Kordant/android/docs/data-safety-form.md
# Google Play Data Safety Form — Kordant Android
> **Last updated:** 2026-06-01
> **Package:** `com.kordant.android`
> **Instructions:** Use this document to fill out the Play Console Data Safety section at
> **Play Console → Your app → App content → Data safety**
---
## Section 1: Data Collection & Sharing
### Q1: Does your app collect or share any of the required user data types?
**Answer:** ✅ Yes
### Q2: Is all of the user data collected by your app encrypted in transit?
**Answer:** ✅ Yes
All API communication uses TLS 1.2+, enforced via `network_security_config.xml`.
Cleartext traffic is blocked at the platform level.
### Q3: Do you provide a way for users to request that their data is deleted?
**Answer:** ✅ Yes
Users can delete their data via:
1. **In-app:** Settings → Delete Account (calls backend API + clears all local data)
2. **Email:** privacy@kordant.com with data deletion request
3. **Backend:** Account deletion endpoint (`/api/trpc/user.delete`)
4. **Local effect:** `clearAllData()` on EncryptedSharedPreferences + DataStore + CacheManager
### Q4: Has your app been independently reviewed against a global security standard?
**Answer:** ⚠️ No (planned before production launch)
External security audit by a third party is planned but not yet completed.
---
## Section 2: Data Type Declarations
### 2.1 Location
**Do you collect precise or approximate location?**
**Answer:** ❌ No
Evidence: No `ACCESS_FINE_LOCATION` or `ACCESS_COARSE_LOCATION` permission in AndroidManifest.xml.
---
### 2.2 Personal Info
**Do you collect any personal info?**
**Answer:** ✅ Yes
| Data Type | Collected | Shared | Ephemeral | Purposes |
|-----------|-----------|--------|-----------|----------|
| **Name** | ✅ Yes | ❌ No | ❌ No | App functionality, Personalization, Account management |
| **Email address** | ✅ Yes | ❌ No | ❌ No | App functionality, Personalization, Account management |
| **Phone number** | ✅ Yes | ❌ No | ❌ No | App functionality, Personalization |
| **User IDs** | ✅ Yes | ❌ No | ❌ No | App functionality, Account management |
| **Address** | ✅ Yes | ❌ No | ❌ No | App functionality (HomeTitle property monitoring) |
| **Other info (avatar)** | ✅ Yes | ❌ No | ❌ No | Personalization |
**Details:**
- Name, email, and user ID collected at account registration (mandatory)
- Phone number collected optionally for spam call detection
- Address collected optionally for property monitoring
- Stored encrypted in `EncryptedSharedPreferences` and on the backend server
- Shared only with the app's backend API via TLS-encrypted connections
---
### 2.3 Financial Info
**Do you collect financial info?**
**Answer:** ❌ No (on-device)
Stripe Checkout and billing portal are handled via web views. Payment card data goes directly to Stripe and never touches the Kordant Android app.
**Exception:** Subscription tier and billing status are retrieved from the backend API (`/api/trpc/billing.*`), but no raw financial data (credit card numbers, bank accounts) is collected by the app.
---
### 2.4 Health & Fitness
**Do you collect health or fitness data?**
**Answer:** ❌ No
---
### 2.5 Messages
**Do you collect messages?**
**Answer:** ❌ No
No SMS, MMS, or in-app messaging data is collected.
---
### 2.6 Photos & Videos
**Do you collect photos or videos?**
**Answer:** ❌ No
The app loads images from URLs (avatars, property photos) via Coil image loader, but does not capture or store photos/videos. No `CAMERA` or storage permissions are declared.
---
### 2.7 Audio Files
**Do you collect audio files?**
**Answer:** ✅ Yes
| Data Type | Collected | Shared | Ephemeral | Purposes |
|-----------|-----------|--------|-----------|----------|
| **Voice recordings** | ✅ Yes | ❌ No | ❌ No | App functionality (VoicePrint) |
| **Audio analysis results** | ✅ Yes | ❌ No | ❌ No | App functionality (VoicePrint) |
**Details:**
- Voice recordings are collected as part of the VoicePrint feature for voice-based caller identification
- User must explicitly enroll and grant `RECORD_AUDIO` permission
- Recordings are sent to the backend for voice analysis
- Analysis results are stored for matching incoming calls
- Not shared with third parties
- Stored encrypted in transit (TLS) and at rest on the backend
---
### 2.8 Files & Docs
**Do you collect files or documents?**
**Answer:** ❌ No
---
### 2.9 Calendar
**Do you collect calendar events?**
**Answer:** ❌ No
---
### 2.10 Contacts
**Do you collect contacts?**
**Answer:** ❌ No
The app does not access the device contacts book. No `READ_CONTACTS` permission.
**Note:** Call screening receives incoming phone numbers via the Android telecom system, but does not read the user's contact list.
---
### 2.11 App Activity
**Do you collect app activity data?**
**Answer:** ✅ Yes
| Data Type | Collected | Shared | Ephemeral | Purposes |
|-----------|-----------|--------|-----------|----------|
| **App interactions** | ✅ Yes | ❌ No | ❌ No | Analytics, Fraud prevention |
| **Installed apps (security check)** | ✅ Yes | ❌ No | ✅ Ephemeral | Fraud prevention, Security |
| **In-app search history** | ✅ Yes | ❌ No | ❌ No | Analytics, Personalization |
| **Other user-generated content** | ✅ Yes | ❌ No | ❌ No | App functionality |
**Details:**
- App interactions tracked via API calls and analytics (startup timing, feature usage)
- Installed apps list checked only during root detection (`SecurityChecker.kt`) — checked ephemerally, not stored
- Watchlist items, property addresses, and exposure reports are user-generated content
- App activity is used for fraud prevention (root detection) and improving the service
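What "checked ephemerally, not stored" means in code, as an added illustration (not the project's `SecurityChecker.kt`): the installed-app signal is reduced to a single Boolean inside the function and nothing about the package list is logged, persisted or transmitted. The package names and the per-package lookup (rather than enumerating the whole list) are assumptions for this example.

```kotlin
import android.content.pm.PackageManager

// Constructed list of well-known root-management packages used purely as a
// signal; the project's own list is not shown on the page.
private val ROOT_MANAGEMENT_PACKAGES = listOf(
    "com.topjohnwu.magisk",
    "eu.chainfire.supersu",
)

// Returns true if any known root-management package is installed.
// The installed-app information never leaves this function: no list is
// built, logged, written to storage or sent to the backend. Only the
// resulting Boolean reaches the fraud-prevention decision, which is what
// the "Ephemeral" column in the form asserts.
fun hasRootManagementApp(pm: PackageManager): Boolean =
    ROOT_MANAGEMENT_PACKAGES.any { pkg ->
        try {
            pm.getPackageInfo(pkg, 0)
            true
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }
    }
```

On Android 11 and later, package visibility filtering makes `getPackageInfo` throw `NameNotFoundException` for packages the app has not declared in a `<queries>` element in its manifest, so each name checked this way needs a matching `<package android:name="..."/>` entry; otherwise the check silently reports "not installed".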
---
### 2.12 Web Browsing
**Do you collect web browsing history?**
**Answer:** ❌ No
---
### 2.13 App Info & Performance
**Do you collect app info and performance data?**
**Answer:** ✅ Yes
| Data Type | Collected | Shared | Ephemeral | Purposes |
|-----------|-----------|--------|-----------|----------|
| **Crash logs** | ✅ Yes | ✅ Yes (Firebase) | ❌ No | Analytics, Fraud prevention |
| **Performance data** | ✅ Yes | ❌ No | ❌ No | Analytics |
| **Other diagnostics** | ✅ Yes | ❌ No | ❌ No | Analytics |
**Details:**
- Crash logs are collected via Firebase Crashlytics and sent to Google's Firebase servers
- Performance data includes app startup timing (`StartupTracker.kt`)
- Diagnostics include ANR traces and network request timing
- Crashlytics is enabled for both debug and release builds
---
### 2.14 Device & Other IDs
**Do you collect device IDs?**
**Answer:** ✅ Yes
| Data Type | Collected | Shared | Ephemeral | Purposes |
|-----------|-----------|--------|-----------|----------|
| **Device ID / FCM token** | ✅ Yes | ❌ No | ❌ No | Analytics, App functionality |
**Details:**
- FCM device token is collected for push notification delivery
- A unique request ID is generated for each API call (`X-Request-ID` header)
- Device platform and app version are sent with every API request
- No Android Advertising ID or device serial number is collected
---
## Section 3: Data Sharing Declaration
### Do you share user data with third parties?
**Answer:** ✅ Yes — Limited sharing
| Third Party | Data Shared | Purpose | Type |
|------------|-------------|---------|------|
| **Firebase Crashlytics (Google)** | Crash logs, device info, app version | Crash analytics | SDK |
| **Firebase Cloud Messaging (Google)** | Device token, notification delivery data | Push notifications | SDK |
| **Google Sign-In (Google)** | OAuth tokens, profile info | Authentication | SDK |
| **Stripe** | N/A on device (payment processed via web) | Payment processing | Web view |
### Do you sell user data?
**Answer:** ❌ No
The app does not sell user data to any third party.
---
## Section 4: Security Practices Summary
| Practice | Status | Notes |
|----------|--------|-------|
| **Encryption in transit** | ✅ TLS 1.2+ | All API traffic; cleartext blocked by `network_security_config.xml` |
| **Encryption at rest** | ✅ AES-256-GCM | EncryptedSharedPreferences with MasterKey in Android Keystore |
| **User data deletion** | ✅ Available | In-app account deletion + privacy@kordant.com |
| **Security review** | ⚠️ Pending | External audit planned before production launch |
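The two rows above that reviewers most often ask for evidence on, encryption at rest and user data deletion, together with the Q3 deletion flow (backend call, then `clearAllData()` over EncryptedSharedPreferences, DataStore and the cache), as an added Kotlin example. This is illustrative code, not the Kordant app's own; the `KordantApi` interface, the preferences file name and the use of `cacheDir` as a stand-in for the project's `CacheManager` are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.datastore.core.DataStore
import androidx.datastore.preferences.core.Preferences
import androidx.datastore.preferences.core.edit
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Hypothetical minimal view of the backend client; the real client is not
// part of this example.
interface KordantApi {
    // Calls the account deletion endpoint (/api/trpc/user.delete) and
    // returns true once the server confirms the account is gone.
    suspend fun deleteUser(): Boolean
}

// Encryption at rest: values are encrypted with AES-256-GCM under a key
// held in the Android Keystore (MasterKey.KeyScheme.AES256_GCM). Preference
// keys use AES-256-SIV so they stay deterministic and remain looked-up-able.
fun openSecurePrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "kordant_secure_prefs", // assumed file name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
    )
}

// Account deletion: the server is asked first, and local state is wiped
// only on success, so a failed request leaves the user able to retry
// rather than with a half-deleted account.
suspend fun deleteAccount(
    context: Context,
    api: KordantApi,
    securePrefs: SharedPreferences,
    dataStore: DataStore<Preferences>,
): Boolean {
    if (!api.deleteUser()) return false
    clearAllData(context, securePrefs, dataStore)
    return true
}

// Local wipe covering the three stores named in the form.
suspend fun clearAllData(
    context: Context,
    securePrefs: SharedPreferences,
    dataStore: DataStore<Preferences>,
) {
    // commit() rather than apply(): block until the encrypted file is rewritten.
    securePrefs.edit().clear().commit()
    dataStore.edit { it.clear() }
    // Stand-in for the project's CacheManager (not shown on the page):
    // Coil's disk image cache and any HTTP cache live under cacheDir.
    context.cacheDir.deleteRecursively()
}
```

The ordering matters for the deletion claim in Q3: if the local wipe ran first and the backend call then failed, the device would look clean while the account still existed server-side, and the user would have no in-app way to retry.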
---
## Section 5: Play Console Entry Map
Use the following to navigate directly to the right sections:
1. **Play Console** → Select app → **App content** → **Data safety**
2. Click **"Start"** (or **"Manage"** if already started)
3. Follow the sections above for each question
4. For "Does your app collect or share any of the required user data types?" → **Answer Yes**
5. Fill in each data type section as documented above
6. In **Security practices**, check:
   - [x] Data encrypted in transit (TLS 1.3)
   - [x] Data encrypted at rest (EncryptedSharedPreferences)
   - [x] User can request data deletion
7. For **Independent security review** → Leave unchecked (pending)
8. Add **Privacy Policy URL**: `https://kordant.com/privacy`
---
## Section 6: Validation After Submission
After completing the form in Play Console, verify:
- [ ] Every question has an answer (no blanks)
- [ ] Crashlytics data sharing is accurately declared
- [ ] FCM data collection is accurately declared
- [ ] Google Sign-In data collection is accurately declared
- [ ] Voice recording collection is accurately declared
- [ ] No location data is declared (since not collected)
- [ ] "Data shared with third parties" accurately reflects Firebase/Google
- [ ] "Data encrypted in transit" is checked
- [ ] "User can request data deletion" is checked
- [ ] Privacy policy URL is linked and accessible
- [ ] Answers match the data collection audit document