Mobile App — Privacy Policy

Overview

AuthRelay is an Android app that lets you use your phone to complete Google sign-in on desktop browsers. This policy describes what data the mobile app collects and how it is used.

AuthRelay is designed with a zero-knowledge architecture — your Google credentials and OAuth tokens never leave your device or reach our servers in readable form.

What the App Does

• Scans a QR code displayed by the AuthRelay Chrome extension on your desktop.
• Opens the Google sign-in page in an in-app browser on your phone.
• Captures the OAuth callback URL and relays it to your desktop via an encrypted relay server.

Permissions Used

• Camera — Used solely to scan QR codes. Camera access is not recorded, stored, or transmitted.
• Internet — Required to communicate with the relay server and load OAuth sign-in pages.

Data Collection

Data we do NOT collect

• Your Google username, password, or credentials
• OAuth access tokens or refresh tokens
• Personal information (name, email, phone number)
• Contacts, photos, files, or any on-device data

Data collected automatically

The app uses the following Firebase services to improve stability and understand usage patterns:

• Firebase Analytics — Collects anonymous usage events such as screen views and feature interactions. No personally identifiable information is included.
• Firebase Crashlytics — Collects anonymous crash reports including device model, OS version, and stack traces. This helps us identify and fix bugs. Crash reports never contain your Google credentials or OAuth tokens.

Firebase may also automatically collect:

• Device type, manufacturer, and operating system version
• Approximate location (country/region level, derived from IP address)
• App version and session duration

Data Storage & Retention

• Login history (timestamp and provider) is stored locally on your device using SharedPreferences. It is never transmitted to any server.
• Relay sessions are ephemeral — they expire automatically and are never persisted on the server.
• Firebase Analytics data is retained according to Google's Firebase data retention policies.

Third-Party Services

• Firebase Analytics — Anonymous usage analytics. See Firebase Privacy.
• Firebase Crashlytics — Anonymous crash reporting. See Firebase Privacy.
• Google OAuth — Sign-in is handled by Google's standard OAuth flow. See Google Privacy Policy.

Children's Privacy

AuthRelay is not directed at children under the age of 13. We do not knowingly collect personal information from children.

Open Source

AuthRelay is fully open source under the MIT License. You can audit the complete source code on GitHub.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.

Contact

If you have questions about this privacy policy or want to request data removal, please open an issue on our GitHub repository.