Privacy Policy

§ 1

#Common

Who we are

iSign is run by independent operators — not a registered company. The "iSign" brand covers two related products:

iSign Marketplace — a Telegram mini-app for buying iOS code-signing certificate slots.
iSign Loader — a free Windows desktop tool for sideloading IPA files using your own Apple ID.

This policy covers both. Use the section navigation above to jump to the part relevant to you.

Contact

For privacy questions, deletion requests, or anything you'd like clarified, message @isign_rowdy on Telegram.

What we never do

We do not sell your data.
We do not run third-party advertising or analytics SDKs that share data with advertisers.
We do not require an account, an email address, or a phone number to use iSign Loader.

Your rights

You can request, at any time:

A copy of any data we hold about you.
Deletion of your Marketplace account and its purchase history.
Removal of your Telegram identity from our support archives.

Send the request to @isign_rowdy. We aim to respond within 7 days.

Data retention

We keep purchase records as long as the linked certificate slot is active, plus 12 months for support and dispute resolution. After that, records are anonymised (Telegram identity removed, slot history kept for accounting).

Changes to this policy

If we materially change what we collect or how we use it, the "last updated" date above changes and we post a notice in @isignspace.

§ 2

#Marketplace

Applies to the Telegram mini-app at @isign_certificate_bot/marketplace, the bot, and the community group @isignspace.

What we collect

Telegram identity — your Telegram user ID, username, first name, last name, language code. Provided automatically by Telegram when you open the mini-app or message the bot. We need it to identify your slots and process your purchases.
Purchase records — payment provider (Telegram Stars or Stripe), transaction ID issued by the provider, amount, currency, status. We do not see your card number, CVV, or bank details — those stay with Stripe / Telegram.
Device UDID — the 25- or 40-character hardware identifier of the iPhone or iPad you link to a slot. Used to issue your provisioning profile through Apple's Developer API. We do not collect IMEI, serial number, phone number, or installed-app lists.
Support messages — messages you send to the bot or to the support thread are forwarded to a private Telegram topic visible to operators.

What we don't collect

Your Apple ID or password — the Marketplace flow does not need them.
Your card number or banking credentials.
The contents of any IPA you sign.
Browser fingerprints, cross-site cookies, or third-party trackers (the marketplace is a Telegram WebApp, not a public website).

Where data lives

Your data is stored on servers located within the European Union and processed by us as the data controller. We rely on standard categories of third-party processors to operate the service:

Payment processors (Telegram, Stripe) — handle the payment transaction itself under their own privacy policies; we receive only the resulting transaction reference.
Messaging platform (Telegram) — the mini-app and bot run inside Telegram and are subject to Telegram's privacy policy.
Infrastructure providers — cloud hosting and content delivery used to run the database, the backend workflows, and this website. They process data on our behalf under data-processing agreements and have no independent right to use it.

We do not transfer your data to advertisers, data brokers, or analytics platforms.

Cookies

The website you're reading right now is static HTML on Cloudflare Pages and sets no cookies. The Telegram mini-app runs inside Telegram's own client and uses Telegram's session, not browser cookies.

Apple ID note. The Marketplace does not ask for, store, or transmit your Apple ID. You only provide a device UDID. If you want a flow that uses your own Apple ID instead, see the Loader section below.

§ 3

#Loader

Applies to the iSign Loader Windows desktop application distributed from loader.appload.tech.

Headline: Your Apple ID credentials never reach our servers. Authentication runs locally on your machine and talks directly to Apple. We see only anonymised header requests via our anisette server.

How sign-in actually works

iSign Loader uses Apple's official authentication flow through the open-source apple-platform-rs library. The flow is:

You type your Apple ID and password into the Loader window.
Your machine asks our self-hosted anisette server at anisette.appload.tech for a set of cryptographic headers that Apple requires from desktop clients. Your Apple ID is not sent to anisette. The server only returns machine-identifier headers.
Your machine then sends your Apple ID, password, and those headers directly to Apple over HTTPS. We are not in that path.
Apple returns an authentication token. Subsequent operations (issuing a free 7-day certificate, registering your device, signing your IPA) happen between your machine and Apple, again with no detour through our servers.

What our anisette server logs

Our anisette deployment runs the open-source anisette-v3-server by Dadoum. By design, the v3 protocol does not transmit Apple ID credentials — the server cannot log what it doesn't receive. We retain only the standard request metadata typical for any HTTP service: source IP, timestamp, user-agent. These logs are kept for at most 30 days for abuse prevention and rotated automatically.

What lives locally on your machine

Apple ID password — only if you tick "Save credentials". Stored in Windows Credential Manager, encrypted by the operating system. The Loader retrieves it via the keyring Rust crate; no plaintext copy is ever written to disk.
Saved Apple ID list — the e-mail addresses of accounts you have signed in with are stored in plaintext in %APPDATA%\tech.appload.isignloader\data.json. This file lets the Loader populate the dropdown of saved accounts. It contains no passwords.
Logs — debug-level traces of operations are written to %APPDATA%\tech.appload.isignloader\logs. These traces do not contain your Apple ID, password, or 2FA code — only event names like "auth_started", "auth_verified", "sideload_complete".
Apple-issued certificates and provisioning profiles — the development certificate Apple issues to your account is held in encrypted form by the sideloading library and used only to sign the IPA you select.

What the Loader never does

Read the contents of any IPA you select beyond what is needed to sign it.
Send your Apple ID, password, or 2FA code to any server other than Apple.
Open background network connections when you are not actively using it.
Collect telemetry, crash dumps, or usage analytics. (A privacy-respecting crash reporter is on the roadmap; until then there is none.)

Apple's Free Developer Tier — not our limits

The Loader uses Apple's free developer tier. Apple's own restrictions apply — not ours:

Signed apps expire after 7 days; you re-sign by re-running the Loader.
Up to 3 active certificates per Apple ID at any time.
Approximately 10 App IDs per 7-day window.
Approximately 100 device registrations per year per Apple ID.
No push notifications, no in-app purchases, no Game Center.

These are Apple's terms for the free tier and are out of our control.

How to wipe everything

Uninstall the Loader, then delete the folder %APPDATA%\tech.appload.isignloader. To remove your saved password from Windows Credential Manager: open Control Panel → User Accounts → Credential Manager → Windows Credentials and delete entries with the service name isign-loader.