Privacy.

For the ReviewHeron app · Last updated: June 18, 2026

01 · Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Nicolas Autzen
Heinrich-Vogeler-Weg 18
27726 Worpswede, Germany
Email: hi@hamme.software

For any privacy-related matter — access, erasure, objection or general questions — please contact the email address above.

We are not required to appoint a data protection officer: Hamme is run as a solo business with no further employees (Section 38 BDSG), and we carry out no processing that would require a data protection impact assessment under Article 35 GDPR.

02 · Scope

This policy applies to the macOS app ReviewHeron and the processes connected with it: purchase, download and automatic updates.

A separate privacy policy applies to the website hamme.software.

03 · Local-first — your content stays on your Mac

ReviewHeron is built local-first. The App Store and Play Store reviews you manage, your replies, drafts, notes and settings are processed and stored on your Mac.

  • No account with us, no registration to use the app.
  • No transfer of your content to us — we run no server that receives or stores your reviews or replies. The connections to the app store services you work with are established by you, with your own credentials, directly between your Mac and the respective provider.
  • No tracking, no analytics, no usage telemetry, no advertising. Optional crash reports, stripped of personal content, exist only if you explicitly switch them on (section 08) — off by default.

The only data flows are the few, clearly defined ones that are technically necessary for purchase, licensing, download and updates, plus — only with your explicit consent — the optional crash reports. They are described in sections 04 to 08.

04 · Purchase via Lemon Squeezy (Merchant of Record)

Your purchase of ReviewHeron is handled by Lemon Squeezy as the Merchant of Record — legally the seller towards you. The provider is Sold through Link, LLC (formerly Lemon Squeezy LLC), Salt Lake City, Utah, USA (a Stripe subsidiary). Lemon Squeezy collects and remits VAT, issues the invoice and generates and sends your license key.

Only a limited set of order data reaches us (e.g. order ID, product purchased, license key, time of purchase, and possibly your email address and the country for VAT). Your payment details (card, IBAN, PayPal) and full billing address are processed solely by Lemon Squeezy — we neither receive nor store them.

The legal basis for the order data reaching us is Article 6(1)(b) GDPR (performance of the purchase contract). For payment, tax and invoicing, Lemon Squeezy acts as an independent controller by virtue of its own legal obligations; details are set out in Lemon Squeezy’s privacy policy.

Transfer to the USA: the transfer to Sold through Link, LLC is safeguarded by the EU Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR (Lemon Squeezy DPA); the actual payment processing is carried out via Stripe, which is certified under the EU-U.S. Data Privacy Framework.

05 · License activation

To unlock the app, you enter your license key. ReviewHeron then checks it — on activation and for recurring validity checks — against Lemon Squeezy’s license API (api.lemonsqueezy.com). In doing so, the license key, a device identifier (so that your device limit is respected) and, for technical reasons, your IP address are transmitted.

The legal basis is Article 6(1)(b) GDPR — license verification is a precondition of contractual use. The recipient is Lemon Squeezy (USA, SCCs as in section 04). No API key is stored in the app; a temporary network error does not lock the app.

06 · Downloading the app

You download the app as a notarised DMG file via dl.hamme.software. This download runs through Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA), our processor under Article 28 GDPR.

In doing so, Cloudflare processes a technical server log (IP address, user agent, file requested, time). The purpose is secure, stable delivery; the legal basis is Article 6(1)(f) GDPR (legitimate interest in reliably providing the purchased product). We do not analyse these logs and do not identify individual users.

Transfer to the USA: Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF); the EU Standard Contractual Clauses (SCCs) from the Cloudflare Customer DPA apply in addition.

07 · Automatic updates (Sparkle)

ReviewHeron keeps itself up to date using the Sparkle update framework and checks once a day whether a new version is available at updates.hamme.software. This request also runs through Cloudflare (see section 06).

In doing so, your IP address and the installed app version (and the user agent) are transmitted. No further system profiling (e.g. hardware or OS details) takes place.

The legal basis is Article 6(1)(f) GDPR. The legitimate interest is particularly weighty here: the timely supply of security and feature updates. Update packages are cryptographically signed (EdDSA). You can switch off the automatic update check in the app’s settings.

08 · Optional crash reports

ReviewHeron can help you fix crashes — but only if you explicitly switch it on. The feature is off by default; you enable it via a toggle in Settings under Help & Feedback and can turn it back off there at any time.

When it is on, ReviewHeron sends, after a crash, a report reduced to the technically necessary minimum and stripped of personal content: the stack trace (the call path at the moment of failure), the app and macOS version and the crash type. Before sending, the data is cleaned against a whitelist — path components such as your user name are removed; review content, license keys, API tokens or Keychain data are never transmitted. We do not send any device or installation identifier: all that is counted is how often a particular error occurs (grouped by a technical fingerprint of the stack trace), so we can fix the most important crashes first. We use these reports solely to fix bugs, not for usage analytics or advertising.

The legal basis is your consent (Article 6(1)(a) GDPR). Where local crash logs stored on your device are read for this purpose, the access is additionally based on your consent under Section 25(1) TDDDG (formerly TTDSG). You can withdraw your consent at any time with effect for the future by switching the toggle off; the lawfulness of processing carried out until then remains unaffected.

The reports are received by an endpoint at crash.hamme.software, which runs through Cloudflare just like download and update (see section 06 — no additional recipient). The aggregated reports are stored in Cloudflare's EU region (the D1 database service, jurisdiction “eu”) — the stored data is therefore not transferred to the USA; the Cloudflare safeguards from section 06 (DPF + SCCs) apply to the mere transmission. We do not store an IP address with the reports, and the endpoint re-scrubs the data server-side. Per error fingerprint we store only its frequency, the affected versions and one scrubbed sample stack trace.

09 · Recipients

For the data flows of the app described in this policy (purchase, license, download, updates and optional crash reports), the only recipients of personal data are:

  • Lemon Squeezy (Sold through Link, LLC, USA) — purchase, payment, invoice, license; independent controller, SCCs (sections 04 and 05).
  • Cloudflare, Inc. (USA) — download, update delivery and the endpoint for optional crash reports; processor, DPF + SCCs (sections 06, 07 and 08).

If you write to us by email — for instance to join the ReviewHeron waitlist or to exercise your rights — this runs through our email service Hover (Tucows.com Co., Canada; independent controller). That channel is described in the website privacy policy (section 05).

No data is passed on to advertising partners or other third parties; disclosure to authorities occurs only where we are legally obliged.

10 · Retention

The server logs from download and update checks are stored by Cloudflare at its own discretion; we carry out no separate analysis of them.

The optional crash reports (section 08) are kept in aggregate per error fingerprint for as long as the error is relevant to our stability work, but no longer than 12 months; they contain no personal data and no IP address.

Purchase and license data that we need for our accounting (e.g. invoice and booking records) are subject to the commercial and tax-law retention periods of 6 to 10 years (Section 257 HGB, Section 147 AO). To that extent they are retained even if you request erasure (permissible retention reservation under Article 17(3)(b) GDPR), and deleted once the periods expire.

11 · Your rights

Under the GDPR you have the right of access (Art. 15), to rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection to processing based on legitimate interests (Art. 21). A plain email to hi@hamme.software is enough.

As Lemon Squeezy is independently responsible for purchase, payment and invoicing, you exercise rights concerning your payment and billing data directly with them; we are happy to assist.

Right to lodge a complaint (Art. 77 GDPR): you can complain to a data protection supervisory authority. The authority responsible for us is the State Commissioner for Data Protection of Lower Saxony (LfD Niedersachsen), Prinzenstraße 5, 30159 Hannover, Germany, lfd.niedersachsen.de.

12 · No automated decisions

We do not use automated decision-making, including profiling, within the meaning of Article 22 GDPR.

13 · Changes

We update this policy when the app, the services involved or the legal situation change. The current version is always available at hamme.software/en/apps/reviewheron/privacy. This English text is a convenience translation — the German version at hamme.software/apps/reviewheron/datenschutz is authoritative and prevails in the event of any discrepancy.