1. Data Controller
For purposes of applicable privacy law, the data controller is:
Company: CodeSecDev
Email: support@codesecdev.com
Address: Near Hanoi Highway, Tan Phu Ward, Thu Duc City (formerly District 9), Ho Chi Minh City, Vietnam (Saigon Hi-Tech Park)
2. Scope
This policy applies to:
- CodeSecDev websites, including codesecdev.com.
- CodeSecDev iOS applications and associated backend services.
- Communications with users, customers, and partners.
3. Definitions
- Personal Data: Information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Controller: The entity that determines purposes and means of processing.
- Processor: A service provider processing personal data on behalf of a controller.
- Tracking: Cross-app or cross-service linking of data for targeted advertising or measurement where legally defined.
- Consent: Freely given, specific, informed, and unambiguous indication of agreement where required by law.
4. Data We Collect
Depending on app features and your choices, we may process the following categories of data:
- Contact data: name, email address, support messages.
- Device and technical data: device model, operating system, app version, language, approximate location from IP.
- Usage data: feature interactions, session length, in-app events, crash logs.
- Advertising data: ad request metadata, ad impression/click signals, consent state, advertising identifiers where permitted.
- Purchase data: non-financial transaction identifiers, product SKU, subscription status from Apple or Google.
- Privacy preference data: consent choices, opt-out states, ATT authorization status.
We do not knowingly collect full payment card details in our apps. Billing is handled by Apple App Store or Google Play billing systems.
| Data Category | Examples | Collection Context |
|---|---|---|
| Identifiers | Internal user ID, installation ID, push token | App onboarding, account features, notification delivery |
| Diagnostics | Crash traces, device memory state, performance metrics | Reliability monitoring and bug triage |
| Attribution Signals | Campaign data, referrer, SKAN conversion values | Install and campaign measurement |
| Consent Signals | CMP preferences, ATT status, regional mode | Ad eligibility and privacy enforcement |
| Support Evidence | Email thread content, screenshots provided by user | Technical support and dispute handling |
5. Data Sources
We obtain personal data from the following sources:
- Directly from you: Contact forms, support emails, account setup input, feedback submissions.
- Automatically from your device: App telemetry, diagnostic logs, interaction events, consent flags.
- From platform operators: Apple and Google purchase confirmations and subscription status responses.
- From integrated partners: Aggregated ad delivery and attribution reports from approved SDK providers.
- From legal or compliance channels: Verification records for rights requests and dispute handling.
6. How We Use Data
- Provide, maintain, and improve our apps and services.
- Secure our systems, detect abuse, and prevent fraud.
- Measure product quality and reliability (including crash analysis).
- Deliver contextual or personalized advertising where legally permitted.
- Process and validate subscriptions and one-time purchases.
- Comply with legal obligations and enforce our terms.
Purpose Limitation: We process personal data only for explicit, legitimate, and documented purposes. We do not use sensitive personal data for unrelated commercial profiling.
7. Consent and Preference Management
Where required by local law, we obtain consent before activating non-essential tracking or personalized advertising.
- Consent can be granted, refused, or withdrawn using in-app controls where available.
- For Apple platforms, ATT prompts are shown before tracking-enabled identifiers are accessed.
- For Google ecosystems, consent mode and policy-aligned disclosures are used where applicable.
- Withdrawal of consent does not affect processing already performed lawfully before withdrawal.
8. In-App Advertising Types We May Use
Depending on app design and region, our apps may include one or more of the following ad formats:
- App Open / Splash Ads
- Banner Ads
- Interstitial Ads
- Rewarded Video Ads
- Native Ads
- Playable Ads
9. Advertising Partners and Monetization Platforms
We may integrate one or more of the following partners directly or through mediation. Partner availability depends on app, region, and business needs.
- Google AdMob / Google Ad Manager: Ad serving, mediation, and measurement.
- Meta Audience Network: In-app audience monetization and ad delivery.
- AppLovin MAX: Mediation and advertising demand optimization.
- Unity Ads: Game and utility app ad inventory monetization.
- ironSource / LevelPlay: Mediation and performance optimization.
- Liftoff / Vungle: Rewarded and performance-focused ad inventory.
- Chartboost: In-app ad monetization services.
- InMobi: Mobile advertising and demand access.
- Digital Turbine (AdColony / Fyber): Mediation and ad network demand.
- Smaato: Ad exchange and monetization support.
- Tapjoy / Liftoff Offerwall: Offerwall and rewarded engagement placements.
- Criteo: Commerce and performance advertising services.
- Verizon Media / Yahoo Ad Tech: Advertising and demand-side services.
- Snap Audience Network: Audience-based ad demand and monetization.
10. Analytics and Measurement SDKs
We may use analytics, attribution, and reliability providers including:
- Firebase Analytics
- AppsFlyer
- Adjust
- Branch
- Firebase Crashlytics
These tools help us understand product quality, campaign performance, install attribution, and app stability. Processing is configured in line with regional law and user consent settings.
| Provider | Primary Function | Typical Data Elements |
|---|---|---|
| Firebase Analytics | Product analytics | Event names, app version, coarse device attributes |
| AppsFlyer | Attribution | Campaign source, install timestamp, conversion data |
| Adjust | Attribution and fraud controls | Ad campaign signals, anti-fraud risk indicators |
| Branch | Deep linking and attribution | Link interaction events, campaign metadata |
| Crashlytics | Crash diagnostics | Crash stack traces, device state snapshots |
11. Legal Bases for Processing
Where required by law, we rely on one or more of the following legal bases:
- Performance of a contract (service delivery, account features, purchases).
- Legitimate interests (security, fraud prevention, service improvement).
- Consent (tracking, personalized ads, certain analytics in regulated regions).
- Legal obligation (compliance with law, tax, and lawful requests).
| Processing Activity | Typical Legal Basis | Notes |
|---|---|---|
| Account support and service access | Contract | Necessary to deliver requested functionality |
| Security monitoring and abuse prevention | Legitimate interests / legal obligation | Balancing tests applied where required |
| Personalized ads and tracking | Consent | Enabled only in jurisdictions where legal prerequisites are met |
| Transaction records and tax evidence | Legal obligation | Retention based on statutory requirements |
12. International Privacy Laws We Address
Our privacy framework is designed to support major global laws and platform obligations, including:
| Regulation / Framework | Region | Our Approach |
|---|---|---|
| GDPR (Articles 15-22 rights) | EU / EEA | Access, rectification, erasure, restriction, portability, objection, and related rights request handling. |
| CCPA / CPRA | California, USA | Notice at collection, rights to know/delete/correct, opt-out mechanisms where required. |
| COPPA | United States | No knowing collection from children under 13 without legally required parental controls and disclosures. |
| LGPD | Brazil | Lawful basis mapping, transparency, and rights fulfillment processes. |
| VCDPA | Virginia, USA | Consumer rights support and purpose-limited processing. |
| CPA | Colorado, USA | Data minimization, transparency, and user rights support. |
| CTDPA | Connecticut, USA | Controller obligations and rights response workflows. |
| Privacy Act | Australia | Data handling consistent with local privacy principles. |
| PIPEDA | Canada | Consent, safeguards, and access principles support. |
| PIPA | South Korea | Data protection controls and consent-sensitive handling. |
| APPI | Japan | Notice and processing practices aligned with APPI obligations. |
| DPDP Act 2023 | India | Notice, purpose limits, and rights-responsive processes. |
| PDPA | Thailand | Consent and data processing management in line with PDPA expectations. |
| DMA | European Union | Platform transparency and fairness requirements monitoring. |
| DSA | European Union | Digital services compliance and accountability-oriented governance. |
For region-specific legal requirements, this policy should be read together with local notices presented in-app, on store listings, or in account/support workflows.
13. Apple Platform Compliance
- App Tracking Transparency (ATT): We request permission before accessing tracking-enabled identifiers where required.
- Privacy Nutrition Labels: We maintain app privacy disclosures in App Store Connect to reflect data categories and purposes.
- SKAdNetwork / SKAN 4.0: We may use privacy-preserving attribution frameworks provided by Apple.
- Age Signal API (2025/2026): Where applicable, we implement age-appropriate controls and ad treatment logic based on Apple platform guidance.
14. Google Platform Compliance
- Google Play User Data Policy: We follow disclosure and purpose limitations for collection and processing.
- Google Play Families Policy: For child-directed or mixed-audience scenarios, ad and SDK behavior is restricted per policy.
- Data Safety Section: We maintain Data Safety declarations to reflect processing categories and sharing.
- DELETE_APP_USERS support: Where required by policy, users can request account or associated data deletion via in-app options or direct contact.
15. In-App Purchases and Payment Processing
Digital goods, subscriptions, and in-app purchases are processed by platform providers:
- Apple App Store billing (for iOS purchases)
- Google Play billing (for Android purchases, where applicable)
We receive transaction confirmations and subscription status metadata but do not receive full card numbers. Refunds are generally managed by Apple or Google under their billing rules, though we may assist support inquiries at support@codesecdev.com.
Where required by consumer law, we provide reasonable support to help users submit billing disputes through the relevant store channels.
16. Data Sharing and Processors
We may share data with service providers acting on our instructions, such as cloud hosting, analytics, attribution, customer support, and ad partners. We require contractual safeguards and limit sharing to what is necessary for service delivery, security, legal compliance, and monetization operations.
- We do not sell personal data in the ordinary meaning of a direct data brokerage model.
- Where local law interprets targeted advertising as "sale" or "sharing," we provide opt-out methods as required.
- Partners are expected to process data according to their own applicable privacy terms and legal obligations.
| Recipient Type | Why We Share | Safeguards |
|---|---|---|
| Cloud and infrastructure providers | Hosting, backups, uptime | Contractual confidentiality and security controls |
| Analytics and attribution providers | Performance, campaign analysis | SDK controls, consent gating where required |
| Advertising partners and mediation layers | Ad delivery and monetization | Policy filtering, age and region compliance rules |
| Professional advisors and legal authorities | Compliance, legal obligations, claims defense | Necessity and lawfulness review before disclosure |
17. Data Retention
We retain data for as long as needed for service operation, legal compliance, dispute resolution, security, and enforceability of agreements. Retention periods vary by data type, legal obligations, and product context. Data is deleted or anonymized when no longer needed.
| Record Type | Typical Retention Window | Reason |
|---|---|---|
| Support tickets | Up to 24 months after closure | Service continuity and quality assurance |
| Crash diagnostics | Up to 18 months | Reliability analysis and regression tracking |
| Consent logs | Up to 36 months | Compliance evidence and auditability |
| Purchase/subscription metadata | As required by law and platform rules | Accounting, disputes, anti-fraud |
18. Security Measures
- Encryption in transit using modern TLS.
- Role-based access controls and least-privilege principles.
- Audit logging and monitoring for security events.
- Secure development and dependency management practices.
- Incident response procedures for potential breaches.
No system is completely immune from risk. If a reportable breach occurs, we will follow applicable notification duties and platform incident processes.
19. Children and Families
We do not knowingly collect personal data from children in violation of applicable law. Where a product is directed to children or mixed audiences, we apply stricter ad and tracking controls, disable personalized ads where required, and follow COPPA and platform-specific Families requirements.
If you believe a child submitted personal data inappropriately, contact us so we can investigate and delete data where required.
20. International Data Transfers
Because we work with global infrastructure and partners, data may be processed outside your country. When required, we apply appropriate safeguards, such as contractual protections and transfer risk controls, consistent with applicable law.
- Standard contractual protections may be used for cross-border processing.
- Transfer impact assessments may be applied where mandated.
- Data minimization and pseudonymization are used where practicable.
21. Your Privacy Rights
Depending on your location, you may have rights including:
- Right to know/access personal data.
- Right to correct inaccurate data.
- Right to delete personal data.
- Right to restrict or object to certain processing.
- Right to data portability.
- Right to withdraw consent (where consent is used).
- Right to non-discrimination for exercising rights (where applicable).
To submit a rights request, contact support@codesecdev.com with enough information for us to verify your request and protect account security.
| Region | Core Rights | Typical Response Window |
|---|---|---|
| EU/EEA (GDPR) | Arts. 15-22 access, rectification, erasure, restriction, portability, objection | Usually within 1 month, extendable where lawful |
| California (CCPA/CPRA) | Know, delete, correct, limit use where applicable, opt-out | Typically 45 days, extension permitted by law |
| Brazil (LGPD) | Confirmation, access, correction, anonymization/deletion, portability, review | As required under LGPD deadlines |
| Other listed jurisdictions | Equivalent rights under local law where applicable | Within statutory deadlines |
22. Rights Request Process
- Submit request to support@codesecdev.com with subject: Privacy Request.
- Include app name, account identifier (if any), country/state, and requested right.
- We may request limited verification data to prevent unauthorized disclosure.
- Authorized agents may submit requests where legally recognized, subject to authority verification.
- If we deny a request, we explain the legal basis and available appeal path where required.
23. Account and Data Deletion
If our app provides accounts, users can request deletion of account data from in-app settings or by contacting us at support@codesecdev.com with subject line: DELETE_APP_USERS Request. We process valid deletion requests within legally required timeframes and will inform you if limited retention is required by law.
Deletion may include account profile data, linked user content, and non-essential telemetry associated with the account, except records that must be retained for legal, security, anti-fraud, or accounting obligations.
24. Automated Decision-Making
We may use automated systems for limited functions such as fraud prevention, content abuse filtering, and ad capping. We do not make fully automated decisions that have legal or similarly significant effects on users without the appropriate safeguards required by law.
25. Complaints and Supervisory Authorities
If you have unresolved privacy concerns, contact us first so we can attempt to resolve the issue promptly. Where applicable law permits, you may lodge a complaint with your local data protection or consumer authority.
27. Sensitive Data and Special Categories
We do not intentionally collect sensitive personal data (for example: precise health, biometric, religious, ethnic, or political data) unless a product feature explicitly requires it and a lawful basis exists.
- Where legally required, we request explicit consent before processing sensitive categories.
- Sensitive data, if processed, is limited to minimum necessary scope and protected by elevated controls.
- We do not use sensitive categories for generalized advertising profiling.
28. Corporate Transactions
In connection with mergers, acquisitions, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of the transaction, subject to confidentiality and legal safeguards.
If such transfer materially changes how your personal data is processed, we will provide notice where required by law.
29. Jurisdiction-Specific Notices
Additional disclosures may apply based on local law. Highlights include:
- EU/EEA/UK: Rights under GDPR-equivalent frameworks, including objection and portability where applicable.
- United States (selected states): Consumer rights and opt-out options under state privacy laws including California, Virginia, Colorado, and Connecticut.
- Brazil: LGPD rights handling with legal basis and transparency controls.
- APAC jurisdictions: Policy and consent handling aligned with APPI (Japan), PIPA (Korea), DPDP (India), and PDPA (Thailand).
- Canada and Australia: Practices aligned with PIPEDA and Australia Privacy Act principles as applicable.
30. Changes to This Policy
We may update this policy from time to time to reflect legal, technical, or business changes. Material updates will be communicated through the website, app notices, or other appropriate channels. The Effective Date at the top indicates the latest revision.
31. Contact Us
For privacy questions, legal notices, or data rights requests:
Email: support@codesecdev.com
Business Contact: contact@codesecdev.com
Address: Near Hanoi Highway, Tan Phu Ward, Thu Duc City (formerly District 9), Ho Chi Minh City, Vietnam (Saigon Hi-Tech Park)
If you are contacting us for a legal request, include your jurisdiction and app name to help us route your request correctly and respond faster.