# User Data Policies

The freeRASP and freeMalwareDetection modules collect anonymized security diagnostics data from apps. These data contain:

* Application state and security.
* Device state and security.
* Anonymous app instance ID and device ID.

This information allows Talsec to provide a [security report](https://docs.talsec.app/freerasp/freerasp/data-visualisation-portal), improve the freeRASP product and even the [commercial RASP SDK](https://docs.talsec.app/freerasp/freerasp/features-and-pricing-plans), or prepare mobile security reports and articles.

{% hint style="info" %}
Data collection can be disabled or configured to send to a custom customer-owned logging service in [premium plans of Talsec.](https://docs.talsec.app/freerasp/freerasp/features-and-pricing-plans)
{% endhint %}

All data collected by freeRASP is anonymous technical diagnostics information, but depending on the applicable regulations, it could be considered **sensitive** and/or **personal data**.

Talsec recommends adding the statement below to the dedicated **privacy policy page** of your app. You can also use the text below when filling in the [Google Play Safety Section](#google-plays-data-safety-policy) or the [similar section for Apple App Store](#app-store-user-data-policy) publishing.

<details>

<summary>Privacy Policy Statement</summary>

For the purpose of Fraud prevention, user safety, and compliance, the dedicated App safety SDK needs to send the following anonymous diagnostic data off the device for detection of security issues. Thus the application collects the following data:

* Category: App info and performance
  * Data Type: Diagnostics
  * Information about the integrity of the app and the operating system. For example, rooting, running in an emulator, hooking framework usage, etc.
* Category: Device or other identifiers
  * Data Type: Device or other identifiers
  * Information that relates to an individual device. For example, a device model and an anonymous identifier used to check that the app instance is executed on the original device on which it was initially installed. It is needed to combat threats like bots and API abuse.

</details>

### Google Play's Data Safety Policy

Google Play requires all app publishers to declare how they collect and handle user data for the apps they publish on Google Play. They should properly inform users of the data collected by the apps and how the data is shared and processed. Google will reject apps that do not comply with the policy.

{% hint style="info" %}
More about Google Play's Data safety [here](https://support.google.com/googleplay/android-developer/answer/10787469?hl=en).
{% endhint %}

The items to check for Google Play and the details about the data are specified above in the [Privacy Policy Statement](#privacy-policy-statement "mention").

### App Store User Data Policy

Apple requires that all app developers disclose their data collection and handling practices for apps published on the App Store. Developers must clearly inform users about the data their apps collect, as well as how this data is shared and processed. Apps that do not adhere to Apple's data privacy guidelines will be rejected.

{% hint style="info" %}
More about Apple App privacy [here](https://developer.apple.com/app-store/app-privacy-details/).
{% endhint %}

To comply with the policy, in the App Privacy section, it is important to check the following:

* Identifiers -> Device ID -> App Functionality
  * It is an anonymous device identifier for the app vendor as per: <https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor>
  * The Talsec Security SDK cannot link the device identifier to the user
* Diagnostics -> Performance Data -> App Functionality, Other Purposes, No for linking to the user
* Diagnostics -> Other diagnostics data -> App Functionality, Other Purposes, No for linking to the user
* Other data -> App Functionality, No for linking to the user
  * Security diagnostics data (such as jailbreak)

## Disclosure Screen

Google Play’s User Data policy indicates that a prominent disclosure should be presented to users **when an app collects personal or sensitive data**.

Although freeRASP collects diagnostic data (anonymous and not user-related), you (as the app publisher) should consider adding a disclosure screen describing why the security diagnostic data is needed, what data is collected, and how the data is used.

{% hint style="info" %}
More about Google's best practices for prominent disclosure and consent [here](https://support.google.com/googleplay/android-developer/answer/11150561?hl=en\&ref_topic=2364761).
{% endhint %}

<figure><img src="https://3557356308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQ2PxZTOjhquOxcxftTrm%2Fuploads%2FE6XwPhklleYSjHWDoWyy%2Fimage.png?alt=media&#x26;token=27c6482e-2386-4ffa-87fc-4eb9c758cb54" alt="" width="188"><figcaption><p>Example of disclosure screen</p></figcaption></figure>
