Skip to main content
This guide explains how the Flashduty RUM SDK (the “SDK”) processes personal information within your app, and helps you meet China’s Personal Information Protection Law (PIPL), the relevant app personal-information collection regulations, and the privacy requirements of various app stores. It focuses on the SDK’s own processing rules; Flashduty’s service terms and data security commitments as the entrusted processor are covered separately in the Data protection agreement and the RUM Data security doc.

Two key requirements for compliant use

After integrating the SDK, you (the app operator) must complete the following two compliance actions — both are mandatory:

① Privacy policy disclosure

Disclose in your app’s privacy policy that the SDK is integrated and what personal information it collects. See Privacy policy disclosure.

② Deferred initialization

Do not initialize the SDK or report any data before the user accepts your privacy policy. See Deferred initialization.

Division of compliance responsibilities

The SDK runs as a third-party component embedded in your app. The responsibility boundary is as follows:
RolePartyResponsibility
Personal information processorYou (the app operator)Disclose and obtain consent for your app’s overall collection and use of personal information, including the integrated SDK
Entrusted processorBeijing Flashcat Cloud Technology Co.,Ltd. (Flashduty)Process data only within the scope necessary to provide RUM services, never for purposes beyond what is agreed

How the SDK processes personal information

The following is the factual basis for completing your privacy policy disclosure.

Personal information collected

To support crash analysis, performance diagnostics, and user experience monitoring, the SDK automatically collects the following information. Apart from “app runtime information”, all collection items can be disabled or masked via configuration (see Data handling rules and commitments).
Information typeSpecific fieldsPurposeCollection methodCan be disabled
Device informationDevice model, brand, device name, CPU architecture, screen informationDistinguish crashes and performance across device modelsCollected automatically by the SDKNo (base attribute)
Operating system informationOS name and versionDistinguish compatibility and fault distribution across OS versionsCollected automatically by the SDKNo (base attribute)
Network informationConnectivity status, network interface type (Wi-Fi / cellular / wired network, etc.), uplink/downlink bandwidth, signal strengthAnalyze how the network affects loading and request latencyCollected automatically by the SDKNo (base attribute)
App runtime informationPackage name, version, build number, environment, SDK versionCorrelate issues with releasesCollected automatically by the SDKNo (required)
Crash and log informationCrash stack traces, error messages, ANR, custom logsReconstruct the crash scene and locate defectsCollected on crash/error or manual loggingYes (disable error tracking)
Behavior and performance informationView access paths and dwell time, user actions, resource loading latency, long tasks, launch timeReconstruct user journeys and analyze bottlenecksCollected on interaction/navigationYes (disable auto tracking or mask)
Session identifierRandomly generated session ID (session.id)Link events within a single session for traceabilityGenerated automatically by the SDKNo (already anonymized)
Network addressCountry/region derived from the report’s source IPAnalyze performance and faults by regionDerived server-side during processingYes (disable IP / geolocation)

Information explicitly not collected

To minimize privacy impact, the SDK does not collect the following, and does not request the related sensitive permissions:
  • Unique device identifiers: IMEI, IDFA, IDFV, Android ID, MAC address, OAID, etc.
  • Precise geolocation (GPS / latitude-longitude).
  • Contacts, SMS, call logs, photo albums, microphone, or camera content.
  • The list of installed apps.
  • SIM carrier name / carrier ID (simCarrierIdName / simCarrierId), and telephony identifiers such as IMSI or SIM serial number.
  • Directly identifiable information such as phone numbers or ID numbers (unless you actively pass it in via the API — see the note below).
If you actively pass personally identifiable information to the SDK via setUserInfo (user ID, name, email) or custom attributes, this information is reported along with events. Make sure such collection is disclosed in your privacy policy and consented to, and avoid passing in sensitive personal information.

Device permissions requested

The SDK only requests the network permissions necessary for monitoring; it requests no sensitive permissions.
PlatformPermissionPurposeRequired
Androidandroid.permission.INTERNETReport monitoring dataRequired
Androidandroid.permission.ACCESS_NETWORK_STATERead network status for metrics collection and reporting strategyRequired
iOSNo additional permission declaration requiredNetwork access uses the system default capability

Data handling rules and commitments

The SDK collects only the information necessary for monitoring. Sessions are identified by a random session.id and user identity is not tracked by default, anonymizing the data while preserving trend analysis.
You can finely control collection behavior:
  • Disable auto tracking: turn off automatic collection of user actions and view visits, keeping only explicit reporting.
  • Sampling: reduce collection and reporting via the session sample rate.
  • Attribute masking: use EventMapper to modify or drop fields before events are reported, removing any PII that may have leaked in (such as action names or personal information in URLs).
  • Action name masking: enable enablePrivacyForActionName to replace unnamed action names with a placeholder.
See the RUM Data security doc for details.
You can disable collection of IP address and geolocation (country/city) data in the app’s “user data collection” settings; the change takes effect immediately server-side.
All RUM events can be forwarded through your own proxy server so end-user devices never communicate with Flashduty directly, letting you centrally control egress traffic.

Integrator obligations

This section details how to implement the two key requirements.

1. Privacy policy disclosure

Add the SDK to the “third-party SDK information sharing list” in your app’s privacy policy. Reference text: 
SDK name: Flashduty RUM SDK
SDK provider: Beijing Flashcat Cloud Technology Co.,Ltd.
Purpose: app crash analysis, performance monitoring, and user experience diagnostics
Personal information collected: device information (model, brand, OS and version,
  CPU architecture), network information (connectivity status, network interface type,
  uplink/downlink bandwidth, signal strength), app runtime and crash log information, view access and actions
  during app usage, and a randomly generated session identifier
Website: https://flashcat.cloud
privacy policy: http://docs.flashcat.cloud/en/compliance/data-security

2. Deferred initialization

Do not call SDK initialization before the user accepts your privacy policy; or initialize with the PENDING state (collect but do not report), then switch to GRANTED after consent.
Consent stateSDK behaviorScenario
GRANTEDCollect and reportThe user has consented
NOT_GRANTEDCollect no dataThe user declined or withdrew
PENDINGCollect but defer reporting until the state changes to GRANTEDAwaiting user confirmation
import com.datadog.android.Datadog
import com.datadog.android.privacy.TrackingConsent

// Before consent: do not initialize, or initialize with PENDING
Datadog.initialize(this, configuration, TrackingConsent.PENDING)

// After the user taps "Agree" in the privacy dialog:
Datadog.setTrackingConsent(TrackingConsent.GRANTED)

// When the user withdraws consent in settings:
Datadog.setTrackingConsent(TrackingConsent.NOT_GRANTED)
For the full consent-state usage per platform, see Android advanced configuration · User tracking consent and the corresponding docs.

Data storage and security

Data collected by the SDK is reported only to the Flashduty server you configure and is used solely to provide monitoring services to you. It is not shared with any other third party and is not used for advertising, user profiling, or cross-app tracking. Data is stored on compliant servers within mainland China, transmitted over HTTPS/TLS, and protected by access control and auditing. For the full security measures, retention periods, and cross-border transfer terms, see the Data protection agreement and the RUM Data security doc.

Compliant integration checklist

1

Update your privacy policy

Add the SDK’s name, provider, collected information, and purpose to your app’s privacy policy.
2

Defer initialization

Ensure the SDK is not initialized and no data is reported before the user consents (or use the PENDING state).
3

Register the third-party SDK list

Register the personal information fields and purposes from this guide in your app’s third-party sharing list / filing materials.
4

Provide a withdrawal entry

Provide an entry to withdraw consent in your app settings, and call setTrackingConsent(NOT_GRANTED) upon withdrawal.
5

Avoid passing in sensitive information

Review setUserInfo and custom attributes to ensure no sensitive personal information is passed to the SDK.