Play Console guide

Data Safety answers

Use this page as the source of truth when completing the Google Play Data Safety form for BPass.

Recommended form answers

Account creationNo

BPass does not create a developer-hosted account or sign-in identity.

Data collectedYes, optional

Only if the user enables Google Sheet sync. The app sends authenticator backup data to the Apps Script URL configured by the user.

Data sharedNo sale or advertising sharing

BPass does not send data to ads, analytics, or developer-operated servers. Optional sync sends data to the user-controlled Google Sheet endpoint.

PurposeApp functionality

Optional backup, restore, and sync of authenticator entries.

Encryption in transitYes

The app only accepts HTTPS Google Apps Script /exec URLs for Sheet sync.

Sheet secret storageEncrypted before sync

TOTP secrets are encrypted locally with the user's Settings webhook secret before being written to the Sheet.

User deletionSupported locally

Users can delete entries in the app, clear app storage, uninstall the app, and delete synced Sheet rows directly from their Google Sheet.

Optional data types for Sheet sync

  • Issuer or platform name
  • Account label, such as an email or username entered by the user
  • Encrypted TOTP secret when optional Sheet sync is enabled
  • TOTP algorithm, digits, period, and created timestamp
  • User-configured Apps Script URL, webhook secret, and sheet tab names

Not collected by BPass

  • Advertising ID
  • Analytics events
  • Precise or approximate location
  • Contacts
  • Photos, videos, audio, or camera capture
  • SMS, call logs, calendar, health, payment, or device identifiers

Do not mark as no data collected

If Google Sheet sync is shipped in the app, declare optional data collection for app functionality. The transfer is user-configured, but it still leaves the device when sync is enabled.