Privacy Policy — Firepulse (mobile app)

Last updated: 2026-05-10

In a nutshell: Firepulse is a read-only mobile viewer for your Google and Firebase projects. It uses Google Sign-In and asks only for read-only permissions, so it can never create, modify, or delete anything in your Firebase account. A Google refresh token is sent to our server only if you explicitly turn on daily or weekly notifications — it is encrypted with Google Cloud KMS before being written to storage. You can revoke our access at any time in one tap, either from inside the app or at myaccount.google.com/permissions.

This policy explains, in plain language, what we process, why, where it lives, and how you can make it go away.

1. Who we are

App name: Firepulse.
Publisher: a solo developer, operating from France.
This app is not affiliated with Google LLC. "Firebase" is a trademark of Google LLC; this is an independent client that uses Google's public APIs.

2. What data we process

Stored on your device only

Never leaves your phone unless you enable server-side notifications (section below).

Your Google sign-in state and a short-lived Google access token. Both are handled by the Google Sign-In SDK and protected by the OS keychain (iOS Keychain / Android Keystore).
App preferences: starred projects, dashboard widget configuration, and the TanStack Query cache (a local copy of recently fetched data so the app loads fast when offline).

Sent to Google APIs

These calls go directly from your phone to Google, over HTTPS, authenticated by your Google account. They are read-only — the app is physically incapable of mutating your Firebase resources, because it has not requested the scopes to do so.

Scopes requested (verbatim from the app's sign-in configuration):

profile
email
https://www.googleapis.com/auth/firebase.readonly
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/monitoring.read
https://www.googleapis.com/auth/cloud-billing.readonly
https://www.googleapis.com/auth/cloud-platform.read-only

Using these scopes, the app can view your Firebase projects, GA4 analytics, Cloud Monitoring metrics, Cloud Functions / Cloud Run services, enabled APIs, and project billing status. It cannot create, modify, or delete any Firebase or Google Cloud resource, run any Cloud Function, change any Firestore rule, modify billing, or post any data back to your Google Cloud project.

Sent to our server — only if you enable daily / weekly notifications

If (and only if) you tap "Turn on notifications" and accept the in-app consent sheet, the following is sent to our backend:

Your Google refresh token — one-time, at consent. Encrypted at rest with Google Cloud KMS before being persisted in Firestore. Plain-text refresh tokens are never written to disk.
Your Firebase user id (auth.uid) — used as the document owner and the access-control key for all your server-side data.
Your notification configuration: frequency (daily or weekly), chosen time slot (9 AM, 12 PM, or 7 PM), weekday (for weekly), the projects you selected, the metrics you selected, and your timezone.
Your FCM push token and device platform (iOS or Android) — so the server can deliver the push to the right device(s). You can register more than one device; stale tokens are automatically pruned by the server when FCM rejects them.

Generated by our server when a notification fires

A daily delivery record at users/{uid}/deliveries/{yyyy-mm-dd} containing the rendered notification body and per-metric numbers. Used for (a) idempotency (so we never send you the same digest twice in one day), (b) showing you the preview screen when you tap the push.

3. Why we process it

Read-only Google API scopes: to render your Firebase project data inside the app. That is the whole product.
Refresh token on the server: so that when your scheduled notification time arrives and the app is closed, the server can mint a short-lived access token, fetch your chosen metrics, and deliver the push. Without a refresh token, the server cannot deliver notifications while the app is backgrounded — which is the entire point of the feature.
FCM push token: to actually deliver the push to your device.
Notification config: to know what to compute, for which projects, and when.
Delivery records: to avoid duplicate sends, and to populate the "preview" screen when you tap a push.

4. Who we share data with

No third parties. We do not sell your data. We do not share it with advertisers, data brokers, or analytics vendors. We do not use it for anything other than delivering the product feature you enabled.
Google LLC processes the read-only API requests on your behalf. Google Cloud services — Firestore, Cloud KMS, Cloud Functions, Cloud Pub/Sub, Cloud Scheduler, Firebase Cloud Messaging — run our server-side infrastructure and operate under Google's standard privacy terms.

5. Limited Use of Google user data

Firepulse's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In practice that means:

We only use Google user data to provide or improve the user-facing features described in this policy (viewing your Firebase data and delivering the notifications you enabled). We do not use it for any other purpose.
We do not transfer Google user data to third parties, except as necessary to provide or improve these features, or to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
We do not allow humans to read Google user data, except with your explicit consent, to comply with applicable law, for security investigations, or when the data has been aggregated and anonymized for internal operations.

6. Where data is stored

Refresh tokens: encrypted with Google Cloud KMS (AES-256, Google-managed keys) before being written to Firestore. The ciphertext is stored at users/{uid}/profile/doc. The plain-text refresh token never persists.
Notification config, push tokens, delivery records: Firestore, under users/{uid}/…, locked to your uid by security rules — no other user (and no unauthenticated request) can read your documents. Server-only writes are enforced for delivery records.
Hosting region: Google Cloud, us-central1.

7. How we protect your data

Security procedures are in place to protect the confidentiality of your data. Specifically:

Encryption in transit. All traffic between the app, Google APIs, and our backend uses HTTPS/TLS 1.2+. The mobile app never opens a non-TLS socket.
Encryption at rest for sensitive credentials. Your Google refresh token is encrypted with Google Cloud KMS (AES-256, Google-managed keys) before being written to Firestore. The plain-text refresh token never touches disk and is held in process memory only for the few milliseconds needed to mint a short-lived access token.
Encryption at rest for all other server data. Firestore encrypts all documents at rest by default (AES-256).
Strict access control. Server-side documents under users/{uid}/… are locked to the authenticated user by Firestore security rules; no cross-user reads are possible. Delivery records are server-write-only. The KMS decrypt permission is held only by the dispatcher service account, not by clients.
Least-privilege OAuth scopes. Every requested Google scope ends in .readonly or .read-only. The app and backend are physically incapable of mutating your Firebase or Google Cloud resources.
Secret management. OAuth client secrets live in Google Secret Manager, not in source control or app bundles. Only the backend service account can read them.
No third-party trackers. No analytics SDK, advertising SDK, or third-party data broker is integrated; sensitive data is never sent to a third party.

8. How long we keep it

Notification configuration and refresh token: kept until you delete the notification (in-app), or sign out and request server-side deletion.
Push tokens: kept until FCM reports them as invalid, then auto-pruned by the server on the next failed send.
Delivery records: retained for audit and for the in-app preview screen.

9. Your rights

Access. You can view your complete notification configuration inside the app at any time — it's the same screen you used to set it up.
Correct. Edit any field at any time, directly in the app.
Delete. Tapping "Delete notification" in the app triggers, in one action:
1. Deletion of your notification document and profile document in Firestore.
2. Revocation of your Google refresh token via Google's /revoke endpoint.
3. Deletion of the stored KMS ciphertext and all your registered push tokens.
Revoke Google access directly. At any time, visit myaccount.google.com/permissions and remove "Firepulse". This works even if the app has been uninstalled.

10. Children

This app is intended for users 13 and older. It is not marketed to children, does not feature content designed to appeal to children, and does not knowingly collect data from anyone under 13.

11. Changes to this policy

If we change what we collect or how we process it, we will update this page and bump the consentVersion flag in the app. The next time you open the app after a material change, you will be asked to re-consent before the change takes effect — your old consent does not roll forward silently.

This policy describes the behavior of the "Firepulse" mobile app as of the last-updated date. It applies only to that app (published on the Google Play Store) and the backend that serves its notification feature.