Privacy Policy for Crashlytics

Privacy Policy for Crashlytics

Crashlytics can be an effective and convenient way for you to discover the causes and severity of crashes in your app. But to do its job, Crashlytics needs to collect and analyze a lot of information about your users and their activity.

You may not have really considered it, but this has some major privacy implications. If your app uses Crashlytics, you're required to maintain a Privacy Policy that explains these implications to your users.

Let's take a look at how you can create a Privacy Policy that will satisfy both your agreements with Crashlytics and the law.


What Is Crashlytics?

Few things are more frustrating for a developer than their app repeatedly crashing. This can cause delays in development, degrade user experience, or, at worst, end up completely destroying your project.

This is where crash reporting software, such as Crashlytics, can be useful. Crashlytics will log usage data about your app and provide insights into the nature of stability problems.

Crashlytics provides a software development kit (SDK) that developers can integrate into an Android, iOS or Unity app. It was created by Fabric. The company was acquired by Google in 2017, and Crashlytics is now part of Google's Firebase platform.

Why Do I Need a Privacy Policy for Crashlytics?

Why Do I Need a Privacy Policy for Crashlytics?

Fundamentally, developers using Crashlytics require a Privacy Policy because of the type of information that Crashlytics collects and processes about their users.

If you already have a Privacy Policy for your app, you'll need to update it to include the information required by Crashlytics.

This only needs to be a short section, containing some key information specified by Crashlytics.

But it's not only Crashlytics that requires you to create a Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":
  3. TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  4. Answer the questions about your website and click "Next step" when finished:
  5. TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  6. Answer the questions about your business practices and click "Next step" when finished:
  7. TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  8. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

It's also a requirement under certain privacy laws to which you're likely to be subject.

Information Collected by Crashlytics

Information Collected by Crashlytics

Many people think of "personal information" as being the obvious things like a person's name, address or social security number. However, the definition is a lot broader than this.

According to Crashlytics' Terms of Service, Crashlytics collects data such as:

  • Device state information
  • Unique device identifiers
  • Location data
  • Usage data
  • Email address (depending on how the developer implements Crashlytics)

This sort of data can constitute personal information. It reveals information about individual people, and can, in theory, be linked to them. It also reveals how individuals use your app. Many people would consider this to be intrusive.

Crashlytics Terms of Service

As mentioned, Crashlytics specifically requires customers to maintain a Privacy Policy. Here's an excerpt from Section 2.6 of the Crashlytics Terms of Service:

Crashlytics Terms of Service: Clause excerpt that requires a Privacy Policy

Let's break that down. In order to use Crashlytics, you need a Privacy Policy that:

  • Is "readily accessible" from your website and/or app
  • Lists the types of information that Crashlytics collects
  • States that this information is shared with third parties (including Crashlytics)
  • Explains how Crashlytics collects and uses this information
  • Discloses that your app uses technology to track your users' activities and collect information from them

Privacy Law

Privacy Law

The collection of device and usage information also falls under the ambit of certain data protection and privacy laws, such as:

  • The EU General Data Protection Regulation (GDPR)
  • The California Online Privacy Protection Act (CalOPPA)
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

These laws are in place to ensure that you treat your users' personal information respectfully and that you're transparent about what personal information you collect.

Not all privacy laws are equally demanding.

California's CalOPPA, for example, doesn't impose any requirement beyond creating a Privacy Policy and ensuring that it's accessible from your website and/or app.

The EU's GDPR, on the other hand, is much more extensive and covers every aspect of how you collect and process the personal information of your users. It also has a much wider definition of what constitutes personal information.

Generally speaking, you don't only have to consider the privacy laws of your home country. You must also obey the privacy laws of the places where your users reside. So if you have users in the EU, you're obligated to make sure your app follows the strict rules imposed by the GDPR.

What to Include in Your Crashlytics Privacy Policy

What to Include in Your Crashlytics Privacy Policy

We're going to take a look at three examples of Privacy Policies that make reference to Crashlytics. Each approaches the requirements slightly differently, but together you can learn from them and provide your users with something compliant and comprehensive.

Our first example comes from Callabio, which provides Crashlytics with its own section in its Privacy Policy.

allabio Privacy Policy: Crashlytics clause excerpt

Callabio appears to have covered most of what is required of it under the Crashlytics Terms of Service. However, it doesn't specifically state that this information will be used to track users, and it doesn't disclose that Crashlytics collects location data.

Callabio then goes on to provide links to further privacy information provided by Google and Fabric, which is a welcome addition:

Callabio Privacy Policy: Crashlytics clause - Settings and Google Privacy Policy excerpt

Here's our second example, from DBDSoft. DBDSoft has included some of the information required by Crashlytics but not all of it:

DBDSoft Privacy Policy: Crash reports clause about Crashlytics

DBDSoft identifies the types of information collected: "device state information, unique device identifiers, device hardware and OS information [...] physical location.."

DBDSoft does name Crashlytics but doesn't specifically state that this information will be shared with them. It's important to mention this because your users need to know where this information is going.

The Momento app's Privacy Policy includes information about its use of Crashlytics in two places. First, in the clause that discusses what information Momento shares, with who and why, it's noted that "device and usage information will be shared with...Crashlytics."

Momento App Privacy Policy: Device and Usage Information clause

This meets the requirement that you state that information will be shared with third parties, including Crashlytics.

Crashlytics is also mentioned in the Third-Party Services clause in the Third Party SDK's section. Here, users are informed that the Fabric SDK makes it possible for the app to "capture and collect crash logs through the Crashlytics service and interact with the Twitter Platform."

Momento App Privacy Policy: Third Party SDK - Fabric SDK clause

This meets the requirement that the types of information collected by Crashlytics are listed.

In the clause that covers what information Momento collects, a general Usage Information section notes that "anonymous analytical information" is collected when the service is used and this includes "information about your interaction with the Services, including the actions you take on the Services."

Momento App Privacy Policy: Usage Information clause

Even though Crashlytics isn't mentioned here explicitly, this clause still works to meet the requirement that you disclose that your app uses technology to track your users' activities and collect information from them.

Making Your Privacy Policy Accessible

Making Your Privacy Policy Accessible

Using Crashlytics means agreeing not only to maintain a Privacy Policy, but also to make it "readily accessible" within your app.

Many apps make their Privacy Policies available via the "Settings" or "About" menu. You should make sure that a user can access your Privacy Policy easily within just two or three taps and not have to search extensively for it.

Let's take a look at some examples.

Slack places an option to access its "Privacy and licenses" at the bottom of its Settings menu:

Slack app Settings screen

Tapping on this option leads to the following screen:

Slack app Privacy and Licenses menu screen

Selecting "Privacy Policy" opens an in-app custom browser pointed at Slack's Privacy Policy:

Slack mobile Privacy Policy: Screenshot of intro

Here's a slightly different approach from Malwarebytes.

Malwarebytes' Privacy Policy is accessible via the About menu, which can be selected from the app's sidebar:

Screenshot of Malwarebytes app sidebar menu

Here are the options available in the About screen:

Screenshot of Malwarebytes About menu

Selecting the Privacy Policy opens the user's default browser and directs them to the policy:

Malwarebytes mobile Privacy Policy: Screenshot of intro

Make sure your Privacy Policy is easily accessible from your website and mobile app at all times to comply with privacy laws and with Crashlytics' Terms of Service.

Special Rules for Developers with EU Users

Special Rules for Developers with EU Users

The Crashlytics Terms of Service makes some specific demands of developers who have users based in the European Union.

If you have users in the EU, or if you're based in the EU, you'll need to abide by EU privacy law.

Just to reiterate: this applies to all the users you have in the EU. It doesn't matter whether you're based in the United Kingdom, United States, or the United Arab Emirates - or anywhere else, for that matter. What matters is where your users are located.

EU privacy rules apply to anyone collecting the personal information of people in the EU for the purposes of "offering goods or services." Note that this applies whether or not your app costs money or makes a profit.

The Crashlytics Terms of Service states the following:

Crashlytics Terms of Service: Clause excerpt that requires consent to be obtained

Meeting EU data protection standards means abiding by these two important privacy laws:

  • The ePrivacy Directive. Sometimes known as the EU Cookies Directive, the ePrivacy Directive requires you to earn consent for using cookies and other devices. This includes any software that accesses a user's information or tracks their behavior, such as Crashlytics.
  • The General Data Protection Regulation (GDPR). The GDPR sets the standard of consent. It requires that, wherever you're asking for consent, you must do so in a meaningful way. You can't assume that you have a user's consent for crash reporting and then ask them to opt out. You need to take proactive steps to ensure that they're really happy for you to use their personal information in this way.

Not every company is very good at complying with these rules. But it's very important that you do so, as the EU's Data Protection Authorities aren't shy about taking legal action.

In fact, Google itself was hit with an eye-watering €50 million fine in January 2019 because of the way in which it was collecting consent. So it might be not surprising that, by default, Firebase Crashlytics collects users' personal information without their consent.

If you're serving EU users, you should enable opt-in reporting. This is an option provided by the service, and so it's your responsibility to activate it. This will give your users real control about whether you use their personal information for this purpose.

Here's Google's guidance on how to do this for Android users within Firebase:

Firebase: Customize Crashlytics Reports - Enable opt-in reporting section

There are different instructions if you're developing an app for iOS or Unity.

Many apps collect consent for crash reporting. Here's an example from Ookla's Android app, Speedtest:

Speedtest App's permissions screen to collect advanced analytics and crash reports

You should also provide an option to allow your users to withdraw consent once they've given it (or provide consent if they've previously refused it). Here's how Speedtest does this:

Speedtest App's settings adjustment screen for permissions screen to collect advanced analytics and crash reports

International Transfers

The Crashlytics Terms of Service gives the following requirement:

Crashlytics Terms of Service: Clause excerpt that requires consent to transfer data of EU users

The Crashlytics Terms require that you obtain EU users' consent to transfer their data to countries outside of the EU.

This is a somewhat confusing provision.

There are rules about transferring personal information out of the EU, to non-EU countries. These rules are discussed at Chapter 5 of the GDPR. There are several different ways to legally perform such a transfer. The GDPR sets out several safeguards, and the European Commission provides a list of "approved" countries for whom no safeguards are required.

It is possible to transfer a user's personal information out of the EU on the basis of their consent. However, this is normally a last resort, where none of the other safeguards are available.

In fact, data transfers to Crashlytics are covered by a different safeguard - Google's certification under the EU-US Privacy Shield Framework. This means that, under the GDPR, it isn't necessary or appropriate to seek a user's consent to transfer their data outside of the EU for the purposes of using Crashlytics.

In light of this, it isn't clear why Crashlytics requires developers to earn consent for such transfers. It is difficult to find any examples of apps that actually do this.

SeriesGuide makes reference to Crashlytics' Privacy Shield certification in its Privacy Policy:

SeriesGuide Privacy Policy: Third-party services clause - Crashlytics section

This fulfills Crashlytics' requirement that developers give their users notice of the international transfer of their personal information.

Although this part of Crashlytics' Terms of Service is confusing, and although it appears to have been ignored by many if not all developers, remember that you do agree to fulfill this requirement by using the service.

Summary

Crashlytics requires all developers using the service to have a Privacy Policy, or update their existing Privacy Policy to include information about Crashlytics.

This must include information about:

  • The types of information Crashlytics collects
  • How Crashlytics collects and uses this information

You must disclose that:

  • This information is shared with Crashlytics (i.e. Google) and other third parties
  • Crashlytics tracks your users' activities

The Privacy Policy must be readily accessible from within your app.

There are extra requirements pertaining to any of your users in the EU:

  • Get consent for collecting crash reporting data
  • Provide notice of, and get consent for, the transfer of your users' personal information outside of the EU
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.