'Do I need to disclose use of Google Play billing library in the data safety form?
I've implemented in-app purchases in my app by using the Google Play billing library. I've implemented it as per the guidance here. This just a basic one-time purchases, and I don't store the purchase tokens or pass them to backend server or anything like that.
Looking at the data safety form in the Play store, there's a few questions around this area:
Does your app collect or share any of the required user data types? Yes/No
Is all of the user data collected by your app encrypted in transit? Yes/No
Under the: Financial Info > Other Financial info section: Is this data collected, shared or both?
Collected This data is transmitted off the user's device, either to you (the developer) or a third party. This includes data that is processed ephemerally, or stored for longer. ...AND/OR... Shared This data is transferred to a third party, either on or off the user's device
My initial thoughts were the answers to the questions are:
- Yes
- Yes
- Collected+Shared
But I'm not sure if this is correct. Thinking about it, what information is my app actually collecting/sharing? I'm just using the billing library to say "Does this user own sku X" or listen out when the library says "Hey, this person just purchased sku X". I'm not capturing or storing any kind of payment details or transaction history etc.
Can anyone offer their thoughts?
Solution 1:[1]
First off - I definitely recommend going through this doc - https://support.google.com/googleplay/android-developer/answer/10787469 Especially the What developers need to declare across data types section.
To a certain amount these are still murky waters, as this feature is new and Google is still figuring out which services go where. If you are not sure and want to be correct I would contact google support directly.
As to points:
Does your app collect or share any of the required user data types?
- Definitely yes. There is an option later - Ephemeral processing - that says that it is being only used real-time and is not collected for a longer.
Is all of the user data collected by your app encrypted in transit?
- Depends on the library. Haven't gone through it and hopefully someone will fill in the blanks here. My first guess would be yes, as google probably encrypts it.
Is this data collected, shared or both?
- I would pick only collected, yet again for Ephemeral processing and also following lines stated in the documentation I mentioned earlier
The following types of data transfers do not need to be disclosed as 'sharing':
- Service providers. Transferring user data to a 'service provider' that processes it on behalf of the developer.
- 'Service provider' means an entity that processes user data on behalf of the developer and based on the developer’s instructions.
Solution 2:[2]
I strongly suggest you to use an automated tool like Privado - Data Safety Report or Google Checks. Both tools generate the Data Safety Report on a .csv file and you just need to import it. I submit a couple of different forms with Privado - Data Safety Report and never had issues with it. P.S. both tools are free.
Solution 3:[3]
I think you are correct, it is:
1.Yes
2.Yes
3.Collected+Shared
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ji?Ã Petera |
| Solution 2 | Adelino |
| Solution 3 | Jabbar |