Privacy Policy

Overview

WebBLE ("the Extension") is committed to protecting your privacy. This privacy policy explains how the Extension handles your information when you use our Safari Web Extension for Bluetooth® Low Energy device connectivity.

Data Controller

The data controller responsible for this Extension is:

Wojtek Kulma
Contact: [email protected]

Information Collection and Use

The Safari Extension

All Bluetooth data remains on your device. The extension processes BLE peripheral identifiers (UUIDs), device names, and GATT values locally to provide Bluetooth connectivity. These identifiers are generated by your device's Bluetooth stack, differ across iPhones, and are never transmitted off-device.

Crash Reporting & Diagnostics

The companion app and extension use Sentry for crash reporting and performance monitoring. When enabled, the following data may be sent to Sentry's servers (hosted in the EU, ingest.de.sentry.io):

• Crash reports — stack traces, device model, OS version, app version
• Performance data — transaction durations, app startup time
• Diagnostic data — app hang detection, breadcrumbs (user actions leading to a crash)

This data is not linked to your identity. IP addresses are not collected (sendDefaultPii is disabled). No Bluetooth device data, browsing history, or personal information is included in crash reports.

Opt out: You can disable crash reporting in the app's Settings. When opted out, no diagnostic data is sent.

Legal basis (GDPR): Legitimate interest in maintaining app stability and fixing crashes. You may object at any time by opting out in Settings.

Optional Web SDK Analytics

Web developers may add optional WebBLE web SDK analytics on their own sites. This web integration is separate from the app and extension. When a developer enables analytics for their integration, the service may send minimal events to api.ioswebble.com/v1/events containing:

• The website hostname (not full URL)
• Browser user agent string
• Timestamp
• An integration identifier associated with the developer account

This data is keyed to the developer integration, not to end users. No personal information, Bluetooth data, or browsing history is collected. Developers can opt out by not enabling these analytics features.

Local Data Storage

The Extension stores minimal data locally on your device for functionality:

1. BLE Device Permissions — Website permissions to access specific Bluetooth devices are stored locally in your browser
2. Connection State — UUIDs of connected devices are stored locally to enable automatic reconnection after the extension process restarts. Cleared when you disconnect or use Reset All Data
3. User Preferences — Extension settings such as UI preferences (stored locally)
4. Background Sync Registrations — When you enable background sync for a website, the following data is stored in the App Group shared between the extension and companion app: device UUIDs, service and characteristic UUIDs, notification display templates, same-origin notification URLs, a SHA-256 hash of the registering origin, and registration expiry timestamps. No full browsing history is stored. URLs are limited to the same origin that registered the background task.
5. Notification Rate-Limit State — The app stores per-origin and per-intent cooldown timestamps locally so background alerts do not spam you. This state is cleared when you remove background sync data or reset app data.

The extension shares minimal operational data (such as connection state and heartbeat status) with its companion app through a secure App Group. No data leaves your device except crash reports as described above.

Bluetooth Permissions

How Permissions Work

• Websites must request permission to access BLE devices
• You explicitly grant or deny each permission request
• Permissions are stored per-website origin

Security

• Only HTTPS websites can request BLE access
• Each website can only access devices you explicitly authorize
• Background beacon scanning can run only for websites where you granted Bluetooth access and explicitly registered background sync. Notification URLs are restricted to HTTPS and the same origin as the registering site

Data Sharing

The Extension shares diagnostic data (crash reports, performance metrics) with Sentry, Inc. as described above. This data is not linked to your identity and contains no Bluetooth or browsing data.

The optional CDN script (a separate web asset, not part of the app binary) shares minimal usage analytics with the WebBLE API service when configured by web developers.

No data is shared with:

• Advertising networks
• Data brokers

Children's Privacy

The Extension does not knowingly collect personal information from children under 13. Crash reporting collects only technical diagnostic data that is not linked to any user's identity. IP address collection is disabled to comply with COPPA requirements.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be noted with an updated "Last Updated" date at the top of this policy.

Your Rights

All Users

• Clear all stored data through the "Reset All Data" option in the app's Settings
• Remove only background monitoring data through the "Clear Background Sync Data" option in the app's Settings
• Disable crash reporting in the app's Settings
• Remove all extension data by uninstalling the extension

European Economic Area (GDPR)

If you are located in the EEA, you have the right to:

• Access — request a copy of data we process about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data
• Restriction — request we limit processing of your data
• Portability — receive your data in a portable format
• Object — object to processing based on legitimate interest
• Lodge a complaint — with your local data protection authority

To exercise any of these rights, contact us at [email protected].

California (CCPA)

If you are a California resident:

• We do not sell your personal information and have never done so
• Categories of personal information collected: Device diagnostic data (crash reports, performance metrics) — not linked to your identity
• Business purpose: Maintaining and improving app stability
• You have the right to request disclosure of what data we collect and to request deletion

To exercise your CCPA rights, contact us at [email protected].

Contact Information

For questions about this privacy policy or the Extension's privacy practices, please contact us at: [email protected]

Compliance

This Extension complies with:

• Apple's App Store Guidelines
• Safari Web Extension policies

We maintain a Data Processing Agreement (DPA) with Sentry, Inc. for processing of diagnostic data.

Data Retention

• Permission data — Retained until you clear data or uninstall the extension
• Connection state — UUIDs of connected devices are stored locally to enable automatic reconnection. Cleared when you disconnect or use Reset All Data
• Preferences — Retained until you change them or uninstall the extension
• Background sync registrations — Expire automatically after 30 days. Cleared immediately when you unregister background sync for a site, use Clear Background Sync Data, or use Reset All Data
• Notification rate-limit state — Retained only while background sync registrations remain active. Cleared immediately when background sync data is removed
• Crash/diagnostic data — Retained by Sentry for 90 days, then automatically deleted

Technical Implementation

The Extension operates within Safari's sandboxed environment:

• Uses Safari's native messaging API for communication
• Operates within Safari's permission model
• Cannot access data from other third-party extensions or applications
• Cannot modify browser behavior outside of BLE connectivity

Third-Party Services

Third-Party Websites

This privacy policy applies only to the Extension itself. Websites that use BLE device access through our Extension have their own privacy policies and data practices.