Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
Mobile SDK, Permissions and Tracking Policy
Purpose
This policy governs mobile permissions, embedded SDKs, analytics, ads, attribution, push messaging, crash reporting, AI providers, cloud APIs and device identifiers.
Permission minimization
Ask for a permission only when the feature needs it. Provide a pre-permission explanation in plain language. Do not gate core service access behind unrelated permissions. Avoid background collection unless essential and disclosed.
SDK governance
No SDK may be added without:
- business owner and purpose;
- data fields collected and transmitted;
- endpoint domains and countries of access/storage;
- privacy policy and DPA review;
- app-store disclosure mapping;
- security review and dependency scan;
- opt-out/consent wiring where required;
- removal plan and vendor incident contact.
Tracking gate
Analytics, ads, attribution, social pixels, session replay, crash data with personal information, heatmaps and AI telemetry must be classified. Non-essential tracking must be disabled by default where opt-in is required and must respect opt-outs where required.
Health and sensitive data
Health, biometric, precise location, children, financial, government ID and user content must not be routed through advertising or general analytics SDKs without a specific legal/security review.