Data protection
Privacy Policy
We stay transparent — here is everything about how the oAlert.pl app processes your data.
Version 2025-11-26, effective from 2025-11-26.
Data Safety Summary (Google Play)
This summary provides key information required by Google Play Store about how oAlert collects, uses, and protects your data.
- DATA COLLECTED: Device identifiers (Android ID, identifierForVendor), device info (model, OS version, app version), IP address, push notification tokens (FCM/APNS), optional bug report data (description, email, photos), barcode scans (EAN codes sent to backend).
- DATA SHARED: Push tokens shared with Firebase Cloud Messaging and Apple Push Notification service for notification delivery. Device headers shared with oAlert backend for compatibility checks. Advertising ID may be shared with Google Mobile Ads SDK and AppLovin (iOS) for ad delivery. Analytics data shared with Firebase Analytics (Android only).
- DATA USAGE: Delivering product safety alerts, sending push notifications, displaying advertisements, improving app stability, troubleshooting crashes, barcode scanning for alert lookup.
- SECURITY PRACTICES: All data transmitted via encrypted HTTPS/TLS connections. No personal data stored on servers except push tokens and optional bug reports. Local data encrypted on device. Server access restricted.
- DATA RETENTION: Local cache deleted on app uninstall. Push tokens removed after 18 months of inactivity. Server logs kept for approximately one year. Bug reports kept for 12 months after resolution.
- USER RIGHTS: You can request access, deletion, or correction of your data by contacting [email protected]. You can delete local data via in-app reset. You can disable push notifications at any time.
- THIRD-PARTY ACCESS: Firebase (Google), Google Mobile Ads SDK, AppLovin SDK (iOS), ML Kit (Google). These parties operate under their own privacy policies.
- NO SELLING OF DATA: We do not sell, rent, or trade your personal data to third parties for marketing purposes.
1. Data controller
The oAlert mobile application (available at oAlert.pl) is operated by a private individual in Poland who created oAlert and personally acts as the controller of personal data processed within the Application.
For privacy requests or questions please write to [email protected].
2. Data stored directly on your device
We design features so that the most sensitive information stays on your device. The following items are written to local storage (UserDefaults/cache on iOS, Room Database/DataStore on Android) and never leave the device unless you explicitly include them in a support message:
- Alerts (product names, categories, shops, alert types, risk levels) downloaded from our backend are cached only to show lists, statistics and filters. They are deleted when you use the in-app "Reset/clear" option or uninstall the Application.
- User notes – free text attached to a specific alert. Notes remain in local storage (UserDefaults on iOS, Room/DataStore on Android) and are not uploaded anywhere. You may export notes to PDF or share them, but this happens locally on your device.
- Favourite alerts and "read" statuses – identifiers kept locally so the "Important" list and the red highlighting of new alerts work. The identifiers never leave the device.
- Filters, onboarding progress, consent prompts (ATT/push on iOS, notification permission on Android) and decisions about badges or tips – stored locally to remember your choices.
- Statistics and filtering results – the Application computes them locally on the cached alerts (e.g. monthly counts or top categories). No aggregated metrics are transmitted.
- Debug logs (AppLogger on iOS) generated in development or beta builds stay on the device and are cleared with the Application.
3. Device information sent to our backend
Every network call to refresh alerts, register a token or send feedback includes limited diagnostics so we can ensure compatibility and detect abuse. The data is delivered only to the oAlert backend via encrypted HTTPS connections.
- HTTP headers: X-App-Version, X-App-Build, X-OS-Version (X-iOS-Version on iOS, Android version on Android), X-Device-Model, X-Device-ID (identifierForVendor on iOS, Android ID on Android) and X-Platform. They help us troubleshoot crashes and verify that your device can handle the newest features.
- User-Agent header containing application name and version information.
- IP address and request metadata stored in access logs. These logs are automatically deleted after 90 days. Logs may be kept longer if required for security incidents or legal reasons.
4. Features that require additional data
Certain functions send extra fields so they can work as intended:
- Push notifications – we register the push notification token (APNS on iOS, FCM on Android) together with platform, locale, device model and device identifier (identifierForVendor on iOS, Android ID on Android). Tokens are used solely to deliver alerts and are removed once you disable notifications or after long-term inactivity. Push payloads may contain alert identifiers or small snippets to refresh the local cache; optional attachments are downloaded temporarily and discarded immediately after the notification is shown. On Android, WorkManager may trigger background fetch after receiving a push notification.
- Bug report – if you send a report we receive the description (max. 2,000 characters), an optional e-mail address, the Firebase device token and optional photo attachments. The data is not shared outside oAlert and is kept only for handling the ticket.
- Barcode scanner / camera – requires camera permission. On iOS the camera uses AVFoundation, on Android it uses CameraX and ML Kit Barcode Scanning. The camera works only while you keep the scanner screen open. Frames are not recorded, images are processed locally, and the decoded barcode (EAN) is treated like a local search phrase and may be sent to the backend to find matching alerts.
- Statistics and filtering – all calculations happen on-device. We do not upload summary data or personal insights.
- Advertisement tracking (Android) – when ads are displayed, the Application sends tracking events to the backend including display location, ad type, and states from ad management services. This may indirectly use the Google Advertising ID through Google Mobile Ads SDK.
5. Legal bases and purposes
Providing access to alerts, favourites, filters, scanner and local history – Article 6(1)(b) GDPR (performance of a service requested by the user).
Diagnostics, security monitoring and log retention – Article 6(1)(f) GDPR (legitimate interest of keeping the Application reliable).
Push notifications, optional reminders and marketing communication – Article 6(1)(a) GDPR when you grant consent and Article 6(1)(f) GDPR for operational notifications.
Displaying ads and funding the Application through partner SDKs – Article 6(1)(a) GDPR (ATT consent on iOS, notification consent on Android) and Article 6(1)(f) GDPR (legitimate interest of financing development).
Analytics and usage tracking (Android) – Article 6(1)(f) GDPR for Firebase Analytics to improve application stability and user experience.
6. Sharing and third-party SDKs
We share data only when it is necessary to deliver the service:
- oAlert backend – receives alert queries, filters, headers and bug reports. We do not send this data to other partners. On Android, communication uses Retrofit/OkHttp libraries; responses may be encrypted and decrypted locally using APIEncryptionHelper.
- Apple Push Notification service (APNS) and Firebase Cloud Messaging (FCM) – process device tokens and payloads exclusively to deliver notifications.
- Firebase (FirebaseCore, FirebaseMessaging, FirebaseAnalytics on Android) – manages push registration and token refresh. On Android, Firebase Analytics collects standard app usage events following Google privacy documentation.
- Google Mobile Ads SDK – renders banners, rewarded, App Open, interstitial and native/video ads. On iOS it requires ATT consent before accessing advertising identifiers. On Android it may access the Google Advertising ID. It follows Google's privacy documentation.
- AppLovinSDK (iOS only) – renders additional ad formats following their privacy documentation.
- App Tracking Transparency (ATT) prompt (iOS only) – shown by iOS; your decision is stored locally and is read only by Apple and, if you allow tracking, by the ad SDKs.
- ML Kit Barcode Scanning (Android only) – processes camera frames locally on device to decode EAN barcodes. No images leave your device.
- Additional Android libraries – Coil (image loading), Vico (statistics charts), ExoPlayer (video playback in ads), Accompanist (permissions UI, swipe-to-refresh), WorkManager (background tasks), Room Database and DataStore (local storage). These libraries operate entirely on-device.
- AVFoundation/Speech (iOS only) – used by the operating system or ad SDKs to play audio/video and optional text-to-speech elements. No extra telemetry is sent by us.
- Network communication – on iOS the Application uses URLSession, on Android it uses Retrofit/OkHttp. All connections are to the oAlert backend only; we do not call external analytic services beyond Firebase Analytics on Android.
7. Retention and deletion
Local caches, favourites, notes, filters and permissions disappear automatically when you uninstall the Application or use the in-app reset feature.
Push tokens are purged when Apple or Google mark them as invalid or after 18 months of inactivity. You can also delete them by disabling notifications.
Bug reports and attachments are kept for up to 12 months after the ticket is resolved so we can analyse recurring defects.
Server logs (API requests and search events) containing diagnostic headers are automatically deleted after 90 days. Logs may be stored longer if required for security incidents or legal compliance.
8. Your rights and security
You have the right to access, rectify, erase, restrict or object to the processing of your data, and to receive a copy of the data provided to us.
All connections use HTTPS/TLS, access to infrastructure is limited, and we monitor anomalies to keep diagnostic data free of personal content.
To exercise your rights contact us via [email protected]. You can also complain to the Polish Data Protection Office (UODO).
9. How to delete your data
To delete your data from our servers, contact us at [email protected] with your request. We will delete: (1) your push notification token (FCM/APNS) – this will stop you from receiving push notifications; (2) server logs containing your device identifier (Android ID or identifierForVendor); (3) any bug reports you submitted (if you provide the email address used in the report).
Note: Most data (alerts, notes, favourites, statistics, filters) is stored only on your device and is automatically deleted when you uninstall the Application or use the in-app "Reset/clear" feature. We cannot delete data that exists only on your device – you must do this yourself.
10. Website cookies and analytics
The oAlert.pl website uses cookies and third-party services to analyze traffic and measure advertising effectiveness. This section applies only to website visitors, not mobile app users.
- Google Ads (gtag.js) – We use Google Ads conversion tracking (ID: AW-17864085751) to measure the effectiveness of advertising campaigns. This service sets cookies on your device and may collect information such as: IP address, browser type, device information, pages visited, and time spent on the site.
- Cookie consent banner – When you first visit the website, you will see a cookie consent banner. You can choose to accept all cookies, only necessary cookies, or manage your preferences. Your choice is stored in your browser's localStorage.
- Cookie categories: (1) Necessary cookies – required for basic website functionality, always enabled; (2) Analytics cookies – Google Analytics cookies (_ga, _gid) used to understand how visitors use the website, retained for up to 2 years; (3) Marketing cookies – Google Ads cookies (_gcl_*) used for conversion tracking and remarketing, retained for up to 90 days.
- Google Consent Mode v2 – We implement Google Consent Mode to respect your privacy choices. If you reject analytics or marketing cookies, Google tags will operate in limited mode without collecting personal data.
- Legal basis – Article 6(1)(a) GDPR (consent) for analytics and marketing cookies. Necessary cookies are based on Article 6(1)(f) GDPR (legitimate interest in website operation).
- Third-party data processing – Google LLC processes data as a processor under their Privacy Policy (https://policies.google.com/privacy). Data may be transferred to the United States under the EU-US Data Privacy Framework.
- Your rights – You can withdraw consent at any time by clicking "Manage preferences" in the cookie banner, or by clearing your browser cookies. You can also opt out of personalized advertising at https://www.google.com/settings/ads.
11. Updates to this document
We may update the Privacy Policy when we add features, integrate new SDKs or when legal requirements change. The latest version is always available inside the Application and on oAlert.pl.
Contact
Private owner of oAlert
[email protected]