Privacy Policy
Whitelist This is an Android app that filters your Gmail notifications against a list of senders you trust. It runs entirely on your device. There is no backend, no analytics, and no account to create. The only data that leaves your device does so via Google Play Billing when you choose to start a Pro subscription — and even then, what reaches us is subscription state metadata, not payment details.
This policy explains what the app touches, what it stores on your phone, and what it never does. It is short on purpose. If a section feels generic, that is because we genuinely don't do that thing.
What we access
Whitelist This uses Android's Notification Listener permission to read Gmail's incoming notifications. That permission gives us four pieces of metadata per notification:
- The sender's email address
- The sender's display name (if Gmail provides one)
- The subject line
- Gmail's internal message ID and the recipient Gmail account on your device
We use this metadata to decide whether the sender is on your whitelist, and — if you tap the notification later from our widget — to open the correct email inside the Gmail app.
We do not read email bodies, attachments, drafts, contacts, calendar, sent mail, or anything inside Gmail itself. We do not request Gmail API access. We do not have an OAuth scope. We cannot see emails that Gmail does not post a notification for.
What we store, and where
Everything below lives on your phone. None of it is uploaded, synced, or transmitted by us.
| What | Where | Why |
|---|---|---|
| Your whitelist (senders and domains you add) | Local Room database | So we can match incoming notifications against it |
| Notification history (last 50 matches, oldest rotated out) | Local Room database | So the home-screen widget can show recent subjects |
| Your subscription tier (free / trial / active / grace / cancelled-with-access), the renewal or expiry date, the trial start/end timestamps if applicable, your trial eligibility, your Google Play purchase token and order ID, and the productId of the plan you bought | Local SharedPreferences, mirrored from Google Play Billing's purchase record on your device | So the app knows whether to enforce the free-tier cap, when to show the "trial ends in N days" banner, when to re-query Play for renewal status, and where to deep-link "Manage subscription" |
| (Not stored) Your payment method — card number, UPI VPA, Play balance, etc. | We never receive or see this. Google Play Billing handles it entirely on Google's side. | n/a — the app does not have payment-instrument data |
| Your display name and email for QR exchange | Local SharedPreferences | So the QR you show others contains your name and email |
If you uninstall the app, all of this is deleted. There is no cloud copy to restore from. That is the trade-off of a local-only app, and we think it is the right one.
The QR exchange feature encodes your name and email into a URL of the form https://whitelistthis.app/add?email=...&name=.... The QR is rendered on your device. We do not transmit it. When you share it, it leaves your phone the same way a text message does — through Android's share sheet, to whoever you choose.
What we do not do
- We do not run a backend server.
- We do not use analytics — no Firebase Analytics, no Google Analytics, no third-party SDKs for tracking.
- We do not show ads.
- We do not ask you to create an account.
- We do not track you across other apps.
- We do not sell, rent, or share your data with anyone, because we do not have it.
- We do not see or receive your payment method. When you buy or renew a Pro subscription, your card, UPI, or Play Store balance is handled entirely by Google Play. What reaches us is subscription state metadata — are you subscribed, when does it renew, are you in a trial — and never the payment instrument itself.
- We do not request location, contacts, microphone, or camera except the in-app QR scanner. The scanner reads QR codes through Google's on-device Code Scanner and does not store images, frames, or video.
If a future version of the app starts doing any of these, this policy and the app's onboarding will say so before that version ships.
Third parties
Two, and only two:
- Google Play Billing processes the Pro subscription — monthly, annual, and the 7-day free trial on the monthly plan. When you start a subscription or trial, Google's purchase sheet handles the transaction; Google receives the information needed to charge your payment method, manage renewals, and remember that your Google account is subscribed. The app receives back from Google only the subscription state metadata listed in the storage table above — never payment-instrument data. Google's privacy policy applies to the transaction and to anything Google retains on its side: https://policies.google.com/privacy. Subscription changes you make on Google Play (such as cancelling) propagate into the app the next time the app queries Google Play Billing, typically on next launch — not in real time, because the app does not run a server.
- Google Play Closed Testing — during the app's testing phase, your Google account email may appear on the license-tester list we maintain inside Google Play Console so you can install pre-release builds. This list is internal to Play Console; we do not export it.
There are no other third parties. No crash reporter sending data off-device in v1. No ad networks. No customer-support chat widget. No CDN logs of you.
Data retention
All app data lives on your device. We retain nothing on a server because we do not have a server.
- Whitelist entries stay until you remove them or uninstall.
- Notification history rotates automatically — only the 50 most recent matches are kept; older ones are deleted as new ones arrive.
- Uninstalling the app deletes the local database and preferences in full.
Google Play Billing retains its own subscription record so you can restore your subscription on a new device, and so that renewal, cancellation, and refund flows work from the Google Play Store. The retention period and policies for that record are Google's, not ours.
Your rights
You do not need to ask us to access, export, or delete your data, because we are not the ones holding it. Everything is in your hands:
- Access / export — the data is on your device. You can clear individual entries inside the app's whitelist screen.
- Deletion (app data) — uninstall the app. The local database and preferences (including the subscription-state mirror) are deleted with it. This satisfies the right to erasure under GDPR, UK GDPR, and equivalent regimes for the data we hold on your device.
- Deletion (billing data held by Google) — uninstall does not delete Google's purchase record. To delete that, use the data controls in your Google account, or contact Google directly. We have no access to that record and cannot delete it on your behalf.
- Cancel your Pro subscription — Google Play Store → Subscriptions → Whitelist This Pro → Cancel. You keep access until the end of the period you have already paid for; after that, the app reverts to the Free tier. Your existing whitelist entries are preserved.
- Withdraw notification access — Android Settings → Notification Access → Whitelist This → off. The app stops reading notifications immediately.
If you live somewhere with stronger statutory rights (GDPR, UK GDPR, CCPA, etc.), they apply to whatever processing happens on your device. Since none of your data reaches us, most data-subject requests have nothing for us to fulfill, but if you have a question, email us at the address below.
Children
Whitelist This is intended for users 13 and older, matching the minimum age for a Google account (which the app requires in order to receive Gmail notifications). The Play Store listing's age gate enforces this floor. Users between 13 and the age of contractual majority in their country should use the app with a parent or guardian's involvement, particularly around any Pro subscription purchase. The app does not knowingly collect information from anyone under 13, and given that the app collects nothing centrally, there is nothing collected from anyone, child or adult.
Changes to this policy
If we change what the app accesses, stores, or shares with third parties, we will update this page and bump the "Last updated" date at the top. Material changes, including any change to what subscription-related data is stored, retained, or shared, will surface inside the app on the next launch after they ship and, where Google Play policy or applicable law requires it, will be flagged before your next subscription renewal.
The version of this policy that applies to you is the one published at https://whitelistthis.app/privacy on the date your installed version of the app was released.
Contact
Privacy questions, complaints, or "this section is wrong" corrections:
hello@whitelistthis.app
A real person reads this inbox.