What screenshot inputs are required?

Clean simulator captures in PNG format are required. The studio composites each capture into the chosen device frame and applies your typography, layout and theme.

Can a project be saved and resumed later?

Yes. Authenticated users can save projects to the cloud, name them, and open them again from any device. Autosave runs every 30 seconds during an active session and uploads only the screenshot bytes that have actually changed. The Free tier supports one saved project; the Pro tier supports twenty.

Is the export compatible with fastlane?

Yes. The export bundle uses the exact directory layout expected by fastlane deliver and supply, including locale and device folders. iOS and Google Play screenshots may be mixed within a single bundle without further reorganisation.

Can multiple device sizes be rendered together?

Yes. Any combination of iOS 6.9, 6.7, 6.5 and Google Play may be selected. A single render produces every selected size and packages them in one bundle.

How customisable is the typography?

Each project supports an arbitrary number of named text fields. Within each field, individual character spans may be styled with their own font, size, weight, colour, italics, underline and alignment. More than 30 Google Fonts are available out of the box.

Where is data stored?

Render output and project assets are stored in Cloudflare R2 under the European Union jurisdiction (primary copy in Western Europe). Accounts, render history, and billing data sit in Postgres on a Contabo VPS in Düsseldorf, EU. Render outputs are removed after 24 hours; screenshots associated with saved projects are retained for the lifetime of the project. No training is performed on customer data, and the studio interface uses no tracking cookies.

legal · 04

Data Processing Addendum

Last updated: 2026-05-18. Version 1.0.

This Data Processing Addendum ("DPA") forms part of the Agreement between you ("Customer", acting as Data Controller) and Omelas, operator of AppScreen ("Processor"). It applies whenever Customer's use of AppScreen involves the processing of personal data subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR. By using AppScreen on a Pro plan, Customer accepts this DPA.

1. Definitions

"Personal data", "processing", "data subject", "controller", "processor", "sub-processor", and "supervisory authority" have the meanings given in the GDPR.

2. Subject matter and duration

Processor processes personal data on Customer's behalf for the duration of the Agreement and for the limited purpose of delivering the AppScreen service (rendering App Store / Play Store screenshot bundles, storing the underlying project, sending transactional email).

3. Nature, purpose, and categories

Nature: hosting, storage, automated rendering of supplied assets; transmission of email notifications; billing through a third-party payment processor.

Categories of data subjects: Customer's authenticated end users of AppScreen and, where Customer uploads screenshots depicting third parties, those third-party data subjects.

Categories of personal data: account identifiers (email), billing data, and any personal data embedded in screenshots or copy that Customer uploads. AppScreen does not request and does not require special-category data.

4. Processor obligations

Processor will:

process personal data only on Customer's documented instructions, including transfers, unless required by EU or Member-State law (in which case Processor will inform Customer);
ensure personnel authorised to process the data are bound by confidentiality;
implement appropriate technical and organisational measures (see Section 7);
assist Customer in responding to data-subject rights requests and in meeting obligations under Articles 32–36 GDPR;
on termination of the Agreement, delete or return all personal data as Customer chooses, subject to legal retention obligations;
make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by Customer or a mandated auditor.

5. Sub-processors

Customer grants general authorisation for Processor to engage the sub-processors listed at /legal/subprocessors. Processor will give Customer at least 30 days' notice of any intended addition or replacement and provide Customer the opportunity to object. If Customer objects on reasonable grounds, Customer may terminate the Agreement with a pro-rata refund.

Processor imposes data-protection terms on each sub-processor that are no less protective than those in this DPA and remains fully liable to Customer for sub-processor performance.

6. International transfers

Where transfers to a third country occur (notably to Google for Firebase Authentication and Stripe for payments), Processor relies on the European Commission's Standard Contractual Clauses (Module 3) or, where applicable, the EU-US Data Privacy Framework. Processor will conduct and document a Transfer Impact Assessment for each non-EU sub-processor.

7. Security measures (Art. 32)

TLS 1.2+ for every connection; HSTS enforced on web.
Postgres + Cloudflare R2 encrypted at rest by the provider; age-encrypted DB backups in a dedicated bucket.
API keys stored as sha256 hashes; Stripe webhooks signature-verified; one-time bearer tokens for sign-in links.
Principle of least privilege: tier-1 admin access limited to two named operators; quarterly access review.
Hard-purge 30 days after account deletion; render bundles auto-deleted after 24 hours.
Audit log of sensitive operations: account delete, data export, plan change, API key creation/revocation.
Vulnerability monitoring via Dependabot-style alerts and internal error capture.

8. Personal data breach

Processor will notify Customer without undue delay, and in any case within 48 hours of becoming aware of a personal-data breach affecting Customer's data, with at least the information required by Art. 33(3) GDPR. Notice is sent to the admin email on Customer's account.

9. Data-subject requests

Customer can self-serve access, export, and deletion via /account/data and /account. For requests Processor cannot fulfil through these tools (or where Customer needs Processor's assistance with a request from one of Customer's own end users), email hello@appscreen.co.

10. Liability and term

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA terminates automatically when the Agreement terminates.

11. Governing law

This DPA is governed by the law of the Agreement, except where GDPR or Member-State law mandatorily applies.

12. Signature

No counter-signature is required. Customer's continued use of AppScreen on a Pro plan after this DPA's effective date constitutes acceptance. A counter-signed PDF is available on request to hello@appscreen.co for procurement processes that require one.