App name: WearAuth
Package: com.mamadra.wearauth
Developer: mamadra
Contact: mamadra56789@gmail.com
Effective date: May 25, 2026
Last updated: May 25, 2026
This Privacy Policy describes how WearAuth ("we", "us", "the app") handles information when you use the mobile app and the Wear OS companion. By installing or using WearAuth you agree to the terms below.
| Data | Where it lives | Encryption | Sent off-device? |
|---|---|---|---|
| TOTP secret keys (the seed behind each 6-digit code) | EncryptedSharedPreferences file totp_secrets on the phone and watch |
AES-256 (Android Jetpack Security) | No. Only mirrored to your own paired Wear OS watch via the local Wearable Data Layer. |
| Account labels (issuer, account name) | Same encrypted storage | AES-256 | Only mirrored to your paired watch. |
| Favorite flags, ordering, tile selection | Same encrypted storage | AES-256 | Only mirrored to your paired watch. |
| Biometric-lock setting | Same encrypted storage | AES-256 | Never leaves the device. |
We do not operate any server, account system, or cloud backup. We cannot read your secrets, recover them for you, or restore them on a new device — that is by design.
When you add an account by scanning a QR code, the camera frame is processed locally by the ZXing barcode library. The image is not stored and not transmitted. Only the parsed otpauth:// URI is saved in the encrypted store described above.
The app integrates Google Firebase Analytics and Firebase Crashlytics. These services collect:
app_opened, account_added (with the issuer name only — for example "GitHub"), account_deleted, watch_synced (with a count).These events do not include TOTP secrets, generated codes, QR-code contents, your full account list, your IP address as a stored attribute, or any direct personal identifier.
Firebase data is processed by Google LLC and stored on Google infrastructure. See Google's privacy documentation: - Firebase: https://firebase.google.com/support/privacy - Google privacy: https://policies.google.com/privacy
If you purchase a premium subscription or a lifetime unlock (totp_premium_monthly, totp_premium_yearly, totp_premium_lifetime), the payment is processed entirely by Google Play. We receive only the purchase token returned by the Play Billing client, which the app uses locally to unlock premium features. We never receive or store your name, card number, billing address, or other payment details.
When WearAuth syncs to your Wear OS watch, the payload (SyncData) is transmitted directly between your paired phone and watch through the Google Play Services Wearable Data Layer (path /totp_sync). The transport is provided by Google Play Services. The payload includes encrypted account entries and your tile-selection preferences. It does not pass through any server operated by us.
If you enable wrist-detection lock, the app listens for USER_PRESENT and SCREEN_OFF system broadcasts via a foreground service to detect when your phone is unlocked. These signals are processed entirely on-device and are used only to control the locked/unlocked state of TOTP codes on your watch. No unlock event is logged or transmitted to us.
| Android permission | Purpose |
|---|---|
CAMERA |
Scan QR codes when adding an account. No frames are stored or sent. |
INTERNET |
Used by Firebase Analytics / Crashlytics and Google Play Billing. The app does not transmit your TOTP data over the internet. |
POST_NOTIFICATIONS |
Show approval and status notifications for the wrist-detection lock flow. |
USE_BIOMETRIC |
Optional biometric unlock for the app. The biometric prompt is handled by Android — we never see your fingerprint or face data. |
FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC |
Keep the phone-unlock detector alive on devices with aggressive battery management (e.g. Samsung, MIUI, EMUI). |
We do not sell your data. We do not share it with advertisers, data brokers, or any third party other than the service providers strictly necessary to run the app:
These providers act as data processors and are subject to their own privacy terms.
Because we do not operate user accounts and do not store your TOTP data on any server, most data is fully under your control on your own devices. You can:
If you are in the EU/EEA, you also have rights under the GDPR (access, rectification, erasure, restriction, portability, objection). The legal basis for processing analytics/crash data is our legitimate interest in maintaining and improving the app (Art. 6(1)(f) GDPR). Payment processing is necessary for the performance of a contract (Art. 6(1)(b)).
If you are in California, you have rights under the CCPA/CPRA, including the right to know what personal information is collected and the right to deletion. WearAuth does not sell personal information.
WearAuth is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has used the app in a way that involves us processing their data, please contact us so we can remove it.
EncryptedSharedPreferences), with keys managed by the Android Keystore.BIOMETRIC_STRONG | DEVICE_CREDENTIAL from AndroidX Biometric.No system is perfectly secure. You are responsible for protecting your device with a strong screen lock and keeping Android up to date.
Firebase and Google Play data may be processed on servers located in the United States or other countries where Google operates. By using the app you acknowledge this transfer. Google maintains appropriate safeguards described at https://policies.google.com/privacy.
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be communicated in the app's release notes on Google Play. Continued use of the app after a change constitutes acceptance of the updated policy.
Questions, requests, or complaints about this Privacy Policy:
mamadra56789@gmail.com
If you are in the EU/EEA and we cannot resolve your concern, you have the right to lodge a complaint with your local data protection authority.