Privacy Policy — InstantIoT
Last updated: May 26, 2026
- You can use InstantIoT without giving us any personal data.
- Your IoT data stays where you want it — on your phone (Direct Mode) or on a server you host yourself (Server Mode). It never reaches us.
- Crash and basic usage analytics via Firebase are opt-in and can be disabled at any time. They are technical, anonymous, and never include the content of your projects or sensor readings.
- No advertising. No data selling. No third-party tracking SDKs beyond Firebase Crashlytics and Firebase Analytics, both opt-in.
1. Who we are
InstantIoT is built and maintained by Djoufack Tsobeng Jean Loick (the « Maintainer »), operating under the brand InstantIoT.
- Contact: bonjour@jeanloickdt.com
- Support: rejoindre@instantiot.io
- Website: https://instantiot.io
This Privacy Policy covers the entire InstantIoT ecosystem:
- The InstantIoT mobile app for Android and iOS.
- The InstantIoT Server, an open-source (AGPLv3) self-hosted relay you can install on your own machine.
- The InstantIoT Arduino library (MIT), which runs on your ESP32 / ESP8266 / Arduino Uno R4 WiFi boards.
The Maintainer is the data controller for the limited diagnostic data described in Section 4 (Firebase). The Maintainer is not a controller or processor for the data you exchange between your phone, your board, and your self-hosted server in normal use — that data flows between systems you own.
2. What InstantIoT does
InstantIoT lets you build dashboards on your phone to control and monitor IoT devices (typically Arduino / ESP32 boards) over Wi-Fi or Bluetooth. There are two ways to connect:
- Direct Mode — your phone talks to a board directly. The board hosts its own Wi-Fi network (SoftAP), your phone joins it, no router or server in the middle.
- Server Mode — your phone and your boards both connect to an InstantIoT Server that you install yourself (on a computer, a Raspberry Pi, anywhere). Multi-device, time-series history, web admin. The server runs entirely on your infrastructure; we do not host it.
In both modes, your project, your devices, and your sensor data stay on systems you own.
3. Data we do NOT collect
We do not, in any operating mode:
- Ask you for an email, name, phone number, or address.
- Send your IoT widgets, project configurations, dashboards, sensor readings, or device tokens to any server we operate.
- Use advertising IDs or run advertising SDKs.
- Sell or share data with brokers, advertisers, or analytics resellers.
- Track you across other apps or websites.
4. Data we DO collect (opt-in, via Firebase)
The mobile app integrates Firebase Crashlytics and Firebase Analytics from Google to help us catch bugs and understand how the app is used at an aggregate level. Both are opt-in: when you first launch the app, you are asked to accept the Privacy Policy and Terms of Service; analytics collection only starts after that explicit acceptance. You can disable analytics at any time from the Resources screen in the app.
When enabled, Firebase may collect:
- Crash reports — stack traces of app crashes, the device model, the OS version, the app version. Used to fix bugs.
- Anonymous usage events — for example: « the user opened Direct Mode », « the user added a widget », « the user signed in to a server ». No content. No personally identifiable information.
- Pseudonymous device identifier issued by Firebase — used to deduplicate sessions, not linked to any user account on our side.
We do not link Firebase data to your IoT activity. Firebase data is processed by Google under Google’s Privacy Policy.
To disable analytics and crash reporting:
Mobile app → Resources tab → Settings → Analytics opt-in: OFF
Disabling stops further collection. Past anonymous data already on Firebase is automatically deleted after Firebase’s standard retention window (typically 14 months for Analytics, 90 days for Crashlytics events).
5. Data stored locally on your device
The mobile app stores the following on your phone, using Android DataStore / iOS UserDefaults and Room SQLite:
- Projects and dashboards you create
- Widget configurations and their last-known values (for restoring state)
- Connection settings (Wi-Fi SSIDs you joined for SoftAP devices, server addresses, JWT tokens for the servers you signed into)
- App preferences (theme, language, analytics opt-in)
This data stays on your device. Uninstalling the app removes it. You can also clear it from Android Settings → Apps → InstantIoT → Storage → Clear data.
6. Data on your self-hosted InstantIoT Server (Server Mode)
If you choose Server Mode, you install and run the InstantIoT Server yourself. The server stores, on its own machine:
- A SQLite database with: user accounts (you create them), projects, devices, widget definitions, time-series history of sensor values.
- A JWT secret used to sign authentication tokens.
- Automatic SQLite backups in a folder under your home directory.
The Maintainer never sees this data. You are the data controller for everything on your self-hosted server. Anyone you give access to that server can see what is on it; secure it accordingly.
The server is open source under GNU AGPLv3. You can audit it. Source: https://github.com/jeanloickdt/instantiot-server
7. Data flowing on your Arduino board
The InstantIoT Arduino library, running on your board, transmits widget commands and sensor values over Wi-Fi or Bluetooth to either:
- Your phone (Direct Mode), or
- Your self-hosted InstantIoT Server (Server Mode).
It does not connect to any other endpoint. The library is open source under MIT. Source: https://github.com/jeanloickdt/InstantIoT
8. Permissions used by the mobile app
The app requests the following permissions, only when needed:
Android
- Bluetooth (BLUETOOTH_SCAN / BLUETOOTH_CONNECT and legacy variants on Android ≤ 11) — to discover and pair with Bluetooth-capable boards (preview feature).
- Wi-Fi (ACCESS_WIFI_STATE, CHANGE_WIFI_STATE, NEARBY_WIFI_DEVICES on Android 13+) — to scan for and join the SoftAP Wi-Fi networks broadcast by your boards.
- Network (INTERNET, ACCESS_NETWORK_STATE, CHANGE_NETWORK_STATE) — required to reach your local Wi-Fi devices and any InstantIoT Server you connect to.
- Location (ACCESS_COARSE_LOCATION on Android ≤ 12, ACCESS_FINE_LOCATION) — Android requires location permission to obtain Wi-Fi scan results on Android 12 and below. We do not access, store, or transmit your physical location; we only need the scan results.
- POST_NOTIFICATIONS (Android 13+) — to show local notifications when your boards trigger alerts (e.g. an Emergency Button event).
iOS
- NSBluetoothAlwaysUsageDescription — for Bluetooth discovery (preview).
- NSLocalNetworkUsageDescription — required by iOS 14+ to communicate with local devices on your Wi-Fi.
- NSBonjourServices: _instantiot._tcp — to discover InstantIoT Servers on your LAN via mDNS.
- com.apple.developer.networking.HotspotConfiguration — to programmatically join the SoftAP Wi-Fi network of a board.
None of these permissions are used to collect personal data; they exist only to support the app’s core IoT functions.
9. Third-party services
| Service | Purpose | Optional? | Where data goes |
|---|---|---|---|
| Firebase Crashlytics (Google) | Crash reports for bug fixing | Yes — opt-in | Google servers under Google’s policy |
| Firebase Analytics (Google) | Anonymous usage events | Yes — opt-in | Same |
The app does not embed any other third-party SDK that transmits data off-device.
10. Children’s privacy
InstantIoT is a maker / DIY electronics tool aimed at developers and hobbyists. It does not knowingly collect personal data from children. It contains no advertising and complies with Google Play’s Families program where applicable.
11. International users
The app can be used worldwide. Your IoT data stays on your phone and your self-hosted server, both of which are physically wherever you are. Firebase data (if you opt in) is processed by Google on infrastructure that may include the United States and the European Union; refer to Google’s policy for details.
If you are in the EU / EEA / UK, you have the right under the GDPR to access, rectify, erase, restrict, or port any personal data we hold about you. Because we only hold anonymous Firebase data (and only if you opted in), in practice the most effective way to exercise these rights is:
- Disable analytics in the app (see Section 4), which stops further collection.
- Email us at bonjour@jeanloickdt.com — we will forward Firebase deletion requests to Google if needed.
12. Security
- The mobile app uses Android Keystore / iOS Keychain (where available) to protect server JWT tokens.
- The self-hosted server uses bcrypt (or equivalent) for password hashing and HS256 JWT for session tokens.
- TLS is supported by the server when you put it behind a reverse proxy with a certificate; in pure LAN mode, traffic is plain TCP / WebSocket within your network.
- Bluetooth / Wi-Fi SoftAP communications are not encrypted by default beyond the link-layer protections of those protocols. If you transmit sensitive data, prefer Server Mode behind TLS.
13. Changes to this policy
We may update this policy when the app or the ecosystem evolves. Material changes will be reflected by updating the « Last updated » date at the top, and where appropriate, surfaced in-app at the next launch. Continued use after an update constitutes acceptance.
14. Contact
For any question about this policy, your data, or to exercise a privacy right:
Maintainer: Djoufack Tsobeng Jean Loick
General contact: bonjour@jeanloickdt.com
App support: rejoindre@instantiot.io
The terms governing the use of the app are available at https://instantiot.io/terms-of-service/.
