Privacy Policy for WearAuth

App name: WearAuth Package: com.mamadra.wearauth Developer: mamadra Contact: mamadra56789@gmail.com Effective date: May 25, 2026 Last updated: May 25, 2026

This Privacy Policy describes how WearAuth ("we", "us", "the app") handles information when you use the mobile app and the Wear OS companion. By installing or using WearAuth you agree to the terms below.


1. Summary (TL;DR)


2. What information the app handles

2.1 Data you create inside the app (stored only on your device)

Data Where it lives Encryption Sent off-device?
TOTP secret keys (the seed behind each 6-digit code) EncryptedSharedPreferences file totp_secrets on the phone and watch AES-256 (Android Jetpack Security) No. Only mirrored to your own paired Wear OS watch via the local Wearable Data Layer.
Account labels (issuer, account name) Same encrypted storage AES-256 Only mirrored to your paired watch.
Favorite flags, ordering, tile selection Same encrypted storage AES-256 Only mirrored to your paired watch.
Biometric-lock setting Same encrypted storage AES-256 Never leaves the device.

We do not operate any server, account system, or cloud backup. We cannot read your secrets, recover them for you, or restore them on a new device — that is by design.

2.2 Data scanned from QR codes

When you add an account by scanning a QR code, the camera frame is processed locally by the ZXing barcode library. The image is not stored and not transmitted. Only the parsed otpauth:// URI is saved in the encrypted store described above.

2.3 Diagnostic and analytics data (collected by Firebase)

The app integrates Google Firebase Analytics and Firebase Crashlytics. These services collect:

These events do not include TOTP secrets, generated codes, QR-code contents, your full account list, your IP address as a stored attribute, or any direct personal identifier.

Firebase data is processed by Google LLC and stored on Google infrastructure. See Google's privacy documentation: - Firebase: https://firebase.google.com/support/privacy - Google privacy: https://policies.google.com/privacy

2.4 Purchases (Google Play Billing)

If you purchase a premium subscription or a lifetime unlock (totp_premium_monthly, totp_premium_yearly, totp_premium_lifetime), the payment is processed entirely by Google Play. We receive only the purchase token returned by the Play Billing client, which the app uses locally to unlock premium features. We never receive or store your name, card number, billing address, or other payment details.

2.5 Wearable sync data

When WearAuth syncs to your Wear OS watch, the payload (SyncData) is transmitted directly between your paired phone and watch through the Google Play Services Wearable Data Layer (path /totp_sync). The transport is provided by Google Play Services. The payload includes encrypted account entries and your tile-selection preferences. It does not pass through any server operated by us.

2.6 Phone-unlock detection (optional, spec 006 wrist-detection feature)

If you enable wrist-detection lock, the app listens for USER_PRESENT and SCREEN_OFF system broadcasts via a foreground service to detect when your phone is unlocked. These signals are processed entirely on-device and are used only to control the locked/unlocked state of TOTP codes on your watch. No unlock event is logged or transmitted to us.


3. Permissions and why we ask for them

Android permission Purpose
CAMERA Scan QR codes when adding an account. No frames are stored or sent.
INTERNET Used by Firebase Analytics / Crashlytics and Google Play Billing. The app does not transmit your TOTP data over the internet.
POST_NOTIFICATIONS Show approval and status notifications for the wrist-detection lock flow.
USE_BIOMETRIC Optional biometric unlock for the app. The biometric prompt is handled by Android — we never see your fingerprint or face data.
FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC Keep the phone-unlock detector alive on devices with aggressive battery management (e.g. Samsung, MIUI, EMUI).

4. How long we keep your data


5. Sharing of data

We do not sell your data. We do not share it with advertisers, data brokers, or any third party other than the service providers strictly necessary to run the app:

These providers act as data processors and are subject to their own privacy terms.


6. Your rights

Because we do not operate user accounts and do not store your TOTP data on any server, most data is fully under your control on your own devices. You can:

If you are in the EU/EEA, you also have rights under the GDPR (access, rectification, erasure, restriction, portability, objection). The legal basis for processing analytics/crash data is our legitimate interest in maintaining and improving the app (Art. 6(1)(f) GDPR). Payment processing is necessary for the performance of a contract (Art. 6(1)(b)).

If you are in California, you have rights under the CCPA/CPRA, including the right to know what personal information is collected and the right to deletion. WearAuth does not sell personal information.


7. Children's privacy

WearAuth is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has used the app in a way that involves us processing their data, please contact us so we can remove it.


8. Security

No system is perfectly secure. You are responsible for protecting your device with a strong screen lock and keeping Android up to date.


9. International data transfers

Firebase and Google Play data may be processed on servers located in the United States or other countries where Google operates. By using the app you acknowledge this transfer. Google maintains appropriate safeguards described at https://policies.google.com/privacy.


10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be communicated in the app's release notes on Google Play. Continued use of the app after a change constitutes acceptance of the updated policy.


11. Contact

Questions, requests, or complaints about this Privacy Policy:

mamadra56789@gmail.com

If you are in the EU/EEA and we cannot resolve your concern, you have the right to lodge a complaint with your local data protection authority.