Security Policy
Last updated: February 11, 2026
At ApneaStatic, we take the security of our users' data seriously. This document outlines our security practices, architecture, and how to report security vulnerabilities.
1. Architecture Overview
ApneaStatic is designed with a local-first architecture, which means:
- No backend servers: We do not operate any servers that store or process your data. The app runs entirely on your device.
- Local storage: All training data, settings, and profile information are stored on your device using encrypted local storage (Capacitor Preferences).
- No database: There is no central database containing user data.
- Optional cloud sync: Cloud backup is performed directly between your device and your personal Google Drive account, using Google's OAuth 2.0 authentication.
2. Data Security Measures
2.1 Authentication
- Google Sign-In uses industry-standard OAuth 2.0 protocol.
- We never see, store, or have access to your Google password.
- Authentication tokens are stored securely on your device and are automatically refreshed.
- Access tokens are only used for Google Drive API calls and are scoped to the minimum permissions needed (application data folder only).
2.2 Data in Transit
- All communication with Google services (Sign-In, Drive, AdMob) uses HTTPS/TLS encryption.
- The web app is served over HTTPS only.
- No sensitive data is transmitted in plain text.
2.3 Data at Rest
- On Android, app data is stored in the app's private storage directory, which is sandboxed by the Android OS and not accessible to other apps.
- Cloud backup data is stored in your Google Drive's hidden application data folder, which only ApneaStatic can access.
- On the web, data is stored in browser local storage, protected by the browser's same-origin policy.
2.4 Android App Security
- The Android app uses code minification and obfuscation (R8/ProGuard) in release builds.
- The app follows Android security best practices for WebView applications.
- The app only requests the minimum permissions necessary for its functionality.
- All external URLs are opened using secure intent mechanisms.
3. Permissions
ApneaStatic requests only the following Android permissions:
| Permission | Purpose |
|---|---|
| INTERNET | Required for Google Sign-In, cloud backup, and ads |
| ACCESS_NETWORK_STATE | Check network connectivity before sync |
| WAKE_LOCK | Keep screen on during training sessions |
| FOREGROUND_SERVICE | Continue training timer when app is in background |
| FOREGROUND_SERVICE_MEDIA_PLAYBACK | Background audio for training voice guidance |
| MODIFY_AUDIO_SETTINGS | Control voice guidance volume |
| READ_MEDIA_AUDIO | Access background music files (premium feature) |
| BILLING | Process premium subscription purchases |
4. Third-Party Security
We integrate with the following third-party services, each with their own security measures:
- Google (OAuth, Drive, AdMob): Google maintains industry-leading security practices including SOC 2, ISO 27001 compliance. Google Cloud Security
- RevenueCat: SOC 2 Type II compliant. Processes subscription data securely. RevenueCat Security
- Firebase: Part of Google Cloud, inherits Google's security infrastructure.
5. Vulnerability Disclosure
ApneaStatic is a spare-time project developed and maintained by a solo developer. We welcome responsible disclosure of security vulnerabilities and appreciate your patience with response times.
If you discover a security issue in ApneaStatic, please:
- Email us at info@apneastatic.com with a description of the vulnerability.
- Include steps to reproduce the issue, the affected version, and any relevant screenshots or logs.
- Do not publicly disclose the vulnerability before we have had reasonable time to address it.
- Do not access, modify, or delete other users' data as part of your testing.
Please Note: We do not offer bug bounties at this time. However, we are happy to acknowledge security researchers in our release notes (with permission) and deeply appreciate responsible disclosure.
7. App Updates & Maintenance
As a spare-time project, updates are released on a best-effort basis. We strive to address security issues promptly, but update frequency depends on available time and severity.
We recommend:
- Always use the latest version of the app from the Google Play Store.
- Enable automatic updates on your device.
- Keep your Android operating system up to date.
8. User Responsibilities
To protect your data, we recommend:
- Use a strong password and two-factor authentication on your Google account.
- Keep your device's operating system and apps up to date.
- Do not share your device with untrusted individuals.
- Use the app's data export feature to maintain personal backups of important training data.
- Review the permissions granted to the app periodically in your device settings.
9. Contact
For security-related inquiries or to report a vulnerability:
Security Email: info@apneastatic.com
General Support: info@apneastatic.com