|
| 1 | +# Google Play Data Safety Worksheet |
| 2 | + |
| 3 | +This worksheet advances release issue #441 under parent track #464. It is not a |
| 4 | +final Google Play declaration and must not be pasted into Play Console until the |
| 5 | +open prerequisites below are resolved. |
| 6 | + |
| 7 | +## Status |
| 8 | + |
| 9 | +Current status: externally blocked. |
| 10 | + |
| 11 | +Blocking prerequisites: |
| 12 | + |
| 13 | +| Input | Source issue | Status on 2026-05-10 | Why it blocks submission | |
| 14 | +| --- | --- | --- | --- | |
| 15 | +| Approved privacy policy text | #434 | Open, manual | Google Play requires a privacy policy and the Data safety answers must match it. | |
| 16 | +| Backend deletion and retention truth | #439 | Open, manual/backend | Data deletion support, retention exceptions, and associated data deletion are server-side facts. | |
| 17 | +| External account deletion request URL | #440 | Open, manual | Play requires an outside-app deletion path for apps with accounts. | |
| 18 | +| Manifest permission audit | #442 | Closed | Evidence is available in `docs/Android-Manifest-Permissions.md`. | |
| 19 | +| Final release SDK/provider set | #441 prerequisite | Pending owner confirmation | SDK data collection must match the shipped release build. | |
| 20 | + |
| 21 | +Google's current guidance says developers are responsible for complete and |
| 22 | +accurate declarations, including data handled by third-party SDKs, and should |
| 23 | +review app permissions, APIs, SDK behavior, privacy policy, encryption, sharing, |
| 24 | +and deletion practices before submitting the form: |
| 25 | + |
| 26 | +- https://support.google.com/googleplay/android-developer/answer/10787469 |
| 27 | +- https://developers.google.com/android/guides/play-data-disclosure |
| 28 | +- https://firebase.google.com/docs/android/play-data-disclosure |
| 29 | + |
| 30 | +## Source Evidence Reviewed |
| 31 | + |
| 32 | +Repo evidence reviewed for this worksheet: |
| 33 | + |
| 34 | +- `pubspec.yaml` |
| 35 | +- `lib/core/constants/endpoint.dart` |
| 36 | +- `lib/data/data_sources/authentication_remote_data_source.dart` |
| 37 | +- `lib/data/data_sources/schedule_remote_data_source.dart` |
| 38 | +- `lib/data/data_sources/preparation_remote_data_source.dart` |
| 39 | +- `lib/data/data_sources/alarm_remote_data_source.dart` |
| 40 | +- `lib/data/data_sources/notification_remote_data_source.dart` |
| 41 | +- `lib/data/data_sources/token_local_data_source.dart` |
| 42 | +- `lib/data/repositories/user_repository_impl.dart` |
| 43 | +- `lib/domain/entities/user_entity.dart` |
| 44 | +- `lib/domain/entities/schedule_entity.dart` |
| 45 | +- `lib/domain/entities/place_entity.dart` |
| 46 | +- `lib/domain/entities/alarm_entities.dart` |
| 47 | +- `docs/Android-Manifest-Permissions.md` |
| 48 | +- `docs/Release-Checklist.md` |
| 49 | + |
| 50 | +## Current App Data Flow Inventory |
| 51 | + |
| 52 | +This table maps current source evidence to likely Google Play Data safety review |
| 53 | +areas. Final categories, required or optional status, purposes, sharing, and |
| 54 | +deletion support must be approved by the release owner. |
| 55 | + |
| 56 | +| Data flow | Current source evidence | Likely form area | Current confidence | |
| 57 | +| --- | --- | --- | --- | |
| 58 | +| Account sign-up and sign-in | Normal auth sends email, password, and name to `/login` and `/sign-up`; user responses include id, email, name, spare time, note, score. | Personal info, account management, app functionality | Source-backed, backend retention pending | |
| 59 | +| Google sign-in | Google auth requests `email` and `profile` scopes and sends an ID token to `/oauth2/google/login`. | Personal info and identifiers handled through Google sign-in | Source-backed, final provider set pending | |
| 60 | +| Apple sign-in | Apple auth requests email and full name scopes and sends ID token, auth code, full name, and optional email to `/oauth2/apple/login`. | Personal info and identifiers handled through Apple sign-in | Source-backed, final provider set pending | |
| 61 | +| Auth tokens | Access and refresh tokens are stored in `flutter_secure_storage` and sent as bearer authorization headers. | Security credential handling, not a Play user-facing data category by itself unless policy owner maps it | Source-backed, policy mapping pending | |
| 62 | +| Schedules | Schedule create/update sends schedule id, place id, place name, schedule name, schedule time, move time, spare time, started/change flags, and schedule note. | App activity, user-generated content, possible location/place information | Source-backed, final category mapping pending | |
| 63 | +| Preparation steps and spare time | Default and schedule preparation APIs send preparation ids, names, durations, ordering links, spare time, and note. | App activity or user-generated content | Source-backed, final category mapping pending | |
| 64 | +| Feedback and deletion feedback | Feedback endpoints send generated feedback id and free-text message; deletion can include optional feedback. | App activity or user-generated content, depending on final policy wording | Source-backed, backend retention pending | |
| 65 | +| Push notification registration | FCM token registration sends `firebaseToken` and app-generated `deviceId` to `/firebase-token`. | Device or other identifiers, app functionality | Source-backed, SDK disclosure pending | |
| 66 | +| Alarm device registration | Current device registration sends app-generated device id, platform, app version, OS version, native alarm support, and alarm providers. | Device or other identifiers, app info and performance | Source-backed, backend retention pending | |
| 67 | +| Alarm status reporting | Alarm status reports send device id, reconciliation timestamps, schedule window, coverage window, alarm provider, status, permission issue, armed schedule ids, skipped count, and failures. | App info and performance, diagnostics, device or other identifiers | Source-backed, backend retention pending | |
| 68 | +| Local alarm registry | Scheduled alarm records are stored locally with schedule id, alarm time, preparation start time, fingerprint, notification ids, provider, schedule title, and payload. | On-device storage; disclose only if transmitted or shared elsewhere | Source-backed | |
| 69 | +| Android permissions | Release manifest includes notification, exact alarm, full-screen intent, boot restore, vibration, and dependency-owned network/Firebase/sign-in permissions. It does not include location, contacts, camera, microphone, phone, SMS, storage, calendar, nearby-device, or Bluetooth permissions. | Permission/API evidence for form consistency | Source-backed by #442 | |
| 70 | +| Firebase Cloud Messaging SDK | The app uses `firebase_core` and `firebase_messaging`. Firebase documentation says Cloud Messaging collects app version automatically and depends on Firebase Installations; FID and Firebase user agent handling must be considered. | SDK-collected data, device or other identifiers, app info and performance | Source-backed dependency, final SDK review pending | |
| 71 | +| Google Play services core SDKs | Google Play services base/basement/tasks may be present through dependencies. Google's disclosure page says the listed core SDKs do not collect end-user data, but app owners remain responsible for the overall disclosure. | SDK review | Dependency review pending | |
| 72 | + |
| 73 | +## Answers That Must Stay Pending |
| 74 | + |
| 75 | +Do not finalize these fields until the owners listed below provide the missing |
| 76 | +facts. |
| 77 | + |
| 78 | +| Field or decision | Required owner input | |
| 79 | +| --- | --- | |
| 80 | +| Whether each collected data type is required or optional | Product owner and source review. | |
| 81 | +| Whether any data is shared outside service-provider processing | Backend owner, Firebase/Google configuration owner, and privacy owner. | |
| 82 | +| Backend retention period for accounts, schedules, preparations, feedback, FCM tokens, device registrations, alarm status, and logs | Backend owner. | |
| 83 | +| Whether deletion requests delete or anonymize each associated data type, and within what time window | Backend owner and privacy owner. | |
| 84 | +| Whether any data is retained for legal compliance, security, abuse prevention, or operations | Backend owner and legal/product owner. | |
| 85 | +| Final privacy policy URL and exact text | Product/legal owner and #434/#435. | |
| 86 | +| External account deletion request URL and page content | Web/backend owner and #440. | |
| 87 | +| Final active auth providers for Android release | Release owner. Current source supports normal, Google, and Apple paths; Kakao dependencies are present but no active release flow was found in the checked auth path. | |
| 88 | +| Firebase optional exports such as FCM delivery metrics to BigQuery or Analytics-linked notification interaction events | Firebase project owner. No Analytics dependency was found in `pubspec.yaml`, but console settings must still be checked. | |
| 89 | +| Play Console submission | Play Console owner. | |
| 90 | + |
| 91 | +## Pre-Submission Checklist |
| 92 | + |
| 93 | +1. Confirm the release build's exact dependency set and SDK configuration. |
| 94 | +2. Re-run the source audit after final release branch changes. |
| 95 | +3. Confirm backend deletion and retention behavior for normal, Google, and Apple |
| 96 | + account paths. |
| 97 | +4. Approve the privacy policy and verify every declared data type appears in it. |
| 98 | +5. Verify the public privacy policy URL works without login and is the same URL |
| 99 | + used in app and Play Console. |
| 100 | +6. Verify the public account deletion URL works without installing or opening |
| 101 | + the app and explains deleted and retained data. |
| 102 | +7. Enter the Data safety form in Play Console from this worksheet plus approved |
| 103 | + owner answers. |
| 104 | +8. Save the final submitted answers back into release documentation, replacing |
| 105 | + or appending to this worksheet. |
| 106 | + |
| 107 | +## Suggested Final Documentation Template |
| 108 | + |
| 109 | +After Play Console submission, append a section named `Submitted Answers` with: |
| 110 | + |
| 111 | +- Submission date and Play Console owner. |
| 112 | +- Privacy policy URL. |
| 113 | +- Account deletion URL. |
| 114 | +- Data types declared as collected. |
| 115 | +- Data types declared as shared, if any. |
| 116 | +- Purpose, required/optional status, and deletion support for each data type. |
| 117 | +- Encryption in transit answer. |
| 118 | +- Any retained data exceptions and retention period. |
| 119 | +- Evidence screenshots or links stored outside git, if applicable. |
0 commit comments