|
| 1 | +# OnTime Privacy Policy Draft |
| 2 | + |
| 3 | +Draft status: not approved for publication. Prepared for issue #434 under |
| 4 | +parent track #464 on 2026-05-10. |
| 5 | + |
| 6 | +Do not publish this document until every `TODO` is resolved and a product/legal |
| 7 | +owner approves the final text. Backend account and data deletion behavior is |
| 8 | +still pending verification in #439, so the retention and deletion language below |
| 9 | +is intentionally incomplete. |
| 10 | + |
| 11 | +## Approval Blockers |
| 12 | + |
| 13 | +- TODO: Replace `[Developer legal entity]` with the exact developer or company |
| 14 | + name used in the Google Play listing. |
| 15 | +- TODO: Replace `[privacy contact]` with the support email, contact form, or |
| 16 | + other privacy inquiry mechanism approved by the release owner. |
| 17 | +- TODO: Replace `[effective date]` with the final publication date. |
| 18 | +- TODO: Complete the account deletion and retained-data sections after #439 |
| 19 | + confirms backend behavior by auth provider and data type. |
| 20 | +- TODO: Product/legal owner must approve the final text before #434 can close. |
| 21 | + |
| 22 | +## Draft Policy Text |
| 23 | + |
| 24 | +### Privacy Policy |
| 25 | + |
| 26 | +Effective date: `[effective date]` |
| 27 | + |
| 28 | +OnTime is provided by `[Developer legal entity]`. This Privacy Policy explains |
| 29 | +how OnTime collects, uses, shares, protects, retains, and deletes data when you |
| 30 | +use the OnTime app. |
| 31 | + |
| 32 | +For privacy questions or requests, contact `[privacy contact]`. |
| 33 | + |
| 34 | +### Data OnTime Collects Or Accesses |
| 35 | + |
| 36 | +OnTime collects or accesses the following data to provide accounts, schedules, |
| 37 | +preparation reminders, alarms, and support features: |
| 38 | + |
| 39 | +| Data | Examples | Purpose | |
| 40 | +| --- | --- | --- | |
| 41 | +| Account data | Email address, display name, password for email sign-up, Google sign-in token, Apple identity token, Apple authorization code, Apple-provided name or email when available | Create and authenticate accounts, keep users signed in, support social sign-in, and load user profile information | |
| 42 | +| Schedule data | Schedule ID, schedule name, schedule time, place name, place ID, movement time, spare time, notes, started/changed state, lateness time | Create, update, display, finish, and delete schedules | |
| 43 | +| Preparation data | Default preparation steps, schedule-specific preparation steps, preparation names, preparation durations, step order, spare time | Help users plan preparation steps and reminders before schedules | |
| 44 | +| Alarm and notification data | Alarm settings, notification permission state, device ID, FCM token, platform, app version, OS version, supported alarm providers, alarm status reports, armed or skipped schedule IDs, alarm failure reason | Deliver schedule reminders and alarm notifications, register the current device, restore alarms after device restart, and diagnose alarm coverage | |
| 45 | +| Feedback data | Optional account deletion feedback or other feedback message | Process user feedback and account deletion requests | |
| 46 | +| Local app data | Cached user, schedule, place, preparation, alarm, and token data stored on the device | Keep app state available locally and support app operation | |
| 47 | +| Technical data | Network request metadata, server logs, error metadata, and security-related operational records | Operate, secure, debug, and maintain the service | |
| 48 | + |
| 49 | +OnTime does not request app-owned access to location, contacts, camera, |
| 50 | +microphone, phone, SMS, storage, calendar, nearby-device, or Bluetooth |
| 51 | +permissions in the current Android release manifest. OnTime uses notification, |
| 52 | +exact alarm, full-screen intent, boot completion, vibration, Firebase messaging, |
| 53 | +and network-related permissions to provide schedule reminders and alarm |
| 54 | +functionality. |
| 55 | + |
| 56 | +### How OnTime Uses Data |
| 57 | + |
| 58 | +OnTime uses collected data to: |
| 59 | + |
| 60 | +- Create, authenticate, and manage user accounts. |
| 61 | +- Support email/password, Google, and Apple sign-in. |
| 62 | +- Create, update, finish, delete, and display schedules. |
| 63 | +- Create and update default and schedule-specific preparation steps. |
| 64 | +- Send schedule reminders, preparation notifications, and alarm notifications. |
| 65 | +- Register and unregister the current device for alarm and notification |
| 66 | + delivery. |
| 67 | +- Process optional feedback and account deletion feedback. |
| 68 | +- Maintain security, prevent abuse, debug failures, and operate the service. |
| 69 | + |
| 70 | +### Third-Party Services And Processors |
| 71 | + |
| 72 | +OnTime uses third-party services and SDKs where needed for core app behavior: |
| 73 | + |
| 74 | +| Service or SDK | Purpose | Data involved | |
| 75 | +| --- | --- | --- | |
| 76 | +| Google Sign-In | Google account authentication | Google account authentication data, including ID token and profile scopes for email/profile | |
| 77 | +| Apple Sign-In | Apple account authentication | Apple identity token, authorization code, and Apple-provided name or email when available | |
| 78 | +| Firebase Core and Firebase Cloud Messaging | App initialization and push notification delivery | Firebase installation or messaging identifiers, FCM token, notification delivery data, and device-related messaging metadata | |
| 79 | +| OnTime backend/API infrastructure | Account, schedule, preparation, alarm, notification, feedback, and deletion request processing | The account, schedule, preparation, alarm, notification, feedback, and technical data listed above | |
| 80 | + |
| 81 | +TODO: Confirm whether Kakao SDK is present only as an unused dependency for this |
| 82 | +release. If Kakao sign-in or Kakao SDK data processing is active in the release |
| 83 | +build, add Kakao to this table and update the Data safety form accordingly. |
| 84 | + |
| 85 | +TODO: Confirm the backend hosting, database, logging, monitoring, analytics, and |
| 86 | +crash-reporting providers used outside this frontend repository, then add each |
| 87 | +approved provider to this table if it processes personal or sensitive user data. |
| 88 | + |
| 89 | +### Data Sharing |
| 90 | + |
| 91 | +OnTime shares data with service providers only as needed to provide app |
| 92 | +functionality, authentication, notifications, hosting, security, operations, and |
| 93 | +support. OnTime does not use in-app advertising in the current release build. |
| 94 | + |
| 95 | +TODO: Product/legal owner must confirm whether any backend, analytics, |
| 96 | +monitoring, support, or legal/compliance sharing occurs outside the app code |
| 97 | +reviewed here. |
| 98 | + |
| 99 | +### Secure Data Handling |
| 100 | + |
| 101 | +OnTime uses HTTPS API communication, token-based authentication, local secure |
| 102 | +token storage, release-log restrictions, and redaction practices to protect |
| 103 | +personal and sensitive data. Release builds must not log tokens, authorization |
| 104 | +headers, request bodies, response bodies, personal schedule payloads, full alarm |
| 105 | +payloads, OAuth values, or FCM tokens. |
| 106 | + |
| 107 | +TODO: Backend owner must confirm server-side encryption, access controls, |
| 108 | +backup handling, production logging controls, incident response, and retention |
| 109 | +controls. |
| 110 | + |
| 111 | +### Data Retention |
| 112 | + |
| 113 | +OnTime keeps account, schedule, preparation, alarm, notification, feedback, and |
| 114 | +technical data for as long as needed to provide the service, maintain security, |
| 115 | +meet legal obligations, resolve disputes, and enforce agreements. |
| 116 | + |
| 117 | +TODO: Replace this general language with exact retention periods after #439 |
| 118 | +confirms: |
| 119 | + |
| 120 | +- Whether user account records are deleted immediately, soft-deleted, anonymized, |
| 121 | + or retained for a period after deletion. |
| 122 | +- Whether schedule, place, preparation, alarm settings, device registrations, |
| 123 | + FCM tokens, alarm status reports, and feedback are deleted with the account. |
| 124 | +- Whether server logs, backups, audit records, abuse-prevention records, or |
| 125 | + legal/compliance records are retained after account deletion. |
| 126 | +- The retention period and reason for each retained data type. |
| 127 | + |
| 128 | +### Account And Data Deletion |
| 129 | + |
| 130 | +Users can request account deletion from within the OnTime app. The current |
| 131 | +frontend routes deletion requests through separate backend endpoints for normal, |
| 132 | +Google, and Apple account types, and supports optional deletion feedback. On |
| 133 | +successful deletion, the app signs the user out. |
| 134 | + |
| 135 | +TODO: Finalize this section only after #439 verifies backend behavior. The final |
| 136 | +policy must clearly state: |
| 137 | + |
| 138 | +- How users request deletion in the app. |
| 139 | +- How users request deletion outside the app after #440 creates the public |
| 140 | + deletion request URL. |
| 141 | +- Which account data and associated user data are deleted. |
| 142 | +- Which data, if any, is retained after deletion. |
| 143 | +- Why retained data is kept and for how long. |
| 144 | +- Whether deletion covers Google and Apple social account paths consistently. |
| 145 | + |
| 146 | +### Children |
| 147 | + |
| 148 | +TODO: Product/legal owner must confirm the intended audience and Google Play |
| 149 | +target age settings before publication. If OnTime is not directed to children, |
| 150 | +state that clearly. If children may use the app, complete the required child |
| 151 | +privacy and Play Families review before publication. |
| 152 | + |
| 153 | +### Changes To This Policy |
| 154 | + |
| 155 | +OnTime may update this Privacy Policy to reflect changes in app behavior, legal |
| 156 | +requirements, or service providers. The effective date above will be updated |
| 157 | +when the policy changes. |
| 158 | + |
| 159 | +## Release Owner Checklist |
| 160 | + |
| 161 | +- [ ] Developer/entity name matches the Google Play listing. |
| 162 | +- [ ] Privacy contact method is approved and monitored. |
| 163 | +- [ ] #439 backend deletion and retention behavior is verified by data type. |
| 164 | +- [ ] #440 external account deletion request URL exists or the policy links to |
| 165 | + the approved deletion request path when available. |
| 166 | +- [ ] All active third-party SDKs and backend processors are listed. |
| 167 | +- [ ] Data categories match the shipped app and the Play Console Data safety |
| 168 | + form. |
| 169 | +- [ ] Retention and deletion language matches backend behavior. |
| 170 | +- [ ] Product/legal owner approves the final text. |
| 171 | +- [ ] Approved policy is handed to #435 for public HTTPS hosting. |
| 172 | +- [ ] Hosted policy URL is entered in Play Console in #437. |
| 173 | + |
| 174 | +## References |
| 175 | + |
| 176 | +- Google Play User Data policy: |
| 177 | + https://support.google.com/googleplay/android-developer/answer/10144311 |
| 178 | +- Google Play app account deletion requirements: |
| 179 | + https://support.google.com/googleplay/android-developer/answer/13327111 |
| 180 | +- Google Play Data safety form guidance: |
| 181 | + https://support.google.com/googleplay/android-developer/answer/10787469 |
| 182 | +- Local app data-flow review sources: `lib/data/data_sources/`, |
| 183 | + `lib/core/constants/endpoint.dart`, `lib/data/tables/`, |
| 184 | + `android/app/src/main/AndroidManifest.xml`, `docs/Android-Manifest-Permissions.md`, |
| 185 | + and `docs/Logging-Policy.md`. |
0 commit comments