1. Introduction

This Privacy Policy explains how AnyAOD+ LED ("we", "us", "the app") handles your data. Your privacy is our highest priority.

2. Data Controller

Developer: Timo Steiss (flokati.dev)

Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: https://flokati.dev

3. What Data is Processed?

3.1 Notification Data (Local Only)

Data Type	Purpose	Storage
App package names from notifications	Display on Always-On Display	Not stored, only displayed temporarily
Notification timestamp	Ordering of notification signals	Not stored
App icons	Visual representation (NotifBadges)	Cached by Android system

Important: The app does NOT read notification content — no titles, no texts, no sender names. Only the package name (e.g. "com.whatsapp") and timestamp are accessed. This is verifiable in our public source code (see section 17).

3.2 Calendar Data (Optional, PRO version only)

Data Type	Purpose	Storage
Title of next event	Display on AOD	Not stored, only retrieved live
Event time	Display on AOD	Not stored, only retrieved live

Calendar data is read only on demand, processed only locally, and never transmitted to any external server.

3.3 Device Information (Local Only)

Data Type	Purpose	Storage
Battery level	Display on AOD	Not stored, only retrieved live
Time & Date	Display on AOD	Not stored, only retrieved live
Screen orientation	Layout adaptation	Not stored
Bluetooth connection status	Display of connection icon	Not stored (only "connected / not connected")
WiFi connection status	Display of connection icon	Not stored (no SSID, no MAC address)

3.4 Data Transmitted to Third Parties (Only for Specific Optional Features)

🌦️ Weather Feature (Optional — Only When Enabled)

If you enable the weather element in the Custom AOD, the following data is sent to Open-Meteo:

Data Type	Purpose	Recipient
City name you entered	Geocoding to coordinates	Open-Meteo (open-meteo.com)
Resulting geographic coordinates	Weather forecast lookup	Open-Meteo (open-meteo.com)
IP address	Technically unavoidable with any HTTP request	Open-Meteo (open-meteo.com)

About Open-Meteo: Open-Meteo is a privacy-friendly, non-commercial weather service based in Switzerland (operated by Patrick Zippenfenig). No cookies, no tracking, no API key, no registration. Details: https://open-meteo.com/en/terms

Your control: If you do NOT enable the weather feature, no connection to Open-Meteo is ever made.

💳 In-App Purchases (Only When You Purchase)

For optional premium features, the app uses the official billing service of your app store:

• Google Play version: Google Play Billing (operated by Google Ireland Limited)
• Samsung Galaxy Store version: Samsung In-App Purchase (operated by Samsung Electronics)

These are fully handled by Google / Samsung. Payment data never reaches us. We only receive the information whether a purchase was successful (to unlock premium features). No payment details, no credit card numbers, no personal data is visible to us.

• Google privacy policy: https://policies.google.com/privacy
• Samsung privacy policy: https://www.samsung.com/request-desk

📊 Crash Reporting (Firebase Crashlytics) — Active by Default, Opt-Out

To detect crashes and improve app stability, AnyAOD+ LED uses Firebase Crashlytics, provided by Google Ireland Limited.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining a stable, crash-free app. As a small developer, reliable crash reporting is essential for fixing bugs that affect all users. No personal data is collected.

Your right to object (Art. 21 GDPR): You can disable crash reporting at any time in the app under Settings → Privacy. From that moment on, no further crash reports are sent.

What is collected:

Data Type	Purpose	Recipient
Crash reports (stack traces)	Identify and fix bugs	Firebase / Google Ireland
Device model, Android version, manufacturer	Debug device-specific crashes	Firebase / Google Ireland
App version, language, region	Identify which app version is affected	Firebase / Google Ireland
Anonymous app instance ID (Firebase Installation ID)	Group reports from the same install	Firebase / Google Ireland
App settings context (e.g. screen mode, burn-in protection setting)	Diagnose crashes in specific configurations	Firebase / Google Ireland

Storage duration: Crash reports up to 90 days.

📈 Anonymous Usage Statistics (Firebase Analytics) — Off by Default, Opt-In

Optionally, you can help us improve the app by enabling Firebase Analytics, provided by Google Ireland Limited.

Legal basis: Art. 6(1)(a) GDPR — your active consent. Analytics is disabled by default and only activates after you explicitly enable it under Settings → Privacy.

Right to withdraw consent (Art. 7(3) GDPR): You can withdraw your consent at any time using the same toggle. From that moment on, no further usage data is sent.

What is collected (only when enabled):

Data Type	Purpose	Recipient
App usage events (sessions, screen views, feature usage)	Detect general adoption trends	Firebase / Google Ireland
App version, device type, language, region	Identify usage patterns across configurations	Firebase / Google Ireland
Anonymous app instance ID (Firebase Installation ID)	Group sessions from the same install	Firebase / Google Ireland

Important: The advertising ID (AAID) is not used. The corresponding permission is explicitly removed from the app manifest.

Common information for both Firebase services:

• Storage location: Firebase Analytics data is stored in the European Union. Crash reports are processed by Google's global infrastructure under EU Standard Contractual Clauses (Art. 46 GDPR) and the EU-US Data Privacy Framework.
• Storage duration: Crash reports up to 90 days, Analytics data up to 14 months.
• Data Processing Agreement: A GDPR-compliant Data Processing Agreement (Art. 28 GDPR) is in place with Google, automatically concluded via the Firebase Data Processing Addendum.

What is NOT collected by either service:

• ❌ NO personal information (no name, email, phone number)
• ❌ NO advertising IDs
• ❌ NO precise location
• ❌ NO notification content, calendar content, or any user data
• ❌ NO data from the optional weather feature

Google's privacy policy: https://policies.google.com/privacy
Firebase data processing terms: https://firebase.google.com/terms/data-processing-terms

🛡️ Trial Protection (Cloudflare) — Active by Default

To prevent the same device from claiming the 30-day free trial multiple times (via repeated uninstall and reinstall), AnyAOD+ LED uses a server-side trial check on a Cloudflare Worker, provided by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA), with EU presence by Cloudflare Germany GmbH.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in protecting the economic viability of the app and preventing repeated abuse of the free trial period. As a small developer, the trial is the key incentive for users to evaluate the premium version; without protection, the trial loses its purpose.

Your right to object (Art. 21 GDPR): You can object to this processing at any time by writing to This email address is being protected from spambots. You need JavaScript enabled to view it.. Please note that objecting may result in the loss of your remaining trial days, as we can no longer verify your trial status server-side.

What is sent:

Data Type	Purpose	Recipient
Anonymous device hash (64-character SHA-256)	Identify the device for trial verification	Cloudflare, Inc.
App version code	Help diagnose version-specific issues	Cloudflare, Inc.
IP address	Technically unavoidable with any HTTP request	Cloudflare, Inc.

How the hash is created: The hash is generated once on first launch from the Android Device ID and a fixed app-internal value (a "salt"). The Android Device ID itself never leaves your device. The hash cannot be reversed to identify you, your device, or any other app on your device. The hash is unique to this app — even other apps on your device would produce a different hash.

How often is data sent? The check runs once on first launch and afterwards at most once every 7 days in the background. The app starts normally even if the check fails (e.g. when offline) — no functionality is blocked.

Storage location: Data is processed and stored exclusively on Cloudflare servers in the European Union (Western Europe region). EU Standard Contractual Clauses (Art. 46 GDPR) apply for any ancillary processing.

Storage duration: Entries are automatically deleted after 24 months of inactivity (no contact from the device).

Data Processing Agreement: A GDPR-compliant Data Processing Agreement (Art. 28 GDPR) is in place with Cloudflare via the Cloudflare Customer Data Processing Addendum, which is automatically incorporated into Cloudflare's Self-Serve Subscription Agreement.

What is NOT sent:

• ❌ NO name, email address, or phone number
• ❌ NO Google account or device account information
• ❌ NO Android Device ID itself (only a non-reversible hash)
• ❌ NO location data
• ❌ NO usage data, settings, or notification content
• ❌ NO advertising identifiers

Your rights (Art. 15–22 GDPR): You have the right to access, rectification, erasure, and restriction. As the stored hash cannot be linked to a person by us, identifying your individual entry is only possible if you provide us with your device hash. Please contact This email address is being protected from spambots. You need JavaScript enabled to view it. if you wish to exercise these rights.

Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
Cloudflare's Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/

3.5 App Settings

• Configurations: Your personal AOD settings (colors, positions, fonts)
• Presets: Saved design templates
• App Preferences: Language, theme settings, enabled features
• Storage Location: Locally in app sandbox (SharedPreferences & internal files)

4. Required Permissions

4.1 Notification Listener

• Android Permission: BIND_NOTIFICATION_LISTENER_SERVICE
• Purpose: Detect which app posted a notification (for AOD notification signals)
• Usage: Reads only the package name and timestamp. NO notification content, NO title, NO text, NO sender name.
• Data Processing: Only temporary, no storage
• Verifiable: In public source code on GitHub (see section 17)

4.2 Calendar Access (Optional, PRO only)

• Android Permission: READ_CALENDAR
• Purpose: Display next calendar entry on AOD
• Usage: Reads title and time of next event
• Data Processing: Only retrieved live, processed locally, never transmitted
• Necessity: Optional, only when calendar element is activated
• Note: Can be revoked anytime in Android settings

4.3 Internet Access

• Android Permission: INTERNET, ACCESS_NETWORK_STATE
• Purpose: Weather data (Open-Meteo), in-app purchases (Google Play / Samsung), and Firebase Crashlytics / Analytics
• Usage: Only for the features described in section 3.4. No other network destinations are contacted.
• Necessity: Required only for weather (optional), in-app purchases, crash reporting (legitimate interest, opt-out available), and analytics (consent-based, opt-in only)

4.4 Bluetooth / WiFi Status

• Android Permissions: BLUETOOTH_CONNECT, ACCESS_WIFI_STATE
• Purpose: Display connection status icons on AOD (if enabled)
• Usage: Only reads "connected / not connected" state. NO device names, NO SSIDs, NO MAC addresses, NO identifying data.
• Data Processing: Only displayed, never stored or transmitted

4.5 Disable Battery Optimization

• Android Permission: REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
• Purpose: Reliable AOD functionality in standby mode
• Usage: Prevents Android from terminating the service in background
• Impact: Minimal additional battery consumption through optimized design
• Necessity: Recommended for reliable function

4.6 Additional Technical Permissions

• SYSTEM_ALERT_WINDOW: Display AOD over other apps
• USE_FULL_SCREEN_INTENT: Show AOD activity over lockscreen
• FOREGROUND_SERVICE_SPECIAL_USE: Background service for continuous AOD function
• WAKE_LOCK: Brief screen wake for AOD rendering
• POST_NOTIFICATIONS: Notifications for service status (Android 13+)
• RECEIVE_BOOT_COMPLETED: Auto-start AOD service after device reboot

5. How is Data Used?

5.1 Purpose Limitation

All processed data is used exclusively for the purposes described in this privacy policy:

• ✅ Display notifications on Always-On Display
• ✅ Show time, date, battery level, connection icons
• ✅ Display calendar events (optional, PRO)
• ✅ Display weather (optional, if enabled)
• ✅ Process in-app purchases (only when you purchase)
• ✅ Save your personal settings locally
• ✅ Crash reporting via Firebase Crashlytics (legitimate interest, opt-out available)
• ✅ Optional anonymous usage statistics via Firebase Analytics (only with your active opt-in)
• ❌ NO third-party advertising or behavioral tracking
• ❌ NO sharing with advertising partners
• ❌ NO profiling or fingerprinting

Legal-basis summary: Diagnostic data (Crashlytics) is processed on the basis of legitimate interest, with your right to object available at any time in the app settings. Usage statistics (Analytics) are processed exclusively after your active consent, withdrawable at any time in the app settings.

5.2 No Unauthorized Use

The app uses Notification permissions exclusively for the described purposes. There is:

• ❌ NO tracking of your user behavior beyond anonymous Firebase data (with your control as described)
• ❌ NO collection of personal communications
• ❌ NO analysis of notification content
• ❌ NO access to passwords or sensitive data
• ❌ NO advertising IDs collected

6. Data Storage

6.1 Local Storage

All user-configurable data is stored exclusively in your Android device's app sandbox:

• SharedPreferences: App settings and configurations
• Internal Files: Saved presets and design templates
• Access: Only the app itself can access this data
• Encryption: Protected by Android system encryption

6.2 Storage Duration

• Notification data: Not stored (only displayed temporarily)
• Calendar data: Not stored (only retrieved live)
• Device status: Not stored (only retrieved live)
• Weather data: Cached locally until next update (approx. every 6 hours)
• App settings: Until app uninstallation
• Crash reports (Firebase): Up to 90 days on Google's servers
• Analytics data (Firebase): Up to 14 months on Google's servers (only if you opted in)

6.3 Data Deletion

Upon app uninstallation, all locally stored data is automatically deleted:

• ✅ All app settings
• ✅ All saved presets
• ✅ All configuration data
• ✅ All cached weather data

Data previously sent to third parties (Open-Meteo, Google, Samsung, Firebase) is subject to their respective data retention policies — see their privacy policies linked in section 3.4.

7. Data Sharing

The app contains:

• ❌ NO advertising networks
• ❌ NO third-party tracking technologies
• ❌ NO cloud synchronization of your settings
• ❌ NO third-party SDKs beyond: Firebase (Crashlytics + Analytics, see section 3.4) and official Billing SDKs (Google Play / Samsung)

Firebase is a Google service used solely for crash reporting and optional usage analytics — never for advertising, profiling, or behavioral tracking. See section 3.4 for full details.

8. Internet Usage

AnyAOD+ LED uses the internet only for clearly limited purposes:

• Weather data — only if you enable the weather feature (sent to Open-Meteo)
• In-app purchases — only when you make a purchase (processed by Google Play / Samsung)
• Crash reporting — anonymized stability data via Firebase Crashlytics (active by default, opt-out in app settings)
• Optional usage statistics — anonymized usage data via Firebase Analytics (off by default, only with your active opt-in)

Technical Facts:

• ✅ All connections use HTTPS (encrypted in transit)
• ✅ Only Firebase for crash reporting and optional analytics — no third-party tracking, no ad networks
• ✅ No connections to our own servers (we operate none)
• ✅ The weather worker has a kill-switch: if the weather feature is disabled, no network request is ever made
• ✅ All internet usage is verifiable in our public source code (see section 17)

9. Cookies and Tracking

AnyAOD+ LED uses:

• ❌ NO cookies
• ❌ NO third-party tracking or advertising networks
• ❌ NO webviews or browser components
• ❌ NO advertising IDs or device fingerprinting

Firebase Crashlytics is used solely for anonymized crash reports; Firebase Analytics is used (only with your active consent) for anonymized usage statistics. Neither is used for behavioral tracking or advertising — see section 3.4.

10. Your Rights (GDPR)

10.1 Data Access

Since almost all data is stored locally on your device, you have full access at all times:

• View: All settings are visible in the app
• Modify: Possible anytime in app settings
• Export: Presets can be exported as JSON files

For data processed by third parties (Open-Meteo, Google, Samsung, Firebase), please contact them directly — they are the responsible controllers for that data.

10.2 Data Deletion

You can delete your local data completely at any time:

• Option 1: Uninstall app (deletes all local data)
• Option 2: In Android Settings → Apps → AnyAOD+ LED → Storage → Clear Data

To request deletion of Firebase data, contact us at This email address is being protected from spambots. You need JavaScript enabled to view it. — we can request deletion of crash reports and analytics data tied to your anonymous app instance.

10.3 Revoke Permissions and Withdraw Consent

All permissions and consents can be revoked at any time:

• Notifications: Android Settings → Apps → Special Access → Notification Access
• Calendar: Android Settings → Apps → AnyAOD+ LED → Permissions → Calendar
• Weather feature: In the app settings (disables all network requests to Open-Meteo)
• Crash reporting (Crashlytics): In the app settings under "Privacy" (your right to object under Art. 21 GDPR — disables all crash report transmission)
• Anonymous usage statistics (Analytics): In the app settings under "Privacy" (your right to withdraw consent under Art. 7(3) GDPR — disables all analytics transmission; off by default)

Note: Revoking the Notification Listener permission will impair app functionality.

10.4 Additional GDPR Rights

Under the GDPR, you also have the following rights:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing based on legitimate interest (Art. 21 GDPR) — exercised via the "Crash reports" toggle in the app
• Right to withdraw consent at any time (Art. 7(3) GDPR) — exercised via the "Anonymous usage statistics" toggle in the app
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

11. Data Security

11.1 Technical Measures

• ✅ Data stored in protected app sandbox
• ✅ Android system encryption protects all local data
• ✅ All network traffic (weather, billing, Firebase) uses HTTPS encryption
• ✅ No sensitive data transmitted anywhere (weather only uses city names; Firebase only anonymized crash and usage data)
• ✅ Internal app broadcasts use RECEIVER_NOT_EXPORTED — no other app can probe our services
• ✅ Regular security updates of the app

11.2 Best Practices

• Code follows Android Security Best Practices
• Minimal permissions (Privacy by Design)
• No third-party SDKs with data access beyond Firebase (Crashlytics + Analytics) and official Billing SDKs
• Source code for privacy-relevant parts publicly available (see section 17)

12. Children

AnyAOD+ LED is suitable for all age groups. The app:

• ✅ Does not collect personal data from children
• ✅ Contains no content unsuitable for children
• ✅ Requires no age verification
• ✅ Contains no advertising

13. Legal Basis (GDPR)

Data processing is based on:

• Art. 6(1)(b) GDPR: Contract performance (providing app functionality, processing purchases)
• Art. 6(1)(f) GDPR: Legitimate interest (storing settings for better user experience, ensuring app stability via Crashlytics — with your right to object at any time)
• Art. 6(1)(a) GDPR: Consent (for optional features like calendar access, weather data, and Firebase Analytics — withdrawable at any time)

13.1 Third-Country Transfer

Weather data is transmitted to Open-Meteo in Switzerland. Switzerland has an adequacy decision from the EU Commission (Art. 45 GDPR), making this transfer GDPR-compliant.

Data related to in-app purchases is processed by Google Ireland Limited (EU) and Samsung Electronics — see their respective privacy policies for details on any international transfers.

Firebase data is processed by Google Ireland Limited (EU). Firebase Analytics data is stored in the EU. Crash reports may be processed via Google's global infrastructure under EU Standard Contractual Clauses (Art. 46 GDPR) and the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission, July 10, 2023).

14. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in the app or legal requirements.

• Notification: Significant changes will be displayed in the app
• Current Version: Always available at https://flokati.dev/privacy
• Versioning: Date of last update is indicated above

Changelog:

• v2.2 (May 2026): Separation of Firebase Crashlytics (legitimate interest, opt-out) and Firebase Analytics (consent, opt-in); clearer description of withdrawal and objection rights; removal of references to the Accessibility Service (no longer used).
• v2.1 (May 2026): Initial Firebase block added (Crashlytics + Analytics under unified consent model).

15. Contact & Complaints

15.1 Contact for Questions

For privacy questions, contact us:

• Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
• Website: https://flokati.dev

15.2 Right to Lodge Complaint

You have the right to lodge a complaint with a data protection supervisory authority:

• Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
• Other EU countries: Competent national data protection authority
• Outside EU: Your country's relevant data protection authority

16. Summary

17. Open Source Verification

The privacy-relevant parts of the app's source code are publicly available on GitHub, so anyone can verify our claims:

Repository: https://github.com/flokati-dev/anyaod-plus-led-privacy

You can verify yourself:

• That notification content is never read (AodNotificationListener.kt)
• That weather requests only go to Open-Meteo (OwnAodWeatherWorker.kt)
• That the only permissions are the ones listed above (AndroidManifest.xml)
• That only Firebase is included as a third-party SDK for crash reporting and analytics (build.gradle.kts)