Kodular Kodular Policies
App Data Processing Notice
← All Policies

App Data Processing Notice

Last modified: March 30, 2026

1. Introduction and Scope

1.1. This App Data Processing Notice (“Notice”) describes how Junnovate Limited, trading as Kodular (“we”, “us”, “our”), collects and processes data from mobile applications built using the Kodular Creator platform (“Built Apps”).

1.2. This Notice applies to data that Kodular collects through its own runtime services embedded in Built Apps, specifically:

(a) The app analytics service (powered by Microsoft App Center), which is included in all Built Apps; and

(b) The Kodular Monetize event tracking system and build integrity verification system, which are included only in apps that use Kodular Monetize advertising components.

1.3. This Notice does not cover:

(a) Data collected by third-party services that app developers choose to integrate (such as Firebase, Google Sheets, CloudDB, or any third-party extensions). App developers are independent data controllers for such integrations and must disclose them in their own privacy policies.

(b) Data collected by device sensors or components that app developers choose to include (such as location, camera, contacts, microphone, or SMS). The app developer controls whether these components are used and is responsible for obtaining end-user consent.

(c) Data collected by Kodular from its platform users (app creators), which is covered by our separate Privacy Policy.

2. Data Controller

For data collected through Kodular’s runtime services in Built Apps, the data controller is:

Junnovate Limited, trading as Kodular
Company Registration Number: 784589 (Ireland)
24A Baggot Street Upper, Dublin, D04 N528, Ireland
Contact: support@kodular.io

App developers who build and distribute apps using Kodular are independent data controllers for any additional data their apps collect. App developers are responsible for providing their own privacy policies to end-users and for obtaining any required consents.

3. Data We Collect from Built Apps

3.1. Data Collected from All Built Apps

All apps built with Kodular Creator include the Microsoft App Center SDK, which collects the following data when the app is launched and during use:

(a) App Center install identifier: A universally unique identifier (UUID) generated by the App Center SDK on first launch. This identifier is unique to each app installation and is not linked to any personal account or device identifier.

(b) Device information: The device manufacturer, device model, operating system name and version, screen size, carrier name, and device locale (country and language).

(c) App information: The app version, Kodular Creator version used to build the app, the app’s package name, and the source from which the app was installed (e.g., Google Play Store, Amazon Appstore, or direct installation).

(d) Usage events: The following usage events are recorded:

  • App launch (including app name and package name)
  • Screen transitions (screen name)
  • Ad impressions (ad network and format, when ad components are used)
  • Runtime errors (component type, function name, error code, and error message)

(e) Crash reports: If the app crashes, a crash report including the stack trace and device state at the time of the crash is transmitted.

3.2. Data Collected from Apps Using Kodular Monetize

The following data is collected only from apps that include Kodular Monetize advertising components (such as AdMob or Google Ad Manager components). Apps that do not use these components do not include the Kodular Monetize SDK and none of the data described in this Section 3.2 is collected.

3.2.1. Installation Data

When a Monetize-enabled Built App is first launched on a device, the Kodular Monetize SDK collects:

(a) Install identifier: A randomly generated 32-character alphanumeric string (prefixed with “ins_”) that is unique to each app installation. This identifier is not linked to any personal account, email address, or device identifier. It is generated locally on the device and persists for the lifetime of the app installation.

(b) Device information: The device manufacturer (brand), device model, Android version, Android release name, and Android API level.

(c) Public key data: A cryptographic public key hash and certificate chain generated by the app for integrity verification. The Google attestation status of the key is also recorded.

(d) IP-derived geolocation: The IP address from which the installation request originates is used to determine the country and continent of the device. The raw IP address is stored with the installation record.

3.2.2. App Event Data

When certain events occur within a Monetize-enabled Built App, the Kodular Monetize SDK transmits event records containing:

(a) Event metadata: A unique event identifier, the event type, and the timestamp of the event as recorded on the device.

(b) App context: The screen name, component type, and component name where the event occurred.

(c) Identifiers: The install identifier (as described in Section 3.2.1(a)) and the build identifier (which identifies the specific version of the app).

(d) IP-derived geolocation: The country and continent of the device, derived from the IP address at the time the event is received.

(e) Event types. The following event types are collected:

  • AD_SERVED — an advertisement was displayed
  • AD_CLICKED — an advertisement was tapped
  • AD_REWARDED — a rewarded advertisement was completed
  • IN_APP_PURCHASE — an in-app purchase occurred
  • SURVEY_RECEIVED — a survey was presented

No other event types are collected. No user input, text content, or interaction data beyond the events listed above is transmitted.

3.2.3. Build Integrity Data

When a Monetize-enabled Built App starts, the Kodular Monetize SDK performs a build integrity check to verify that the app has not been tampered with. This check transmits:

(a) The build identifier and install identifier; (b) The app package name; (c) A cryptographic signature and certificate chain; (d) Device information (as described in Section 3.2.1(b)).

3.3. Data We Do NOT Collect

Kodular’s runtime services do not collect:

  • End-user names, email addresses, phone numbers, or account credentials
  • Precise GPS location or fine-grained geolocation data
  • Contacts, call logs, or SMS messages
  • Camera images, audio recordings, or microphone data
  • Browsing history, search queries, or keystrokes
  • Advertising identifiers (GAID/IDFA)
  • Any data entered by end-users into the app’s user interface
  • Any data from third-party components or extensions added by the app developer

We process the data described in Section 3 for the following purposes:

4.1. Monetisation and Billing (Contract)

Event data is used to calculate advertising revenue earned by app creators through the Kodular Monetize programme and to generate usage-based invoices. This processing is necessary for the performance of the contract between Kodular and the app creator.

4.2. Fraud Prevention and Platform Integrity (Legitimate Interest)

Build integrity data and cryptographic signatures are used to detect tampered or pirated apps, prevent fraudulent event reporting, and protect the integrity of the Kodular Monetize advertising network. IP geolocation is used to identify geographic patterns associated with fraudulent activity.

4.3. Service Operations (Legitimate Interest)

App analytics data, crash reports, device information, and install data are used for debugging, compatibility analysis, and ensuring the Kodular runtime operates correctly across different Android devices and versions. Aggregated event data is used to monitor service health and performance.

We may process event and billing data to comply with applicable tax laws, respond to lawful requests from authorities, or exercise or defend legal claims.

5. Data Sharing

We share data collected from Built Apps with the following service providers:

ProviderData SharedPurposeLocation
Microsoft (App Center)App analytics events, device information, crash reportsApp usage analytics and crash reporting for all Built AppsUS
Amazon Web ServicesMonetize event and install dataEvent ingestion (IoT Core), processing (Lambda), storage (S3, DynamoDB)EU
ipinfo.ioIP addressesIP-to-country/continent geolocation (Monetize apps only)US

Microsoft’s processing of App Center data is governed by the Microsoft Products and Services Data Protection Addendum. Further information on App Center’s data practices is available in Microsoft’s App Center GDPR documentation.

We do not sell data collected from Built Apps. We do not share this data with advertisers, data brokers, or any parties other than those listed above.

The app creator (the Kodular user who built the app) has access to aggregated usage data (event counts by type and period) through the My Kodular dashboard. The app creator does not have access to individual event records, IP addresses, or device information.

6. International Data Transfers

Data collected from Built Apps is primarily processed within the European Union (AWS infrastructure in the EU).

Event ingestion endpoints are available in additional regions for latency optimisation: United States, India, Singapore, and Brazil. Events received in these regions are transferred to our EU infrastructure for processing and storage.

For transfers to Microsoft (App Center), ipinfo.io, and Google (United States), we rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

7. Data Retention

DataRetention
App Center analytics and crash dataUp to 90 days, subject to Microsoft App Center retention policies
Individual Monetize event records (S3)Up to 365 days, then permanently deleted
Aggregated Monetize usage data (DynamoDB)As long as the app creator’s account is active
Monetize install records (DynamoDB)As long as the app creator’s account is active

8. End-User Rights

End-users of Built Apps have the following rights with respect to data collected by Kodular’s runtime services:

8.1. Right of access. End-users may request confirmation of whether their data is being processed and access to their data. Because we do not collect personal identifiers, we may require the end-user to provide their install identifier to locate their records.

8.2. Right to erasure. End-users may request deletion of their installation and event data. Uninstalling the app permanently removes the install identifier from the device, preventing any further data collection. Server-side records are subject to the retention periods in Section 7.

8.3. Right to object. End-users may object to processing based on legitimate interests.

8.4. Right to lodge a complaint. End-users located in the EU/EEA have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) or their local supervisory authority.

8.5. To exercise these rights, end-users should contact support@kodular.io. We will respond within 30 days.

9. Information for App Developers

9.1. Your responsibility. As an app developer using Kodular, you are an independent data controller for any data your app collects beyond what is described in this Notice. You must provide your own privacy policy to your end-users that accurately describes your app’s data practices.

9.2. Disclosing Kodular’s data collection. We recommend that your app’s privacy policy includes a disclosure that the app uses the Kodular platform, which collects app analytics data and device information for service operations and debugging purposes. If your app uses Kodular Monetize components, you should additionally disclose the collection of IP-derived geolocation and advertising/purchase event data for monetisation and platform integrity purposes.

9.3. App store compliance. Google Play and the Apple App Store require apps to have a privacy policy that discloses all data collection, including data collected by third-party SDKs embedded in the app. Kodular’s runtime services constitute such an SDK. You should include the data described in Section 3 of this Notice in your app store data safety declarations.

9.4. Children’s apps. If your app is directed at children under 13 (or under 16 in the EEA), you are responsible for ensuring compliance with COPPA, GDPR Article 8, and any other applicable children’s privacy laws. Kodular’s runtime services do not collect personal identifiers from end-users, but the device information and IP-derived geolocation described in this Notice may be subject to additional requirements for children’s apps.

10. Automated Decision-Making

The Kodular runtime employs automated systems for the following limited purposes:

(a) Build integrity verification: Automated verification of cryptographic signatures and certificate chains to detect tampered apps. Apps that fail integrity checks may be prevented from transmitting events.

(b) Billing status enforcement: Automated checks of the app creator’s billing status. Apps associated with creators who have overdue invoices may have event processing suspended.

These automated processes do not produce legal effects or similarly significantly affect end-users.

11. Changes to This Notice

We may update this Notice from time to time. Material changes will be communicated to app developers via email or prominent notice on the Kodular platform at least 30 days before they take effect. App developers are responsible for updating their own privacy policies to reflect any changes.

12. Contact

If you have questions about this Notice, whether as an end-user or an app developer, please contact us:

Junnovate Limited, trading as Kodular
24A Baggot Street Upper, Dublin, D04 N528, Ireland
Email: support@kodular.io