user-scoped storage
• Apple App Store Connect API keys (the .p8 file plus team, key, and issuer IDs) and Google Play service-account JSON files that you upload, encrypted at rest with AES-256-GCM
• Reviewer demo credentials (username, password, and notes) you provide for app reviewers, with the password encrypted at rest
• Submission state: build IDs, current phase, version and build numbers, and release notes
• The full error body returned by Apple or Google if a submission is rejected or fails, so the AI can help you fix it
• Privacy policies you ask us to host on your behalf, served from our public /privacy/[id] page

Apple and Google credentials are decrypted only inside short-lived sandboxes when needed to call their APIs on your behalf, and are never returned to the browser or visible elsewhere.

User-Provided API Keys and Configuration

If your app uses third-party APIs (such as OpenAI, Stripe, or Supabase), you provide the corresponding API keys through the Service’s API Keys panel. These values are stored directly on your project’s Expo (EAS) project as sensitive environment variables and are not stored in Inventor’s database. We mirror only metadata — the variable name and whether it is intended for client-side or server-side use — so we can show which variables are configured for which version of your app. Values themselves never touch our database.

Subscription and Billing Data

We store your subscription tier, usage balance, billing period, and payment status. All payment card information is processed and stored exclusively by Stripe, our payment processor. We never receive, process, or store your credit card numbers or bank account details.

Usage Data

We maintain an audit trail of usage, including the dollar amount charged per request, the AI model used, and token counts. This data is used for billing accuracy and service monitoring.

What We Do Not Collect

We do not use analytics services, tracking cookies, advertising pixels, browser fingerprinting, or any similar tracking technologies. We do not track your browsing behavior across other websites.

2. How We Use Your Information

We use the information we collect to:

• Process your prompts, project files, and (for the URL-conversion mode) public website content through AI providers to generate or refine your app
• Run the resulting code in disposable sandboxes for build and preview
• Publish each version of your app to Expo (EAS Update) so you can preview it in the Inventor Preview companion via QR code, and so you can revert to any prior version
• Deploy server-side API routes (when your app contains them) to Cloudflare Workers via Expo’s EAS Hosting
• When you initiate App Store or Google Play submission, build a release binary on EAS Build, upload it to Apple App Store Connect or Google Play under your own developer accounts, push your listing metadata, and track the review state
• Process payments and manage your subscription
• Send transactional communications such as password reset emails and billing notifications

3. Third-Party Data Sharing

We share your data with the following third-party services solely to provide the Service.

AI and Sandbox Execution

• Anthropic (Claude API)— Your prompts, project context, and conversation history are sent to Anthropic’s Claude API for AI-powered code generation. See Anthropic’s Privacy Policy.
• E2B— Your project files are processed in disposable E2B sandboxes where the AI agent runs and your app is built. Each sandbox is destroyed after the run. See E2B’s Privacy Policy.

Build, Preview, and Distribution

• Expo (EAS)— Each version of your app is published to Expo Update under our @inventor-appsaccount so you can preview it. When you submit your app, Expo Build compiles the binary and Expo Submit uploads it to the App Store or Google Play. Server-side API routes are deployed to Cloudflare Workers via Expo’s EAS Hosting. Your user-provided API keys are stored as sensitive environment variables on your project’s Expo project. Listings on the App Store and Google Play remain under your own developer accounts; the @inventor-apps Expo account is used only for the development and preview pipeline. See Expo’s Privacy Policy.
• Cloudflare— If your app contains server-side API routes, those routes execute on Cloudflare Workers (via Expo’s EAS Hosting). Requests your end users send to your API routes pass through Cloudflare. See Cloudflare’s Privacy Policy.
• Appetize.io— The in-browser iOS and Android simulator boots the Inventor Preview companion, which loads your app from its published EAS Update. We do not transmit your prompts, source files, account information, or credentials to Appetize. See Appetize’s Privacy Policy.

App Store Submission

• Apple (App Store Connect)— When you submit to the App Store, we use the Apple credentials you uploaded to call App Store Connect on your behalf: create the app record, push your listing metadata and screenshots, attach the build, declare age rating, privacy nutrition, and export compliance, and submit for review. Your app is listed under your own Apple Developer account. See Apple’s Privacy Policy.
• Google (Google Play)— When you submit to Google Play, we use the service-account JSON you uploaded to call the Play Developer API on your behalf: create or update the listing, upload screenshots and your app icon, upload the build, and promote it to production. Your app is listed under your own Google Play Console account. Several Play Console declarations (Data Safety, content rating, target audience, ads, app access) are filled out by you in the Play Console web UI; we provide deep links and pre-written answers but do not submit those forms automatically. See Google’s Privacy Policy.
• GitHub— If you choose the optional source-code export, your generated code is pushed to a GitHub repository under our publishing organization. If you import an existing project from a GitHub repository, we use a GitHub OAuth token you authorize to read the repository contents; the token is held only in your browser session. See GitHub’s Privacy Statement.

Infrastructure

• Supabase— Our database, authentication, and file-storage provider. See Supabase’s Privacy Policy.
• Vercel— Hosts the Inventor web application and runs the scheduled jobs that advance submissions through Apple and Google review. See Vercel’s Privacy Policy.
• Stripe— Handles all payment processing. Stripe is PCI-DSS Level 1 compliant. See Stripe’s Privacy Policy.

We do not sell your personal data. We do not share your data with advertisers or data brokers. We share data with the third parties above only as needed to operate the Service.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Supabase, with the following security measures:

• Row Level Security (RLS) ensuring you can only access your own data
• Encryption at rest, managed by Supabase infrastructure
• All communications encrypted in transit via HTTPS / TLS
• Server-side authentication on all API routes with defense-in-depth ownership checks

We apply additional encryption to particularly sensitive fields. Apple App Store Connect API keys, Google Play service-account JSON files, and the reviewer demo password you supply for App Store review are each encrypted with AES-256-GCM using a per-record initialization vector before being written to the database. Apple and Google credentials are decrypted only inside short-lived sandboxes, written to a private location with restrictive file permissions for the duration of one operation, and removed before the sandbox is destroyed.

API keys you provide for use inside your generated app (such as OpenAI or Stripe keys) are stored as sensitive environment variables on your project’s Expo (EAS) project. Their values are not stored in Inventor’s database. We retain only the variable name and whether it is intended for client-side or server-side use, so we can show which variables are configured for which version of your app. Variable names beginning with EXPO_PUBLIC_are intentionally inlined into your app’s client bundle (as is standard with Expo); variable names without that prefix are accessible only to your server-side API routes.

5. Data Retention

You control the lifecycle of your data:

• You can delete individual projects at any time through the Service
• Deleting a project removes its files, conversation history, version snapshots, listing metadata, screenshots, and submission records
• Deleting your account permanently removes all of the above for every project, along with your subscription records, uploaded developer credentials, and any privacy policies we host on your behalf
• Data is retained until you choose to delete it — we do not automatically delete inactive projects

Apps already published to the App Store or Google Play under your own developer accounts remain under your control through those accounts; deleting your Inventor account does not remove apps already published to those stores.

6. Your Rights

You have the following rights regarding your data:

• Access — View all your data through the Service interface, including projects, conversation history, listings, and subscription details
• Deletion — Delete individual projects, uploaded developer credentials, or your entire account at any time
• Export — Export your generated source code via GitHub export or by copying project files
• Correction — Update your email and account information through account settings

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws, you may have additional rights including the right to data portability and the right to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at info@inventor.build.

7. Cookies and Tracking

The Service uses only strictly functional cookies required for authentication (session tokens managed by Supabase Auth). We do not use:

• Analytics cookies (no Google Analytics, Segment, Mixpanel, or similar)
• Advertising or tracking cookies
• Third-party tracking pixels or beacons
• Browser fingerprinting

8. Children’s Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at info@inventor.build.

9. International Data Transfers

Your data may be processed in the United States and other countries where our third-party service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have data protection laws that differ from those in your country.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact

If you have questions or concerns about this Privacy Policy or our data practices, or to exercise your privacy rights, contact us: