Trust
Security
App Tracker handles sensitive API credentials. Here is how we protect them.
Credential encryption
Every API key and private key you provide is encrypted using AES-256-GCM before being written to the database. The encryption key is stored separately from the database and is never logged. Keys are decrypted only in memory, immediately before use, and only within the server process handling your authenticated request.
Per-user isolation
Credentials are scoped to your user account. No other user can access your API keys or see your analytics data. Each request to Apple or RevenueCat is made using your specific credentials on your behalf.
App Tracker does not store Apple private keys (.p8) longer than necessary. You can delete your credentials at any time from the Settings page.
Authentication
Authentication is handled by Clerk, which provides secure session management, multi-factor authentication support, and OAuth login via Google. We do not store passwords.
Infrastructure
The application runs on Replit's infrastructure. The database is a managed PostgreSQL instance (Neon). All traffic is served over HTTPS with TLS.
App Tracker does not retain Apple or RevenueCat data permanently — analytics data is cached temporarily to reduce API calls and is associated with your account only.
Report a vulnerability
If you find a security issue, please disclose it responsibly by emailing enquiries@exitapp.social with a description of the issue. We will respond within 48 hours.