This privacy policy is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR) to all users of the mobile application Privavis for Android and of the website privavis.com.

Privavis is a privacy awareness application that operates entirely on your device. Our primary promise is simple: we do not collect personal data on our servers, because we do not have application servers. What follows details how this promise translates into practice, with the precision that the GDPR requires of us.

1. Data Controller

The data controller for any personal data possibly collected through the website privavis.com and the application Privavis is:

Massimo Zanirato
Ronco Briantino (MB), Italy
Privacy email: privacy@privavis.com
Contact email: hello@privavis.com
Website: privavis.com

Massimo Zanirato operates the independent Privavis project as an individual developer, under the applicable tax regime. No Data Protection Officer (DPO) has been appointed as the mandatory conditions of Art. 37 of Regulation (EU) 2016/679 are not met.

To exercise your GDPR rights or for any request related to the processing of your personal data, write to privacy@privavis.com: we will respond within 30 days as required by Art. 12 of the Regulation.

This policy will be updated should the legal nature of the controller change (for example, in the event of incorporation as a company).

2. What data Privavis DOES NOT collect

Let's begin with what is most important to understand the product's approach. Privavis does not collect:

All the data that the Privavis application reads from the Android operating system (list of installed apps, permissions each of them holds, usage statistics) remains on your phone. There is no network transmission sending this information to Privavis systems or to third parties. Technically: the app has no backend, makes no calls to its own APIs, and writes to no remote databases.

3. Data that remains on the device

To work, Privavis reads and stores locally, in the application's storage on your device, the following information:

3.1 Diagnosis of installed apps

Through the public Android PackageManager API, Privavis reads: the list of installed apps, the name of each one, the icon, the permissions declared in the manifest, and the runtime grant state of those permissions. This data is processed to calculate the Privacy Score and displayed in the interface. It does not leave the device.

3.2 Usage statistics (optional, special access)

If you authorize access to PACKAGE_USAGE_STATS from the system Settings, Privavis reads the list of the most used apps in recent days to better weight the risk calculation (an unused app is less relevant than one used daily). This data also remains on the device.

3.3 User preferences

Privavis stores in the app's local storage (AsyncStorage):

This data is accessible only to the Privavis application on your device. It can be deleted at any time by uninstalling the app or through the operating system's Settings (Android Settings → Apps → Privavis → Storage → Clear data).

3.4 Premium features: history, snapshots and monitoring

If you activate the Premium features, Privavis also saves locally on your device:

This data also remains entirely on the device and is never transmitted to Privavis application servers (which do not exist) or to third parties.

3.5 Optional Google Drive backup (Premium, opt-in)

The Premium features include an optional Google Drive backup function to preserve your documents across different devices or in case of app uninstallation. This function is disabled by default and is activated only if the user explicitly taps on "Connect Google Drive" and completes the OAuth consent flow in the Settings → Drive Backup screen.

What we save on Drive (if you activate the backup):

What we DO NOT save on Drive: current Privacy Score, list of installed apps, this specific device's Privacy Score history, permission snapshots, anomaly score output. This data is device-specific and is automatically regenerated when the app is first launched on a new device. It makes no sense (and would potentially be misleading) to transfer it.

Requested OAuth scope: the scope is https://www.googleapis.com/auth/drive.file. This means that Privavis can view, create, modify, and delete exclusively the files it has created itself. All other files in your Google Drive (documents, photos, work, anything) are invisible to Privavis. This is a limit imposed by Google itself: it is not a trust-based promise, it is a technical limitation of the OAuth token.

Backup files are saved in a folder called "Privavis Backups" in your personal "My Drive", visible at any time from drive.google.com. The last 10 versions of JSON backups are kept; older ones are moved to the Drive trash (recoverable for 30 days). Audit PDFs, on the other hand, are all kept, because they are personal historical documents.

To disable the backup: tap "Disconnect" in the Settings → Drive Backup screen. Privavis revokes its own OAuth token and stops accessing your Drive. Existing backup files remain in your Drive — you can delete them manually from the "Privavis Backups" folder, or leave them for a possible future restore.

Data controller for Drive: within the limits of the backup described, the controller remains Privavis as a service. Google LLC operates as data processor for the underlying Drive storage service, pursuant to its own Data Processing Addendum available at cloud.google.com/terms/data-processing-addendum.

4. Android permissions requested by the app

The Privavis application declares the following Android operating system permissions in its manifest:

4.1 QUERY_ALL_PACKAGES

Permission required to read the complete list of apps installed on the device. Without this permission it is not possible to provide the product's main function — the privacy diagnosis of your apps. Google Play requires a specific justification for granting this permission, which is declared in our developer console.

4.2 PACKAGE_USAGE_STATS

"Special" permission that requires manual authorization through the system page "Usage data access". Privavis uses it exclusively to weight the Privacy Score calculation with your real usage patterns. You can deny or revoke this permission at any time from the Android Settings, without compromising the app's basic functionality.

4.3 POST_NOTIFICATIONS

Permission to generate local notifications. Privavis uses it for the following function:

All notifications are generated locally on your device, without any push server, without open tracking, without data transmitted to third parties. You can disable notifications at any time from the Android Settings.

4.4 Google Sign-In and Drive access (opt-in, Premium)

Only if you activate the Google Drive backup function (Premium, described in section 3.5) does the app use the Google Play Services library for Android to manage the OAuth authentication flow to your Google account. Privavis declares in the manifest the dependency on com.google.android.gms:play-services-auth.

The sign-in flow opens a system dialog controlled by your device's Google Play Services, where you confirm the Google account to use and read the list of requested scopes (drive.file, email, profile, openid to identify the account). Privavis never sees your Google credentials (password, 2FA codes): authentication takes place directly between your Android and Google Auth servers.

Once sign-in is complete, the app stores locally on the device's storage the access token and refresh token issued by Google, which are necessary to call the Drive API. These tokens are automatically revoked when you tap "Disconnect" or when you uninstall the app. They can also be revoked at any time from your Google account's security panel (myaccount.google.com → Security → Third-party apps with access to your account).

4.5 Google Advertising Identifier (AD_ID) — for state detection only

Starting with version 1.0.1, Privavis declares in the manifest the com.google.android.gms.permission.AD_ID permission and includes the com.google.android.gms:play-services-ads-identifier library for a single purpose: to read the global state of the Google Advertising Identifier (AD_ID) on your device and show you, in each app's detail screen, whether you have already deleted the advertising ID at system level (Settings → Google → Ads → Delete advertising ID).

In this category on Google Play Console we have declared the use of AD_ID with the purpose "App functionality", not for advertising or analytics.

What Privavis DOES NOT do with the AD_ID:

The only information Privavis derives from that read is a simple internal label of three states: "AD_ID active", "AD_ID deleted globally", or "not available" (e.g., devices without Google Play Services). This label serves only to color the "Disabled at system level" badge green in an app's detail screen, when appropriate, to avoid making you believe that the app is still receiving your unique identifier when in fact it is no longer receiving it.

You can completely disable this reading by uninstalling the app or by manually disabling the "Ads" permission from Android Settings if your version of Android allows it.

External verification. What is described in this section is also declared in the "Data safety" form of Privavis on the Google Play Store, visible to anyone visiting the app's page before installing it. In that form we declare that the Advertising Identifier is not shared with third parties and is not transmitted off your device, with the declared purpose of "App functionality". Data safety declarations are subject to Google Play's review process: their consistency with the app's actual behavior is verifiable both technically (analysis of the app's code and network traffic) and formally (the declaration on Play Console is a statement made to the store, with consequences in case of inconsistency). In other words: we do not ask you to trust what is written here on our word alone — we ask you to compare this page with Privavis's public listing on Google Play.

4.6 Tracker Blocker via Private DNS (no permission required)

The Privavis Tracker Blocker feature is a guide that walks the user through the configuration of Android's native Private DNS (from the system Settings). Privavis does not intercept network traffic, does not require special permissions (in particular it does NOT use VpnService), and does not see DNS queries. Activation takes place entirely in the Android Settings; once AdGuard DNS is configured at the system level, all installed apps resolve domains through AdGuard, which blocks those known to be advertising or tracker domains.

Privavis includes a functional test to verify that blocking works: it tries to reach a publicly known tracker domain (e.g., google-analytics.com) and observes whether the request succeeds or fails. If it fails, blocking is likely active. This test is local, in real time, and does not record any data.

No data on the activation, use, or outcome of the tests is sent to Privavis servers or to third parties. AdGuard, as the DNS provider, receives the device's DNS queries in order to respond; for the policies on the data collected by AdGuard, consult their privacy policy: adguard-dns.io/en/privacy.html.

5. privavis.com website

The institutional website privavis.com is a static informational page. It does not use profiling cookies or third-party technical cookies. The only processing that may take place is:

6. Premium AI features (future)

In a future version, the Privavis Premium plan will include intelligent assistant features based on the Anthropic API. Such features will be explicitly opt-in, with a three-level consent system:

  1. a general master toggle to enable AI;
  2. a separate toggle for functions that require a cloud call, as opposed to those that operate on-device;
  3. a confirmation for each first use that indicates exactly which data will be sent to Anthropic.

When you activate one of these features, you will receive a specific supplementary notice with the details of AI processing. The data sent will be strictly what is necessary for the user's request, in anonymous form where possible, and will not be retained on Anthropic servers after processing.

7. Payments (Google Play) and validation via RevenueCat

The Privavis Premium plan is sold through the Google Play payment system (Google Play Billing). The processing of payment data (card number, billing address, etc.) is the exclusive responsibility of Google pursuant to its own policy: policies.google.com/privacy.

To manage server-side validation of Google Play purchases and the activation of the Premium entitlement on your device, Privavis uses the service RevenueCat (RevenueCat, Inc., 410 Townsend St, San Francisco, CA, USA), which operates as data processor on our behalf pursuant to its own Data Processing Addendum: revenuecat.com/dpa. RevenueCat is GDPR-certified and is included in the EU-US Data Privacy Framework.

When you purchase, renew, or restore a subscription, Privavis transmits to RevenueCat:

In return, Privavis receives from RevenueCat exclusively the status of your Premium entitlement (active / expired / cancelled / in grace period), without any financial data. RevenueCat retains the purchase history for as long as the subscription exists, to manage renewals, restore purchases, and refunds.

This is the only network communication that Privavis makes to third-party servers during ordinary use of the app. The "everything on-device" promise applies to the processing of your apps' privacy data; it does not apply (and could not apply) to the purchase validation mechanism, which by definition requires talking to a server.

8. Your rights

Pursuant to Articles 15-22 of the GDPR, you have the right to:

To exercise any of these rights, write to us at privacy@privavis.com. We will respond within 30 days as provided for by Art. 12 of the Regulation. Note that, given the on-device model of Privavis, the only data we might have about you is your email address if you have subscribed to the waitlist.

You also have the right to lodge a complaint with the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali (gpdp.it) — or with the supervisory authority of the EU Member State in which you reside.

9. Data retention

The data that remains on your phone (see section 3) is retained until you uninstall the app or manually delete it. The waitlist email address, where provided, is retained until you ask us to remove it or until the product launch + 24 subsequent months, after which it will be automatically deleted unless you expressly request to keep it.

10. Transfers outside the EU

The data that remains on your phone is not transferred to any country, since it does not leave the device. The waitlist email address and the hosting logs remain within the European Economic Area.

For processing that relies on US providers (RevenueCat for Google Play purchase validation, Google Drive for optional backup), the transfer of personal data to the United States takes place on the basis of the EU-US Data Privacy Framework and, secondarily, the standard contractual clauses (SCCs) adopted by the respective providers. RevenueCat is DPF-certified (see dataprivacyframework.gov). Google LLC is DPF-certified for Google Workspace and Google Cloud services, including the Drive API used by Privavis.

In any case, the data transferred is minimal: for RevenueCat, an anonymous UUID + a Google purchase token; for Drive, only the contents that you decide to save by activating the backup (GDPR requests, audit PDFs, preferences), with the files remaining in your personal Drive account.

11. Changes to the policy

This policy may be updated over time, in particular when Privavis introduces new features or new providers. Significant changes will be communicated to you via the subsequent version of the app and via the website. The current version of this document is always indicated at the top of the page.

The changes introduced compared to the previous version of this document mainly concern: (i) section 3.4 extended with details on the on-device AI anomaly score; (ii) section 3.5 newly introduced, dedicated to the optional Google Drive backup (drive.file scope, user opt-in, what is and is not saved); (iii) section 4.4 newly introduced, on the Google Sign-In flow used exclusively for the optional Drive backup; (iv) section 7 extended with details on the integration of RevenueCat as data processor for Google Play purchase validation; (v) section 10 updated with the legal bases for transfers to the US (Data Privacy Framework + SCCs); (vi) in version v1.0.3 (June 30, 2026) the Tracker blocker function via local VPN was removed (along with the FOREGROUND_SERVICE / FOREGROUND_SERVICE_SPECIAL_USE permissions and related persistent notifications) for compliance with Google Play's policy on the use of VpnService; the sections of §4 were renumbered accordingly; (vii) section 4.6 newly introduced, on the Tracker Blocker via Private DNS (guide-to-Settings approach, without VpnService, in line with Google Play policies).

12. Contacts

For any question, request, or report concerning this policy:

← Back to home