Privacy Policy

1. Introduction

NovoTech Pty Ltd ("we", "us", or "our") operates the NovoTech Beam mobile application (the "App"), available on the Google Play Store under the package name com.novotechx.beam.

This Privacy Policy explains what information we collect, how we use it, and the choices you have. By installing or using the App you agree to the practices described in this policy. If you do not agree, please uninstall the App.

Beam is designed to be a privacy-first file-sharing utility. There are no accounts, no contact lists, and no cloud storage of your files. Beam pairs two devices using a short 6-character "Beam Code" and transfers files peer-to-peer using WebRTC. Your file content is never uploaded to or stored on our servers.

To keep the App free, Beam displays advertisements supplied by third-party ad networks through the Appodeal mediation platform (which includes Google AdMob and other ad partners). In regions where data-protection law requires it (such as the European Economic Area, the United Kingdom, and Switzerland), Beam uses Google's User Messaging Platform (UMP) to ask for your consent before any personalised advertising or non-essential data processing takes place. See Section 9 for full details.

2. At-a-Glance Summary

Category	Status	Details
User accounts / login	None	No account, sign-up, email, or contact information required
Personal information collected	No direct identifiers	No name, email, phone, address, or contact list
File content stored on our servers	Never	Files transfer peer-to-peer via WebRTC; no copy is retained by us
Cloud relay (when P2P fails)	Encrypted transit only	If direct P2P is impossible, file bytes are relayed via Cloudflare TURN under DTLS encryption; not persisted (5 MB per-file cap)
Device permissions	Network + AD_ID	INTERNET, ACCESS_NETWORK_STATE, and Google's AD_ID (advertising identifier) permission for ad delivery
Advertising	Yes	Ads served via Appodeal mediation (Google AdMob and other partner networks). Consent collected through Google UMP where required (EEA/UK/Switzerland). See Section 9
Advertising identifier (AD_ID)	Used by ad SDKs	Used by ad partners to limit ad frequency, measure performance, and (with consent) personalise ads. You can reset or opt out via your Android settings
Analytics	Yes	Firebase Analytics (anonymous usage events)
Crash reporting	Yes	Firebase Crashlytics (anonymous crash logs)
Signaling backend	Yes	Supabase is used solely to exchange WebRTC signaling messages (no file data)
In-app purchases	None	The App is free; there are no in-app purchases or subscriptions
Data sold to third parties	No	We never sell, rent, or trade your data

3. How Beam Works (Plain English)

Beam transfers files directly between two devices. The flow is:

1. One device generates a 6-character Beam Code (and optionally a 4-digit PIN).
2. The other device enters that code (and PIN, if set) to identify the session.
3. Both devices connect to a small signaling server (Supabase Realtime) just long enough to exchange the technical handshake details (SDP offers, answers, and ICE candidates) needed to establish a direct connection.
4. Once a peer-to-peer (P2P) WebRTC data channel is open, the file content flows directly between the two devices, encrypted end-to-end with DTLS-SRTP.
5. If the two networks cannot establish a direct path (e.g., strict NATs or symmetric firewalls), WebRTC falls back to a Cloudflare TURN relay. Bytes transit the relay in encrypted form and are not stored. In relay mode, Beam enforces a per-file size cap (currently 5 MB) and displays a banner so you know the relay is in use.
6. The signaling record is removed after the handshake completes or when the code expires (5 minutes by default).

4. Information We Collect

4.1 Information You Provide

Beam does not require registration, login, or any form of account creation. You are never asked to provide your name, email address, phone number, or any other personal information.

When you choose files to send (using Android's Storage Access Framework), the App reads only the files you explicitly select, and only for the duration of the transfer. Beam does not browse, index, or upload your wider file system.

4.2 Information Created During a Transfer (Signaling Metadata)

To pair two devices, the following short-lived signaling data is exchanged through our Supabase backend:

• The 6-character Beam Code (and the hash/comparison of the optional 4-digit PIN)
• A device label or display name you choose for the session (e.g., "Pixel 8")
• Device type (phone, tablet, desktop)
• WebRTC SDP offer/answer descriptors and ICE candidate strings (technical network handshake data — these may include your device's local and public IP addresses so the two peers can find each other)
• Session timestamps (created, joined, expired)

This metadata is held only as long as it takes to establish the connection. The Beam Code and associated session record automatically expire after approximately 5 minutes, and the record is removed once the handshake completes.

4.3 File Content

File content travels over a WebRTC data channel directly between sender and receiver, encrypted in transit using DTLS. We do not have access to the contents, names, sizes, or types of any files you transfer through P2P mode.

When the connection falls back to the Cloudflare TURN relay, file bytes pass through the relay in their already-encrypted form. The relay does not decrypt, log, or retain file content; it forwards encrypted packets only and discards them after delivery.

4.4 Information Collected Automatically (Analytics & Crash Reporting)

When you use the App, the following non-personal information may be collected automatically by our analytics and crash-reporting providers:

a) Firebase Analytics

We use Google Firebase Analytics to understand general usage patterns and improve the App. Firebase Analytics may automatically collect:

• App opens and session duration
• Screen views and navigation flows
• Anonymous event counts (e.g., "session_started", "transfer_completed", "relay_detected")
• Device model, operating system version, and screen resolution
• App version and country/region (derived from IP address, which is not stored)
• Installation source (install referrer)

This data is aggregated and anonymised. We do not link analytics events to the file content of your transfers or to any directly identifying information about you.

b) Firebase Crashlytics

We use Google Firebase Crashlytics to detect and fix crashes and errors. When a crash or non-fatal error occurs, Crashlytics may collect:

• Crash stack traces and exception details
• Device model, operating system version, and orientation
• Available memory and disk space at the time of the crash
• App version and build number
• Breadcrumb logs (general event sequence leading to a crash, containing no personal data and no file content)

c) Google Play Install Referrer

We capture the install referrer string provided by the Google Play Store. This tells us how you found the App (e.g., a search, a campaign link, or a direct install) but does not identify who you are.

4.5 Information We Do NOT Collect

5. Device Permissions

Beam declares the minimum permissions required to operate. The current Android manifest requests the following:

Permission	Purpose
INTERNET	Required to reach the signaling backend, the TURN credentials endpoint, the WebRTC TURN relay (when needed), and the ad networks that serve ads in the App
ACCESS_NETWORK_STATE	Detect whether a network is available before attempting a transfer
com.google.android.gms.permission.AD_ID	Allows Google AdMob, Appodeal, and partner ad SDKs to read the Google Advertising ID for frequency capping, fraud prevention, and (where consent has been given) ad personalisation

File selection is performed through Android's Storage Access Framework (SAF), which grants Beam access only to the specific files you pick — no broad READ_EXTERNAL_STORAGE, READ_MEDIA_*, or MANAGE_EXTERNAL_STORAGE permission is required or requested.

Beam does not request any of the following dangerous runtime permissions: camera, microphone, location, contacts, SMS, phone, calendar, body sensors, or nearby Bluetooth/Wi-Fi devices.

6. How We Use Your Information

The limited data we process is used exclusively for the following purposes:

• Pairing devices: Using signaling metadata to introduce two peers and establish a WebRTC data channel.
• Delivering files: Routing encrypted bytes peer-to-peer or, when necessary, through the TURN relay.
• Stability and performance: Identifying crashes, bugs, and connection failures through Crashlytics so we can deliver fixes.
• Usage analytics: Understanding aggregate usage patterns (e.g., how often relay fallback occurs, which features are used) to guide development.
• Install attribution: Measuring the effectiveness of marketing channels using install referrer data.
• Advertising: Displaying ads through Appodeal mediation (which includes Google AdMob and other partner networks) so we can offer the App free of charge. See Section 9 for full details.
• Consent management: Showing a Google UMP consent form where required, recording your choice locally, and passing the corresponding consent signals to advertising SDKs.

We do not sell your personal information, engage in cross-app tracking beyond what is disclosed in this policy, or make automated decisions that produce legal or similarly significant effects about you.

7. Local Data Storage

Beam stores the following data locally on your device using Android app sandbox storage (Room/SQLite and DataStore preferences). This data is never uploaded to our servers:

• Saved devices: Friendly names of devices you have previously paired with, so you can reconnect quickly.
• Transfer history: A local log of past transfers (file names, sizes, direction, timestamps, and the other device's chosen display name). This is stored on your device only.
• App settings: Your preferences (e.g., default sharing mode, auto-accept toggle, theme).
• Cached session state: Temporary state for an in-progress transfer.
• Pseudonymous app-instance identifier: Used by Firebase for analytics attribution; not linked to your identity.

You can clear this data at any time by clearing the App's data through your device settings (Settings → Apps → Beam → Storage → Clear Data) or by uninstalling the App. The App also exposes options to clear transfer history and saved devices from within the Settings screen.

8. Third-Party Services

Beam integrates with the following third-party services. Each service has its own privacy policy governing the data it processes:

8.1 Supabase (Signaling Backend)

• Provider: Supabase, Inc.
• Purpose: Exchanging WebRTC signaling messages (Beam Code records, SDP offers/answers, ICE candidates) so two devices can find each other and negotiate a direct connection
• Data sent: Beam Code, hashed/compared PIN, device labels and types, SDP descriptors, ICE candidate strings (which may include local and public IP addresses), session timestamps
• What is NOT sent: File content, file names of transferred files, personal information
• Retention: Session records are short-lived (~5 minutes) and removed after the handshake completes
• Privacy Policy: https://supabase.com/privacy

8.2 Cloudflare (TURN Relay & Credentials Worker)

• Provider: Cloudflare, Inc.
• Purpose: (a) A Cloudflare Worker issues short-lived TURN credentials to the App; (b) Cloudflare's TURN/STUN service relays encrypted WebRTC packets when a direct peer-to-peer path is not possible
• Data processed: Your device's IP address (necessary to deliver packets), encrypted DTLS payloads (the relay cannot read them), and standard request metadata logged by Cloudflare
• Retention: Cloudflare does not persist relayed packets; relay sessions exist only for the lifetime of the transfer. Operational logs are retained per Cloudflare's standard policies
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

8.3 Google Firebase (Analytics & Crashlytics)

• Provider: Google LLC
• Purpose: Anonymous usage analytics and crash reporting
• Data processed: Anonymous device and usage metadata as described in Section 4.4
• Privacy Policy: https://firebase.google.com/support/privacy

8.4 Google Play Install Referrer

• Provider: Google LLC
• Purpose: Measuring how users discover and install the App
• Data processed: Install referrer string and timestamps
• Privacy Policy: https://policies.google.com/privacy

8.5 Google Play In-App Review

• Provider: Google LLC
• Purpose: Allows you to leave a Play Store rating without leaving the App
• Data processed: Handled entirely by the Google Play Store; we do not receive or store the content of your review
• Privacy Policy: https://policies.google.com/privacy

8.6 Appodeal (Ad Mediation)

• Provider: Appodeal Inc.
• Purpose: Mediation platform that selects and displays ads from multiple ad networks (including Google AdMob, Meta Audience Network, Unity Ads, AppLovin, Vungle, IronSource, Mintegral, Yandex, Bigo Ads, Pangle, and others) to maximise the chance that an ad is available to show
• Data processed: Google Advertising ID (AAID), IP address, coarse location derived from IP, device model and OS version, app version, ad-unit identifiers, ad-event signals (impression, click, completion), and the consent signals (TCF string, GPP string, US-CA opt-out) collected via UMP
• Use of data: Selecting which network bids on the ad slot, fraud detection, frequency capping, ad performance reporting, and (where consent has been given) personalised ad delivery
• Partner networks: Each integrated demand partner is an independent controller for the data they receive; Appodeal publishes the current list and links to each partner's privacy policy. Bidding partners may include Google, Meta Platforms, Unity, AppLovin, Digital Turbine, Yandex, ByteDance/Pangle, Mintegral, Bigo, Vungle, IronSource, and others
• Privacy Policy: https://www.appodeal.com/privacy-policy/
• Partner list: https://www.appodeal.com/home/partners/

8.7 Google AdMob

• Provider: Google LLC
• Purpose: Serves ads to the App as one of the demand sources mediated by Appodeal. Beam is registered with AdMob and uses an AdMob App ID configured in the Android manifest
• Data processed: Google Advertising ID (AAID), IP address, device model and OS version, ad interaction events, and the consent signals collected via UMP. Where you have consented, AdMob may also use this data for personalised advertising and conversion measurement
• Children: Beam is not directed at children. Where applicable, requests are tagged with the Tag-For-Child-Directed-Treatment (TFCD) and Tag-For-Users-under-Age-of-Consent (TFUA) flags as configured by the App and by Appodeal
• How Google uses partner data: https://policies.google.com/technologies/partner-sites
• Privacy Policy: https://policies.google.com/privacy

8.8 Google User Messaging Platform (UMP) — Consent

• Provider: Google LLC
• Purpose: An IAB Transparency & Consent Framework (TCF) v2.2 certified Consent Management Platform (CMP) used to display the consent form to users in regulated regions (EEA, UK, Switzerland, and other jurisdictions Google applies the form to), to record your choice, and to relay your consent signals to advertising SDKs and bidders
• Data processed: Your consent choices (the TCF v2 string, Google Additional Consent string, and the US Privacy / GPP string), the form version shown, and a timestamp. These signals are stored locally on your device and shared with partners only when they would otherwise process your data
• Re-consent: You can change your choices at any time from Settings → Privacy → Manage Ad Consent within the App, which re-displays the UMP form
• Privacy Policy: https://policies.google.com/privacy

9. Advertising and Consent

Beam is offered free of charge and is supported by advertising. Ads are delivered through the Appodeal mediation SDK, which integrates Google AdMob as well as a number of other ad networks listed by Appodeal. Beam uses Google's User Messaging Platform (UMP) to manage user consent in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and applicable U.S. state privacy laws.

9.1 What ads we show

• Banner, interstitial, and/or rewarded ad formats may appear at non-intrusive moments (for example, after a transfer completes).
• Ads are not shown during an active file transfer in a way that disrupts the transfer, and ads never have access to your file content, file names, or transfer metadata.
• The ad networks themselves provide the creative and decide which specific ad is served; Beam does not pre-select advertisers.

9.2 What data the ad SDKs collect

When ads are served, the Appodeal SDK and the underlying ad networks (most notably Google AdMob) may process the following data, as described in their own privacy policies:

• The Google Advertising ID (AAID) — a resettable, device-level identifier provided by Google Play Services. The App declares the com.google.android.gms.permission.AD_ID permission for this purpose.
• IP address (used for ad routing, fraud prevention, and approximate country/region inference).
• Device model, OS version, locale, screen size, time zone, and connection type.
• Coarse, IP-derived geolocation (country/region only — Beam does not request precise location permissions).
• App package name, app version, and ad-unit identifiers.
• Ad interaction events (impression, click, video completion).
• Your consent signals (the TCF v2 string, Google Additional Consent string, and U.S. Privacy / Global Privacy Platform string).

Beam itself does not receive or store this data; it is sent directly from the ad SDK on your device to the relevant ad network.

9.3 Consent (UMP) — EEA, UK, Switzerland, and other regulated regions

On first launch (and again whenever Google determines re-consent is required) Beam displays a Google UMP consent form. The form lets you:

• Consent to personalised advertising and the purposes / partners listed in the form;
• Refuse consent, in which case Beam will request only non-personalised ads (NPA) from AdMob and equivalent contextual ads from other networks. Non-personalised ads still rely on coarse, non-personal signals (e.g., approximate location from IP, current page context) but do not use cross-app tracking or behavioural profiles;
• Manage individual purposes and partners through the granular settings in the form.

Your choice is stored locally on your device (via the UMP SDK) and is replayed to the ad networks on every ad request. You can re-open the consent form at any time from Settings → Privacy → Manage Ad Consent inside the App.

9.4 U.S. state privacy rights

For users in U.S. states with applicable privacy legislation (including California — CCPA/CPRA, Virginia, Colorado, Connecticut, Utah, and others as they come into force), Beam recognises the IAB Global Privacy Platform (GPP) signal generated by UMP. You can choose to opt out of the sale or sharing of personal information directly in the consent form, and that choice is forwarded to ad partners via the GPP / U.S. Privacy string.

9.5 Children

Beam is a general-audience utility and is not directed at children under 13. Ad requests are tagged appropriately so that ad networks comply with the U.S. Children's Online Privacy Protection Act (COPPA), the EU GDPR's age-of-consent provisions, and Google AdMob's families policies.

9.6 Your controls

• Reset your advertising ID or opt out of ad personalisation via Android: Settings → Privacy → Ads.
• Limit ad tracking by deleting your AAID entirely on Android 12+: Settings → Privacy → Ads → Delete advertising ID. The App will then receive a string of zeros instead of an identifier and ads will be non-personalised.
• Withdraw or change UMP consent in the App: Settings → Privacy → Manage Ad Consent.
• Stop ad data collection entirely by uninstalling the App.

10. Peer-to-Peer Transfers and Encryption

Beam uses the Google WebRTC stack (org.webrtc) for peer-to-peer transfers. WebRTC data channels are encrypted by default using DTLS (Datagram Transport Layer Security) negotiated at session start. This applies to both direct P2P connections and TURN-relayed connections.

Practical implications:

• The other device receives your file content; treat the Beam Code and PIN like a short-lived password and only share them with the recipient you intend.
• The TURN relay cannot read your encrypted file bytes; it only forwards them.
• Our signaling backend never sees file content.
• If your network blocks both direct P2P and the TURN relay, the transfer will fail cleanly — the App shows an error rather than falling back to any unencrypted path.

11. Data Sharing and Disclosure

We may share limited, non-personal data in the following circumstances:

• Infrastructure providers: Supabase processes signaling messages and Cloudflare provides STUN/TURN services on our behalf, subject to their respective data processing terms.
• Analytics providers: Firebase (Google) processes anonymous analytics and crash data on our behalf.
• Advertising partners: Appodeal, Google AdMob, and the demand-partner networks listed in Appodeal's partner directory receive the data described in Section 9 directly from the ad SDK on your device. They act as independent or joint controllers (not processors) for that data and use it under their own privacy policies, subject to your UMP consent choices.
• Legal requirements: We may disclose information if required to do so by law, regulation, legal process, or enforceable governmental request.
• Safety: We may disclose information if we believe in good faith that it is necessary to protect the rights, safety, or property of NovoTech Pty Ltd, our users, or the public.

12. Data Retention

• Signaling records (Supabase): Beam Code sessions expire after approximately 5 minutes and are removed after the handshake completes.
• Relayed packets (Cloudflare TURN): Not persisted; forwarded and discarded.
• Local data on your device (saved devices, transfer history, settings, local identifiers): Retained until you clear the App's data, use the in-app delete options, or uninstall the App.
• Firebase Analytics data: Retained for up to 14 months by default, after which it is automatically deleted from Google's servers.
• Firebase Crashlytics data: Retained for 90 days, after which it is automatically purged.
• Operational logs at our infrastructure providers (Supabase, Cloudflare): Retained per their respective standard policies.
• Advertising data processed by Appodeal, Google AdMob, and other demand partners: Retained according to each partner's own retention schedule. Google AdMob, for example, retains advertising-cookie/identifier data for up to 13 months by default, after which it is automatically removed or anonymised. Appodeal documents its own retention practices in its privacy policy.
• UMP consent records: Stored locally on your device for as long as the App is installed; not sent to NovoTech servers.

13. Data Security

We take reasonable measures to protect the information associated with the App:

• WebRTC data channels are encrypted with DTLS end-to-end between peers.
• All HTTP communication with our backend (Supabase, Cloudflare Worker) uses HTTPS/TLS.
• Local database and preference storage are protected by Android's application sandboxing.
• Release builds use code obfuscation (R8/ProGuard) to deter reverse engineering.
• Beam Codes are short-lived (~5 minutes) and limited to a constrained character set that excludes ambiguous letters/digits.
• The optional 4-digit PIN provides an additional layer of session protection.
• Permissions are limited to INTERNET, ACCESS_NETWORK_STATE, and the AD_ID permission required by Google ad SDKs.

While we strive to use commercially acceptable means to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

14. Children's Privacy

NovoTech Beam is a general-purpose utility application. It is not directed at children under the age of 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has somehow provided personal information through the App, please contact us so we can take appropriate action.

15. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your data:

15.1 General Choices

• Delete local data: Clear all locally stored data (saved devices, transfer history, settings, local identifiers) by using the in-app delete options, going to your device Settings → Apps → Beam → Storage → Clear Data, or by uninstalling the App.
• Opt out of analytics: You can restrict the App's network access in your device settings or uninstall the App to prevent any further analytics collection.
• Manage advertising consent: Open the in-app UMP consent form via Settings → Privacy → Manage Ad Consent at any time to change your choices.
• Reset or delete your advertising ID: Use Android's Settings → Privacy → Ads to reset or delete the AAID and to opt out of personalised ads system-wide.
• Decline a transfer: Receivers can refuse incoming files; senders can cancel a transfer at any time before completion.

15.2 European Economic Area (EEA), United Kingdom, and Switzerland — GDPR

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including the right to:

• Access the personal data we hold about you
• Request rectification or erasure of your data
• Object to or restrict processing of your data
• Data portability
• Lodge a complaint with your local supervisory authority

Because Beam does not require an account and does not associate transfers with a personal identity, the data we hold that could be linked to you is limited to ephemeral signaling records, anonymous analytics events, and the advertising data described in Section 9 (which is processed by our ad partners under the consent framework provided by UMP). To exercise any right, contact us at the address in Section 18.

15.3 California Residents — CCPA / CPRA

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale or sharing of personal information.

NovoTech Beam does not sell personal information for monetary consideration. The App does, however, share certain identifiers (such as the AAID and IP address) with advertising partners to deliver ads, which may be considered "sharing" or a "sale" under the CCPA/CPRA's broad definitions. California residents can opt out of such sharing at any time by:

• Selecting Do Not Sell or Share My Personal Information (or refusing personalised ads) in the in-app UMP consent form, which sets the U.S. Privacy / GPP opt-out signal that ad partners must honour;
• Enabling Android's system-wide Opt out of Ads Personalization control;
• Contacting us at the address in Section 18 to make a verifiable consumer request.

15.4 Brazil — LGPD

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights over your personal data, including the right to access, correct, delete, and port your data. For enquiries, contact us at the address in Section 18.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

• Update the "Last Updated" date at the top of this page.
• Post the revised policy at the same URL.
• For material changes, provide notice within the App or through the Google Play Store listing.

Your continued use of the App after any changes constitutes your acceptance of the revised policy. We encourage you to review this page periodically.

17. Legal Basis for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases for processing the data described in this policy:

• Performance of a contract (Art. 6(1)(b)): Processing signaling metadata and operating the TURN relay are necessary to provide the file-transfer service you requested.
• Legitimate interests (Art. 6(1)(f)): Anonymous analytics and crash reporting are processed to maintain the stability and quality of the App, and to serve non-personalised, contextual advertisements where you have not consented to personalised ads. You can object to this processing by uninstalling the App or restricting its network access.
• Consent (Art. 6(1)(a)): Personalised advertising and the corresponding processing by Appodeal, Google AdMob, and partner ad networks are performed only where you have given consent through the Google UMP form. You may withdraw consent at any time via Settings → Privacy → Manage Ad Consent.
• Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose data to comply with applicable law.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your enquiry within 30 days.

19. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of Australia, without regard to its conflict-of-law provisions, except where mandatory local privacy legislation (such as GDPR, CCPA, or LGPD) applies.