Privacy Policy
This Privacy Policy explains how Individual Entrepreneur DALER AZIMOV ("we", "us", "our") collects, uses, and protects personal data in connection with the Convertessa macOS application ("App") and the website at convertessa.app ("Site").
Convertessa does not upload your files, store your converted files, sell your personal data, or use advertising trackers. It is not, however, accurate to say we process no personal data: the website, payment flow, license activation, update checks, support, and our server logs each process limited personal data, described category-by-category below. Every category corresponds to a real, code-verified data flow.
1. Who We Are (Data Controller)
Individual Entrepreneur DALER AZIMOV
Registered in Georgia under the LEPL National Agency of Public Registry.
Identification number: 305750979
Address: Georgia, Tbilisi, Saburtalo district, Bakhtrioni street, N 22, apartment N75
Email: [email protected]
Phone: +995 511 16 0576
2. What Data We Collect and Why
2-A. When You Visit the Website
Cloudflare Web Analytics
Our website uses Cloudflare Web Analytics, a privacy-first analytics service. It records anonymised signals — page views, referring URL, browser type, operating system, and approximate country — without placing cookies or tracking individual visitors across sessions. No cross-site tracking, no fingerprinting, no personally identifiable information.
- Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) — understanding aggregate traffic patterns so we can improve the site.
- Processor: Cloudflare, Inc. (subject to Cloudflare's Data Processing Addendum and Privacy Policy).
- Retention: governed by Cloudflare's own data retention policy.
2-B. When You Buy Convertessa
When your purchase is confirmed, Paddle (our Merchant of Record) sends a webhook event to our payment API. We process and store the following data.
Buyer email address
| What | Your email address, as entered at checkout |
| Why | To generate your license key, deliver your license email, and allow us to re-send the key if you lose it |
| Where stored | In our licensing database, hosted with our cloud infrastructure provider |
| Who else receives it | A transactional email delivery service (sends you the license email) |
| Retention | Retained as needed for accounting, tax, fraud prevention, support, and legal obligations — in practice for the lifetime of your license so we can verify ownership and re-deliver your key |
| Legal basis (GDPR) | Contract performance (Art. 6(1)(b)) to deliver the license; thereafter legal obligation (Art. 6(1)(c), accounting/tax) and legitimate interest (Art. 6(1)(f), fraud prevention and support) for continued retention |
Payment webhook audit log
| What | The webhook payloads Paddle sends for order events. Payloads with invalid or unrecognised signatures are minimised — we record only the metadata needed to investigate (event type, timestamp, signature-validation result), not the full body |
| Why | Audit trail for fraud detection, dispute resolution, and API debugging |
| Where stored | In our audit database, hosted with our cloud infrastructure provider |
| Retention | Valid order events: retained as needed for fraud prevention and audit, then purged. Invalid/failed-signature records: minimised and kept only as long as needed to investigate, not retained for 12 months unless a specific security or legal need requires it |
| Legal basis (GDPR) | Legitimate interest (Art. 6(1)(f)) — financial audit obligations and fraud prevention |
What Paddle retains (independent of us)
Paddle is the Merchant of Record for all purchases. Paddle independently collects and retains your payment method details, billing address, and transaction history under its own Privacy Policy. We do not receive or store your payment card number, billing address, or any full payment instrument details.
2-C. Your License Token (Stored on Your Device)
After activating Convertessa, your license token is saved locally on your Mac at:
~/Library/Application Support/Convertessa/license
The token is a cryptographically signed string that encodes your email address as a base64url payload. It is verified offline using a public key embedded in the App; no network call is made during activation or on subsequent launches to validate your license. The file is protected by standard macOS filesystem permissions but is not encrypted at rest beyond that.
We do not receive or have access to the local license file after it is delivered to you. This data is under your control on your own device.
2-D. Software Update Checks (Sparkle Framework)
The App uses the Sparkle open-source framework to check for software updates. On every App launch, and approximately once every 24 hours, the App sends an HTTPS request to updates.convertessa.app.
The request transmits:
| Field | Example value |
|---|---|
| App version | e.g. "1.0.0" |
| macOS version | e.g. "15.2" |
| CPU architecture | "Apple Silicon" or "Intel" |
| Sparkle framework version | e.g. "2.x" |
An update check does not transmit your name, email address, license token, file names, or conversion data. Like any web request, it necessarily sends technical request metadata to the update server — your device's IP address, a user-agent string, and a request timestamp — alongside the fields above. updates.convertessa.app is served via Cloudflare. Updates are never installed automatically; you approve each one via the standard Sparkle prompt.
There is no in-app toggle to disable update checks; they run automatically on the schedule described above.
- Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) — ensuring users can receive security and compatibility updates for the App.
- Retention: The request metadata (IP address, user-agent, timestamp) that reaches
updates.convertessa.appmay appear in server logs as described in §2-E below, retained for a limited period.
2-E. Server Logs
Our servers and Cloudflare automatically record standard request logs when your device contacts the website, the licensing API, or the update endpoint. These logs may include your IP address, user-agent, timestamp, the endpoint requested, and error or security events.
- Why: operating, securing, and debugging the service; detecting abuse and fraud.
- Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) — security and reliable operation.
- Retention: a limited period, typically 30–90 days, unless a specific security, fraud, or legal need requires longer.
2-F. Support Email
If you email us, we process your email address and anything you choose to include in your message.
- Why: to answer your request and keep a record of support and complaints.
- Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) and, where your message concerns your purchase, contract performance (Art. 6(1)(b)).
- Retention: as needed to resolve your request and maintain reasonable records.
2-G. What We Do NOT Collect
- Your files or their contents — all conversion runs locally on your device. We do not transmit the files you convert to our servers.
- In-app analytics, crash reports, or telemetry — the App embeds no analytics SDK, tracking pixel, or usage tracking. (Update checks send only the technical request metadata described in §2-D.)
- Payment card numbers or billing addresses — these stay with Paddle.
- Passwords — we do not operate a user account system; your license token is your sole credential.
3. Third-Party Processors
| Processor | Role | Data shared | Privacy terms |
|---|---|---|---|
| Cloudflare, Inc. | Website analytics; CDN / edge serving for the site, licensing API, and update endpoint | Anonymised analytics signals (§2-A); request metadata such as IP address and user-agent in edge/server logs (§2-E) | cloudflare.com |
| Cloud infrastructure provider | Compute, database, and file storage for our licensing system | All data described in §2-B | Available on request |
| Email delivery provider | Transactional email delivery | Buyer email, license key, license token, order ID | Available on request |
| Paddle.com | Payment processor / Merchant of Record | Payment details, buyer email (Paddle is an independent controller for payment data) | paddle.com |
We do not sell or rent personal data to any third party. We do not use personal data for advertising or profiling.
Some processors operate outside your country of residence; see Section 7 (International Data Transfers).
4. Legal Bases for Processing (GDPR Summary)
| Processing activity | Legal basis |
|---|---|
| Delivering your license (email → license key → email delivery) | Art. 6(1)(b) — performance of a contract |
| Retaining your email after delivery (accounting, fraud prevention, re-delivery) | Art. 6(1)(c) legal obligation + Art. 6(1)(f) legitimate interest |
| Retaining webhook audit log | Art. 6(1)(f) — legitimate interest (fraud prevention, audit obligations) |
| Software update checks (Sparkle) | Art. 6(1)(f) — legitimate interest (App security and compatibility maintenance) |
| Website analytics (Cloudflare) | Art. 6(1)(f) — legitimate interest (understanding aggregate site traffic) |
| Server logs | Art. 6(1)(f) — legitimate interest (security and reliable operation) |
| Support email | Art. 6(1)(f) — legitimate interest (support and complaint records); Art. 6(1)(b) where the message concerns your purchase |
5. Data Retention
| Data | Retention period |
|---|---|
| Buyer email (licensing database) | As needed for accounting, tax, fraud prevention, support, and legal obligations; in practice the lifetime of your license |
| Webhook event payloads (audit log) | Valid events purged after audit need; invalid/failed-signature records minimised and not kept for 12 months unless required |
Local license token (~/Library/Application Support/Convertessa/license) | Until you uninstall the App or delete the file manually |
| Server logs (IP, user-agent, timestamp) | Typically 30–90 days, unless a specific security, fraud, or legal need requires longer |
| Support email records | As needed to resolve your request and maintain reasonable records |
| Cloudflare Web Analytics | Per Cloudflare's own retention policy |
| Email delivery provider records | Per the provider's own retention policy |
6. Your Rights (EU/EEA and UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR and the UK GDPR:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate data.
- Right to erasure (Art. 17): request deletion of your personal data, where we have no overriding legal obligation to retain it. Note: erasing your email from our licensing database will disable license re-delivery for your purchase.
- Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent (where processing is based on consent): you may withdraw it at any time, without affecting processing already carried out.
- Right to lodge a complaint: if you believe we have processed your data unlawfully, you may lodge a complaint with the supervisory authority in your country of residence. UK residents may complain to the Information Commissioner's Office (ico.org.uk). EU/EEA residents may complain to their national supervisory authority. In Georgia (the country of the data controller), the supervisory authority is the Personal Data Protection Service (pdp.gov.ge).
To exercise any of these rights, contact us at [email protected] with the subject line "Privacy Request" and a description of your request. We will respond within 30 calendar days.
7. International Data Transfers
We are based in Georgia (country). Your personal data may be processed in Georgia and by service providers located in other countries. By purchasing Convertessa or using the Site, you acknowledge that your data may be processed outside your country of residence.
The safeguards for any such transfer depend on the provider and on applicable law, and may include mechanisms such as Standard Contractual Clauses or adequacy decisions where they apply. Details of a specific provider's safeguards are available on request.
8. EU / UK Representative
The data controller is Individual Entrepreneur DALER AZIMOV (Section 1). For any data-protection matter you may contact us directly at [email protected]. Where applicable law requires us to designate a representative in the EU and/or the UK, we are arranging to appoint one and will publish their details here.
9. Security
We use reasonable technical and organisational measures to protect personal data, including TLS for data in transit, access limited to those who need it, and verification of payment webhooks before they are processed. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
10. Children
Convertessa is not directed at children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Changes to This Policy
We may update this policy from time to time. Material changes will be posted at convertessa.app/privacy at least 14 days before taking effect. We will note the updated "Last updated" date at the top.
12. Contact
Individual Entrepreneur DALER AZIMOV
Georgia, Tbilisi, Saburtalo district, Bakhtrioni street, N 22, apartment N75
Email: [email protected]
Phone: +995 511 16 0576