WiFiCopy Official Site

Privacy Policy

Privacy Policy for WiFiCopy

Effective Date: January 1, 2025
Last Updated: October 3, 2025
App Version: 1.7

Overview

WiFiCopy is a privacy-first Android application designed to transfer files from your mobile device to network file servers using SMB, FTP, and SFTP protocols. We are committed to protecting your privacy and ensuring your data remains secure and under your control.

Information We Collect

Data Stored Locally on Your Device

Server Credentials (SMB, FTP, SFTP):

  • Server addresses or hostnames (IPv4, IPv6, or domain names)
  • Usernames and passwords (encrypted with AES-256-GCM encryption using hardware-backed keys)
  • Domain names (for SMB, if applicable)
  • Port numbers and share names
  • Protocol preferences (SMB, FTP, SFTP)
  • Connection settings (SMB version, encryption settings, FTP passive mode)
  • SFTP host key fingerprints (for SSH server verification)
  • Last used protocol preference (for user convenience)

File Selection Data:

  • Paths and metadata of files you choose to transfer
  • Folder selections for dynamic backup (tree URIs)
  • App preferences and settings

Scheduled Backup Configurations:

  • Backup job names and schedules (daily, weekly, monthly)
  • Source file/folder selections
  • Destination server configurations
  • Backup frequency and timing preferences
  • Network connectivity requirements (WiFi-only settings)

Technical Information:

  • Network connectivity status (to ensure WiFi-only operation)
  • File access permissions for selected files only

Data We DO NOT Collect

  • No Analytics or Tracking: We do not use analytics services, tracking pixels, or usage statistics
  • No Personal Information: We do not collect names, email addresses, phone numbers, or other personal identifiers
  • No Device Information: We do not collect device IDs, advertising IDs, or hardware information
  • No Location Data: Despite network permissions, we do not track or store location information
  • No File Content: We do not analyze, store, or process the content of your files

How We Use Your Information

Local Processing Only

  • Server credentials (SMB/FTP/SFTP) are used solely to establish connections to your specified servers
  • File selections are used only to transfer files to your designated network shares
  • Scheduled backups run locally on your device using Android WorkManager
  • All processing occurs locally on your device with no cloud intermediaries

No Third-Party Sharing

  • We do not share, sell, or transmit your data to any third parties
  • We do not use cloud services or external servers for data processing
  • Your information never leaves your device except when connecting to your own SMB servers

Data Security

Encryption and Protection

  • Military-Grade Encryption: All passwords (SMB, FTP, SFTP) are encrypted using AES-256-GCM encryption
  • Hardware-Backed Keys: Encryption keys are stored in Android's hardware-backed Keystore when available
  • Separate Encrypted Storage: SMB and FTP credentials stored in separate encrypted containers
  • Memory Protection: Passwords are handled securely to minimize memory exposure
  • Backup Exclusion: All sensitive data (passwords, configurations, encryption keys, SFTP host keys) is explicitly excluded from Android's automatic backup systems
  • No Plaintext Storage: Credentials are never stored in plaintext anywhere on the device

Network Security

  • SMB3 Encryption: Supports encrypted SMB3 connections when available (auto-negotiated)
  • SFTP Encryption: Full SSH-based encryption for SFTP connections
  • SFTP Host Key Verification: Validates SSH server fingerprints to prevent man-in-the-middle attacks
  • FTP Passive Mode: Uses firewall-friendly passive mode for maximum compatibility
  • WiFi-Only Operation: Designed to work on local WiFi networks (configurable per backup job)
  • Secure Logging: Debug logs automatically sanitize sensitive information (IP addresses, paths, UUIDs, hostnames)
  • Input Validation: Comprehensive validation prevents injection attacks, path traversal, and command injection
  • Production Log Removal: All debug logs are completely removed from release builds via code optimization

Data Retention

Local Storage

  • Server configurations (SMB/FTP/SFTP) are stored on your device until you manually delete them
  • Scheduled backup jobs are stored locally and can be deleted at any time
  • SFTP host key fingerprints are stored for trusted servers
  • File selection preferences are retained for your convenience
  • You can delete all stored data by uninstalling the app or clearing app data
  • Sensitive data is excluded from Android Auto Backup and cloud backup systems

Logs

  • Debug logs are only generated in development builds
  • Production builds have all debug/info logs completely removed via ProGuard/R8 optimization
  • Warning and error logs automatically sanitize sensitive information (IP addresses, paths, UUIDs, hostnames, file URIs)
  • Passwords and credentials are never logged in any build type
  • Logs are never transmitted or stored externally
  • Log sanitization uses regex-based pattern matching to redact personally identifiable information (PII)

Your Rights and Controls

Data Management

  • Access: You can view all stored server configurations (SMB/FTP/SFTP) within the app
  • Modification: You can edit or update your server settings at any time
  • Deletion: You can delete individual configurations, scheduled backups, or all data by clearing app storage
  • Export: Configuration details can be manually recreated on other devices if needed
  • Scheduled Backups: Full control to create, edit, pause, or delete backup jobs
  • SFTP Host Keys: Manage trusted SSH server fingerprints

Permissions

  • Minimal Permissions: The app only requests necessary permissions for core functionality
  • File Access: Only accesses files and folders you explicitly select (Android 13+ granular media permissions)
  • Network Access: Only connects to servers you specify (SMB/FTP/SFTP)
  • Background Execution: Scheduled backups use WorkManager with battery-friendly constraints
  • Boot Receiver: Optional permission to automatically restore scheduled backups after device reboot or app update
  • Foreground Service: Used for long-running file transfers with visible notifications
  • No Dangerous Permissions: No access to camera, microphone, location, contacts, or other sensitive data
  • Revocable: All permissions can be revoked through Android settings at any time

Third-Party Services

No External Dependencies

  • WiFiCopy does not integrate with advertising networks
  • No analytics or crash reporting services are used
  • No social media integrations or external APIs
  • The app functions entirely offline after initial setup

Open Source Libraries

  • We use open source libraries (SMBJ, Apache Commons Net, JSch, Android Security Crypto, WorkManager) that do not collect data
  • All libraries are privacy-respecting and do not contain tracking or analytics
  • Libraries are regularly updated for security patches
  • Full list of dependencies is available in the app's "View Licenses" section

Children's Privacy

WiFiCopy does not knowingly collect information from children under 13. The app is designed for technical users managing network file transfers and is not directed at children.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or for legal compliance. We will notify users of significant changes through:

  • App store update descriptions
  • In-app notifications for major changes
  • Updated effective date at the top of this policy

Data Transfers

International Use

  • All data processing occurs locally on your device
  • No data is transmitted to our servers or third parties
  • Network connections (SMB/FTP/SFTP) are made directly to your specified servers
  • No cross-border data transfers by the app developer
  • File transfers occur directly between your device and your servers

Legal Basis for Processing

We process your data based on:

  • Legitimate Interest: To provide the core functionality of file transfer
  • User Consent: Through your explicit configuration of SMB settings
  • Contract Performance: To deliver the services you expect from the app

Contact Information

For privacy-related questions or concerns:

Developer: Keith Neilson
Website: https://www.wificopy.app
Support: Available through the app's support website

Security Measures

Code Security

  • Code Obfuscation: Release builds use R8 optimization to obfuscate code and prevent reverse engineering
  • Input Validation: All user inputs are validated to prevent injection attacks
  • Path Sanitization: File paths are sanitized to prevent directory traversal attacks
  • No SQL Injection Risk: App uses DataStore (Protocol Buffers) and EncryptedSharedPreferences, not SQL databases
  • No XSS Risk: App uses native Android UI (Jetpack Compose), no WebView or HTML rendering
  • Regular Security Audits: Code is regularly reviewed for security vulnerabilities

Data Protection

  • Encryption at Rest: All credentials encrypted with AES-256-GCM
  • Secure Key Storage: Encryption keys stored in Android Keystore
  • Memory Safety: Kotlin/Java memory safety prevents buffer overflow attacks
  • No Hardcoded Secrets: No API keys, passwords, or secrets in code
  • Backup Exclusion: Sensitive data excluded from Android Auto Backup

Compliance

This privacy policy is designed to comply with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Android App Privacy Requirements
  • Google Play Store Privacy Policies
  • OWASP Mobile Security Standards

Summary: WiFiCopy is built with privacy by design and security by default. Your server credentials (SMB/FTP/SFTP) and file data remain on your device, encrypted with AES-256-GCM using hardware-backed keys. We don't track you, analyze your usage, or share your information with anyone. The app simply does what it says: securely transfers your files to your network servers, nothing more. All sensitive data is excluded from backups, all debug logs are removed from production builds, and comprehensive input validation protects against injection attacks.

This privacy policy reflects our commitment to user privacy and data protection. WiFiCopy operates on a "local-first" principle where your data stays under your control.