SDK disclosure · last audit 2026-05-09

Five SDKs. Each one named.

A table of every third-party network SDK in the QiFlux build, what it sends, when it sends it, and the on/off switch you have. The cap is 5. We are at 5.

SDK · 01 of 05

RevenueCat

Validates Apple StoreKit / Google Play Billing receipts so we know which features to unlock.

always-on · purchase only
FieldValue
What it sendsAnonymous UUID (per device) · purchase receipt · subscription status
What it never seesCycle data · 體質 tag · symptoms · name · email · IP (proxied via Apple/Google)
WhenOn purchase · on app launch (subscription status refresh)
RegionUS-East · processed under SOC 2 Type II
SwitchNone — required for billing. The data sent is functionally what Apple/Google already see.

SDK · 02 of 05

Google Mobile Ads (rewarded only)

Loads the optional rewarded video ad for free-tier users who choose "看廣告兌換 1 點" instead of waiting for the daily refresh.

opt-in · free tier only
FieldValue
What it sendsStandard ad-request payload (advertising ID, locale, app bundle, OS version)
What it never seesCycle data · 體質 tag · symptoms · purchase history · in-app behavior beyond "ad button tapped"
WhenOnly when the user actively taps "看廣告兌換 1 點"
Frequency cap5 per day per device
SwitchRemoved entirely from the build for Premium users · ATT prompt on iOS, "Limit ad tracking" honored

SDK · 03 of 05

Sentry

Crash reporter. Off by default; user must explicitly enable it in Settings → Help us improve.

opt-in · default OFF
FieldValue
What it sendsStack trace · device model · OS version · app version · breadcrumb of last 20 nav events (screen names only, no data)
What it never seesCycle data · symptoms · 體質 · UI text content · screenshots
WhenOnly on crash · only if user opted in
RegionSelf-hosted on EU-Central (Frankfurt) · GDPR DPA in place
SwitchSettings → Help us improve → toggle. Off by default for every install.

SDK · 04 of 05

Sign-in-with-Apple

Used only if you opt in to iCloud backup, to bind the encrypted blob to your Apple ID. We never see your email.

opt-in · backup only
FieldValue
What it sendsApple-issued opaque user identifier (private relay email if you choose)
What it never seesReal email (relay'd by Apple) · cycle data · device identifiers
WhenOne-time, when you tap "Backup to iCloud" in Settings
SwitchSign out from Settings → Backup → Disconnect, anytime

SDK · 05 of 05

google_sign_in (Android only)

Mirrors Sign-in-with-Apple on Android: only if you opt in to Google Drive backup.

opt-in · backup only
FieldValue
What it sendsGoogle-issued opaque user identifier · OAuth scope: drive.appdata only
What it never seesDrive contents outside our app sandbox · contacts · calendar · email contents
WhenOne-time, when you tap "Backup to Google Drive"
SwitchSettings → Backup → Disconnect, anytime · revoke at myaccount.google.com

Cap policy

5 SDKs is the ceiling, not the goal.

If we want to add a sixth, one of the existing five must come out first. The cap is enforced in CI: scripts/check-sdk-count.sh fails the build if the network-SDK count exceeds 5.