SkyExperia Privacy Policy
IN FORCE — version 1.0, effective 2026-07-14. Signed: Debopam De, Einselection (Chair review and approval recorded in the project decision ledger, 2026-07-14). Drafted under Chair delegation and adversarially seat-reviewed before signature.
Effective date: 2026-07-14 · Version: 1.0 · Applies to: every released build of the SkyExperia Android application from the first closed-testing release (v0.9) onward, and the SkyExperia desktop MCP extension (.mcpb), until superseded.
1. The promise, in plain language
SkyExperia answers questions about the sky — what's visible tonight, where a planet is, when something rises — entirely on your device. The app has no accounts, no analytics, no ads, no crash-reporting service, and no server of ours to talk to: we did not build a backend. The app itself sends nothing, to anyone. Your location, your questions, and everything you do in the app stay on your hardware and are yours to delete at any time by uninstalling.
We don't ask you to trust this paragraph. §5 explains exactly how that claim is enforced in the released software and how anyone can test it; §6 honestly describes the network activity that surrounds any Android app — the store, the operating system, things you explicitly share — and where the boundary of our claim sits.
2. What we collect
Nothing. Specifically, the released app contains:
- No account system — nothing to sign up for, no identifiers created.
- No telemetry or analytics — no usage events, no session tracking, no third-party analytics SDK of any kind.
- No advertising — no ads, no ad SDKs, no advertising identifiers read or transmitted.
- No crash-reporting SDK — the app embeds no crash uploader.
- No cloud backend — we operate no server that receives app data.
- No data sharing or sale — there is nothing collected, so there is nothing to share or sell.
3. What stays on your device
The app processes the following locally only, to do its job:
| Data | Used for | Where it lives |
|---|---|---|
| Location (GPS/network), optional (not present at all in v0.9, §9) | Computing what's visible from where you stand | Device memory/storage only; never transmitted. You may instead enter coordinates manually — the app is fully functional without the location permission. |
| Compass / orientation sensors | Pointing assistance (accuracy labeled on-screen as ±X°) | Read in real time, on device; not stored beyond the session, never transmitted |
| Your questions and the assistant's answers | Answering you; improving nothing — there is no feedback pipeline | Device storage only |
| Settings, saved objects, computed results, the on-device search index | App functionality | Device storage only |
Deletion: uninstalling the app removes all of it. There is no server-side copy to ask us to delete — the data never left.
4. Backups
To keep "your data never leaves the device" airtight, the v1.0 release opts out of Android auto-backup (android:allowBackup="false" plus exclude-all backup rules), so app data is not uploaded to your Google account by the OS backup service. One honest caveat: on Android 12 and later, some manufacturers' device-to-device migration tools can copy app data directly between your own two phones during setup even when cloud backup is off — that transfer happens phone-to-phone under the OS's control, at your initiative, and never touches us or any server. Ruled 2026-07-13: backup is not a v1.0 feature. If a future version ever offers backup, it will be opt-in, use Android's end-to-end-encrypted mechanism, and ship only with an in-app disclosure and a revision of this policy (§12).
5. How "zero-data" is enforced and verified
A privacy claim you can't test is marketing. Ours is enforced three ways, and every proof is published so you can re-run it:
- The release build requests no INTERNET permission. The Android manifest of every released APK/AAB omits
android.permission.INTERNET— the operating system itself will not let the app open a network socket. Anyone can verify this in one command against our published releases (e.g.aapt dump permissions <apk>). - Packet-capture egress test. Before every release, the candidate build runs a scripted session (fresh install → grant location → queries → all major screens) under full packet capture on both an emulator and a physical device. Pass = zero packets from the app's own UID/process. That is the enforceable, reproducible criterion: Android's system services (including the OS location framework) run under system identities we neither control nor can silence, so the harness documents those known system-side channels (§6) instead of pretending to police them. The harness, each release's capture report, and this exact scope definition are all published in the project repository — the definition of "app-originated" is itself public and criticizable.
- Reproducible evidence. The test scripts, the manifest check, and the per-release egress report are versioned in the open repository, so the claim is falsifiable by third parties — if you find app-originated egress in a release build, we have broken this policy and will treat it as a critical defect.
6. Network activity that is not the app's
For honesty's sake, things that involve the network but happen outside the app's process and this policy:
- Installing and updating the app happens through your app store (Google Play or the store you used), governed by that store's own policies. App updates are also how new astronomy catalogs and models arrive (§7) — the app itself never downloads anything.
- Your operating system and device vendor may collect diagnostics (e.g. Play's OS-level crash statistics) under their own policies and your device settings. The app embeds no mechanism of its own.
- System components acting on their own. The app deliberately includes no Google Play services client SDKs — location comes from the Android framework's own
LocationManager, not the Play-services fused-location client — so no Google component makes network calls on the app's behalf or as a consequence of the app requesting your position. Your phone's OS-level services (Play, device telemetry) still talk to their vendors as they do around every installed app; that traffic exists with or without SkyExperia and is controlled by your device settings, not by us. - Explicit sharing by you — if you use a share/export action, the OS share sheet hands the content to the app you choose, at your initiative.
7. Catalogs and models
The star/object catalogs and the on-device models the app uses are bundled with the app — large models ship as Google Play install-time asset packs, which the store delivers as part of installation, before first launch, with no action (and no network capability, §5.1) on the app's part — and they update only through normal app-store updates. The app performs no downloads. If a future version ever adds an in-app content-update mechanism, it will be off by default, user-triggered, disclosed in-app, and this policy will be revised and re-verified (§5) before that version ships.
8. The desktop MCP extension
The SkyExperia desktop extension exposes read-only astronomy tools (positions, visibility windows, ephemerides) to an AI host application such as Claude Desktop:
- It communicates with the host only over stdio (a local pipe). It opens no network listener and makes no outbound connections.
- It computes answers locally with the same deterministic engine as the app and stores nothing beyond its local program files.
- Your conversation with the host AI is governed by the host's privacy policy (e.g. Anthropic's for Claude Desktop) — the extension transmits nothing to us or anyone.
9. Permissions inventory (v1.0 release target)
| Permission / dependency | Status | Why |
|---|---|---|
INTERNET | absent | The enforcement mechanism of §5.1 |
| Location (fine/coarse) | absent in v0.9 ("early testers' edition" — manual coordinates only, Chair ruling 2026-07-13); optional runtime permission from a later release | On-device sky computation only; manual coordinates always work instead |
| Camera | absent in v1.0 | The capture feature is disabled in v1.0 |
| Sensors (orientation/compass) | standard, no permission dialog on modern Android | Pointing assistance, on-device |
| Google Play services client SDKs | none in the app | Location via the framework LocationManager (§6) — no Google component acts on the app's behalf |
Any permission added in a future version triggers a policy revision before release.
10. Children
The app is suitable for general audiences and is not directed at children. Because it collects no data from anyone, it collects no data from children; there is no profiling, no advertising, no accounts, no social features, and no user-generated content for any age group. A child using the app under family supervision is exposed to exactly what an adult is: astronomy, computed on the device.
11. Your rights (GDPR, UK GDPR, India DPDP Act 2023, CCPA/CPRA, and similar)
Under these laws you have rights to access, correct, delete, and port personal data an organization holds about you. We hold none — no personal data ever reaches us. To be precise rather than glib: your location and questions are personal data while the app processes them on your device; the design keeps that processing entirely under your control (you grant it, you see it, you delete it by uninstalling), and none of it is transmitted to us or anyone. There is therefore nothing to opt out of, no server-side record to request, and no sale or sharing to limit. For grievances or questions, contact §13.
One binding statement. This policy is the single authoritative description of the app's data practices. The Google Play Data safety form is a summary of it: under Play's definitions, data processed only on-device and never transmitted is not "collected," so the form reads "No data collected" even though the app can (optionally, at your request) use your device location on-device. If the form and this policy are ever found to disagree, the form is corrected to match this policy and the correction is disclosed publicly.
12. Changes to this policy
The policy is versioned in the public project repository with a changelog. Material changes — anything that would introduce data collection or egress — will be announced in release notes, take effect only in the release that ships them, require your consent where the law demands it, and be re-verified under §5 first.
13. Contact
Einselection (publisher) — contact@einselection.com
Questions, verification results, or a claim that a release violates §5 are all welcome at that address; §5 violations are treated as critical defects.
Annex A — Verify it yourself (summary)
- Manifest check: download the released APK, run
aapt dump permissions(or inspect in Android Studio) —android.permission.INTERNETmust be absent. - Packet capture: on a device or emulator you control, capture traffic (e.g.
tcpdump/PCAPdroid/mitmproxy at the router) while exercising the app — filter to the app's UID; there must be no app-originated traffic. - Repository artifacts: the egress-test harness, scripts, and each release's captured report live in the public project repository (github.com/debopamiitkgp/starscape).
Draft history: v0.1 2026-07-12 — initial draft (Orchestrator, per Chair delegation of D-6 authoring; review + signature + publication remain the Chair's). v0.1.1 2026-07-13 — Grok-4.5 pre-Chair seat-review amendments integrated: §1 absolute rescoped to §5/§6; §5.2 "attributable to the app" defined publicly; §6 + §9 no-Play-services-SDK / framework-LocationManager commitment; §11 single-binding-statement clause replacing "stricter governs," with the Play on-device ≠ "collected" mapping made explicit; §10 tightened. v0.1.2 2026-07-13 — Sol (ultra) seat-review amendments: §4 exclude-all backup rules + the Android-12+ device-to-device migration caveat disclosed; §5.2 pass criterion narrowed to the enforceable app-UID/process scope (system-side channels documented, not policed); §7 install-time asset packs named as the delivery mechanism. Sol also verified current main cannot honor this policy yet (Firebase/Crashlytics/http SDKs + INTERNET/CAMERA/RECORD_AUDIO permissions) — the W-INTAKE release-stack purge is the named precondition. v0.1.3 2026-07-13 — Chair rulings applied on D-9 ratification: name SkyExperia, contact contact@einselection.com, publisher Einselection, v0.9 = early testers' edition without the location permission (§3/§9). v0.2 2026-07-13 — hosting ruled (Vercel, einselection.com) and backup ruled: not a v1.0 feature (§4 final as drafted; opt-in encrypted backup = post-v1.0 candidate via §12). All ⟦…⟧ resolved — signature-ready. v1.0 2026-07-14 — IN FORCE: the Chair reviewed and approved the text ("I have been through the policy and OK with it") and ordered publication — recorded in DECISIONS.md as the D-6 signature act. Signed Debopam De, Einselection.