Privacy Policy

1. Information We Collect

We collect device signals, cryptographic signatures, and application data strictly for the purpose of hardware attestation.

We automatically collect and log technical data when you access or use the service, including IP addresses, user agent strings, timestamps, and request metadata. This data is used strictly for security, authentication, abuse prevention, rate limiting, and infrastructure protection.

When a device interacts with a service that uses Kubian, we collect and process the following device-level data:

A hardware-derived device identifier (Android ID / Device ID), used solely to generate a project-scoped unique identifier
Cryptographic attestation certificates and hardware signatures issued by the device's secure hardware
Application package name and APK integrity hash
Device boot state, verified boot chain status, bootloader lock state, and security level
Operating system version and security patch level
Environment signals including root detection, debugger presence, emulator detection, and hook detection results
Device fingerprint strings used for audience binding in cryptographic tokens

Kubian is not intended for individuals under the age of 18 without the involvement and consent of a parent or legal guardian. We do not knowingly collect personal data from minors without verified parental or guardian consent.

2. Use of Information

The collected information is utilized solely to verify device integrity, protect our infrastructure, enforce rate limits, process developer-directed device bans, and ensure compliance with our security standards. We do not use your device information for tracking or personalized advertising.

We process personal data based on our legitimate interests in maintaining service security, preventing fraud and abuse, and fulfilling contractual obligations to provide the service.

We may collect and process device-level identifiers and hardware-backed attestation signals strictly for security, fraud detection, and abuse prevention purposes. These signals may be evaluated alongside internal security checks and platform-provided attestation indicators to identify high-risk or potentially compromised environments. This data is not used for tracking, profiling, or advertising purposes.

3. Project-Scoped Unique Device Identifiers & Device Bans

When your device interacts with an application that uses Kubian services, Kubian generates a project-scoped unique identifier (referred to as a "unique ID") derived from your hardware device identifier. This unique ID is specific to the project (application) you are interacting with and is not shared with, transferred to, or accessible by any other project or application using Kubian services.

Each application that integrates Kubian receives its own independently generated unique ID for your device. This means that two different applications both using Kubian cannot cross-reference, compare, or correlate your identity across their respective services using Kubian-provided identifiers. Your unique ID in one application is entirely separate from your unique ID in another.

If an application developer implements a temporary restriction or device ban, that ban is safely tied directly to this project-scoped unique ID rather than your raw hardware identity.

To maintain absolute alignment with data minimization principles, our device-banning mechanisms enforce the following strict privacy constraints:

Configurable, Temporary Lifecycles: Device bans are temporary by default (standardizing to 168 hours / 7 days unless customized up to a maximum window by the developer). Because these bans are anchored to a transient token, any remaining restriction automatically becomes obsolete and is permanently lifted once the underlying 60-day unique ID rotates.
Administrative Isolation & Masking: Application developers possess administrative access to query a real-time index of active restrictions within their specific project scope (the ban_list). To strictly prevent long-term transaction tracing and unauthorized data exposure, unique ban receipt tokens (ban-id) are securely masked and truncated to their first 5 hex characters within these developer-facing interfaces.
Automatic Omission: Expired ban records are instantly and automatically filtered out of all active administrative listings, ensuring outdated restriction data remains inaccessible.

Unique IDs are valid for a period of sixty (60) days from the date of generation or last renewal. After this period, the unique ID is considered expired. Once expired:

No project or application can access or retrieve the expired unique ID
The expired unique ID will be purged from active records upon the next applicable request from that project
A new unique ID will only be generated if and when you re-authenticate or re-engage with that specific application that uses Kubian services
The new unique ID will be a fresh, independently generated value with no linkage to the prior expired identifier
Any active or remaining developer-initiated bans associated with the expired unique ID are rendered obsolete and effectively lifted, as the fresh identifier shares no technical lineage with the old record.

Kubian does not provide any mechanism for developers or third parties to recover, reconstruct, or retrieve an expired unique ID. Once purged, it is permanently inaccessible through our systems.

4. Data Sharing

We do not sell or share your personal data for cross-context behavioral advertising as defined under the Oregon Consumer Privacy Act (OCPA). Information is not shared with outside third-party entities unless legally required (e.g., via subpoena or court order) or necessary for infrastructure operations and security enforcement.

We may share information with trusted third-party service providers who perform services on our behalf, such as payment processing, hosting, and infrastructure security. These providers are contractually obligated to protect your data and use it only for the services they provide.

5. Data Security

We implement robust security measures, including hashing (e.g., bcrypt for passwords), encryption, and IP tracking, to protect against unauthorized access, alteration, disclosure, or destruction of your personal information and project keys.

We limit access to personal data to authorized systems and personnel strictly required for operational and security purposes.

6. Data Retention

We retain your personal data and project metrics for as long as your account is active. Usage statistics and anomaly logs may be retained longer for security analysis and to combat future automated abuse. Upon account deletion, personal data is purged in accordance with Oregon law, except where retention is required for security forensics.

Deletion requests are processed within a reasonable timeframe, generally within 30 days, unless retention is required for legal, security, or fraud prevention purposes.

Notwithstanding the standard 60-day unique ID retention window described in Section 3, Kubian reserves the right to retain device-level signals, attestation records, hardware certificate identifiers, and associated metadata beyond the standard retention period where a device has a known or documented history of any of the following:

Attempts to bypass, circumvent, or interfere with Kubian's attestation or integrity verification systems
Submission of falsified, spoofed, or manipulated attestation responses
Repeated integrity violations including rooted environments, unlocked bootloaders, or compromised boot chains across multiple projects or sessions
Hardware certificate revocation due to accumulated integrity violations
Known patterns associated with automated abuse, emulation farming, or coordinated bypass attempts
Any activity flagged as a potential threat to infrastructure, security, or other users of Kubian services

In such cases, retained data is used exclusively for security enforcement, platform integrity, fraud prevention, and, where applicable, cooperation with law enforcement or legal proceedings. Such data will not be used for advertising, profiling, or purposes unrelated to security and compliance.

7. Developer Disclosure Obligation

Any developer, company, or individual ("Developer") that integrates Kubian services into their application, product, or platform is required to provide clear, conspicuous, and accurate disclosure to their end users regarding the data collected by Kubian as part of their service.

At a minimum, this disclosure must include a reference to or summary of the data collection practices described in this Privacy Policy, including but not limited to:

The collection of hardware device identifiers and attestation signals
The generation and use of project-scoped unique device identifiers
The execution and enforcement of application-level device bans utilizing these unique identifiers
The 60-day retention window applicable to unique identifiers
The use of device integrity signals for security and fraud prevention purposes

Developers are required to either directly incorporate the relevant provisions of this Privacy Policy into their own application privacy policy or provide a clearly accessible link to Kubian's Privacy Policy located at https://kubian.staticlabs.app/Privacy-Policy.

Failure to provide adequate disclosure to end users constitutes a material breach of the Developer's obligations under Kubian's Terms of Service. In the event that Kubian or Static Labs LLC incurs any legal liability, claim, regulatory action, fine, penalty, or enforcement action arising from or related to a Developer's failure to properly disclose Kubian's data collection practices to their end users, the Developer agrees to:

Indemnify and hold harmless Kubian and Static Labs LLC from and against any and all resulting claims, damages, losses, costs, and legal fees
Accept full legal and financial accountability for any harm suffered by end users resulting from the Developer's non-disclosure
Cooperate fully with any regulatory inquiry or legal proceeding arising from the Developer's failure to comply with this obligation

Kubian reserves the right to suspend or terminate access to its services for any Developer found to be in violation of this disclosure obligation, without prejudice to any other legal remedies available.

8. User Rights (OCPA)

In accordance with Oregon law, you have the right to access, correct, or delete your personal data held by Kubian. You may also request a portable copy of your data. To exercise these rights, please submit a request through the official dashboard support channel.

You may also contact us directly at [email protected] regarding privacy-related requests.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will become effective upon posting. Continued use of the service after such changes constitutes your acceptance of the updated policy.

Return to Dashboard Privacy Policy Terms of Service DCA (Developer Creation Agreement) DLAC (Developer Licensing Application Changing) Purchasing Inquiries