IPA Encryption Checker

1. Introduction

At IPA Encryption Checker, we respect your privacy and are committed to protecting it. This Privacy Policy explains how we collect, use, and safeguard your information when you use our website located at https://ipachecker.qzz.io/ (the "Service").

We use your data solely to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect only the minimal information necessary to provide our Service:

• IPA Files: Files you voluntarily upload for analysis, or URLs to IPA files you provide
• IP Address: Your device's internet address (obtained from Cloudflare's CF-Connecting-IP header), used solely for rate limiting (30 requests per minute, 12 uploads per hour), abuse prevention, and security
• File Metadata: Information extracted from uploaded IPA files during analysis (app name, version, bundle identifier, architecture, encryption status, etc.)
• Verification Data: CAPTCHA responses processed by Cloudflare Turnstile to prevent automated abuse
• Authentication Tokens: Session identifiers (Upload IDs) generated to secure your file access
• URL Information: If you use URL mode, the URL you provide is temporarily stored for processing

We do not collect names, email addresses, or any other personally identifiable information unless you explicitly provide it when contacting us.

3. Upload Methods

Our Service supports two methods for submitting IPA files for analysis:

• Direct File Upload: Upload IPA files from your device (maximum 100MB per file, 5 files per upload session)
• URL Mode: Provide a direct URL to an IPA file hosted elsewhere (no file size limit). The file is downloaded by our analysis system and processed through the same security and analysis pipeline

For URL submissions, you must have the legal right to access and analyze the file at the provided URL. We validate that URLs end with .ipa and are properly formatted before processing.

4. Uploaded Files and Analysis

When you upload an IPA file or provide a URL to an IPA file:

• File Upload Mode: The file is stored on Cloudflare R2 servers with metadata including original filename, upload IP, timestamp, and file size
• URL Mode: The URL is validated and passed to our analysis system, which downloads the file during processing
• We automatically extract metadata from the file (app name, bundle identifier, version, minimum iOS version, architecture)
• We analyze the file's encryption status using automated tools
• We generate an MD5 hash of the file for verification purposes (performed in the backend analysis pipeline)
• Files are processed through GitHub Actions workflows for automated analysis
• A unique session identifier (Upload ID) is generated to authenticate your access to the file and results

5. CAPTCHA and Anti-Abuse Measures

To prevent automated abuse, we use Cloudflare Turnstile CAPTCHA verification. When you complete a CAPTCHA challenge:

• Your response is sent to and verified with Cloudflare's servers
• Cloudflare may process your IP address and browser information according to their privacy policy
• We do not store or access the verification data beyond confirming it's valid
• The verification token is used once and then discarded

For more information about Cloudflare Turnstile's data handling, please refer to Cloudflare's Privacy Policy.

6. Automated Processing

Our Service uses fully automated systems to analyze your uploaded files. This includes:

• Automated file format validation using magic bytes verification (ZIP/IPA signature check)
• File size validation and content-type verification
• Encryption status detection algorithms
• Metadata extraction scripts
• File hash generation (MD5)
• Architecture detection (32-bit, 64-bit, Universal)

No human manually reviews your uploaded files unless specifically required for technical support purposes, All analysis is performed by automated scripts and tools.

7. Cookies and Local Storage

We use minimal local storage for:

• Dark mode preference (stored locally in your browser)
• No tracking cookies or analytics cookies are used
• We do not track your browsing behavior across our site
• We do not use third-party advertising or tracking services

8. Use of Data

We use the collected data exclusively for:

• Providing the IPA analysis service
• Preventing abuse and ensuring fair use through rate limiting
• Maintaining service security and stability
• Improving the accuracy and performance of our analysis tools
• Authenticating file access using session identifiers
• Generating download links for processed files

We do not use your data for marketing, advertising, profiling, AI training, or any commercial purposes beyond providing the Service.

9. Data Retention

We have different retention periods for different types of data:

• Uploaded IPA Files (File Upload Mode): Stored on Cloudflare R2 servers for up to 1 hour for immediate analysis, then automatically deleted from our primary storage
• URL Information (URL Mode): URLs are stored in session data for up to 1 hour, then automatically deleted
• Analysis Results & Download Files: Stored via GitHub Actions artifacts for up to 90 days to enable download functionality through nightly.link
• IP Address Data (Rate Limiting):
  • Request rate limits: 1-minute rolling window
  • Upload limits: 1-hour rolling window
  • Data automatically expires after the respective time period
• Session Data: Temporary session information (including Upload IDs) is retained for up to 1 hour to coordinate the analysis process and authenticate file access
• Authentication Tokens: Upload IDs are stored with session data and expire after 1 hour

After these retention periods, all data is automatically and permanently deleted from our systems. GitHub artifacts are automatically deleted after 90 days by GitHub's systems.

10. Download Functionality

To provide download links for your processed files:

• Processed files and analysis results are stored as GitHub Actions artifacts
• Download links are provided through nightly.link, a third-party service that generates direct download URLs for GitHub artifacts
• These files remain available for download for 90 days
• Access to files during the 1-hour session window requires your original Upload ID for authentication
• After the session expires, files can only be accessed through GitHub artifact download links
• Download links do not require authentication after they are generated

11. Authentication and Session Security

To protect your uploaded files and ensure secure access:

• Each upload generates a unique session identifier (Upload ID)
• Upload IDs are required for all file operations (status checks, file access, updates, cleanup)
• We use constant-time comparison for authentication tokens to prevent timing attacks
• Files cannot be accessed without the correct Upload ID during the session window
• Session data and authentication tokens automatically expire after 1 hour

12. Data Transfer

Your information may be transferred to and processed in:

• United States/Europe (Cloudflare R2, Cloudflare Workers)
• United States (GitHub Actions for file processing)
• Other locations where our service providers operate

All transfers are conducted with appropriate security measures. By using our Service, you consent to these transfers.

13. Security Measures

We implement comprehensive security measures to protect your data:

• Transport Security: Encrypted file transfer (HTTPS/TLS) for all communications
• File Validation:
  • Magic bytes verification to ensure valid ZIP/IPA files
  • File size limits to prevent resource abuse
  • Content-type validation
• Access Controls:
  • Upload ID authentication for file access
  • Constant-time authentication comparison to prevent timing attacks
  • IP-based rate limiting (only CF-Connecting-IP header trusted to prevent spoofing)
• Automatic Deletion: Files automatically deleted after processing (1 hour retention)
• Rate Limiting:
  • 30 requests per minute per IP address
  • 12 uploads per hour per IP address
• Request Timeouts:
  • 3-minute for file uploads
  • 30-second for other requests
• Security Headers: Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Content-Security-Policy, Referrer-Policy
• Error Handling: In production, detailed error messages are sanitized to prevent information disclosure

While we strive to protect your data, no method of internet transmission is 100% secure. We cannot guarantee absolute security but implement industry-standard protections.

14. Third-Party Service Providers

We work with the following third-party services that may process your data:

• GitHub Pages: Web hosting for our website
• GitHub Actions: Automated processing and analysis of uploaded files
• Cloudflare R2: Temporary file storage during analysis (1 hour retention)
• Cloudflare Workers: Backend API and request processing
• Cloudflare Turnstile: CAPTCHA verification to prevent abuse
• nightly.link: Third-party service for generating direct download URLs from GitHub Actions artifacts

These providers process data according to their own privacy policies and are bound by contractual obligations to protect your information.

15. Analytics and Tracking

We do not use:

• Google Analytics or similar tracking services
• Social media tracking pixels
• Advertising networks or marketing cookies
• Cross-site tracking technologies
• Fingerprinting techniques
• Any form of behavioral tracking

We maintain complete privacy for all visitors and do not monitor your browsing behavior.

16. Children's Privacy

Our Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete such information immediately.

17. Your Privacy Rights

Depending on your location, you may have rights regarding your personal information:

• Access: Request information about data we have about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your personal data
• Portability: Request a copy of your data in a structured format
• Objection: Object to processing of your personal data

Since we collect minimal data and automatically delete files after processing, most data is automatically removed without action needed. For any privacy concerns or to exercise your rights, contact us using the information below.

18. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

• We will post the updated policy on this page
• We will update the "Last Updated" date at the bottom
• For significant changes, we may provide additional notice on our website

We encourage you to review this policy periodically for any updates.

19. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

• Email: andres@ipachecker.qzz.io
• GitHub: Open an issue

We aim to respond to privacy-related inquiries within 30 days.