Privacy Policy

Effective: 2026-04-21 · Last updated: 2026-04-21

TL;DR. We store the minimum we need to run the service. We don't sell your data. We don't share it for ads. We never look at the contents of apps you install — only at the metadata and logcat lines you actively choose to track.

1. Who we are

DroidFleet ("we", "us") operates the DroidFleet service and the DroidFleet Android agent. Data controller contact: [email protected].

2. What we collect

2.1 Account data

Email address — for sign-in, password reset, billing notifications.
Hashed password (bcrypt) — never stored or transmitted in plaintext.
Optional: display name.

2.2 Device telemetry (per paired phone)

Stable pairing id (e.g. p_7bc4a9d3ef01).
Device-reported identifier (manufacturer + model + random suffix).
Android OS + SDK version.
Battery percentage, free storage.
FCM registration token (only if you enable remote-wake).

2.3 Usage data

HTTP request logs (method, path, status, timestamp, IP — for security + debugging).
Install session metadata (APK file name, size, package name, version).
Logcat lines for packages you explicitly mark as tracked.
Crash reports + stack traces from the agent itself (not from third-party apps).

2.4 What we do NOT collect

Contents of apps you test (other than logcat lines they emit while tracked).
Contacts, photos, location, microphone, or any Android runtime permission beyond what's declared in the agent manifest.
Browsing data from other apps on the phone.
Passwords or credentials of any third-party service.

3. How we use it

Purpose	Legal basis (GDPR)
Provide the service	Contract
Bill paid plans	Contract
Transactional emails (signup, password reset, billing)	Contract
Improve the product (aggregated metrics)	Legitimate interest
Respond to security incidents	Legitimate interest
Comply with legal obligations	Legal obligation
Marketing emails	Consent (opt-in, unsubscribable)

4. Sub-processors

We share data only with these vendors, only as needed for the service:

Stripe, Inc. — payment processing.
Google (Firebase Cloud Messaging) — push notifications for remote-wake.
Cloudflare, Inc. — relay infrastructure + tunnels.
Sentry / PostHog — error monitoring + product analytics, IP-anonymised.

We do not sell, rent, or trade your data. We do not share it for advertising.

5. Retention

Active account data — for the life of your account.
Logs + sessions — 7 days (Free), 90 days (Pro), 1 year (Team), configurable on Enterprise.
Aggregated, de-identified statistics — indefinitely.
After account deletion — purged within 30 days, except billing records (kept 7 years per Israeli tax law).

6. Your rights

Under GDPR / CCPA / Israeli Privacy Law, you have the right to:

Access the data we hold about you.
Correct inaccurate data.
Delete your account and data ("right to be forgotten").
Export your data in JSON.
Object to direct-marketing processing.
Withdraw consent at any time.
File a complaint with your data protection authority.

Submit requests to [email protected]. We respond within 30 days.

7. International transfers

Servers in the EU (Frankfurt). Some sub-processors operate globally — covered by Standard Contractual Clauses where required.

8. Security

TLS 1.2+ in transit, AES-256 at rest.
bcrypt cost 12 for passwords.
Least-privilege IAM + MFA for all employee access.
Affected users notified within 72 hours of a confirmed breach (GDPR Art. 33).

9. Children

DroidFleet is a developer tool. Not intended for users under 16. We do not knowingly collect data from children.

10. Changes to this policy

Material changes communicated by email at least 30 days before taking effect. Latest version always at droidfleet.dev/privacy.

11. Contact

Privacy: [email protected]. Security: [email protected]. General: [email protected].