Privacy Policy

The SDK is integrated by mobile app publishers (“Publishers”) into their iOS and Android apps. It runs as logic inside the Publisher’s own Firebase project, orchestrates ad requests across third-party ad networks, and reports performance back to the Publisher.

With respect to end-user personal data processed through the SDK, Publishers are the data controllers and Apps Kit acts as a data processor on their behalf. End users should refer to the Publisher’s in-app privacy policy as the primary disclosure.

The SDK and the partner ad networks it mediates may process the following categories of information from a Publisher’s app users:

• Advertising identifiers: Google Advertising ID (GAID), Apple Identifier for Advertisers (IDFA, when ATT permission is granted), Identifier for Vendor (IDFV), Android App Set ID.
• Device and technical data: device model, manufacturer, OS name and version, system language, country, time zone, screen size, network connection type, carrier.
• App data: app bundle ID, app version, SDK version, session start and duration, install timestamp.
• Ad interaction data: ad request, impression, click, viewable impression, eCPM, fill / no-fill, mediation waterfall result, ad unit ID, ad format.
• Coarse location derived from IP address (country / region). The SDK does NOT collect precise GPS location.
• Consent and privacy signals: IAB TCF v2.2 consent string, Google Additional Consent, IAB Global Privacy Platform (GPP) string, US Privacy String, COPPA flags.
• Diagnostic data: crash reports, ANR reports, latency metrics, and error logs strictly to maintain SDK stability.

The SDK does not knowingly collect names, email addresses, phone numbers, payment card data, government IDs, biometric data, or precise location.

• Serving and mediating ads across multiple ad networks to maximize fill and revenue.
• Frequency capping, pacing, and user experience controls.
• Measurement, attribution, and reporting back to the Publisher.
• Detection and prevention of invalid traffic, fraud, and abuse.
• Compliance with the Publisher’s configured consent and privacy settings (GDPR, CCPA, COPPA, etc.).
• Stability, security, and improvement of the SDK.

To deliver ads, the SDK shares request-time signals with the ad networks the Publisher has enabled. Each network is an independent controller of the data it receives and is governed by its own privacy policy. Current partners include:

• Google AdMob / Google Ads
• AppLovin / MAX
• Unity Ads (Unity LevelPlay / ironSource)
• Meta Audience Network
• Mintegral
• Liftoff / Vungle
• Pangle (ByteDance)
• InMobi
• Chartboost
• Digital Turbine / Fyber
• Smaato
• Verve Group

This list may change as Publishers enable or disable networks. Publishers are responsible for disclosing the active set of networks in their own app privacy policy and in their Google Play Data Safety form and Apple Privacy Nutrition Labels.

• Consent — for personalized advertising, use of advertising identifiers, and other purposes that require consent under the ePrivacy Directive and GDPR. Consent is captured via the Publisher’s IAB TCF v2.2 / GPP-compliant Consent Management Platform (CMP).
• Legitimate interests — for fraud prevention, security, debugging, frequency capping, contextual advertising, and aggregated analytics.
• Performance of a contract — to provide the SDK to the Publisher.
• Legal obligation — where applicable law requires retention or disclosure.

The SDK supports IAB TCF v2.2 with Google Additional Consent, IAB GPP for US state privacy laws, and the legacy US Privacy String. When a user denies consent or opts out, the SDK signals downstream networks accordingly and falls back to non-personalized or contextual ads where supported. On iOS, the SDK only accesses IDFA when the user has granted App Tracking Transparency (ATT) permission and respects a denied state across all networks.

The SDK is not directed to children. Publishers operating apps directed to children or mixed-audience apps must enable the appropriate flags (tagForChildDirectedTreatment / tagForUnderAgeOfConsent) before initialization. When these flags are set, the SDK disables personalized advertising, restricts data sharing with downstream networks to those certified for child-directed traffic (per Google Play Families Policy and the Apple Kids Category guidelines), and complies with the Children’s Online Privacy Protection Act (COPPA).

Depending on where you live, you may have the following rights with respect to your personal data:

• EEA, UK, Switzerland (GDPR / UK GDPR): access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time.
• California (CCPA / CPRA): right to know, delete, correct, and opt out of the “sale” or “sharing” of personal information, including cross-context behavioral advertising. We treat the use of advertising identifiers for personalized ads as a “sale/share” under CPRA and honor Global Privacy Control (GPC) signals.
• Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted): equivalent rights of access, deletion, correction, and opt-out of targeted advertising.
• Brazil (LGPD), Canada (PIPEDA), and other jurisdictions with comparable rights.

End users should exercise these rights through the Publisher of the app in which they encountered an ad. Publishers can contact us at privacy@appskitsdk.com for assistance.

Aggregated reporting and analytics are retained for the duration of the Publisher’s contract plus a limited grace period. Raw event-level data containing advertising identifiers is retained for the period required to detect fraud, reconcile revenue, and meet legal obligations — typically 13 to 24 months — after which it is deleted or de-identified. Each downstream ad network applies its own retention policy.

Data may be processed in countries outside your country of residence, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions to safeguard cross-border transfers.

Data in transit is encrypted with TLS. Publisher reporting data lives inside the Publisher’s own Firebase project under their access controls. We follow industry-standard practices for access control, vulnerability management, logging, and incident response. No system is perfectly secure; we cannot guarantee absolute security.

Publishers integrating the SDK must:

• Maintain an accurate, accessible in-app privacy policy disclosing the use of the SDK and the ad networks enabled.
• Complete the Google Play Data Safety form and Apple Privacy Nutrition Labels truthfully, including the “Advertising or Marketing” and “Data Used to Track You” categories where applicable.
• Implement a certified CMP and pass valid TCF / GPP signals to the SDK.
• Display the ATT prompt on iOS where required and respect the user’s choice.

We may update this Privacy Policy from time to time. Material changes will be posted on this page with a new effective date and, where appropriate, communicated to Publishers through the dashboard or by email.

Questions, requests, or complaints can be sent to privacy@appskitsdk.com or by post to:

Pentabit Labs Apps Kit SDK 30 N Gould St, Suite 51546 Sheridan, WY 82801 United States