Privacy Policy

Effective 30 April 2026 · Version 1.0

This Privacy Policy explains what information My Mobile Security
(the “App”, “we”, “our”, “us”) collects when you use it,
how we use that information, who we share it with, and the choices you have.
The App and its supporting backend services are owned and operated by
The Software Support LLC.

The short version

We collect the email, name, and optional phone number you give us so we can issue
your free activation key. We log how often you open the app and how often you run
breach scans, so the service stays operational. We never sell your data, never
share it for advertising, and never track you across other apps. You can delete
everything we store about you from
Settings → Account & data → Delete my account.

1. Who we are

My Mobile Security is a mobile application (iOS and Android) that helps you protect
your device through three features: an email breach lookup, a device security audit,
and a private DNS profile that you can route through a secure VPN tunnel. The Service
is published by The Software Support LLC.

2. What we collect

Activation details

When you claim your activation key, we ask for:

Email address — required, used as your account identifier
and to deliver the activation key.
Full name — required, used to personalize the activated
app experience.
Phone number — optional, kept on file for support
purposes only if provided.

Activation logs (audit trail)

Each time your activation key is issued, verified, revoked, or restored, we record a
timestamped log entry. This includes your IP address and your device’s
User-Agent string. We use these logs to detect abuse and maintain an audit
trail of credential lifecycle events.

App usage events

To operate the service responsibly, we record a small set of usage events on our server:

When the app verifies your activation on launch (an anonymous “heartbeat”).
When you run an email breach scan, including the count of breaches found and
the domain part of the searched email (e.g. example.com). The full
email address is hashed before storage and never retained in cleartext.

Your IP address on these events is hashed with a server-side secret salt before
storage, so the stored value cannot be reversed back to your IP address by anyone,
including us, without access to that secret.

Email breach lookups

When you run a breach scan, we forward the email address you entered to the
HaveIBeenPwned API,
which is operated by an independent third party. Their API receives the email over
HTTPS; we do not retain the address itself in our database.

Cached responses

We cache HaveIBeenPwned responses for up to six hours so we don’t hammer their
API with duplicate requests. The cache key is a hash of your email address (so the
cache does not contain your email in cleartext). Cache entries are evicted
automatically.

Crash and diagnostics data

We use Firebase Crashlytics to receive automatic crash reports if the App fails.
These reports do not include your activation details. They contain device model, OS
version, a stack trace, and (if available) breadcrumb logs of the steps that led to
the crash.

What we do not collect

We do not collect your device’s advertising identifier
(IDFA / AAID).
We do not fingerprint your device.
We do not track you across other apps or websites.
We do not collect location data.
We do not read or log the DNS queries that flow through your
selected DNS profile. The Secure VPN tunnel only carries DNS traffic; we do
not record what hosts you resolve.

3. Why we collect it

Issuing and validating your activation key — we need to
know who a key was issued to in order to verify it later.
Operating the service — counting scans and verify pings
so we can size capacity, detect outages, and prevent abuse.
Security & abuse prevention — rate-limiting, spotting
unusual patterns, blocking abusive IPs.
User support — if you contact us, we may use your email
and name to identify your account.

We do not use your data for advertising, profiling, or
sale/transfer to data brokers.

4. Third parties we work with

We rely on a small number of providers to operate the service. We share only the
minimum data necessary in each case.

HaveIBeenPwned (Troy Hunt, UK). When you run a breach scan we
send the email address you entered over HTTPS for lookup. We do not send your
name, phone, or any account information. Their privacy practices are at
haveibeenpwned.com/Privacy.
Google Firebase (Google LLC). We use Firebase Crashlytics for
crash diagnostics. Their privacy policy is at
policies.google.com/privacy.
Hosting provider. The backend runs on a server operated by our
hosting provider, which has access to disk-level data as required to operate
the infrastructure. Our hosting provider is contractually bound to
confidentiality.

5. How long we keep data

Activation account data (email, name, phone, key) — kept
while your activation is valid plus a reasonable period for support and audit.
Activation logs — up to 24 months, then automatically
purged.
Usage events (breach scans, verify pings) — up to 12
months in granular form, then aggregated to monthly totals (which are not
personally identifiable).
HIBP cache — up to 6 hours per email-hash. Auto-evicted.
Crash reports — per Firebase Crashlytics retention
defaults (currently 90 days).

If you delete your account, we soft-delete your record immediately: your name and
phone are emptied, and your email is replaced with a non-functional placeholder. The
row is retained only as a skeleton for foreign-key integrity in our audit logs and
is not personally identifiable.

6. Your rights and choices

Access — you can request a copy of the data we hold about
your account by emailing us. We will respond within 30 days.
Correction — if any of your activation details (name,
email, phone) are wrong, contact us and we will correct them.
Deletion — tap Settings → Account & data
→ Delete my account, then confirm. Your account is soft-deleted
immediately. You can also email us to request deletion.
Withdrawal of consent — if you uninstall the App, your
activation key remains on our servers until it expires. You can use the in-app
deletion to remove it explicitly.
Lodging a complaint — if you are an EEA resident you have
the right to lodge a complaint with your local data protection authority.

7. How we protect your data

All client-server traffic uses HTTPS (TLS 1.2 or higher).
Activation keys are stored server-side as bare hex strings.
IP addresses on event logs are sha256-hashed with a server-side secret salt.
Admin access to the database requires a hashed password and an HTTP-only,
SameSite=Lax session cookie.
The app uses certificate validation to defeat man-in-the-middle attacks on
misconfigured networks.

No system is perfectly secure. If we ever suffer a breach affecting your data, we
will notify you within 72 hours of becoming aware of it.

8. Children

The App is not directed at children under 13 (or under 16 in jurisdictions that set
a higher age). We do not knowingly collect personal information from children. If
you believe a child has submitted information to us, please contact us and we will
delete it promptly.

9. International users

Our backend is hosted in a single region; if you use the App from outside that
region, your data is transferred there. By using the App, you consent to that
transfer. We rely on standard contractual clauses for transfers from the EEA / UK
where applicable.

10. Changes to this policy

We may update this policy. When we do, we will bump the version number and effective
date at the top of this page. Material changes (e.g. new categories of data
collected) will be communicated in-app.

11. Contact

For privacy questions, deletion requests, or anything else covered above, write to:

info@thelivesupport.com

The Software Support LLC
We aim to respond within 5 business days, and within 30 days for formal data-subject
requests.