Privacy Policy
Version of July 2, 2026 · English (service translation, Italian original prevails)
Service translation. In case of dispute, the original Italian version prevails: privacy.html
This privacy policy is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR) to all users of the mobile application Privavis for Android and of the website privavis.com.
Privavis is a privacy awareness application that operates entirely on your device. Our primary promise is simple: we do not collect personal data on our servers, because we do not have application servers. What follows details how this promise translates into practice, with the precision that the GDPR requires of us.
1. Data Controller
The data controller for any personal data possibly collected through the website privavis.com and the application Privavis is:
Massimo Zanirato
Ronco Briantino (MB), Italy
Privacy email: privacy@privavis.com
Contact email: hello@privavis.com
Website: privavis.com
Massimo Zanirato operates the independent Privavis project as an individual developer, under the applicable tax regime. No Data Protection Officer (DPO) has been appointed as the mandatory conditions of Art. 37 of Regulation (EU) 2016/679 are not met.
To exercise your GDPR rights or for any request related to the processing of your personal data, write to privacy@privavis.com: we will respond within 30 days as required by Art. 12 of the Regulation.
This policy will be updated should the legal nature of the controller change (for example, in the event of incorporation as a company).
2. What data Privavis DOES NOT collect
Let's begin with what is most important to understand the product's approach. Privavis does not collect:
- no data about the apps installed on your phone
- no data about your apps' permissions
- no data about how you use the Privavis app
- no telemetry, no analytics, no crash reports containing personal data
- no advertising identifier (Advertising ID), no device fingerprint
- no location data
- no contact information, except for what you voluntarily write to us by email
All the data that the Privavis application reads from the Android operating system (list of installed apps, permissions each of them holds, usage statistics) remains on your phone. There is no network transmission sending this information to Privavis systems or to third parties. Technically: the app has no backend, makes no calls to its own APIs, and writes to no remote databases.
3. Data that remains on the device
To work, Privavis reads and stores locally, in the application's storage on your device, the following information:
3.1 Diagnosis of installed apps
Through the public Android PackageManager API, Privavis reads: the list of installed apps, the name of each one, the icon, the permissions declared in the manifest, and the runtime grant state of those permissions. This data is processed to calculate the Privacy Score and displayed in the interface. It does not leave the device.
3.2 Usage statistics (optional, special access)
If you authorize access to PACKAGE_USAGE_STATS from the system Settings, Privavis reads the list of the most used apps in recent days to better weight the risk calculation (an unused app is less relevant than one used daily). This data also remains on the device.
3.3 User preferences
Privavis stores in the app's local storage (AsyncStorage):
- the chosen interface language
- the state of the onboarding process
- name and email that you may enter in Settings to sign GDPR requests (optional input)
- archive of the GDPR requests you have created, with their status, dates, and personal notes you decide to add
- list of "trusted apps" that you declare should not weigh on the Privacy Score
This data is accessible only to the Privavis application on your device. It can be deleted at any time by uninstalling the app or through the operating system's Settings (Android Settings → Apps → Privavis → Storage → Clear data).
3.4 Premium features: history, snapshots and monitoring
If you activate the Premium features, Privavis also saves locally on your device:
- the history of your Privacy Score over time (numerical timeline capped at the 120 most recent data points);
- the snapshots of the permission state that you manually save (up to 20), to compare the current state with previous moments;
- the list of changes detected by continuous monitoring (newly installed apps with sensitive accesses, existing apps that have obtained a new access), kept until you mark them as seen;
- the configuration of the active Premium profiles (Home, Travel, Work, Anonymous, Custom);
- the output of the on-device AI anomaly score that combines sensitive accesses, app dormancy, and recent regressions to highlight the "strangest" apps. Processing is performed exclusively by models embedded in the app bundle: no analysis data is ever transmitted to cloud AI APIs (OpenAI, Anthropic, or others).
This data also remains entirely on the device and is never transmitted to Privavis application servers (which do not exist) or to third parties.
3.5 Optional Google Drive backup (Premium, opt-in)
The Premium features include an optional Google Drive backup function to preserve your documents across different devices or in case of app uninstallation. This function is disabled by default and is activated only if the user explicitly taps on "Connect Google Drive" and completes the OAuth consent flow in the Settings → Drive Backup screen.
What we save on Drive (if you activate the backup):
- the complete archive of your GDPR requests (drafts, sent, completed, with personal notes and timestamps);
- your PDF reports of the privacy audit, generated with the "Export report" function;
- your personal data for GDPR requests (name and email for signatures — only if you have entered them voluntarily);
- your user preferences (language, apps declared trusted, custom Premium profiles).
What we DO NOT save on Drive: current Privacy Score, list of installed apps, this specific device's Privacy Score history, permission snapshots, anomaly score output. This data is device-specific and is automatically regenerated when the app is first launched on a new device. It makes no sense (and would potentially be misleading) to transfer it.
Requested OAuth scope: the scope is https://www.googleapis.com/auth/drive.file. This means that Privavis can view, create, modify, and delete exclusively the files it has created itself. All other files in your Google Drive (documents, photos, work, anything) are invisible to Privavis. This is a limit imposed by Google itself: it is not a trust-based promise, it is a technical limitation of the OAuth token.
Backup files are saved in a folder called "Privavis Backups" in your personal "My Drive", visible at any time from drive.google.com. The last 10 versions of JSON backups are kept; older ones are moved to the Drive trash (recoverable for 30 days). Audit PDFs, on the other hand, are all kept, because they are personal historical documents.
To disable the backup: tap "Disconnect" in the Settings → Drive Backup screen. Privavis revokes its own OAuth token and stops accessing your Drive. Existing backup files remain in your Drive — you can delete them manually from the "Privavis Backups" folder, or leave them for a possible future restore.
Data controller for Drive: within the limits of the backup described, the controller remains Privavis as a service. Google LLC operates as data processor for the underlying Drive storage service, pursuant to its own Data Processing Addendum available at cloud.google.com/terms/data-processing-addendum.
4. Android permissions requested by the app
The Privavis application declares the following Android operating system permissions in its manifest:
4.1 QUERY_ALL_PACKAGES
Permission required to read the complete list of apps installed on the device. Without this permission it is not possible to provide the product's main function — the privacy diagnosis of your apps. Google Play requires a specific justification for granting this permission, which is declared in our developer console.
4.2 PACKAGE_USAGE_STATS
"Special" permission that requires manual authorization through the system page "Usage data access". Privavis uses it exclusively to weight the Privacy Score calculation with your real usage patterns. You can deny or revoke this permission at any time from the Android Settings, without compromising the app's basic functionality.
4.3 POST_NOTIFICATIONS
Permission to generate local notifications. Privavis uses it for the following function:
- Continuous monitoring (Premium): when you detect a newly installed app with sensitive accesses or an existing app obtains a new access, the app can notify you via the Android status bar.
All notifications are generated locally on your device, without any push server, without open tracking, without data transmitted to third parties. You can disable notifications at any time from the Android Settings.
4.4 Google Sign-In and Drive access (opt-in, Premium)
Only if you activate the Google Drive backup function (Premium, described in section 3.5) does the app use the Google Play Services library for Android to manage the OAuth authentication flow to your Google account. Privavis declares in the manifest the dependency on com.google.android.gms:play-services-auth.
The sign-in flow opens a system dialog controlled by your device's Google Play Services, where you confirm the Google account to use and read the list of requested scopes (drive.file, email, profile, openid to identify the account). Privavis never sees your Google credentials (password, 2FA codes): authentication takes place directly between your Android and Google Auth servers.
Once sign-in is complete, the app stores locally on the device's storage the access token and refresh token issued by Google, which are necessary to call the Drive API. These tokens are automatically revoked when you tap "Disconnect" or when you uninstall the app. They can also be revoked at any time from your Google account's security panel (myaccount.google.com → Security → Third-party apps with access to your account).
4.5 Google Advertising Identifier (AD_ID) — for state detection only
Starting with version 1.0.1, Privavis declares in the manifest the com.google.android.gms.permission.AD_ID permission and includes the com.google.android.gms:play-services-ads-identifier library for a single purpose: to read the global state of the Google Advertising Identifier (AD_ID) on your device and show you, in each app's detail screen, whether you have already deleted the advertising ID at system level (Settings → Google → Ads → Delete advertising ID).
In this category on Google Play Console we have declared the use of AD_ID with the purpose "App functionality", not for advertising or analytics.
What Privavis DOES NOT do with the AD_ID:
- It does not send it to any server, ours or third parties'.
- It does not use it for profiling, tracking, fingerprinting, or personalization.
- It does not retain it. The call
AdvertisingIdClient.getAdvertisingIdInfo()is executed exclusively on the device, in memory, and the value is immediately discarded after reading whether it is "all zeros" (i.e., whether the user has deleted it globally). - It does not associate it with your profile or with that of other installed apps.
- It does not share it with advertisers, ad networks, advertising partners, or analytics services.
The only information Privavis derives from that read is a simple internal label of three states: "AD_ID active", "AD_ID deleted globally", or "not available" (e.g., devices without Google Play Services). This label serves only to color the "Disabled at system level" badge green in an app's detail screen, when appropriate, to avoid making you believe that the app is still receiving your unique identifier when in fact it is no longer receiving it.
You can completely disable this reading by uninstalling the app or by manually disabling the "Ads" permission from Android Settings if your version of Android allows it.
External verification. What is described in this section is also declared in the "Data safety" form of Privavis on the Google Play Store, visible to anyone visiting the app's page before installing it. In that form we declare that the Advertising Identifier is not shared with third parties and is not transmitted off your device, with the declared purpose of "App functionality". Data safety declarations are subject to Google Play's review process: their consistency with the app's actual behavior is verifiable both technically (analysis of the app's code and network traffic) and formally (the declaration on Play Console is a statement made to the store, with consequences in case of inconsistency). In other words: we do not ask you to trust what is written here on our word alone — we ask you to compare this page with Privavis's public listing on Google Play.
4.6 Tracker Blocker via Private DNS (no permission required)
The Privavis Tracker Blocker feature is a guide that walks the user through the configuration of Android's native Private DNS (from the system Settings). Privavis does not intercept network traffic, does not require special permissions (in particular it does NOT use VpnService), and does not see DNS queries. Activation takes place entirely in the Android Settings; once AdGuard DNS is configured at the system level, all installed apps resolve domains through AdGuard, which blocks those known to be advertising or tracker domains.
Privavis includes a functional test to verify that blocking works: it tries to reach a publicly known tracker domain (e.g., google-analytics.com) and observes whether the request succeeds or fails. If it fails, blocking is likely active. This test is local, in real time, and does not record any data.
No data on the activation, use, or outcome of the tests is sent to Privavis servers or to third parties. AdGuard, as the DNS provider, receives the device's DNS queries in order to respond; for the policies on the data collected by AdGuard, consult their privacy policy: adguard-dns.io/en/privacy.html.
5. privavis.com website
The institutional website privavis.com is a static informational page. It does not use profiling cookies or third-party technical cookies. The only processing that may take place is:
- Waitlist subscription: if you enter your email in the form on the main page, we will receive your address. We will use it exclusively to send you updates on product development and launch announcements. You can unsubscribe at any time by writing to privacy@privavis.com. The mailing management service we will use will be communicated here before activation.
- Typographic fonts: the site loads the Cormorant Garamond and Inter fonts from the Google Fonts service. The Google Fonts system may detect your IP address to serve the fonts themselves. We are evaluating self-hosting the fonts to eliminate this call as well.
- Hosting: the site is hosted on infrastructure in Europe. Server access logs may contain the visitor's IP address and the time of the visit for technical purposes (security, debugging, error diagnosis). Such logs are rotated and deleted within 14 days.
6. Premium AI features (future)
In a future version, the Privavis Premium plan will include intelligent assistant features based on the Anthropic API. Such features will be explicitly opt-in, with a three-level consent system:
- a general master toggle to enable AI;
- a separate toggle for functions that require a cloud call, as opposed to those that operate on-device;
- a confirmation for each first use that indicates exactly which data will be sent to Anthropic.
When you activate one of these features, you will receive a specific supplementary notice with the details of AI processing. The data sent will be strictly what is necessary for the user's request, in anonymous form where possible, and will not be retained on Anthropic servers after processing.
7. Payments (Google Play) and validation via RevenueCat
The Privavis Premium plan is sold through the Google Play payment system (Google Play Billing). The processing of payment data (card number, billing address, etc.) is the exclusive responsibility of Google pursuant to its own policy: policies.google.com/privacy.
To manage server-side validation of Google Play purchases and the activation of the Premium entitlement on your device, Privavis uses the service RevenueCat (RevenueCat, Inc., 410 Townsend St, San Francisco, CA, USA), which operates as data processor on our behalf pursuant to its own Data Processing Addendum: revenuecat.com/dpa. RevenueCat is GDPR-certified and is included in the EU-US Data Privacy Framework.
When you purchase, renew, or restore a subscription, Privavis transmits to RevenueCat:
- the purchase token received from Google Play for the transaction (it is an opaque identifier of the purchase, it does not contain financial data);
- an anonymous device identifier (UUID generated by the RevenueCat SDK on first launch, not linked to your Google account or to a real identity).
In return, Privavis receives from RevenueCat exclusively the status of your Premium entitlement (active / expired / cancelled / in grace period), without any financial data. RevenueCat retains the purchase history for as long as the subscription exists, to manage renewals, restore purchases, and refunds.
This is the only network communication that Privavis makes to third-party servers during ordinary use of the app. The "everything on-device" promise applies to the processing of your apps' privacy data; it does not apply (and could not apply) to the purchase validation mechanism, which by definition requires talking to a server.
8. Your rights
Pursuant to Articles 15-22 of the GDPR, you have the right to:
- access your personal data that may be processed by Privavis (Art. 15);
- request rectification if inaccurate (Art. 16);
- request erasure (Art. 17, "right to be forgotten");
- request restriction of processing (Art. 18);
- receive your data in a structured and machine-readable format (Art. 20, portability);
- object to the processing (Art. 21);
- not be subjected to automated decisions (Art. 22).
To exercise any of these rights, write to us at privacy@privavis.com. We will respond within 30 days as provided for by Art. 12 of the Regulation. Note that, given the on-device model of Privavis, the only data we might have about you is your email address if you have subscribed to the waitlist.
You also have the right to lodge a complaint with the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali (gpdp.it) — or with the supervisory authority of the EU Member State in which you reside.
9. Data retention
The data that remains on your phone (see section 3) is retained until you uninstall the app or manually delete it. The waitlist email address, where provided, is retained until you ask us to remove it or until the product launch + 24 subsequent months, after which it will be automatically deleted unless you expressly request to keep it.
10. Transfers outside the EU
The data that remains on your phone is not transferred to any country, since it does not leave the device. The waitlist email address and the hosting logs remain within the European Economic Area.
For processing that relies on US providers (RevenueCat for Google Play purchase validation, Google Drive for optional backup), the transfer of personal data to the United States takes place on the basis of the EU-US Data Privacy Framework and, secondarily, the standard contractual clauses (SCCs) adopted by the respective providers. RevenueCat is DPF-certified (see dataprivacyframework.gov). Google LLC is DPF-certified for Google Workspace and Google Cloud services, including the Drive API used by Privavis.
In any case, the data transferred is minimal: for RevenueCat, an anonymous UUID + a Google purchase token; for Drive, only the contents that you decide to save by activating the backup (GDPR requests, audit PDFs, preferences), with the files remaining in your personal Drive account.
11. Changes to the policy
This policy may be updated over time, in particular when Privavis introduces new features or new providers. Significant changes will be communicated to you via the subsequent version of the app and via the website. The current version of this document is always indicated at the top of the page.
The changes introduced compared to the previous version of this document mainly concern: (i) section 3.4 extended with details on the on-device AI anomaly score; (ii) section 3.5 newly introduced, dedicated to the optional Google Drive backup (drive.file scope, user opt-in, what is and is not saved); (iii) section 4.4 newly introduced, on the Google Sign-In flow used exclusively for the optional Drive backup; (iv) section 7 extended with details on the integration of RevenueCat as data processor for Google Play purchase validation; (v) section 10 updated with the legal bases for transfers to the US (Data Privacy Framework + SCCs); (vi) in version v1.0.3 (June 30, 2026) the Tracker blocker function via local VPN was removed (along with the FOREGROUND_SERVICE / FOREGROUND_SERVICE_SPECIAL_USE permissions and related persistent notifications) for compliance with Google Play's policy on the use of VpnService; the sections of §4 were renumbered accordingly; (vii) section 4.6 newly introduced, on the Tracker Blocker via Private DNS (guide-to-Settings approach, without VpnService, in line with Google Play policies).
12. Contacts
For any question, request, or report concerning this policy:
- DPO / privacy email: privacy@privavis.com
- General email: hello@privavis.com
- Website: privavis.com