Categories of Gathered Data

In-App Protection gathers only technical and device-related data required to evaluate the security and integrity of the application runtime environment. These data do not include direct identification data such as name, address, email address, phone number, or national identification number. Where the gathered data can be linked directly or indirectly to a natural person, they should be treated as pseudonymous personal data under GDPR.

Device-Related Identifiers

This category covers identifiers used to distinguish a device or client instance.

Device fingerprint

A set of identifiers and characteristics used to identify or distinguish a device.

Customer-assigned device ID

An identifier assigned by the customer to a device and provided to the system.

Customer-assigned client ID

An identifier assigned by the customer to a client, installation, or application instance and provided to the system.

Device Security and Integrity Attributes

This category covers technical attributes describing the security posture of the device and the runtime environment.

Root / jailbreak / compromised-device status

A technical flag indicating whether the device appears to be rooted, jailbroken, or otherwise security-compromised.

Emulator status

A technical flag indicating whether the application appears to run in an emulator rather than on a physical device.

Where these attributes are stored together with a device fingerprint, device ID, or client ID, they relate to a singled-out device or client record and should be treated consistently with those identifiers from a GDPR perspective.

GDPR Categorization Summary

For GDPR purposes, the gathered data are categorized as follows:

Pseudonymous personal data

• device fingerprint
• customer-assigned device ID
• customer-assigned client ID
• root / jailbreak / compromised-device status
• emulator status