Application Privacy Policy

2. Scope and summary

This policy applies to the Photo Transfer App for iPhone, iPad, Android, Mac, and Windows (together, the "App"). It complies with the EU GDPR, the UK GDPR, the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), the California Consumer Privacy Act as amended by the CPRA, the Brazilian Lei Geral de Proteção de Dados (LGPD), the Canadian PIPEDA, the South African POPIA, and applicable platform rules (Apple App Store Review Guidelines and Google Play Developer Program Policies).

A short summary of what matters most:

• The App was built so that your photos and videos never pass through our servers. Local transfers run peer-to-peer over your Wi-Fi network. Cloud transfers go directly between your device and the cloud provider you choose.
• We do not sell your personal data and we do not share it for cross-context behavioural advertising.
• When the free version of the App displays advertising, ad selection is handled by Google AdMob. In regulated regions you are asked for consent through Google's User Messaging Platform (UMP); on iOS you are asked separately through Apple's App Tracking Transparency (ATT) prompt.
• Subscriptions are billed and managed by Apple or Google. We use RevenueCat only to know whether your subscription is active across devices.
• We use Firebase Analytics, Firebase Crashlytics, and Adjust to understand how the App is used and to fix problems. You can opt out at any time from the App's settings.

3. Data we process and why

We do not ask for your name, postal address, or phone number, and the App does not include a user account you need to register for.

4. Legal bases

For users in the EEA, United Kingdom, and Switzerland, we rely on the following bases under Article 6 GDPR:

• Performance of a contract (Article 6(1)(b)) — to provide the App's core features, including local and cloud transfers, restoring purchases, and verifying your subscription entitlement.
• Consent (Article 6(1)(a)) — for personalised advertising on iOS (ATT) and Android (UMP) and, where required by local law, for non-essential analytics. You can withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)) — for aggregated usage and crash analytics, fraud and abuse prevention, and for attributing installs. We balance these interests against your rights and freedoms and offer opt-outs.
• Legal obligation (Article 6(1)(c)) — to respond to verified rights requests, comply with court orders, and meet tax or accounting obligations related to subscriptions.

5. On-device processing and transfers

The App is designed to keep your media on your own devices. There are two supported transfer paths, and Mobileware Studio has no access to the content of transfers on either path:

• Peer-to-peer transfer. Devices discover each other over the local Wi-Fi network using Bonjour/mDNS and exchange files directly through an embedded HTTP server that runs on the sending device. Traffic stays inside your local network.
• Cloud transfer. When you connect Google Drive, Dropbox, OneDrive, or Flickr, the App authenticates with the provider on your behalf using OAuth. Files travel directly between your device and the provider you picked. Authentication tokens are stored in the operating system's secure storage on your device and are never transmitted to Mobileware Studio.

Earlier versions of the App included a "Send to Someone" feature that relied on Amazon Web Services to temporarily store files for recipient download. That feature has been removed. No media is uploaded to Amazon or to any Mobileware-controlled server.

6. Third-party processors

We rely on a small number of carefully selected providers. Each one acts as a data processor for us under Article 28 GDPR, or as an independent controller when the nature of the service requires it (for example, Apple and Google for payment processing). We have executed data processing agreements and, where applicable, Standard Contractual Clauses with each of them.

7. Advertising and consent (ATT and UMP)

The free version of the App displays advertising served by Google AdMob. The PRO version does not display advertising.

• On iOS/iPadOS we show Apple's App Tracking Transparency prompt before any tracking identifier is used. If you select "Ask App Not to Track", the IDFA is not available to AdMob or any other partner, and ads are non-personalised.
• On Android we show Google's User Messaging Platform (UMP) consent form in regions where required. If you reject personalisation, AdMob receives only limited data to serve non-personalised ads, and IAB Transparency and Consent Framework signals are passed accordingly.
• On both platforms you can change your choice later: reset ATT in iOS Settings → Photo Transfer App → Allow Tracking, or reopen UMP from the App's "More" or "Settings" screen.
• Even with consent, we never upload the content of your transfers to AdMob or any advertising partner. Advertising is measured, not fed by your photos.

8. In-app purchases and subscriptions

We offer the App as a free download with optional PRO subscription tiers (monthly, yearly, and, on some platforms, a one-time lifetime purchase). Purchases are processed by Apple through the App Store or by Google through Google Play. We do not receive or store your payment card or billing information. Apple and Google share with us only limited purchase metadata required to grant you the features you bought (subscription identifier, validity period, anonymous transaction identifier).

We use RevenueCat to reconcile this purchase metadata so that your PRO entitlement works across your devices and can be restored if you reinstall the App. RevenueCat stores an anonymous user identifier, your purchase history, entitlement state, and, where allowed, your attribution identifier. RevenueCat does not receive payment card data. You can consult RevenueCat's own privacy policy at revenuecat.com/privacy.

Cancellations, refund requests, and subscription management are handled by Apple or Google under their own policies. See section 5 of the App Terms of Service for the details that govern the contract itself.

9. Cloud connections

You can connect the App to Google Drive, Dropbox, OneDrive, or Flickr in order to upload or download photos and videos. These connections are made via OAuth: you authenticate directly with the provider, which returns an access token (and optionally a refresh token) to the App.

• Tokens are stored in the operating system's secure storage (iOS Keychain or Android EncryptedSharedPreferences backed by Android Keystore). They are never transmitted to Mobileware Studio.
• Once connected, requests to read or upload files go directly between the App and the provider. We do not proxy or inspect that traffic.
• You can revoke access at any time from the App's "Cloud" or "More" section, or from the provider's website (for example, Google Account → Security → Third-party apps).
• Once you are connected to a provider, that provider becomes an independent controller for the data you share with it. Its own privacy terms apply.

10. Push notifications

The App may ask for permission to send push notifications. These are delivered through Apple Push Notification Service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. The device token used for delivery is generated by the operating system and does not identify you directly. You can disable push notifications at any time in the operating system's settings.

11. International transfers

Some of the providers listed above process personal data outside the European Economic Area, mainly in the United States. Where that happens we rely on the mechanisms set out in Chapter V GDPR:

• The European Commission's adequacy decision for the EU–US Data Privacy Framework (Implementing Decision (EU) 2023/1795) for certified providers such as Google LLC, Apple Inc., Microsoft Corporation, and RevenueCat, Inc.
• The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where appropriate, supplementary measures following the Schrems II judgment.
• The UK Information Commissioner's International Data Transfer Addendum for transfers from the United Kingdom.

Copies of the relevant clauses are available on request via the contacts in section 1.

12. Retention

• Photos, videos, and metadata transferred through the App — never stored by Mobileware Studio.
• Cloud OAuth tokens — stored on your device until you disconnect the provider or uninstall the App.
• Firebase Analytics event data — retained for 14 months (the shortest retention currently offered by Google), then automatically deleted.
• Firebase Crashlytics reports — up to 90 days for full crash details; summary data retained for up to 12 months.
• Adjust attribution data — retained under Adjust's default retention (24 months) unless extended by contract.
• RevenueCat subscription data — retained for the life of your subscription and for an additional period needed to comply with tax, accounting, and chargeback obligations (up to 10 years in Spain under Article 30 of the Commercial Code).
• Support correspondence — retained for up to 3 years to document the exchange, longer if required by law.

13. Your rights

Subject to local law you have the following rights:

• Access, rectification, erasure, restriction, objection, and portability under Articles 15–21 GDPR and equivalent provisions in other jurisdictions.
• Withdrawal of consent at any time — through ATT or UMP for ads, or by writing to us for other consent-based processing.
• Right not to be subject to automated individual decision-making producing legal or similarly significant effects. The App does not make such decisions.
• Right to lodge a complaint with the supervisory authority of your country of residence. In Spain, that is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid — aepd.es.

To exercise these rights, email support@phototransferapp.com. Because the App does not have user accounts, we may ask for information that helps us locate any data we hold about you (for example, your App install identifier, your approximate country, and the date you first used the App). We will reply within one month and may extend this period by two further months for complex or numerous requests, informing you of the reason.

14. California (CCPA/CPRA)

California residents have the rights described in section 10 of our Website Privacy Policy, including the right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information, plus the right to non-discrimination.

The categories of personal information we have collected through the App in the past 12 months, using the CCPA categories, are: identifiers (advertising identifiers when permitted, anonymous app install ID, device push tokens), internet or other electronic network activity (event logs, crash reports), geolocation (approximate, country-level only), commercial information (subscription status). Sources are you, your device, and our processors. We disclose these categories to the processors listed in section 6 for the purposes set out there. We do not sell or share this information in the CCPA sense and we do not process sensitive personal information beyond the limited purposes permitted by law. We honour the Global Privacy Control signal where we can technically receive it.

15. Brazil (LGPD)

In Brazil, the LGPD applies. In addition to the rights in section 13, you may request information about public and private entities with which we have shared your data. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).

16. United Kingdom

Users in the United Kingdom have equivalent rights under the UK GDPR and the Data Protection Act 2018. The supervisory authority is the Information Commissioner's Office (ICO) — ico.org.uk.

17. Children

The App is intended for a general audience and is not directed at children under 13 (or 16 in the EEA or the United Kingdom where local law sets that as the minimum age for consent to information-society services). We do not knowingly collect personal data from children. Parents or guardians who believe their child has used the App may contact us at support@phototransferapp.com and we will delete any data associated with their device.

18. Security

We apply technical and organisational measures appropriate to the risk, including TLS encryption of all external network traffic, secure on-device storage of cloud tokens (iOS Keychain or Android Keystore-backed EncryptedSharedPreferences), least-privilege access controls, and regular security review of our suppliers. No method of electronic storage or transmission is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority in accordance with Articles 33–34 GDPR.

19. Changes

We may update this policy to reflect changes to the App, its processors, or applicable law. The "Effective" date at the top of the page indicates the current version. Material changes will be flagged inside the App or on this page, and, where required, fresh consent will be sought.

20. Contact and complaints

Questions, rights requests, or complaints: support@phototransferapp.com. Corporate and legal matters: info@mobilewarestudio.com. Postal address: see section 1.

© Mobileware Studio, S.L. All rights reserved. This policy is published in English. In case of translation, the English version prevails.