Skip to main content
Audit date: 2026-05-05 SDK versions audited: Flutter 0.2.1 · Kotlin 0.4.1 · Swift 0.3.0 Auditor: Static code review + manual inspection Status: ⚠️ Static review passed; dynamic verification (network / storage / runtime PII inspection) is pending and tracked in the “Recommended testing” section below.

Executive summary

This privacy audit confirms that the Synheart Behavioral SDK adheres to its privacy-first design principles. The SDK collects ZERO personally identifiable information (PII), ZERO text content, and ZERO screen coordinates. All collected data consists solely of timing-based behavioral metrics.

Audit Findings

CategoryStatusDetails
PII Collection✅ PASSNo PII collected
Text Content✅ PASSNo text content captured
Screen Coordinates✅ PASSNo location data collected
Biometric Data✅ PASSNo biometric data
Device Identifiers✅ PASSSession IDs only (ephemeral)
Network Activity✅ PASSNo network requests
Storage✅ PASSIn-memory only, no persistence
Permissions✅ PASSNo mandatory permissions for core capture; optional permissions for notification / call observation only

Detailed Audit

1. Data Collection Analysis

1.1 Tap Gesture Collection

Files Audited:
  • lib/src/behavior_gesture_detector.dart
  • android/src/main/java/ai/synheart/behavior/GestureCollector.kt
  • ios/Classes/GestureCollector.swift
What is Collected:
  • ✅ Tap duration (time between tap down and tap up in milliseconds)
  • ✅ Long press detection (taps longer than 500ms)
  • ✅ Tap timing patterns
What is NOT Collected:
  • ❌ No tap coordinates (X, Y positions)
  • ❌ No text content
  • ❌ No field names or identifiers
  • ❌ No clipboard content (only counts of copy / paste / cut events)
  • ❌ No keystroke content (typing events carry timing metrics only — speed, cadence, gap ratio, backspace count — never the characters typed)
Privacy Verification: Flutter (behavior_gesture_detector.dart): 
// Tap events only include duration and long-press flag
BehaviorEvent.tap(
  sessionId: sessionId,
  tapDurationMs: durationMs,
  longPress: isLongPress,
)
// No coordinates, no content, only timing
CONFIRMED: No text content, coordinates, or keystroke data is captured or stored.

1.2 Scroll Dynamics Collection

Files Audited:
  • android/src/main/java/ai/synheart/behavior/GestureCollector.kt
  • ios/Classes/GestureCollector.swift
What is Collected:
  • ✅ Scroll velocity (pixels per second)
  • ✅ Scroll acceleration (change in velocity)
  • ✅ Scroll jitter (variance in velocity)
  • ✅ Scroll stop events (timing only)
What is NOT Collected:
  • ❌ No scroll position coordinates
  • ❌ No screen content
  • ❌ No viewport size
  • ❌ No URL or content identifiers
Privacy Verification: Android (GestureCollector.kt:113-155): 
// Line 130: Only velocity magnitude is calculated
val velocity = abs(dy - lastScrollY) / timeDelta.toDouble() * 1000.0
// No X/Y coordinates stored, only velocity magnitude
iOS (GestureCollector.swift:141-176): 
// Line 149: Only offset delta, not absolute position
let offsetDelta = abs(scrollView.contentOffset.y - lastScrollOffset)
let velocity = Double(offsetDelta) / timeDelta * 1000.0
// No coordinate data retained
CONFIRMED: No screen coordinates or content information collected.

1.3 Gesture Activity Collection

Files Audited:
  • android/src/main/java/ai/synheart/behavior/GestureCollector.kt
  • ios/Classes/GestureCollector.swift
What is Collected:
  • ✅ Tap rate (taps per second)
  • ✅ Long press count
  • ✅ Drag velocity (magnitude only)
  • ✅ Gesture timing
What is NOT Collected:
  • ❌ No tap coordinates (X, Y positions)
  • ❌ No touch pressure data
  • ❌ No finger size/shape
  • ❌ No UI element identifiers
Privacy Verification: Android (GestureCollector.kt:47-81): 
// Line 59-66: Only timing tracked
val duration = System.currentTimeMillis() - dragStartTime
if (duration > 500) {
    longPressCount++  // Count only, no location
    emitLongPressRate()
} else if (duration < 200) {
    tapCount++  // Count only, no coordinates
}
iOS (GestureCollector.swift:91-105): 
// Line 94-98: Only timestamp recorded
let now = Date().timeIntervalSince1970 * 1000
tapTimestamps.append(now)  // Time only, NO coordinates
CONFIRMED: No coordinate data or biometric information collected.

1.4 App Lifecycle & Attention Signals

Files Audited:
  • android/src/main/java/ai/synheart/behavior/AttentionSignalCollector.kt
  • ios/Classes/AttentionSignalCollector.swift
What is Collected:
  • ✅ Foreground/background state transitions
  • ✅ Foreground duration (time in milliseconds)
  • ✅ App switch count
  • ✅ Idle gap detection (timing only)
What is NOT Collected:
  • ❌ No app names or identifiers
  • ❌ No package names of other apps
  • ❌ No notification content
  • ❌ No system state information
Privacy Verification: Android (AttentionSignalCollector.kt:54-74): 
// Line 64-73: Only direction and timing recorded
emitAppSwitch(direction: "foreground", duration: backgroundDuration)
// No app identifiers, just state change timing
iOS (AttentionSignalCollector.swift:85-108): 
// Line 98-105: Only state and duration
emitAppSwitch(direction: "foreground", duration: backgroundDuration)
// No external app information captured
CONFIRMED: No third-party app information or system state details collected.

2. Data Storage & Transmission

2.1 In-Memory Storage Only

Files Audited:
  • All collector classes (GestureCollector, AttentionSignalCollector, etc.)
Findings:
  • ✅ All data stored in memory only (Lists, Maps, Arrays)
  • ✅ No file system writes
  • ✅ No database storage
  • ✅ No SharedPreferences/UserDefaults usage
  • ✅ No cloud synchronization
Code Examples: Flutter: 
// Events stored in memory only, no persistence
final List<BehaviorEvent> _events = [];
// Events are automatically cleaned up when session ends
CONFIRMED: No persistent storage, all data is ephemeral.

2.2 Network Transmission

Files Audited:
  • All SDK files
Findings:
  • ✅ No network API calls
  • ✅ No HTTP/HTTPS requests
  • ✅ No socket connections
  • ✅ No external service dependencies
  • ✅ All processing is local
Verification: 
# Search for network-related imports/classes
grep -r "HttpURLConnection\|URLSession\|Retrofit\|Alamofire" android/ ios/
# Result: No matches found
CONFIRMED: Zero network activity, fully local processing.

3. Platform Permissions Analysis

3.1 Android Permissions

File Audited: android/src/main/AndroidManifest.xml Declared Permissions: None Implicit Permissions Used:
  • None (Activity lifecycle callbacks are standard, no permission needed)
Not Required:
  • ❌ INTERNET
  • ❌ READ_EXTERNAL_STORAGE
  • ❌ WRITE_EXTERNAL_STORAGE
  • ❌ ACCESS_FINE_LOCATION
  • ❌ CAMERA
  • ❌ RECORD_AUDIO
  • ❌ READ_CONTACTS
CONFIRMED: No mandatory permissions for core gesture capture. The SDK ships with optional integrations for notification observation (POST_NOTIFICATIONS / BIND_NOTIFICATION_LISTENER_SERVICE on Android, UNUserNotificationCenter on iOS) and call observation (READ_PHONE_STATE on Android, CXCallObserver on iOS) — the host app declares these only if it enables those signals.

3.2 iOS Permissions

File Audited: ios/Classes/Info.plist (would be in host app) Required Permissions: None Not Required:
  • ❌ NSLocationWhenInUseUsageDescription
  • ❌ NSCameraUsageDescription
  • ❌ NSMicrophoneUsageDescription
  • ❌ NSContactsUsageDescription
  • ❌ NSPhotoLibraryUsageDescription
CONFIRMED: No privacy-sensitive permissions required.

4. Session Identifier Analysis

Files Audited:
  • lib/src/synheart_behavior.dart
  • android/src/main/java/ai/synheart/behavior/BehaviorSDK.kt
  • ios/Classes/BehaviorSDK.swift
Session ID Format: 
// lib/src/synheart_behavior.dart:84
final sessionIdToUse = sessionId ??
    '${_config.sessionIdPrefix ?? 'SESS'}-${DateTime.now().millisecondsSinceEpoch}';
Characteristics:
  • ✅ Ephemeral (generated per session)
  • ✅ Time-based, not device-based
  • ✅ No device identifiers (IMEI, MAC address, etc.)
  • ✅ Not linked to user identity
  • ✅ Can be customized by developer
Privacy Assessment:
  • Session IDs are NOT persistent device identifiers
  • They CANNOT be used to track users across sessions
  • They are LOCAL to the app instance
CONFIRMED: Session IDs are privacy-safe.

5. Third-Party Dependencies

Files Audited: pubspec.yaml, Android build.gradle, iOS Podfile Flutter Dependencies: 
dependencies:
  flutter:
    sdk: flutter
Native Dependencies:
  • Android: None (only standard Android SDK)
  • iOS: None (only standard iOS frameworks)
CONFIRMED: No third-party tracking libraries or analytics SDKs.

6. Compliance Assessment

6.1 GDPR Compliance (EU)

RequirementStatusNotes
Lawful Basis✅ PASSLegitimate interest (app functionality)
Data Minimization✅ PASSOnly timing metrics collected
Purpose Limitation✅ PASSData used only for behavioral analysis
Storage Limitation✅ PASSIn-memory only, automatic cleanup
Right to Erasure✅ PASSData cleared on session end/app close
Data Portability✅ PASSData available via getCurrentStats()
Privacy by Design✅ PASSPrivacy-first architecture
GDPR alignment: the SDK design is consistent with the principles above. This is a self-assessment, not a third-party audit; legal sufficiency for your specific deployment depends on how you wire consent in your host app.

6.2 CCPA principles (California)

PrincipleDesign alignment
Personal informationNone collected by the SDK
Sale of dataSDK does not transmit or sell data
Right to knowThis page documents what is collected
Right to deleteData is in-memory and cleared on session end
Opt-outEach signal type can be disabled via BehaviorConfig

6.3 COPPA principles (children’s privacy)

The SDK collects no PII and emits no child-specific data. Whether COPPA applies depends on how the host app uses the SDK and the user population it serves; consult counsel for your specific deployment.

6.4 iOS App Tracking Transparency (ATT)

The SDK does not perform cross-app or cross-website tracking, does not collect device identifiers, and does not share data with ad-network brokers. Whether your host app needs to present an ATT prompt depends on the rest of the app’s behavior, not on this SDK alone.

6.5 Android Privacy Sandbox

The SDK does not use advertising IDs, does not perform cross-app tracking, processes data locally, and does not share data with third parties. Privacy Sandbox restrictions therefore do not apply to the SDK’s collection paths.

7. Privacy Risks & Mitigation

Identified Risks

RiskSeverityMitigationStatus
Behavioral fingerprintingLOWNo cross-session tracking, ephemeral IDs✅ Mitigated
Memory inspectionLOWIn-memory data cleared on session end✅ Mitigated
Event replay attacksLOWNo authentication, events are timestamped✅ Mitigated
Overall Risk Level: 🟢 LOW

8. Recommendations

Immediate Actions

  1. Update Privacy Policy: Document SDK data collection clearly
  2. User Transparency: Inform users about behavioral signal collection
  3. Consent Mechanism: Provide opt-in/opt-out configuration
  4. ⚠️ Privacy Documentation: Include in app store descriptions

Best Practices for Implementation

// Provide user control
final config = BehaviorConfig(
  enableInputSignals: userAcceptsGestures,  // User consent for tap/scroll/swipe
  enableAttentionSignals: userAcceptsLifecycle,  // User consent
  enableMotionLite: false,  // Disabled by default
);

final behavior = await SynheartBehavior.initialize(config: config);

Privacy Notice Template

Our app uses behavioral analytics to improve your experience. We collect:
- Tap timing patterns (not tap locations)
- Scroll patterns (not screen coordinates)
- App usage patterns (not other apps)

We DO NOT collect:
❌ Text you type
❌ Tap locations
❌ Personal information
❌ Device identifiers
❌ Keystroke content

All data is processed locally on your device and never leaves your device.

9. Security Considerations

Data in Transit

N/A - No network transmission

Data at Rest

In-memory only - No persistent storage

Data Access Control

App-local - Data accessible only to host app

Encryption

⚠️ Not required - No sensitive data, in-memory only

10. Testing & Validation

Tests performed

  • Code inspection — all collection paths in lib/, the iOS MotionSignalCollector.swift, and the Android BehaviorSDK.kt were reviewed manually for PII / text / screen content collection.

Pending dynamic verification

The static review covers what the code says it does. The following runtime checks are intended to confirm what the binaries actually do in production builds; they have not been completed yet:
  • Runtime memory inspection to verify no PII reaches in-process buffers.
  • Network capture (Wireshark / Charles Proxy) to verify zero outbound activity from the SDK module.
  • Device storage inspection after SDK use to verify no persistent storage is created.
  1. Network Monitoring: Use Wireshark to confirm zero network activity
  2. Storage Inspection: Check device storage after SDK use
  3. Memory Dumps: Analyze memory to confirm no text content
  4. Permissions Test: Verify no runtime permission requests

Summary

Per the static review:
  1. No PII — no personally identifiable information is captured.
  2. No content — no text, images, microphone audio, or screen content.
  3. Local processing — all computation happens on-device; the SDK makes no outbound network calls.
  4. Ephemeral storage — data lives in process memory and is cleared on session end.
  5. No special permissions — basic gesture / interaction signals require no Android or iOS runtime permissions; notification and call observation are opt-in and gated by the host’s permission prompts.
  6. Designed around GDPR / CCPA / COPPA principles — see §6.
This is a static review, not a third-party certification. Dynamic verification (network capture, memory inspection, storage inspection) is listed as pending work in §10. Whether your specific deployment satisfies a particular regulation depends on how you wire consent in the host app.
  • ✅ Children’s apps (COPPA-compliant)

Appendix: Privacy Checklist

  • No text content captured
  • No keystroke content (typing events carry timing metrics only — speed, cadence, gap ratio, backspace count — never characters)
  • No screen coordinates collected
  • No biometric data
  • No location data
  • No camera/microphone access
  • No contacts access
  • No file system access
  • No network requests
  • No persistent storage
  • No device identifiers
  • No advertising IDs
  • No cross-app tracking
  • Ephemeral session IDs only
  • In-memory data only
  • Automatic data cleanup
  • User control via configuration
  • GDPR compliant
  • CCPA compliant
  • COPPA compliant
  • ATT not required
  • Privacy Sandbox compatible
Report Version: 1.0 Last Updated: 2026-05-05 Next Audit: Recommended after major version changes