This Privacy Policy governs the collection, processing, storage, sharing, and deletion of personal information by the 365FM App. We are committed to full transparency and compliance with Google Play Store Data Safety requirements (2026), the DPDP Act 2023 (India), GDPR, and CCPA/CPRA.
Introduction & Operator Identity
Who we are and what this policy covers
The 365FM App is a resident-facing mobile application enabling users of properties managed by 365 Facility Management (365 Facility Management & Developers) to submit complaints, raise service requests, communicate with facility staff, and receive push notifications regarding property services.
Data Controller
365 Facility Management, operating under 365 Facility Management & Developers, is the sole data controller responsible for all personal data collected through the 365FM App.
Policy Scope
- The 365FM Android app distributed via Google Play Store
- The 365FM iOS app distributed via the Apple App Store
- All backend APIs operated by 365 Facility Management that the app communicates with
Data We Collect
Information collected during registration and use
Account & Identity Data
- Full name, email address, and mobile phone number
- Residential address, unit/flat number, and building details
- Household and family member information (optional, for service requests)
- Profile photograph (optional, user-uploaded)
- Professional designation (if applicable)
Authentication & Session Data
- JSON Web Tokens (JWT) — access tokens (15-min expiry) and refresh tokens (7-day expiry), stored in encrypted AsyncStorage via @react-native-async-storage
- Login timestamps and session metadata
- Device-level session identifiers (not linked to advertising IDs)
Service Usage & Activity Data
- Complaint submissions: title, description, category, attachments, and status history
- Service request logs and resolution timelines
- Chat messages sent to and received from facility management staff (via socket.io-client)
- Abuse reports submitted via the in-app ReportSheet feature
Voice & Media Data
- Photos or videos explicitly selected via react-native-image-picker for complaint attachments or profile
- Audio recordings made via the in-app voice recorder (react-native-audio-record/react-native-audio-recorder-player)
- Temporary audio files managed by react-native-fs — deleted immediately after upload or playback
Device & Notification Data
- Firebase Cloud Messaging (FCM) device registration token — push notifications only
- Device platform and OS version (compatibility and support purposes only)
- App version number
Data We Do Not Collect
- Precise or approximate GPS location data
- Advertising identifiers (GAID, IDFA, or equivalent)
- Browsing history or web activity outside the app
- Contacts, call logs, or SMS content
- Financial information, payment card, or banking data
- Biometric data of any kind
- Crash diagnostics or analytics telemetry (no analytics SDK bundled)
How We Use Your Data
Purpose, basis, and scope of data processing
Primary Purposes
- Authenticating and authorising your access to app features
- Processing complaints, maintenance requests, and service queries
- Enabling real-time chat with facility management via socket.io-client
- Delivering push notifications about service updates via Firebase Messaging
- Enabling photograph and voice note uploads as part of service requests
Safety & Moderation
- Reviewing and actioning abuse reports submitted through the ReportSheet feature
- Blocking or restricting users who violate community standards
- Maintaining moderation logs for facility management oversight
Legal Basis for Processing
- Contractual necessity — to provide the facility management services you signed up for
- Legitimate interests — to maintain app security, detect fraud, and moderate content
- Legal obligation — where required by applicable Indian law or regulatory authorities
- Consent — for optional features such as profile photos and voice notes (withdrawable at any time)
Device Permissions
Permissions requested, their purpose, and how they are used
The 365FM App (managed via react-native-permissions) requests only the permissions necessary for its stated functionality. No permission is requested in the background or without a clear user-initiated action.
Requested when: You tap the voice note record button.
Use: Captures audio during active recording only. Not accessed in background at any time. A disclosure is shown before first recording.
Data flow: Uploaded to 365FM servers over TLS; temporary files deleted immediately after upload.
Requested when: You choose to upload a profile photo or attach an image to a complaint.
Use: react-native-image-picker allows gallery selection or camera capture, triggered solely by your action. We do not scan your photo library.
Requested when: On first launch or when you opt into push notifications.
Use: Service updates, complaint status changes, and facility announcements via Firebase Messaging only. Never used for marketing or advertising.
Requested when: Required on older Android versions for temporary media file handling during upload via react-native-fs.
Use: Creates temporary files deleted immediately after upload. No persistent storage of user media on device.
Data Storage & Security
Technical and organisational security measures
Local Device Storage
- JWT tokens stored in @react-native-async-storage/async-storage with OS-level encryption
- No sensitive personal data (name, address, messages) persisted locally beyond session needs
- Temporary media files via react-native-fs deleted immediately after upload or playback
Server-Side Security
- All API communications use HTTPS/TLS encryption (Axios with authenticated headers)
- Media and voice assets served through authenticated backend proxy — no unauthenticated CDN access
- Bearer token authentication required for every API and media request
- Role-based access controls limiting data access to authorised staff
Token Lifecycle
- Access tokens: expire after 15 minutes
- Refresh tokens: expire after 7 days
- Tokens invalidated on logout — cannot be reused after expiry
Real-Time Communication
Live chat and complaint updates use socket.io-client ^4.8.1 over TLS-secured WebSocket connections. All socket events are authenticated using the user's current JWT before connection is established.
Data Sharing & Disclosure
Who can access your data and why
365 Facility Management does not sell, rent, or exchange your personal data with any third party for commercial, marketing, or advertising purposes. Zero data is shared with advertising networks.
Authorised Sharing
- Facility management staff at 365 Facility Management & Developers — to process your complaints and service requests
- Firebase (Google LLC) — FCM device tokens transmitted to Google's infrastructure solely to deliver push notifications, governed by Google's Privacy Policy and DPA
- Legal authorities — where required by a court order, regulatory directive, or applicable Indian law
- Successor entity — in the event of merger or acquisition, under equivalent privacy protections
User-Generated Content & Moderation
Google Play UGC policy compliance
The 365FM App includes chat features and allows users to post messages, voice notes, and media. In compliance with Google Play's User-Generated Content (UGC) policy:
- Any user may long-press a chat message to submit an abuse report via the in-app ReportSheet, selecting a reason code and providing context
- Conversation-level controls allow residents to report a conversation or block replies from facility management
- Blocking a conversation immediately disables outgoing messages until explicitly unblocked
- Abuse reports are reviewed by authorised facility management moderators
- We reserve the right to remove content that violates our Community Standards or applicable law
- Moderation actions and block records are retained for accountability and audit purposes
Data Retention
How long we keep your information
We retain your data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| JWT Access Tokens | 15 minutes | Automatic expiry |
| JWT Refresh Tokens | 7 days | Expiry / Logout |
| Temp media files (device) | Immediate | After upload / playback |
| Profile & account data | Duration of account | 30 days post deletion request |
| Complaint / service history | Minimum 3 years | Account closure + legal review |
| Chat messages | 2 years | Account deletion |
| Abuse / moderation logs | 3 years | Regulatory minimum |
| FCM tokens | Auto-refreshed | Old tokens discarded by Firebase |
Children's Privacy
COPPA compliance and age restrictions
The 365FM App is intended solely for adults aged 18 and above (or 13 and above where applicable under local law). The App is designed for resident and facility management use within managed residential and commercial properties.
We do not knowingly collect, process, or store personal information from children under the age of 13. If we become aware that personal information has been collected from a child under 13 without verifiable parental consent, we will take immediate steps to delete such data.
If you are a parent or guardian and believe your child has provided personal information, please contact us using the details in Section 18 and we will act promptly.
Your Rights & User Controls
How to exercise control over your personal data
Request a copy of data we hold about you
Update profile from the Profile screen
Request account + data deletion, processed in 30 days
Manage via device system settings
In-app controls available at all times
Revoke permissions via device settings anytime
Third-Party SDK Inventory
All packages bundled in 365FM App v0.0.1 (React Native 0.81.0)
Zero advertising, behavioural analytics, or data broker SDKs are included. Every package listed below serves an explicit product function.
| Package | Version | Purpose | Data | Play Category |
|---|---|---|---|---|
| @react-native-firebase/app @react-native-firebase/messaging | ^23.3.1 | Push notifications via FCM | FCM device token, notification payloads | Device or other IDs |
| @react-native-async-storage/async-storage | ^2.1.0 | Secure local storage of auth tokens & session data | JWT tokens — local only, never transmitted externally | None shared externally |
| react-native-permissions | ^5.4.2 | Runtime permission prompts | None — OS permission dialogs only | None |
| react-native-image-picker | ^8.2.1 | Profile avatar & media uploads from gallery/camera | User-selected images, uploaded to app servers | Photos and videos |
| react-native-audio-record @react-native-ohos/react-native-audio-recorder-player | ^0.2.2 / rc.1 | Voice note recording & playback | Audio recorded by user, uploaded securely | Audio — voice recordings |
| react-native-fs | ^2.20.0 | Temporary local file handling for media uploads | Temporary media files (deleted after upload) | None shared externally |
| socket.io-client | ^4.8.1 | Real-time chat & complaint status updates | Chat messages & metadata via authenticated backend | Messages — in-app |
| axios | ^1.12.2 | HTTP client for all API requests | Request/response payloads — TLS encrypted | Transmitted through backend only |
| @react-navigation/native @react-navigation/native-stack @react-navigation/bottom-tabs | ^7.x | In-app navigation between screens | None | None |
| @react-native-community/checkbox @react-native-community/datetimepicker @react-native-community/slider | ^0.5.x / ^8.x / ^5.x | UI input components | None — UI rendering only | None |
| @react-native-picker/picker | ^2.11.2 | Dropdown selection UI component | None | None |
| react-native-safe-area-context react-native-screens | ^5.6.1 / ^4.16.0 | Layout & navigation rendering | None | None |
| react-native-keyboard-aware-scroll-view | ^0.9.5 | Keyboard-aware scroll adjustment | None | None |
| react-native-responsive-screen | ^1.4.2 | Screen-size-aware layout dimensions | None | None |
| react-native-alert-notification | ^0.4.2 | In-app toast/alert notification UI | None | None |
| react-native-bootsplash | ^4.7.3 | Splash screen on launch | None | None |
| react-native-svg | ^15.13.0 | SVG icon & graphic rendering | None | None |
| react-native-vector-icons | ^10.3.0 | Icon font rendering | None | None |
| buffer / js-utf8 | ^6.0.3 / ^0.1.0 | Binary & UTF-8 string encoding utilities | None | None |
Google Play Data Safety Declaration
Complete data safety summary for Play Console submission
| Data Type | Collected? | Shared? | Required? | Purpose |
|---|---|---|---|---|
| Name | ● YES | ○ NO | ● YES | Account identification |
| Email address | ● YES | ○ NO | ● YES | Login, notifications |
| Phone number | ● YES | ○ NO | ● YES | Account verification |
| Home address | ● YES | ○ NO | ● YES | Facility service delivery |
| Profile photo | ◑ OPTIONAL | ○ NO | ○ NO | User profile display |
| App interactions | ● YES | ○ NO | ● YES | Complaints & service requests |
| In-app messages | ● YES | ○ NO | ● YES | Facility communication |
| Voice/audio recordings | ● YES | ○ NO | ● YES | Voice note messaging |
| Photos / videos | ◑ USER-INIT | ○ NO | ○ NO | Media uploads |
| Device / FCM token | ● YES | ◑ FIREBASE ONLY | ● YES | Push notifications |
| Auth tokens (JWT) | ◑ LOCAL | ○ NO | ● YES | Session security |
| Crash logs / diagnostics | ○ NO | ○ NO | — | Not collected |
| Advertising ID | ○ NO | ○ NO | — | Not collected |
| Precise location | ○ NO | ○ NO | — | Not collected |
Security Practices Checklist
- Data encrypted in transit using TLS/HTTPS for all API and media communications
- Data encrypted at rest on the server side
- Deletion requests are honoured — users may request permanent data deletion
- No hardcoded secrets; all endpoints require bearer token authentication
- App enrolled in Google Play App Signing
- No advertising SDKs — app does not track users across apps or websites
- User-generated content moderation controls present and active
- Play Integrity API integration recommended for future high-risk actions
International Data Transfers
Cross-border data movement and safeguards
The 365FM App is primarily designed for use within India. Personal data is processed on servers located in India operated by 365 Facility Management.
Firebase Cloud Messaging (Google LLC, USA) receives FCM device tokens for push notification delivery. This transfer is governed by Google's standard contractual clauses and Data Processing Addendum. FCM tokens contain no personal identifying information beyond a pseudonymous device identifier.
No other international data transfers take place. No user personal data is transferred to third parties in foreign jurisdictions beyond the Firebase FCM transfer described above.
Cookies, Tracking & Advertising
Our zero-tracking commitment
The 365FM App is a native mobile application and does not use browser cookies. The App does not use any form of cross-app or cross-website tracking technology. No advertising identifier (Google Advertising ID, Apple IDFA) is accessed or used. No behavioural profiling, retargeting, interest-based advertising, or third-party analytics data collection occurs within the App.
Jurisdiction-Specific Rights
GDPR, CCPA, and DPDP Act 2023 compliance
Data Breach Notification
Our incident response commitments
In the event of a personal data breach that poses a risk to your rights and freedoms, 365 Facility Management will:
- Notify affected users within 72 hours of becoming aware of the breach, where technically feasible
- Notify relevant regulatory authorities as required by applicable law
- Take immediate steps to contain the breach and remediate affected systems
- Document the breach, its impact, and all corrective actions taken
Changes to This Policy
How we notify you of material updates
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or the packages we use. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document and in the app header
- Send an in-app notification or push notification to active users
- Require re-acceptance of the updated policy for certain material changes
Continued use of the 365FM App after the effective date of any update constitutes acceptance of the revised policy.
Contact Us
Privacy requests, questions, and data deletion
For questions, privacy requests, data deletion, or complaints regarding this Privacy Policy, please contact us:
We aim to respond to all privacy-related inquiries within 10 business days. For urgent matters, please indicate the nature of your request clearly in your message.