Privacy Policy
Effective date: May 1, 2026·Last updated: May 4, 2026 (merged with sites.google.com policy)
App: ControlKit (Android, package com.app.controlkit.center.widgets) · Publisher: Bright Box Apps · Contact: oxaluspublic@gmail.com
1. Summary
- We do not sell your personal data.
- We do not read screen contents, keystrokes, passwords, or messages.
- The Accessibility Service is used only to display the Control Center over other apps and to perform actions you explicitly initiate from it.
- We collect a small amount of analytics and crash data to keep the App working and to improve it.
- We show ads from third-party ad networks. Some are personalized, depending on your consent.
2. Data we collect
2.1 Data you provide
The App does not require an account. We do not ask for your name, email, phone number, or address inside the App.
If you contact us at oxaluspublic@gmail.com for support, feedback, or to exercise a privacy right, the email address you write from and any details you include in the message are stored only for the purpose of replying to you and improving the App. Support correspondence is not connected to the analytics identifiers described below; an anonymous internal support ID is generated where needed to track an open ticket.
2.2 Data collected automatically
| Data | Purpose | Retained |
|---|---|---|
| Device model, OS version, screen size, language, country | Compatibility, app analytics | Up to 14 months |
| Anonymous app instance ID (Firebase Installation ID) | Crash attribution, app analytics | Up to 14 months |
| Advertising ID (GAID) | Ad delivery, frequency capping, attribution | User can reset/opt out in Android settings |
| Crash logs and stack traces | Diagnose crashes (Firebase Crashlytics) | Up to 90 days |
| App events (screens viewed, ad impressions) | Product analytics, ad measurement | Up to 14 months |
| IP address (collected by ad/analytics SDKs) | Approximate region, fraud prevention | Truncated/discarded by SDK |
| Install attribution (Adjust) | Marketing campaign measurement | Up to 24 months |
We do not collect: precise location (unless you enable Weather + grant Location), camera images (unless you use a Camera-related Control Center action), microphone input, contacts, SMS, call logs, files outside the App's storage, or screen contents/keystrokes.
3. Accessibility Service — what we do and do not do
3.1 Why it is required
Android only allows certain capabilities — drawing reliable overlays above other apps, and performing global actions such as taking a screenshot or toggling Do Not Disturb — through an Accessibility Service. The Control Center is the App's core feature, so the Accessibility Service is necessary for the App to function.
3.2 What it does
- Detects when the foreground app changes, so the Control Center overlay can show or hide itself appropriately.
- Hosts a window of type
TYPE_ACCESSIBILITY_OVERLAYso the Control Center can render above other apps and the home screen. - Performs system actions you explicitly initiate (e.g. take a screenshot, toggle Wi-Fi, change brightness).
3.3 What it does not do
- It does not read text from other apps.
- It does not capture keystrokes or passwords.
- It does not record the screen.
- It does not transmit any window content off the device.
This is enforced at the technical level by the Accessibility Service configuration: canRetrieveWindowContent="false", only typeWindowStateChanged events are received, and canRequestTouchExplorationMode="false".
3.4 Consent
Before the App opens the system Accessibility settings, we show a disclosure dialog with two buttons (Agree & Continue and Decline). You can revoke consent at any time in Android Settings → Accessibility → ControlKit → Off.
4. Other permissions
The App may request the following permissions. Each is requested only when needed for a feature you use, and you can deny or revoke any of them.
| Permission | Why we ask |
|---|---|
| Display over other apps | Show Control Center as fallback overlay. |
| Notification access | Read media playback state for music card. We do not transmit notifications. |
| Modify system settings | Adjust brightness / rotation toggle. |
| Do Not Disturb | Toggle DND from Control Center. |
| Camera (optional) | Flashlight torch on devices that route flashlight via Camera2. No images captured. |
| Location (optional) | Show local weather. No location history stored. |
| Post notifications | Foreground service notification (required by Android). |
| Schedule exact alarm | Auto-change wallpaper at scheduled times. |
| Battery optimization exemption | Keep Control Center responsive. |
5. Advertising
The App is monetized through in-app advertising. We use Google Mobile Ads (AdMob) as the primary ad provider, with the following mediation partners: AppLovin MAX, Meta Audience Network, Pangle (ByteDance), Mintegral, Vungle (Liftoff), Moloco, InMobi, Fyber (Digital Turbine).
These networks may collect your Google Advertising ID, IP address, and basic device info to deliver and measure ads. Each has its own privacy policy. In regions that require user consent (EU/EEA, UK, Switzerland, and others), we use the Google User Messaging Platform (UMP) to ask for your consent before serving personalized ads. You can change your consent at any time in Settings → About → Manage ad preferences within the App.
See §12 for our children's-privacy commitments.
6. Analytics, crash reporting, and attribution
- Firebase Analytics — anonymous app instance ID, screen views, custom events.
- Firebase Crashlytics — stack traces, device model, OS version.
- Firebase Remote Config — feature flags, kill switches.
- Adjust — install attribution and marketing measurement.
These SDKs do not have access to your personal content.
7. How we share data
We share data only with the third-party SDKs listed in §5 and §6, with government agencies when required by valid legal process, or with a successor entity in a merger/acquisition (subject to the same protections). We do not sell your personal data.
8. Data security
We use HTTPS for all network requests. SDK keys, signing keys, and credentials are not embedded in the public APK in plaintext. No system is perfectly secure. If we discover a breach affecting your data, we will notify affected users and the relevant authorities as required by law.
9. Data retention and deletion
Analytics and crash data is retained per the schedule above, then automatically deleted by the providers. Local app data stays on your device until you uninstall or use Settings → Storage → Clear data. To request deletion of analytics data tied to your device: email oxaluspublic@gmail.com with subject "Data deletion request" and your Google Advertising ID. We action requests within 30 days.
10. Your rights
Depending on where you live (e.g. EU/EEA under GDPR, California under CCPA/CPRA, Brazil under LGPD), you may have the right to access, correct, delete, restrict, or port your data; to object to processing; to withdraw consent; and to lodge a complaint with your local data protection authority. To exercise any of these rights, email oxaluspublic@gmail.com.
11. International transfers
Third-party SDK providers may process data on servers outside your country, including in the United States. Where required by law, those transfers rely on Standard Contractual Clauses or equivalent safeguards put in place by the SDK providers.
12. Children's privacy
The App is not directed to children. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under the age of 13. For users in the European Economic Area, the App is not directed to and we do not knowingly collect personal information from children under the age of 16.
If a parent or guardian becomes aware that their child has provided us with personal information without their consent, please contact oxaluspublic@gmail.com and we will take reasonable steps to delete that information from our records.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be highlighted in the App's release notes or a Settings notice. Continued use of the App after a change constitutes acceptance of the updated policy.
14. Contact
Bright Box Apps
Email: oxaluspublic@gmail.com