Privacy Policy
Last Updated: May 1st, 2026
Document Version: 1.0
Document Classification: Public
Apollo Deploy ("Apollo Deploy", "we", "us", or "our") provides a release intelligence platform designed to help teams manage software releases across mobile stores, backend services, and infrastructure.
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data when you access our website, join our waitlist, use the Apollo Deploy platform, or connect third-party integrations.
This Privacy Policy should be read in conjunction with our Terms of Service, Security & Trust document, and Data Processing Agreement (DPA). In the event of any conflict, the order of precedence shall be: (1) the executed enterprise agreement (if any), (2) the Terms of Service, (3) the Data Processing Agreement, (4) the Security & Trust document, (5) this Privacy Policy.
1. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" has the meaning ascribed to it under applicable data protection law, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the UK Data Protection Act 2018 and UK GDPR, Brazil's Lei Geral de Proteção de Dados (LGPD), Australia's Privacy Act 1988, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and equivalent legislation in other jurisdictions.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, modification, or deletion.
- "Customer" means any entity or individual that has entered into an agreement with Apollo Deploy to use the platform.
- "Customer Data" means any data, content, or information submitted, uploaded, or generated by a Customer or its authorized users through the platform.
- "Subprocessor" means any third-party entity engaged by Apollo Deploy that processes Personal Data on Apollo Deploy's behalf.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
2. Scope of This Policy
This Privacy Policy applies to:
- The Apollo Deploy website and all associated subdomains
- Waitlist and early access programs
- The Apollo Deploy application, dashboard, and APIs
- Connected integrations and data sources
- All communications with Apollo Deploy, including email, support channels, and feedback submissions
It applies to visitors, prospective customers, users, customers, and authorized representatives of organizations using Apollo Deploy, regardless of geographic location.
This Privacy Policy does not apply to:
- Third-party websites, services, or applications linked from the Apollo Deploy platform, which are governed by their own privacy policies
- Personal Data processed by Customers using the Apollo Deploy platform, for which the Customer acts as the Controller
3. Data Controller and Processor Roles
3.1 When Apollo Deploy Acts as Controller
Apollo Deploy acts as the Controller of Personal Data when we:
- Collect and process data from website visitors and waitlist participants
- Manage user accounts and authentication
- Process data for our own business operations, analytics, and product improvement
- Communicate with users and prospective customers
3.2 When Apollo Deploy Acts as Processor
Apollo Deploy acts as a Processor on behalf of the Customer (as Controller) when we:
- Process Customer Data submitted to the platform in the course of providing the service
- Ingest data from third-party integrations connected by the Customer
- Store and manage release metadata, deployment events, and configuration data on the Customer's behalf
Where Apollo Deploy acts as a Processor, Processing is governed by the Data Processing Agreement between Apollo Deploy and the Customer.
4. Information We Collect
4.1 Information You Provide Directly
Depending on how you interact with Apollo Deploy, we may collect:
- Contact information
  - Email address
  - Full name (optional at signup; may be required for account administration)
  - Organization name, job title, or role (optional)
  - Phone number (if voluntarily provided)
- Account and organizational data (once the platform is active)
  - User identifiers and account credentials (passwords are stored in hashed form only)
  - Team and organization membership
  - Access roles and permissions
  - Account preferences and settings
- Communications
  - Support requests and correspondence
  - Feedback and feature requests
  - Survey responses
  - Any other information you voluntarily provide in communications with us
- Billing information (where applicable)
  - Payment method details are processed by our third-party payment processor and are not stored directly by Apollo Deploy
  - Billing address and invoicing details
4.2 Information Collected Through Platform Usage
When you use Apollo Deploy, we may process operational data related to software releases, including:
- Release metadata (version identifiers, build references, rollout state, release notes)
- Deployment events, timestamps, and status changes
- Configuration and policy data (feature flags, rollout rules, approval workflows)
- Audit and activity logs (actions performed, actor identifiers, timestamps)
- Error rates, stability metrics, and performance indicators associated with releases
This data is typically organizational data that forms part of Customer Data, not Personal Data, though it may reference user identifiers (e.g., who initiated a release, who approved a deployment). To the extent such data constitutes or contains Personal Data, it is processed in accordance with this Privacy Policy and the applicable DPA.
4.3 Data From Integrations
Apollo Deploy may ingest data from third-party services you choose to connect, such as:
- Source control systems (e.g., pull requests, commits, branch references, author identifiers)
- Error tracking and stability tools (e.g., crash rates, error groupings)
- Application stores and distribution platforms (e.g., review status, release state)
- Observability and metrics systems (e.g., latency, error rates, throughput)
- CI/CD pipelines (e.g., build status, deployment logs)
- Communication platforms (e.g., notification delivery for release events)
The specific data collected depends entirely on the integrations you enable and the permissions you grant. Apollo Deploy processes this data solely to provide release intelligence and related functionality as described in our Terms of Service.
Apollo Deploy accesses third-party services only with explicit Customer authorization and using the minimum permissions required for the integration's stated functionality. Customers may revoke integration access at any time.
4.4 Automatically Collected Information
We collect limited technical information automatically when you access our website or platform, including:
- IP address (may be anonymized or truncated for analytics purposes)
- Browser type and version
- Device type and operating system
- Referring URL and pages visited
- Usage patterns and interaction data within the platform (e.g., features used, navigation paths)
- Timestamps of access and session duration
- Language and locale preferences
This information is used for security, fraud prevention, reliability, performance optimization, and product improvement purposes.
4.5 Cookies and Similar Technologies
Apollo Deploy uses cookies and similar tracking technologies on our website. These include:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, core functionality | Session or persistent as required |
| Functional | User preferences, language settings | Persistent |
| Analytics | Understanding usage patterns, product improvement | Persistent |
We do not use advertising or behavioral tracking cookies.
Where required by applicable law, we obtain consent before placing non-essential cookies. You can manage cookie preferences through your browser settings or through our cookie consent mechanism where provided.
For more information, see our [Cookie Policy] (if published separately).
5. How We Use Information
We use collected information for the following purposes:
5.1 Service Delivery
- Operate, maintain, and provide the Apollo Deploy platform
- Authenticate users and enforce access controls
- Analyze release behavior, risks, and trends
- Process data from connected integrations to deliver release intelligence
- Provide customer support and respond to inquiries
5.2 Account and Access Management
- Manage waitlists and early access programs
- Create, administer, and secure user accounts
- Manage organizational membership, roles, and permissions
5.3 Communication
- Send transactional communications (e.g., account verification, password resets, security alerts)
- Communicate important product updates, service information, and policy changes
- Send marketing communications where consent has been obtained (with opt-out available at any time)
5.4 Security and Fraud Prevention
- Detect, prevent, and respond to security incidents, fraud, and abuse
- Monitor for anomalous behavior and unauthorized access
- Maintain audit logs for security and compliance purposes
5.5 Product Improvement
- Analyze aggregated and anonymized usage data to improve product functionality, reliability, and user experience
- Conduct internal research and development
5.6 Legal and Compliance
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful governmental requests
- Establish, exercise, or defend legal claims
We do not sell, rent, or trade Personal Data. We do not use Personal Data for automated decision-making or profiling that produces legal or similarly significant effects on individuals, unless required to provide the service and disclosed to the affected individual.
6. Legal Basis for Processing
Where applicable data protection law requires a legal basis for Processing Personal Data, we rely on one or more of the following:
| Legal Basis | When We Rely on It | Examples |
|---|---|---|
| Consent | When you voluntarily provide information or opt in to specific processing | Joining the waitlist, subscribing to marketing communications, accepting non-essential cookies |
| Performance of a Contract | When processing is necessary to fulfill our contractual obligations to you | Providing the platform, managing your account, processing Customer Data under the DPA |
| Legitimate Interests | When processing is necessary for our or a third party's legitimate interests, provided those interests are not overridden by your rights | Operating and securing the platform, product improvement, fraud prevention, internal analytics |
| Legal Obligation | When processing is necessary to comply with applicable law | Responding to lawful governmental requests, tax and accounting requirements, mandatory data breach notifications |
Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal. Where we rely on legitimate interests, you have the right to object (see Section 10).
7. How We Share Information
We may share information only in the following limited circumstances:
7.1 Subprocessors and Service Providers
We engage trusted third-party Subprocessors and service providers for hosting, infrastructure, analytics, email delivery, payment processing, and customer support. These providers:
- Process data only on our behalf and in accordance with our documented instructions
- Are bound by contractual confidentiality and data protection obligations no less protective than those described in this Privacy Policy and our Security & Trust document
- Are subject to due diligence prior to engagement and on a recurring basis
- Are listed in our Subprocessor register, which is available to Customers upon request
A current list of Subprocessors is maintained and Customers are notified of additions with [30] days' advance notice in accordance with the DPA.
7.2 Organizational Access
Within the Apollo Deploy platform, Customer Data (which may contain Personal Data such as user identifiers) may be visible to authorized members of the same organization according to configured roles and permissions. Access controls are the shared responsibility of Apollo Deploy (platform enforcement) and the Customer (role configuration and user management).
7.3 Legal Requirements
We may disclose information if required to:
- Comply with applicable laws, regulations, or legal processes
- Respond to lawful requests from governmental authorities, including law enforcement and national security agencies
- Protect the rights, privacy, safety, or property of Apollo Deploy, our Customers, or the public
- Enforce our Terms of Service or other agreements
Where legally permitted, we will make reasonable efforts to notify affected Customers before disclosing their data in response to legal process.
7.4 Business Transfers
If Apollo Deploy is involved in a merger, acquisition, reorganization, dissolution, or asset sale, Personal Data may be transferred as part of that transaction. In such event:
- We will notify affected users prior to their Personal Data being transferred and becoming subject to a different privacy policy
- The acquiring entity will be bound by obligations no less protective than those in this Privacy Policy with respect to Personal Data acquired in the transaction
- Where required by law, we will obtain consent or provide an opt-out mechanism before completing such transfer
7.5 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify any individual. Such data is not subject to the restrictions in this Privacy Policy. We apply technical and organizational measures to ensure that anonymization is irreversible.
7.6 With Your Consent
We may share information in other circumstances with your explicit consent.
8. Data Retention
We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, in accordance with the following principles:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Waitlist and early access data | Until the earlier of: (a) account creation, or (b) [24] months after collection, unless consent is renewed | Consent-based; limited purpose |
| Account and profile data | Duration of account plus [30] days post-deletion request or account termination | Contractual necessity |
| Customer Data (platform data) | As specified in the Terms of Service and DPA; deleted within [30] days of the end of the retention period | Contractual obligation |
| Audit and activity logs | Minimum [12] months, or longer where required by law | Security, compliance, and legal obligation |
| Billing and transaction records | As required by applicable tax and accounting law (typically [5–7] years) | Legal obligation |
| Support correspondence | [24] months after ticket closure, unless longer retention is required | Legitimate interests; service improvement |
| Automatically collected data (analytics, logs) | [12] months, unless anonymized for longer-term analysis | Legitimate interests; security |
| Backup copies | Deleted within [30] days of primary data deletion | Aligned with primary retention |
Upon expiry of the applicable retention period, Personal Data is permanently deleted using methods designed to prevent recovery, or irreversibly anonymized. Customers may request early deletion of their Personal Data, subject to legal retention requirements and contractual obligations.
9. Data Security
We implement reasonable and appropriate administrative, technical, and organizational safeguards to protect Personal Data against unauthorized access, loss, alteration, or misuse, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Role-based access controls and least-privilege access policies
- Multi-factor authentication for administrative and production access
- Continuous monitoring, logging, and anomaly detection
- Regular security assessments and penetration testing
- Personnel background checks and security awareness training
- Incident response procedures with defined notification timelines
For a comprehensive description of our security practices, please refer to the Security & Trust document.
Despite these measures, no method of transmission over the Internet or method of electronic storage is completely secure. Apollo Deploy cannot guarantee absolute security but is committed to promptly addressing any security incidents in accordance with our Incident Response procedures.
10. Your Rights
Depending on your jurisdiction and applicable law, you may have some or all of the following rights with respect to your Personal Data:
10.1 Rights Available Under Most Jurisdictions
| Right | Description |
|---|---|
| Access | Request confirmation of whether we process your Personal Data and obtain a copy of such data |
| Correction / Rectification | Request correction of inaccurate or incomplete Personal Data |
| Deletion / Erasure | Request deletion of your Personal Data, subject to legal and contractual retention requirements |
| Restriction of Processing | Request that we limit how we process your Personal Data in certain circumstances |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes |
| Data Portability | Receive a copy of your Personal Data in a structured, commonly used, and machine-readable format |
| Withdrawal of Consent | Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing |
10.2 Additional Rights Under Specific Laws
European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR):
- Right to lodge a complaint with your local data protection authority (a list of EU DPAs is available at https://edpb.europa.eu)
- Right not to be subject to solely automated decision-making, including profiling, that produces legal or similarly significant effects
California, United States (CCPA / CPRA):
- Right to know the categories and specific pieces of Personal Data collected, the purposes of collection, and the categories of third parties with whom data is shared
- Right to opt out of the sale or sharing of Personal Data (Apollo Deploy does not sell or share Personal Data as defined under the CCPA/CPRA)
- Right to non-discrimination for exercising privacy rights
- Right to limit the use and disclosure of sensitive Personal Data (Apollo Deploy does not process sensitive Personal Data as defined under the CPRA beyond what is necessary to provide the service)
Brazil (LGPD):
- Right to information about public and private entities with which your data has been shared
- Right to revoke consent
- Right to petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding your data
Australia (Privacy Act 1988):
- Right to access and correct Personal Data held about you
- Right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached
Canada (PIPEDA):
- Right to access Personal Data held about you and challenge its accuracy
- Right to lodge a complaint with the Office of the Privacy Commissioner of Canada
10.3 Exercising Your Rights
To exercise any of the rights described above, please contact us using the details in Section 15 of this Privacy Policy. We will:
- Acknowledge your request within [5] business days
- Verify your identity before processing any request (we may request additional information for verification purposes)
- Respond substantively within [30] days, or within the timeframe required by applicable law (whichever is shorter)
- Inform you if an extension is needed and the reasons for such extension
We will not charge a fee for processing reasonable requests, except where permitted by applicable law (e.g., manifestly unfounded or excessive requests).
If we are unable to fulfill a request (e.g., due to legal retention obligations), we will provide a clear explanation of the reasons.
10.4 Authorized Agents
Where permitted by applicable law, you may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authorization and your identity before processing such requests.
11. International Data Transfers
Apollo Deploy operates globally and may process Personal Data in countries other than the country in which it was collected. Where Personal Data is transferred across jurisdictional boundaries, we ensure appropriate safeguards are in place, including:
11.1 Transfer Mechanisms
| Origin | Destination | Safeguard |
|---|---|---|
| EU / EEA | Outside EU / EEA | Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by transfer impact assessments where required |
| United Kingdom | Outside UK | International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs as approved by the UK Information Commissioner's Office |
| Switzerland | Outside Switzerland | SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner |
| Brazil | Outside Brazil | Appropriate transfer mechanisms as recognized under the LGPD, including SCCs or regulatory authorization |
| Canada | Outside Canada | Contractual protections ensuring a comparable level of protection as required under PIPEDA |
| Australia | Outside Australia | Contractual protections ensuring compliance with Australian Privacy Principle 8 |
| Other jurisdictions | Various | Transfer mechanisms as required by applicable local data protection law |
11.2 Transfer Impact Assessments
Where required, Apollo Deploy conducts transfer impact assessments to evaluate the legal framework of the destination country and the effectiveness of supplementary measures. These assessments are documented and updated periodically or when circumstances change materially.
11.3 Data Residency
Where data residency requirements are specified in a Customer's agreement, Apollo Deploy will store and process Customer Data in the agreed-upon regions. Further details are set out in the Security & Trust document and applicable DPA.
12. Children's Privacy
Apollo Deploy is not intended for individuals under the age of 16 (or such older age as may be required by applicable law in the user's jurisdiction, such as 13 under COPPA in the United States).
We do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without appropriate parental consent, we will take prompt steps to delete such data.
If you believe a child has provided Personal Data to Apollo Deploy, please contact us immediately using the details in Section 15.
13. Do Not Track and Global Privacy Control
Apollo Deploy respects browser-based privacy signals where required by applicable law:
- Global Privacy Control (GPC): Where we detect a GPC signal, we treat it as a valid opt-out of the sale or sharing of Personal Data under the CCPA/CPRA. Since Apollo Deploy does not sell or share Personal Data, no additional action is required; however, the signal is honored as a matter of practice.
- Do Not Track (DNT): There is currently no universally accepted standard for DNT signals. Apollo Deploy does not use third-party advertising trackers and does not alter its data collection practices based on DNT signals.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, regulatory developments, or our compliance status.
- Material changes (including changes to the categories of data collected, purposes of processing, third-party sharing practices, or your rights) will be communicated to users and Customers via email notification or in-platform notification at least [30] days before taking effect.
- Non-material changes (such as clarifications, formatting, or typographical corrections) may be made without advance notice.
- The "Last Updated" date at the top of this document reflects the most recent revision.
- Previous versions of this Privacy Policy are available upon request.
- Your continued use of Apollo Deploy after the effective date of changes constitutes acceptance of the revised Privacy Policy, unless you object in writing within the notification period. If you do not agree with the revised Privacy Policy, you should discontinue use of the platform.
15. Contact Us
For questions, requests, or concerns about this Privacy Policy or our data practices:
- Privacy & Data Protection: privacy@apollodeploy.com
- Data Protection Officer: dpo@apollodeploy.com (where required by applicable law)
- Security Team: security@apollodeploy.com (for security-related matters)
- Legal: legal@apollodeploy.com
We aim to respond to all privacy-related inquiries within [5] business days and to resolve requests within [30] days or the timeframe required by applicable law.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. Contact details for data protection authorities are available at:
- EU/EEA: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom: https://ico.org.uk
- Australia: https://www.oaic.gov.au
- Canada: https://www.priv.gc.ca
- Brazil: https://www.gov.br/anpd
16. Governing Law
General
This Privacy Policy is intended to comply with the data protection and privacy laws of all jurisdictions in which Apollo Deploy operates or in which its users and Customers are located.
Dispute Resolution
Unless otherwise specified in an executed enterprise agreement or required by mandatory local law:
- Any disputes arising from or relating to this Privacy Policy shall be governed by the laws of [Primary Jurisdiction, e.g., the State of Delaware, United States], without regard to conflict of law principles.
- The parties agree to attempt resolution through good-faith negotiation before pursuing formal proceedings.
- If negotiation is unsuccessful, disputes shall be resolved through binding arbitration administered by [arbitration body, e.g., the American Arbitration Association] under its then-current rules, unless the user or Customer is located in a jurisdiction where mandatory arbitration clauses are unenforceable for consumer or data protection matters, in which case disputes shall be resolved in the courts of competent jurisdiction.
Preservation of Local Rights
- Nothing in this Privacy Policy shall deprive any individual of mandatory data protection rights, consumer protections, or other non-waivable rights available under the laws of their jurisdiction of residence.
- Where mandatory local law imposes obligations on Apollo Deploy that exceed those described in this Privacy Policy, Apollo Deploy will comply with such obligations to the extent they are applicable.
- To the extent any provision of this Privacy Policy conflicts with mandatory local law applicable to a user or Customer, that provision shall be modified to the minimum extent necessary to comply with such law, and all remaining provisions shall continue in full force and effect.
This Privacy Policy is provided for informational and contractual purposes. It should be read in conjunction with Apollo Deploy's Terms of Service, Security & Trust document, and Data Processing Agreement. In the event of any conflict, the order of precedence shall be: (1) the executed enterprise agreement (if any), (2) the Terms of Service, (3) the Data Processing Agreement, (4) the Security & Trust document, (5) this Privacy Policy.