Privacy Policy for The Podcast App

Last Updated: January 2025

1. DATA CONTROLLER

Magnolia Apps
Email: support@thepodcastapp.dev

2. DATA WE COLLECT

When you create an account:

• Email address
• Display name (if provided)
• Profile photo (if using Google Sign-In)

When you use the app:

• Podcast subscriptions (titles, RSS feed URLs)
• Episode playback positions and progress
• Listening history
• Queue and playlist data
• Premium subscription status (if applicable)

Device and authentication data:

• Firebase Cloud Messaging (FCM) device tokens (for push notifications)
• Play Integrity verification signals (for premium feature authentication)
• Firebase App Check attestation tokens (for API security)
• Session snapshots (currently playing episode, position, queue state)

Interaction telemetry (anonymous):

• Recommendation views and interactions (which podcasts you viewed or tapped from recommendations)
• Feature usage patterns for improving recommendations
• App performance metrics

Purchase verification data:

• In-app purchase tokens and receipts (verified with Google Play)
• Purchase timestamp and product ID
• Subscription status and expiration

Stored locally on your device only:

• Downloaded episode files
• App settings and preferences
• Cached podcast artwork
• All data is encrypted using AES-256 encryption with keys stored in device secure storage (Android Keystore / iOS Keychain)

3. HOW WE USE YOUR DATA

We use your data to:

• Sync subscriptions and playback across your devices
• Restore your listening session when you sign in
• Send notifications about new episodes (if enabled)
• Verify and process premium subscriptions
• Improve podcast recommendations based on your listening patterns
• Protect against fraud and unauthorized access
• Improve app performance and fix bugs
• Ensure API requests come from legitimate app instances

Legal basis (GDPR): Legitimate interest, contract performance, and consent (where applicable).

4. THIRD-PARTY SERVICES

We use the following third-party services that may collect data:

Google Firebase (Auth, Firestore, Analytics, Cloud Messaging, Functions)

• Used for: Account authentication, cloud sync, analytics, push notifications, backend services
• Data shared: Email, user ID, device tokens, usage analytics, subscription data (podcast titles/URLs), playback positions, listening history, queue data
• Privacy policy: https://firebase.google.com/support/privacy
• Note: Firebase Firestore stores your subscription data, listening history, playback positions, queue, and session snapshots for cross-device sync

Firebase App Check

• Used for: Protecting Firebase services from abuse and unauthorized access
• Data collected: App attestation tokens, device verification signals
• Privacy policy: https://firebase.google.com/support/privacy
• Purpose: Ensures requests to our backend come from legitimate app instances

Google Play Integrity API

• Used for: Verifying app authenticity for premium features and preventing fraud
• Data collected: Device integrity verdict, app licensing status, basic device information
• Privacy policy: https://policies.google.com/privacy
• Note: Only used when accessing premium features or making purchases

Google Play Billing

• Used for: Processing in-app purchases and subscriptions
• Data collected: Purchase tokens, receipts, transaction IDs, product IDs
• Privacy policy: https://policies.google.com/privacy
• Note: Purchase verification performed via our backend (Firebase Functions)

Backend Services (Firebase Cloud Functions)

• Used for: Premium subscription verification, recommendation telemetry collection
• Data shared: Purchase verification tokens, anonymous recommendation interaction data (podcast IDs, view/tap events), device integrity tokens
• Storage: Google Cloud Platform (Firebase Functions)
• Data retention: Recommendation telemetry deleted after 90 days; purchase records retained per Google Play requirements
• Note: This is our own backend service hosted on Firebase infrastructure

Google AdMob (for non-premium users)

• Used for: Displaying advertisements
• Data collected: Advertising ID, device info, IP address, usage data
• May use cookies and tracking technologies for personalized ads
• Privacy policy: https://policies.google.com/privacy
• Opt-out: Use your device's ad settings or upgrade to Premium

Google Sign-In

• Used for: Account authentication
• Data shared: Email, name, profile photo
• Privacy policy: https://policies.google.com/privacy

Podcast Index API

• Used for: Podcast search and discovery
• Data shared: Search queries, podcast IDs
• Privacy policy: https://podcastindex.org/privacy

Apple Podcast API (fallback)

• Used for: Podcast search when primary API is unavailable
• Data shared: Search queries
• Privacy policy: https://www.apple.com/legal/privacy/

5. DATA STORAGE AND TRANSFERS

Your data is stored:

• Locally: On your device using AES-256 encrypted storage (Hive database). Encryption keys are stored in device secure storage (Android Keystore on Android, iOS Keychain on iOS). Local data becomes unrecoverable if you delete your account or uninstall the app.
• Cloud: Firebase Firestore (Google Cloud servers, may include US/EU regions) stores subscription data, listening history, playback positions, queue, and session snapshots for cross-device sync.
• Backend: Firebase Cloud Functions (Google Cloud Platform) processes purchase verifications and recommendation telemetry.

For users in the EU/EEA: Your data may be transferred to countries outside the EU. Google uses Standard Contractual Clauses approved by the EU Commission.

6. DATA RETENTION

• Account data: Retained until you delete your account
• Sync data (Firestore): Deleted immediately when you delete your account
• Local encrypted data: Deleted when you uninstall the app, clear app data, or delete your account (encryption key is also deleted, making data permanently unrecoverable)
• Recommendation telemetry: Anonymized and automatically deleted after 90 days
• Purchase verification records: Retained per Google Play requirements (typically 1 year for audit purposes)
• FCM device tokens: Automatically expire and are deleted when you uninstall the app or revoke notification permissions
• Analytics: Anonymized after 14 months
• Session snapshots: Overwritten with each new session; deleted when you delete your account

7. YOUR RIGHTS (GDPR/CCPA)

You have the right to:

• Access your data (contact support@thepodcastapp.dev)
• Correct inaccurate data (edit in app settings)
• Delete your data (Settings > Delete Account or visit https://thepodcastapp.dev/delete-account)
• Export your data (Settings > Export Subscriptions)
• Restrict processing (disable cloud sync in settings)
• Object to processing (opt out of notifications and ads)
• Withdraw consent (delete account or disable features)
• Lodge a complaint with your data protection authority

8. DATA SECURITY

We implement security measures including:

• Encryption at rest: AES-256 encryption for all local data with keys stored in device secure storage (Android Keystore / iOS Keychain)
• Encryption in transit: HTTPS/TLS for all network communications
• Firebase security rules for cloud data access
• Authentication required for cloud data access
• Firebase App Check to verify requests come from legitimate app instances
• Google Play Integrity API to prevent fraud and unauthorized access to premium features
• Automatic encryption key deletion when you delete your account (makes local data permanently unrecoverable)
• Regular security updates

However, no method of transmission over the internet is 100% secure.

9. CHILDREN'S PRIVACY

The app is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe we have collected data from a child under 13, contact us immediately.

10. ADVERTISING AND TRACKING

Non-premium users see ads via Google AdMob, which may use:

• Cookies and similar technologies
• Advertising identifiers
• Device information for ad personalization

You can:

• Opt out via device settings (iOS: Limit Ad Tracking, Android: Opt out of Ads Personalization)
• Upgrade to Premium to remove all ads
• Reset your advertising ID in device settings

11. ANALYTICS AND TELEMETRY

We use Firebase Analytics to understand app usage and improve performance. This includes:

• App opens, crashes, screen views
• Feature usage statistics
• Device model, OS version, country

We collect recommendation telemetry to improve podcast recommendations:

• Which podcasts you view or tap from recommendations
• Recommendation performance metrics (e.g., did you subscribe after seeing a recommendation?)
• Interaction patterns (anonymous)

All analytics and telemetry data is anonymized and aggregated. Recommendation telemetry is automatically deleted after 90 days.

12. DO NOT SELL MY INFORMATION

We do not sell your personal information to third parties. We do not share your information except as described in this policy (service providers like Firebase and AdMob).

13. CHANGES TO THIS POLICY

We may update this policy from time to time. Material changes will be announced in-app. Continued use after changes constitutes acceptance.

14. CONTACT US

Questions or requests:
Email: support@thepodcastapp.dev

For EU users: You have the right to lodge a complaint with your local data protection authority.