# Data Collection Audit — Kordant Android > **Last updated:** 2026-06-01 > **Auditor:** Android Production Readiness > **Target:** `com.kordant.android` (v1.0, target SDK 36) > **Purpose:** Complete the Google Play Data Safety form accurately --- ## 1. Data Collected by the App ### 1.1 Personal Information | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | Name | ✅ Yes | User registration/signup | Account creation, personalization | Yes | | Email address | ✅ Yes | User registration/signup, Google Sign-In, password reset | Authentication, account recovery, notifications | Yes | | Password | ✅ Yes | User registration, signup, password reset | Authentication (never stored locally in plaintext) | Yes | | Phone number | ✅ Yes | User profile update, Call Screening, SpamShield | Caller ID verification, spam detection, user profile | No | | Avatar/photo | ✅ Optional | User profile, Google Sign-In | Profile display | No | **Sources:** - `AuthRepository.kt` — signup, login, forgot/reset password - `User.kt` data model — `name`, `email`, `phone`, `avatarUrl` - `SettingsViewModel.kt` — updateProfile(name, phone) - `GoogleSignInAccount` — idToken from Google Sign-In ### 1.2 Audio / Voice Data | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | Voice recordings | ✅ Yes | VoicePrint enrollment | Voice biometric identification, spam call analysis | No | | Voice analysis results | ✅ Yes | VoicePrint analysis API | Analyze incoming calls against enrolled voice prints | No | | Audio samples | ✅ Yes | RECORD_AUDIO permission | Create voice fingerprint for caller identification | No | **Sources:** - `VoiceEnrollment.kt` — `sampleCount`, `status` - `VoiceAnalysis.kt` — `confidence`, `result` - `TRPCApiService.kt` — `voiceprint.createEnrollment`, `voiceprint.analyzeAudio` - `AndroidManifest.xml` — `RECORD_AUDIO` permission ### 1.3 Phone Numbers & Call Data | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | Incoming caller phone numbers | ✅ Yes | Call Screening Service | Spam detection, caller identification | Yes (for call screening feature) | | Phone numbers to monitor | ✅ Yes | Watchlist (DarkWatch) | Alerts for data broker exposure of monitored numbers | No | | Blocked/reported numbers | ✅ Yes | SpamShield rules | Community spam protection | No | | Anonymized call logs | ✅ Yes | CallScreeningRepository | Analytics, false positive detection | No (SHA-256 hashed) | **Privacy protections:** - All phone numbers are SHA-256 **hashed** before being stored in the local spam database. - Raw phone numbers are never written to disk in the spam DB. - Call logs store only hashed representations (`SpamDatabase.hashPhoneNumber()`). - Anonymized call logging (`logScreenedCall` stores `number_hash`, not raw number). **Sources:** - `CallScreeningService.kt` — `onScreenCall()`, `extractPhoneNumber()` - `SpamDatabase.kt` — `hashPhoneNumber()`, `TABLE_SPAM_NUMBERS`, `TABLE_CALL_LOG` - `WatchlistItem.kt` — `type`, `value` (phone numbers being monitored) - `SpamRule.kt` — blocking rules ### 1.4 Device & Usage Information | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | FCM device token | ✅ Yes | Firebase Cloud Messaging | Push notification delivery | Yes | | App version | ✅ Yes | `X-Client-Version` header | API compatibility, debugging | Yes | | Device platform | ✅ Yes | `X-Client-Platform: android` header | API routing, analytics | Yes | | Unique request IDs | ✅ Yes | `X-Request-ID` header | Request tracing, debugging | Yes | | Android OS version | ✅ Yes | `Build.VERSION.SDK_INT` (network requests) | Analytics, crash reporting | Yes | | Device model | ✅ Yes | Crashlytics reports | Crash debugging | Yes | | Device language/locale | ✅ Yes | User preferences | Localization | Yes | | Boot completed events | ✅ Yes | `RECEIVE_BOOT_COMPLETED` permission | Re-schedule background sync after reboot | Yes | **Sources:** - `NetworkModule.kt` — request headers, logging interceptor - `FCMService.kt` — `onNewToken()`, `registerDeviceToken()` - `KordantApp.kt` — Crashlytics initialization - `SecureStorageManager.kt` — `fcmDeviceToken` ### 1.5 App Activity & Analytics | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | App startup timing | ✅ Yes | `StartupTracker.kt` | Performance monitoring, cold start optimization | Yes | | Login/logout events | ✅ Yes | `AuthRepository.kt` | Authentication tracking | Yes | | Feature usage API calls | ✅ Yes | All API endpoints via tRPC | Service functionality | Yes | | Notification preferences | ✅ Yes | `UserPreferencesDataStore.kt` | Respect user notification choices | Yes | | Theme preferences | ✅ Yes | `UserPreferencesDataStore.kt` | User personalization | No | **Sources:** - `StartupTracker.kt` — app cold start timing - `TRPCApiService.kt` — all API endpoints - `UserPreferencesDataStore.kt` — user settings & preferences ### 1.6 Crash & Performance Data | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | Crash reports | ✅ Yes | Firebase Crashlytics | Bug fixing, app stability | Yes | | ANR traces | ✅ Yes | Android system + Crashlytics | Performance debugging | Yes | | Security violation reports | ✅ Yes | `KordantApp.reportCompromiseToBackend()` | Security monitoring | Yes | **Sources:** - `KordantApp.kt` — `initializeCrashlytics()` - `build.gradle.kts` — `firebase-crashlytics` dependency - `AndroidManifest.xml` — `firebase_crashlytics_collection_enabled=true` ### 1.7 Property & Data Broker Data | Data Type | Collected? | Source | Purpose | Required? | |-----------|-----------|--------|---------|-----------| | Property addresses | ✅ Yes | HomeTitle feature | Property title monitoring, data broker listing detection | No | | Owner names | ✅ Yes | Property records | Property ownership verification | No | | Broker listing URLs | ✅ Yes | Remove Brokers feature | Track data broker removal requests | No | | Data exposure details | ✅ Yes | DarkWatch feature | Dark web monitoring alerts | No | **Sources:** - `Property.kt` — `address`, `ownerName`, `county` - `BrokerListing.kt` — `propertyAddress`, `brokerName`, `url` - `Exposure.kt` — `type`, `source`, `details` - `WatchlistItem.kt` — PII being monitored (email, phone, SSN, etc.) --- ## 2. Data NOT Collected | Data Type | Confirmed Not Collected | Evidence | |-----------|------------------------|----------| | Precise/approximate location | ✅ Not collected | No `ACCESS_FINE_LOCATION` or `ACCESS_COARSE_LOCATION` permission in manifest | | Health & fitness data | ✅ Not collected | No health-related APIs or permissions | | SMS/MMS messages | ✅ Not collected | No `READ_SMS` or `RECEIVE_SMS` permission | | Calendar | ✅ Not collected | No calendar permissions or APIs | | Contacts | ✅ Not collected | No `READ_CONTACTS` permission | | Photos/videos | ✅ Not collected | No `CAMERA` or `READ_MEDIA_IMAGES` permission; Coil only loads from URLs | | Files & documents | ✅ Not collected | No file access permissions | | Financial info (credit card numbers) | ✅ Not collected | Stripe Checkout is handled via web; no payment card data touches the app | | Biometric data (fingerprint) | ✅ Not collected | Biometric auth uses platform biometric prompt; no biometric data collected by app | | Browsing history | ✅ Not collected | No web browsing functionality | --- ## 3. Third-Party SDK Data Collection ### 3.1 Firebase Cloud Messaging (FCM) - **Provider:** Google - **Data collected by SDK:** Device token, IP address, push notification delivery status - **Purpose:** Push notification delivery - **Data shared with third parties:** Google (for notification delivery) - **User control:** Can disable notifications in system settings or in-app preferences ### 3.2 Firebase Crashlytics - **Provider:** Google - **Data collected by SDK:** Crash traces, device model, OS version, app version, stack traces, timestamps, device locale - **Purpose:** Crash reporting, app stability monitoring - **Data shared with third parties:** Google (Firebase) - **User control:** Crashlytics collection can be disabled; enabled by default in release builds ### 3.3 Google Sign-In - **Provider:** Google - **Data collected by SDK:** Google account email, profile name, avatar URL, OAuth tokens - **Purpose:** Authentication, account creation - **Data shared with third parties:** Google (OAuth flow) - **User control:** User must explicitly tap "Sign in with Google" to initiate ### 3.4 OkHttp / Retrofit - **Provider:** Square, Inc. - **Data collected by SDK:** HTTP request/response data - **Purpose:** API networking - **Data shared with third parties:** None (logs are sanitized locally — tokens, emails, phones redacted) - **User control:** N/A ### 3.5 Stripe (via web backend) - **Provider:** Stripe, Inc. - **Data collected by SDK:** None directly on Android; payments handled via Stripe Checkout in web view - **Purpose:** Payment processing - **Data shared with third parties:** Stripe (when user initiates purchase via web view) - **User control:** User initiates payment voluntarily ### 3.6 Coil Image Loader - **Provider:** Coil (open source) - **Data collected by SDK:** None (local image caching only) - **Purpose:** Image loading and caching - **Data shared with third parties:** None - **User control:** N/A --- ## 4. Security Practices | Practice | Status | Evidence | |----------|--------|----------| | **Encryption in transit** | ✅ TLS 1.2+ | `network_security_config.xml` enforces TLS, disables cleartext | | **Certificate pinning** | ✅ Implemented | SHA-256 pin hashes for `api.kordant.com` and `staging.api.kordant.com` | | **Encryption at rest** | ✅ AES-256-GCM | `EncryptedSharedPreferences` with `MasterKey` in Android Keystore | | **Auth token storage** | ✅ Encrypted | Access and refresh tokens in `EncryptedSharedPreferences` | | **PII storage** | ✅ Encrypted | User profile JSON in `EncryptedSharedPreferences` | | **Phone number storage** | ✅ SHA-256 hashed | Phone numbers hashed before SQLite storage in `SpamDatabase` | | **API log sanitization** | ✅ Implemented | Tokens, emails, phone numbers, passwords redacted from logs | | **Secure deletion** | ✅ Implemented | `secureOverwriteAndRemove()` overwrites keys before removal | | **GDPR right to erasure** | ✅ Supported | `clearAllData()` removes all local data including preferences | | **Root detection** | ✅ Implemented | `SecurityChecker.kt` — su binary, Magisk, Busybox, test-keys, emulator detection | | **Input validation** | ✅ Server-side | Auth error messages mapped generically (`AuthErrorMapper`) | --- ## 5. Data Retention & Deletion | Data Type | Retention | Deletion Mechanism | |-----------|-----------|-------------------| | Auth tokens | Until logout or token expiry | `clearAllAuthData()` or `clearAllData()` | | Cached user profile | Until logout or overwrite | `clearUserProfile()` or `clearAllData()` | | FCM device token | Until logout | `clearAllData()` removes token | | Spam database | Until user clears or app uninstall | `SpamDatabase.clearAll()` or app data clear | | Call logs (anonymized) | 7-day stats window | Auto-purged; can clear via app settings | | User preferences | Until changed or app uninstall | `clearAll()` on DataStore | | Crashlytics data | Per Firebase retention policy | User can request deletion via Firebase console | | Backend data | Per server retention policy | User can request account deletion via settings or `privacy@kordant.com` | --- ## 6. Permissions Justifications | Permission | Purpose | Required for Core Feature? | |-----------|---------|---------------------------| | `INTERNET` | API communication | Yes | | `ACCESS_NETWORK_STATE` | Network status checks | Yes | | `POST_NOTIFICATIONS` | Android 13+ notification permission | Yes | | `READ_PHONE_STATE` | Call screening, incoming call detection | Conditional (Call Screening) | | `ANSWER_PHONE_CALLS` | Call screening service | Conditional (Call Screening) | | `RECORD_AUDIO` | VoicePrint enrollment | Conditional (VoicePrint) | | `RECEIVE_BOOT_COMPLETED` | Re-schedule background sync | Yes | | `FOREGROUND_SERVICE` | Call screening foreground service | Yes | | `WAKE_LOCK` | Background sync processing | Yes | | `UPDATE_WIDGETS` | Home screen widget updates | Conditional (Widget) | | `BIND_CALL_SCREENING_SERVICE` | Android 10+ call screening role | Conditional (Call Screening) | --- ## 7. Google Play Data Safety Form Answers ### 7.1 Data Collection Overview | Google Category | Collected? | Data Types | Purposes | |----------------|-----------|-----------|----------| | **Location** | ❌ No | — | — | | **Personal info** | ✅ Yes | Name, email, phone, user ID | App functionality, personalization, account management | | **Financial info** | ⚠️ Indirect | Payment method via Stripe web checkout | Payment processing (handled off-device) | | **Health & fitness** | ❌ No | — | — | | **Messages** | ❌ No | — | — | | **Photos & videos** | ❌ No | — | — | | **Audio files** | ✅ Yes | Voice recordings | App functionality (VoicePrint) | | **Files & docs** | ❌ No | — | — | | **Calendar** | ❌ No | — | — | | **Contacts** | ❌ No | — | — | | **App activity** | ✅ Yes | App interactions, search history, installed apps (security check) | Analytics, fraud prevention, security | | **Web browsing** | ❌ No | — | — | | **App info & performance** | ✅ Yes | Crash logs, diagnostics, other performance data | Analytics, fraud prevention | | **Device & other IDs** | ✅ Yes | Device ID, FCM token | Analytics, fraud prevention | ### 7.2 Data Sharing **Does the app share data with third parties?** - ✅ Yes — Firebase (Google) for crash reporting and push notifications - ✅ Yes — Stripe (when user visits billing portal web view) - ❌ No — The app does not sell user data ### 7.3 Security Practices | Question | Answer | |----------|--------| | Data encrypted in transit? | ✅ Yes — All API traffic uses TLS 1.2+ | | Data encrypted at rest? | ✅ Yes — AES-256-GCM via EncryptedSharedPreferences | | User can request data deletion? | ✅ Yes — Account deletion available in settings and via privacy@kordant.com | | Independent security review? | ⚠️ Pending — External security audit planned before production launch | --- ## 8. Third-Party SDK Declaration | SDK | Data Types | Purposes | Collected? | |-----|-----------|---------|-----------| | Firebase Cloud Messaging | Device ID, device token | Push notifications | Yes | | Firebase Crashlytics | Crash logs, device info, app version | Crash analytics | Yes | | Google Sign-In | Name, email, avatar | Authentication | Yes (user-initiated) | | Stripe (via web) | Payment card info | Payment processing | No (off-device) | --- ## 9. Privacy Policy Requirements The privacy policy must cover: - [x] What data is collected (all types listed above) - [x] How data is collected (registration, in-app, via SDKs) - [x] Why data is collected (purposes listed per type) - [x] How data is stored (encrypted at rest, encrypted in transit) - [x] Third-party data sharing (Firebase, Stripe, Google) - [x] User rights (access, correction, deletion, export) - [x] Contact information (privacy@kordant.com) - [x] Data retention policy - [x] Children's privacy (COPPA compliance statement) - [x] International transfers (GDPR compliance) - [x] Policy update mechanism - [x] Accessible without login --- ## 10. Validation Checklist - [ ] Data Safety form answers match this audit - [ ] Privacy policy URL is live and accessible without login - [ ] Privacy policy covers all declared data types - [ ] Third-party SDKs declared with correct data types - [ ] Deletion request mechanism works (settings + email) - [ ] TLS 1.3 is active (verified via network_security_config.xml) - [ ] All permissions are justified with in-app rationale dialogs - [ ] Data collection is honest and accurate (no false claims) - [ ] No location data collected despite no permission declared - [ ] Voice data collection is explicitly declared - [ ] Analytics data collection is accurate - [ ] Security practices documentation is complete