Overview
Our Privacy Commitment
AudiFlo is designed with privacy-first principles:
- Offline-first design - Your reading content stays on your device
- No content uploads - We never upload your PDFs, EPUBs, or documents to our servers
- Optional cloud sync - You control whether to sync settings across devices
- Local processing - Text-to-speech happens entirely on your device
- Minimal data collection - We only collect what's necessary for app functionality
- No advertising - We don't use your data for targeted ads or sell it to third parties
- Transparent practices - Clear explanation of what data we collect and why
Key Privacy Features
- Your documents never leave your device - All reading content is stored and processed locally
- Selective Encryption - Highly sensitive data (auth tokens, stats) is AES-256 encrypted; other data is protected by Android Sandbox
- You own your data - You can export, delete, or download your data anytime
- No tracking - We don't track your reading behavior for advertising purposes
- Firebase security - Cloud-synced settings use Firebase's robust security rules
Information We Collect
We collect minimal information necessary to provide and improve AudiFlo's functionality. Here's a complete breakdown:
1. Information You Provide Directly
Account Information (Optional - Only if you sign in)
When you choose to sign in with Google, we collect:
| Data Type | Source | Purpose | Storage Location |
|---|---|---|---|
| Email address | Google Sign-In | Account identification and authentication | Firebase Authentication |
| Display name | Google Profile | Personalization (e.g., "Welcome, [Name]") | Firebase Firestore |
| Profile photo URL | Google Profile | Visual personalization (optional) | Firebase Firestore |
| Google User ID (UID) | Google Sign-In | Unique account identifier | Firebase Authentication |
Important: Account creation is entirely optional. You can use AudiFlo fully offline without signing in.
User-Generated Content (Stored Locally Only)
The following data is created by you and never uploaded to our servers:
- Imported documents - PDFs, EPUBs, and text files you import
- Reading progress - Current page, position, and completion percentage
- Bookmarks - Saved reading positions
- Highlights - Text selections you highlight
- Annotations - Notes and comments you add
- Custom pronunciations - Corrections for TTS mispronunciations
- Character voice assignments - Custom TTS voice mappings for characters
- Library metadata - Book titles, authors, covers (extracted from files)
Privacy Note: This content remains on your device. We cannot access, view, or recover it.
2. Information Collected Automatically
Usage & Analytics (Firebase Analytics)
To improve app performance and user experience, we collect anonymized usage data:
| Data Category | Examples | Purpose | Identifiable? |
|---|---|---|---|
| App events | Button clicks, feature usage, screen views | Understand user behavior | No - Anonymized |
| Session data | App open/close times, session duration | Measure engagement | No - Aggregated |
| Device information | Device model, manufacturer, OS version | Optimize compatibility | No - Non-unique |
| App version | Installed version number | Track adoption of updates | No |
| Crash reports | Stack traces, error logs | Fix bugs and crashes | No - Anonymized |
| Performance metrics | Load times, memory usage, battery impact | Optimize performance | No - Aggregated |
Analytics Privacy:
- All analytics data is anonymized and cannot be traced back to you personally
- We use Firebase Analytics with IP anonymization enabled
- No personally identifiable information (PII) is included in analytics
- You can opt out of analytics (see Your Rights & Choices)
Device Information
We collect technical device information for compatibility and optimization:
- Device model and manufacturer (e.g., Samsung Galaxy S24, Google Pixel 8)
- Operating system version (e.g., Android 14)
- Available TTS engines (e.g., Google TTS, Samsung TTS) - to show compatible voices
- Available TTS voices (e.g., English (US) - Female) - for voice selection
- Screen resolution and orientation - to optimize reading layout
- App language preference - to display UI in your language
Privacy Note: This information is used solely for app functionality and is not linked to your identity.
Advertising Data
- Advertising Data: Interactions with ads (views, clicks) and Advertising IDs (e.g., Android Advertising ID) for ad delivery and frequency capping.
3. Information Synced to Cloud (Optional - Only if Signed In)
If you enable cloud sync, the following settings only are uploaded to Firebase Firestore:
| Setting Type | Examples | Why We Sync This |
|---|---|---|
| TTS preferences | Playback speed, pitch, volume | Consistent experience across devices |
| Voice selections | Preferred TTS voice, language | Apply your voice choices everywhere |
| Reading settings | Font size, theme, line spacing | Maintain visual preferences |
| Pronunciation rules | Custom word pronunciations | Keep TTS corrections synced |
| UI preferences | Theme (light/dark), color scheme | Preserve your customization |
| Notification settings | Reminder times, notification preferences | Sync reminder schedules |
What We DO NOT Sync:
- Your imported documents (PDFs, EPUBs, text files)
- Reading content or book text
- Reading progress, bookmarks, highlights
- Annotations or notes
- Library metadata or book covers
- Any file contents whatsoever
Privacy Guarantee: Cloud sync is **disabled by default** and requires explicit opt-in through Google Sign-In.
How We Use Your Information
We use collected information solely for the following purposes:
Core App Functionality
| Purpose | Data Used | How |
|---|---|---|
| Text-to-speech playback | Imported documents, TTS settings | Process text locally on your device |
| Reading progress tracking | Bookmarks, current position | Save your place in books |
| Library management | Book metadata, covers | Organize your imported content |
| Voice customization | Voice preferences, pronunciations | Apply your preferred TTS voices |
| User authentication | Google account information | Secure access to cloud sync |
Cloud Synchronization (Optional)
| Purpose | Data Used | How |
|---|---|---|
| Cross-device settings sync | TTS preferences, UI settings | Keep settings consistent across devices |
| Backup of preferences | Voice selections, pronunciations | Restore settings if you change devices |
App Improvement & Support
| Purpose | Data Used | How |
|---|---|---|
| Performance optimization | Analytics data, crash reports | Identify and fix bugs, improve speed |
| Feature development | Usage patterns (anonymized) | Understand which features are most used |
| Compatibility testing | Device information | Ensure AudiFlo works on all Android versions |
| Customer support | Email, support inquiries | Respond to your questions and issues |
Personalization
| Purpose | Data Used | How |
|---|---|---|
| Welcome messages | Display name from Google | Show personalized greetings |
| Reading reminders | Notification preferences, reading habits | Send helpful reading reminders |
| UI customization | Theme preferences, font settings | Remember your visual preferences |
We DO NOT Use Your Data For:
- Targeted advertising or ad personalization
- Selling to third-party data brokers
- Training AI models on your reading content
- Behavioral profiling or tracking across apps
- Marketing analytics or audience segmentation
- Sharing with advertisers or marketing partners
Data Storage & Security
We take your data security seriously and implement multiple layers of protection.
Local Data Storage (On Your Device)
Security Philosophy
We use a layered security approach to balance performance and protection:
- Android App Sandbox: The primary security layer. Your data (books, settings) is isolated from other apps.
- Selective Encryption: Highly sensitive data (auth tokens, notification statistics) receives additional AES-256 encryption.
Encryption Implementation
We apply AES-256-GCM encryption specifically to sensitive credentials and statistics:
| Security Measure | Implementation | Applied To |
|---|---|---|
| Encryption Algorithm | AES-256-GCM (Galois/Counter Mode) | Auth Tokens, Notification Stats |
| Key Storage | Android Keystore (Hardware-backed) | Encryption Keys |
| Standard Protection | Android App Sandbox (Linux user isolation) | Books, User Preferences, Bookmarks |
What Gets AES-256 Encrypted:
- Authentication tokens (if signed in)
- Notification history and statistics
- Sensitive configuration flags
What Uses Standard Sandbox Protection:
- Imported books and documents (SQLite database & Files)
- General user preferences (TTS speed, voice selection)
- Bookmarks and reading progress
Note: Sandbox protection prevents other apps from accessing this data on non-rooted devices.
Secure Storage Libraries
We use trusted, audited storage libraries:
- flutter_secure_storage - For storing encrypted keys and tokens
- EncryptedSharedPreferences - For sensitive preferences
- sqflite (SQLite) - For structured data (books, chapters)
Cloud Data Storage (Firebase - If Signed In)
Firebase Security Architecture
When you enable cloud sync, settings are stored in Google Firebase Firestore with multiple security layers:
| Security Layer | Implementation | Protection Against |
|---|---|---|
| Authentication | Firebase Authentication with Google Sign-In | Unauthorized access |
| Security Rules | User-only read/write access enforced server-side | Data leakage to other users |
| Encryption in Transit | TLS 1.3 / HTTPS for all communications | Man-in-the-middle attacks |
| Encryption at Rest | AES-256 encryption on Firebase servers | Physical server theft |
| Access Controls | Per-user data isolation via UID-based rules | Cross-user data access |
| Audit Logs | Firebase tracks all access attempts | Suspicious activity detection |
Firebase Security Rules
Your cloud data is protected by strict Firebase security rules:
// Only you can read/write your own data
match /users/{userId} {
allow read, write: if request.auth.uid == userId;
}This means:
- Only you can access your synced settings
- Other users cannot see or modify your data
- Even AudiFlo developers cannot access your data without explicit authorization
- All access is logged and auditable
Data Centers & Infrastructure
- Hosting: Google Cloud Platform (Firebase infrastructure)
- Locations: Data may be stored in multiple global regions for redundancy
- Compliance: Firebase adheres to SOC 2, ISO 27001, and other security certifications
- Backups: Automatic backups for disaster recovery (subject to Firebase retention policies)
Additional Security Practices
Network Security
- All data transmitted over the internet uses TLS 1.3 / HTTPS encryption
- Certificate pinning prevents man-in-the-middle attacks
- No data is sent over unencrypted HTTP connections
Code Security
- Regular security audits of our codebase
- Dependency vulnerability scanning
- Secure coding practices following OWASP guidelines
- No hardcoded secrets or API keys in the app
Device Security Recommendations
- Use a device lock screen (PIN, pattern, biometric)
- Keep Android OS and AudiFlo updated
- Only download AudiFlo from official Google Play Store
- Enable Google Play Protect for malware scanning
Data Breach Response
In the unlikely event of a security breach:
- We will notify affected users within 72 hours
- We will disclose what data was compromised
- We will provide guidance on protective measures
- We will report to relevant authorities as required by law
Third-Party Services
AudiFlo integrates with trusted third-party services. Here's complete transparency on what they access:
1. Firebase (Google LLC)
Services Used: Firebase Authentication, Cloud Firestore, Firebase Analytics, Firebase Remote Config, Firebase Crashlytics
Data Shared: Email address, name, Google UID (if signed in), TTS settings, voice preferences (if cloud sync enabled), Anonymized app usage events, Crash logs and stack traces (anonymized).
Privacy Policy: Google Firebase Privacy
Our Safeguards: Firebase Analytics IP anonymization enabled, User-only security rules on Firestore, Minimal data collection configuration, No Firebase data sharing with Google Ads.
2. Google Sign-In
Service Purpose: Optional authentication for cloud sync
Data Accessed: Email address, Display name, Profile photo URL, Google User ID
Privacy Policy: Google Account Privacy
Your Control: You can revoke AudiFlo's access anytime at Google Account Permissions
3. System Text-to-Speech Engines
Service Purpose: Convert text to spoken audio
Engines Supported: Google Text-to-Speech, Samsung TTS, Other device-specific TTS engines
Privacy Note: TTS processing happens entirely on your device. Your reading content never leaves your device during TTS playback. We don't control or access TTS engine data handling.
4. Syncfusion PDF Library
Service Purpose: Extract text from PDF files for TTS playback
Privacy: PDF processing happens entirely on your device. No PDF content is sent to Syncfusion servers. Syncfusion has no access to your documents.
License: Commercial license (no data sharing requirements)
5. Google Play Services
Service Purpose: App distribution, updates, licensing verification
Data Accessed: Device information for compatibility, Installation and update events, License verification
Privacy Policy: Google Play Privacy
6. Google AdMob
Service Purpose: Displaying advertising content to support the App.
Data Collected: Device Identifiers (Advertising ID), approximate location, cookies, and usage data.
Usage: To show personalized or non-personalized ads, measure ad performance, and prevent fraud.
Privacy Policy: Google AdMob Privacy
Opt-Out: You can control personalized ads in your device settings (Settings > Google > Ads) or via Google Ad Settings.
Third-Party Data Sharing Summary
| Service | Your Content Shared? | Settings Shared? | Analytics Shared? |
|---|---|---|---|
| Firebase | ❌ Never | ✅ If opted in | ✅ Anonymized only |
| Google Sign-In | ❌ Never | ❌ No | ❌ No |
| TTS Engines | ✅ For playback (local only) | ❌ No | ❌ No |
| Syncfusion | ❌ Never | ❌ No | ❌ No |
| Google Play | ❌ Never | ❌ No | ✅ Basic telemetry |
Data Sharing & Disclosure
What We DO NOT Do
We DO NOT:
- Sell your personal information to data brokers or advertisers
- Share reading content (PDFs, EPUBs, documents) with anyone
- Use data for targeted advertising or ad personalization
- Share data with marketing partners or analytics companies beyond Firebase
- Track your reading behavior for commercial purposes
- Rent or lease your data to third parties
- Provide data to AI training companies to train language models
- Cross-reference your data with other databases or services
When We May Disclose Data
We may disclose limited information only in these specific circumstances:
1. With Your Explicit Consent
- If you explicitly authorize data sharing for a specific purpose
- For example, if you request us to share data with customer support
2. Legal Compliance & Law Enforcement
- To comply with valid legal processes (court orders, subpoenas)
- To respond to government requests as required by law
- To enforce our Terms & Conditions
- To protect our legal rights or defend against legal claims
Legal Request Policy: We will notify you of legal requests unless legally prohibited, challenge overly broad or inappropriate requests, and provide only the minimum data required by law.
3. Safety & Security
- To prevent fraud, abuse, or security threats
- To protect the safety of users or the public
- To investigate Terms violations or illegal activity
4. Business Transfers
- In the event of a merger, acquisition, or sale of assets
- Successor entity must honor this Privacy Policy
- We will notify you 30 days before any ownership change
5. Aggregated & Anonymized Data
- We may share anonymized, aggregated statistics that cannot identify you
- Examples: "80% of users prefer dark mode" or "Average session duration: 25 minutes"
- Used for research, press releases, or public presentations
Data Processors
We use trusted third-party processors who handle data on our behalf:
| Processor | Role | Data Access | Location |
|---|---|---|---|
| Google (Firebase) | Cloud infrastructure, analytics | Settings, analytics only | Global (primary: US) |
| Google Play | App distribution | Installation data | Global |
All processors are contractually required to use data only for specified purposes, implement appropriate security measures, not disclose data to unauthorized parties, and delete data when no longer needed.
Your Rights & Choices
You have full control over your data. Here are your rights and how to exercise them:
| Right | How to Exercise | Response Time |
|---|---|---|
| Access Your Data | Email support@zrota.us with subject "Data Access Request" | 30 days |
| Correct/Update Data | Update in app Settings > Account or contact us | Immediate / 30 days |
| Delete Local Data | Uninstall AudiFlo or use Settings > Clear Local Data | Immediate |
| Delete Cloud Data | Settings > Account > Delete Account | Within 30 days |
| Delete Analytics data | Email support@zrota.us | Per Firebase retention (14 months) |
| Delete Account | Settings > Account > Delete Account | Within 30 days |
| Export Your Data | Email support@zrota.us with subject "Data Export Request" | 30 days |
| Opt Out of Cloud Sync | Never sign in, or Settings > Account > Sign Out | Immediate |
| Opt Out of Analytics | Email support@zrota.us with subject "Opt Out of Analytics" | 7 days |
| Disable Notifications | Settings > Notifications > Disable All Notifications | Immediate |
| Revoke Google Access | Visit myaccount.google.com/permissions > Remove AudiFlo | Immediate |
| Object to Data Processing | Email support@zrota.us | 30 days |
| Lodge a Complaint | Contact DPA (India/EU/US) | - |
Our Commitment: We prefer to resolve concerns directly. Please contact support@zrota.us first.
Data Retention
We retain data only as long as necessary for app functionality and legal compliance.
Local Data (On Your Device)
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Imported documents | Until you delete them | Manual deletion or app uninstall |
| Reading progress | Until you delete them | Manual deletion or app uninstall |
| Bookmarks & highlights | Until you delete them | Manual deletion or app uninstall |
| App settings (local) | Until you clear app data | Settings > Clear Data or uninstall |
Control: You have complete control. We cannot access or delete local data remotely.
Cloud Data (Firebase - If Signed In)
| Data Type | Retention Period | Automatic Deletion |
|---|---|---|
| Account information | While account is active | Upon account deletion (30 days) |
| Synced settings | While account is active | Upon account deletion (30 days) |
| TTS preferences | While account is active | Upon account deletion (30 days) |
| Inactive accounts | Indefinitely | Only on user request |
Analytics & Crash Data
- Firebase Analytics events: 14 months (governed by Firebase retention policy)
- Crash reports: 90 days (governed by Firebase Crashlytics policy)
- Performance metrics: 90 days (governed by Firebase Performance policy)
Automatic Deletion: Firebase automatically purges analytics data after retention periods.
Legal Retention
We may retain certain data longer if required by legal obligations, ongoing legal disputes, or legitimate business interests (fraud prevention, security). We will inform you if we must retain your data beyond normal retention periods.
Children's Privacy
AudiFlo requires users to be at least 13 years of age (or 16+ in certain jurisdictions where applicable).
COPPA Compliance (USA)
We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
No Directed Content
AudiFlo is not designed or marketed to children under 13.
Parental Notice
If you are a parent or guardian and believe your child under 13 has provided personal information to AudiFlo, please contact us immediately at support@zrota.us and we will delete the account and all associated data within 30 days.
International Data Transfers
AudiFlo is developed in India and uses Firebase infrastructure hosted by Google, which may process data in various global regions. This means your data may be transferred to and processed in countries outside India.
Transfer Safeguards
- Standard Contractual Clauses (SCCs) - Google (Firebase) uses EU-approved Standard Contractual Clauses
- Encryption in Transit - All data transferred internationally uses TLS 1.3 / HTTPS encryption
- Firebase Security Certifications - SOC 2 Type II, ISO 27001, GDPR-compliant infrastructure
Your Rights by Region
- EU/EEA/UK: Full GDPR rights apply (access, deletion, portability, etc.)
- India (DPDP Act): Rights under Digital Personal Data Protection Act 2023 apply
- California (CCPA/CPRA): Right to know, delete, and opt out of data sales (we don't sell data)
- Other Regions: We respect data protection rights recognized in your jurisdiction. Contact support@zrota.us
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in data practices, new features, or legal requirements.
Notification of Changes
- Minor Changes: Update the "Last Updated" date at the top, post revised policy in-app.
- Material Changes: Update "Effective Date", notify via in-app notification and email (if signed in) with 30 days' notice.
Continued use of AudiFlo after changes take effect constitutes acceptance of the updated Privacy Policy.
Version History
You can request previous versions of this Privacy Policy by emailing support@zrota.us.
Contact Us
Email: support@zrota.us
Developer: ZrotA
Location: Assam, India
Specific Requests
| Request Type | Email Subject | Response Time |
|---|---|---|
| Data access request | "Data Access Request" | 30 days |
| Data deletion request | "Delete My Data" | 30 days |
| Data export request | "Data Export Request" | 30 days |
| Opt out of analytics | "Opt Out of Analytics" | 7 days |
| Privacy concerns | "Privacy Question" | 5-7 business days |
| Security issues | "Security Issue - URGENT" | 48 hours |
| General support | "AudiFlo Support" | 5-7 business days |
What to Include in Your Request
For faster processing, please include your name and account email (if signed in), clear description of your request, and any relevant details (e.g., device model, app version).
Data Protection Officer
For formal data protection inquiries, email support@zrota.us (mark "ATTN: Data Protection"). We will designate a formal DPO when required by law.
Complaints & Escalation
- Escalate internally: Reply to our response requesting escalation
- File a complaint: Contact your local data protection authority
- Legal action: You may have the right to pursue legal remedies
Additional Information
Google Play Data Safety Disclosure
As required by Google Play, here's our complete data safety disclosure:
| Data Type | Collected? | Shared with Third Parties? | Purpose |
|---|---|---|---|
| Email address | ✅ Optional (if signed in) | ❌ No | Account authentication |
| Name | ✅ Optional (from Google) | ❌ No | Personalization |
| Profile photo | ✅ Optional (from Google) | ❌ No | Visual personalization |
| App interactions | ✅ Yes (anonymized) | ❌ No | Analytics, app improvement |
| Crash logs | ✅ Yes (anonymized) | ❌ No | Bug fixes, stability |
| Device identifiers | ✅ Firebase Auth tokens only | ❌ No | Authentication only |
| Location | ❌ Never collected | ❌ No | N/A |
| Financial information | ❌ Never collected | ❌ No | N/A |
| Health information | ❌ Never collected | ❌ No | N/A |
| Personal documents | ⚠️ Local only | ❌ Never uploaded | TTS playback (local) |
| Reading progress | ⚠️ Local only | ❌ Never uploaded | Save your place |
| Bookmarks/highlights | ⚠️ Local only | ❌ Never uploaded | Personal reference |
Security Practices
- Data encrypted in transit - TLS 1.3 / HTTPS for all network communication
- Data encrypted at rest - AES-256-GCM for sensitive local data
- User can request deletion - Via Settings > Account > Delete Account
- No third-party data sharing - Your data stays with AudiFlo and Firebase only
- Compliant with Google Play Families Policy - When applicable
Open Source Privacy
AudiFlo uses open-source libraries with audited privacy practices:
- Firebase SDK (Apache License 2.0)
- flutter_secure_storage (BSD-3-Clause)
- Google Sign-In (Google APIs)
Full license attributions available in Settings > About > Open Source Licenses
Summary - Your Privacy in Plain English
What we collect: Your email (optional, only if you sign in with Google), app settings you choose to sync (optional), anonymous usage stats to improve the app.
What we DON'T collect: Your reading content (PDFs, books, documents) - NEVER uploaded, your reading history or behavior, your location, any personal information beyond basic account info.
Your control: Use offline without an account - fully functional, delete your data anytime, export your data in portable format, opt out of analytics.
Our promise: We never sell your data, we never use your data for ads, your documents stay on your device, your privacy is our priority.