Play Console guide
Data Safety answers
Use this page as the source of truth when completing the Google Play Data Safety form for BPass.
Recommended form answers
Account creationNoBPass does not create a developer-hosted account or sign-in identity.
Data collectedYes, optionalOnly if the user enables Google Sheet sync. The app sends authenticator backup data to the Apps Script URL configured by the user.
Data sharedNo sale or advertising sharingBPass does not send data to ads, analytics, or developer-operated servers. Optional sync sends data to the user-controlled Google Sheet endpoint.
PurposeApp functionalityOptional backup, restore, and sync of authenticator entries.
Encryption in transitYesThe app only accepts HTTPS Google Apps Script /exec URLs for Sheet sync.
Sheet secret storageEncrypted before syncTOTP secrets are encrypted locally with the user's Settings webhook secret before being written to the Sheet.
User deletionSupported locallyUsers can delete entries in the app, clear app storage, uninstall the app, and delete synced Sheet rows directly from their Google Sheet.
Optional data types for Sheet sync
- Issuer or platform name
- Account label, such as an email or username entered by the user
- Encrypted TOTP secret when optional Sheet sync is enabled
- TOTP algorithm, digits, period, and created timestamp
- User-configured Apps Script URL, webhook secret, and sheet tab names
Not collected by BPass
- Advertising ID
- Analytics events
- Precise or approximate location
- Contacts
- Photos, videos, audio, or camera capture
- SMS, call logs, calendar, health, payment, or device identifiers
Do not mark as no data collected
If Google Sheet sync is shipped in the app, declare optional data collection for app functionality. The transfer is user-configured, but it still leaves the device when sync is enabled.