Android App Privacy Notice
Last Updated: June 9, 2026 · Applies to the Code Four Android app on Google Play
This notice describes how the Code Four Android app (the "App") collects, uses, shares, retains, and lets users control personal data. It is the privacy policy referenced from the Code Four Google Play store listing and linked from inside the App. It is published at a public, non-geofenced URL and is also reachable from the App's Profile tab.
The Code Four App is sold exclusively to law-enforcement and public-safety agencies as part of Code Four's enterprise platform. Officers cannot self-register: an agency administrator provisions accounts only after the agency has signed a Memorandum of Understanding or Definitive Agreement covering data processing, subprocessors, and security obligations. By the time a user signs in to the App, their agency has contractually accepted the terms summarized below. Code Four is a private vendor tool for agencies; it is not an official government application.
1. What Data the App Collects
The App may collect the following categories of data from authorized users (officers, supervisors, and other agency staff). The corresponding Google Play Data safety categories are noted in brackets.
- •Account identity. Email address, name, rank, badge number, agency, and role provisioned by the agency administrator. [Personal info — name, email address, user IDs.]
- •User content. Incident report narratives, transcripts, evidence metadata, AI chat messages, and attached photos or video that the user authors or uploads. [App activity — other user-generated content; Photos and videos; Files and docs.]
- •Audio. Microphone recordings made during voice-assisted reporting sessions and short voice clips recorded for transcription inside the chat composer. [Audio — voice or sound recordings.]
- •Optional location. A single reverse-geocoded location fix (street, city, state, postal code) captured at the start of a voice-assisted session, collected only when the user has enabled the location toggle in the App's Privacy settings and granted the Android location permission. Depending on the precision the user grants at the system prompt, this fix may be approximate or precise. The App captures a single fix and never tracks location in the background. [Location — approximate location and, if the user grants precise access, precise location.]
- •Authentication metadata. Sign-in timestamps, device platform, app version, and IP address generated during normal authentication. [App activity / Device or other IDs.]
- •Operational telemetry. Performance, crash, and error metrics generated by the App for reliability and debugging. [App info and performance — crash logs, diagnostics.]
The App does not collect: advertising identifiers, contacts, browsing or search history outside the App, health data, financial data, photos beyond what the user explicitly attaches, or device-level identifiers used for cross-app tracking. The App is not used to track users across other apps or websites, requests no Android advertising ID, and embeds no advertising or analytics SDK. Photo and video attachments are selected through the Android system photo picker, so the App requests no broad media-storage permission.
2. How the App Collects This Data
- •Account identity is provisioned by the agency administrator before the user ever signs in. Profile fields (e.g., phone number, profile photo) can be updated by the user from inside the App.
- •User content and attachments are authored by the user inside the App or uploaded through explicit affordances (the New Report sheet, the chat composer's attach button, the camera, or the Android photo picker). Camera access is gated by the standard Android runtime permission dialog; selecting existing photos or video uses the Android system photo picker, which grants access only to the items the user picks.
- •Audio is captured by the device microphone only after the user grants the Android microphone permission and only while the user is actively in a voice-assisted session or holding the chat-composer voice button.
- •Location is captured as a single fix at session start (not continuous tracking) only when the user has explicitly enabled the location toggle in the App's Privacy settings AND granted the Android location permission. Both gates must be on; either disabled means no location is collected. Android lets the user choose approximate or precise accuracy at the system prompt, and the App honors that choice.
- •Authentication metadata is generated server-side during sign-in.
- •Operational telemetry is generated by the App and the backend during normal operation. The App does not embed any third-party analytics or advertising SDK.
3. All Uses of That Data
Code Four uses the data above only for the following purposes:
- •Provide the Service. Render reports, transcripts, and evidence; route requests; enforce role-based access controls; produce exports.
- •AI assistance. Power transcription, AI chat, narrative drafting, evidence extraction, and the voice assistant. These features use Google Cloud's Vertex AI / Gemini service, a service offering of our existing cloud provider, acting as a processor on Code Four's instructions — see Section 4 for the equal-protection commitments. AI-generated text is a draft that requires human review before it becomes part of an official record.
- •Security and integrity. Detect abuse, maintain audit logs, secure customer data, and run intrusion detection.
- •Compliance. Respond to lawful subpoenas or court orders directed at the agency or at Code Four. Where legally permitted, Code Four will direct the requesting party to the agency, which is the controller of the underlying data, and will notify the agency in advance if Code Four is required to produce data directly.
- •Aggregated, de-identified platform improvement. Operational metrics such as processing times, error rates, and aggregated latency to improve reliability and performance. These metrics are de-identified at the source and never used to train AI models.
Code Four does NOT use Customer Data to train or fine-tune general or shared AI models.
Customer Data remains isolated per-agency tenant and is never pooled across customers for model development. This commitment is published in our public Terms of Service Part B and is incorporated into every signed customer agreement. The App is not used to track users across other apps or websites; it does not collect data for advertising; it does not embed any advertising or tracking SDK.
4. Third-Party Processors and Equal Protection
The App relies on three subprocessors. Each processes data on Code Four's behalf and on Code Four's instructions — none receives Customer Data to use for its own purposes, and Code Four does not sell or "share" Customer Data with third parties for their independent use. The current authoritative list is published at codefour.us/trust/subprocessors.
Google Cloud Platform — including Vertex AI / Gemini (cloud + AI)
Google Cloud Platform hosts the App's backend and provides the Vertex AI / Gemini service used for AI features. Vertex AI is not a separate third party — it is a service offering of the same Google Cloud Platform that hosts the rest of our infrastructure, governed by the same Google Cloud customer agreement and Data Processing Addendum. All processing occurs in United States Google Cloud regions.
Amazon Web Services — Cognito GovCloud (identity)
Provides identity, authentication, and password / multi-factor authentication enforcement. Operated in an isolated AWS GovCloud (US) region in FIPS 140-2 mode.
GitHub (source-code version control)
Stores Code Four's source code. GitHub does not receive Customer Data.
AI processing path
The Android App does not call Vertex AI directly. Device traffic terminates over TLS at Code Four-controlled backend services running in the same Google Cloud project as the rest of our infrastructure. The backend then invokes Vertex AI in the same United States region.
Equal-protection commitments
Each subprocessor provides protection of user data that is the same or equivalent to the protection described in this notice:
- •No training on Customer Data. Google Cloud's Vertex AI customer terms commit that prompts and responses sent to Vertex AI are not used to train Google's foundation models. Code Four's own no-training commitment is in our Terms of Service Part B and every customer agreement.
- •Encryption at rest with customer-managed keys. Backend services that handle Customer Data are deployed with customer-managed encryption keys and configured to take the service offline if the encryption key is revoked. Primary databases are encrypted with hardware-backed keys on regular automatic rotation.
- •Encryption in transit. TLS 1.2+ on every device-to-server and server-to-subprocessor hop.
- •United States data residency. All Customer Data is processed and stored in United States cloud regions only. Our backend enforces a U.S.-region allowlist for AI calls. Google Cloud's data-processing posture is designed to support FedRAMP and CJIS-aligned controls; AWS GovCloud is an isolated FIPS-mode region.
- •Least-privilege access. Each backend service runs with a dedicated identity scoped to that service's purpose. Cross-service access is not granted by default.
- •Audit logging. Authentication events, configuration changes, and material data operations are continuously logged. Audit-log retention is in line with CJIS Security Policy guidance, with at least one log destination configured with locked retention to prevent reduction.
- •Identity hardening. Multi-factor authentication is enabled for all users. Password policy requires minimum length and full character-class complexity. Officers cannot self-register; only agency administrators can provision users.
5. Disclosure and Consent Before Data Is Sent
The App obtains explicit user consent before any data is sent to Vertex AI / Gemini and before any sensitive permission is used, in line with Google Play's User Data policy and its Prominent Disclosure & Consent requirement:
- •Pre-sign-in disclosure. The App's sign-in screen displays a third-party AI disclosure directly under the "Continue with email" button, with a tappable link to this notice. The disclosure is visible before any sign-in.
- •Bundled AI Data Processing notice. After authentication and before any AI feature is reachable, the App presents a full-screen notice that enumerates the data classes that may be sent, names the third-party processor ("Google Cloud Vertex AI / Gemini"), and includes a "View privacy policy" button linking to this page. The user must tap "Agree and Continue" before any AI feature loads.
- •Per-feature just-in-time prompts. The first time a user taps the chat microphone, attaches a photo to a chat message, or starts a voice-assisted session, an in-app disclosure naming the AI processor appears and links back to this notice. It immediately precedes the Android runtime permission request, and consent is captured by an affirmative tap. Translation sessions show a per-session disclaimer every time, by design.
- •Android runtime permissions. Microphone, camera, and location access are each gated by the standard Android runtime permission dialog, requested just-in-time at the point the feature is used rather than up front. Selecting existing photos or video uses the Android system photo picker, which requires no storage permission and shares only the items the user selects.
- •Optional, off by default. Location is opt-in, off by default, and used only as a single fix at the start of an explicit voice-assisted session. The App never tracks location in the background and declares no background-location permission.
6. Data Retention
- •Reports, narratives, transcripts, evidence: retained per the agency's configured retention policy. The agency administrator controls these settings.
- •Voice-assisted session audio: stored in encrypted United States cloud storage per the agency's configured retention policy.
- •Audit logs: retained in line with CJIS Security Policy guidance, with locked retention configured to prevent reduction.
- •Authentication metadata: retained for the lifetime of the account plus a backup-retention period.
- •Operational telemetry: retained de-identified for a limited period.
7. How to Revoke Consent or Request Deletion
- •Revoke AI processing acknowledgement at any time. Open the App's Profile tab → Privacy → toggle "Allow AI data processing" off. Doing so clears the bundled AI Data Processing acknowledgement and every per-surface just-in-time acknowledgement, so the disclosures fire again on next use.
- •Disable location. Profile → Privacy → toggle "Use location for guided reports" off. The App will stop sending location immediately. You can also revoke the Android location permission in the system Settings → Apps → Code Four → Permissions.
- •Delete your account. Profile → scroll to "Delete Account" → confirm by typing your email. Account deletion removes the sign-in record, signs you out of every device, and deletes the associated account data. You can also request deletion without signing in at codefour.us/data-deletion. Past reports and audit-log entries that name you remain in the agency's tenant per the agency's retention policy and applicable law — these are retained for security, integrity, and legal-record obligations.
- •Data subject requests. Because the agency is the controller for officer-authored content, requests to access, correct, or delete underlying content are routed through the agency administrator. You can also email support@codefour.us and Code Four will coordinate with the agency.
- •Sign out from any device. Profile → Sign Out. Active sessions are revoked at the identity provider.
8. Other Information
Children. The App is not directed to children and its target audience is adults. Users must be employed or contracted by a public-safety agency in good standing.
AI-generated content. Report drafts, chat replies, and translations are AI-assisted and require human review before they become part of an official record. Users can flag problematic AI output to Code Four from inside the App, and Code Four uses those reports to improve filtering and safety.
International transfers. The App is designed for U.S. agency customers and processes data in U.S. regions only.
Changes to this notice.Material changes to this notice will be communicated to customer-agency administrators with at least 30 days' notice where feasible. The "Last Updated" date at the top of this page reflects the most recent revision.
9. Contact
Questions about this notice or about how the Code Four Android app processes data:
Code Four Labs, Corp.
5033 Trembath Lane, Cary, NC 27519
Email: support@codefour.us
See also: iOS App Privacy Notice, Platform Privacy Addendum, Subprocessors, Security Overview, Terms of Service.