Privacy Impact Assessment
Pursuant to Quebec's Act respecting the protection of personal information in the private sector (Loi 25 / Bill 64)
1. Purpose and Scope
This Privacy Impact Assessment (PIA) describes the personal information handled by DVR Time Traveler and the measures implemented to protect it. It is intended for procurement officers, privacy officers, and IT security reviewers at law enforcement agencies and public bodies evaluating the application for deployment.
2. Personal Information Inventory
The following table enumerates every category of personal information the application handles, where it resides, and whether it leaves the device.
| Data element | Storage | Transmitted? | Destination | Retention |
|---|---|---|---|---|
| Officer name, badge number, department/unit | Device only (AES-256 encrypted) | Never | None | Until user deletes or uses "Clear All Data" |
| Case numbers, DVR identification, event data | Device only (AES-256 encrypted) | Never | None | Until user deletes or uses "Clear All Data" |
| Case photos | Device only (app sandbox) | Never | None | Until user deletes or uses "Clear All Data" |
| DVR unlock patterns / credentials | Device only (AES-256 encrypted) | Never | None | Until user deletes or uses "Clear All Data" |
| Generated PDF reports | Device only | Never (shared only by explicit user action via OS share sheet) | None | Until user deletes |
| Notes (free text) | Device only (AES-256 encrypted) | Never | None | Until user deletes or uses "Clear All Data" |
| Device UUID (app-generated identifier) | Device + Server | Yes | License server (license.sdtech.app) | Server: until license deactivation + 30-day cleanup |
| Device name (OS-reported device name) | Server only | Yes | License server | Server: until license deactivation + 30-day cleanup |
| Device model, OS version, app version | Server only | Yes | License server | Server: until license deactivation + 30-day cleanup |
| Android hardware ID (Android only) | Server only | Yes (Android only) | License server | Server: until license deactivation + 30-day cleanup |
| License key | Device + Server | Yes | License server | Server: until license expiry + retention period |
| IP address | Server logs | Inherent to HTTPS connections | License server, Sentry, time source providers (Google, Cloudflare, Apple, Microsoft, TimeAPI.io) | License server: 30 days (validation logs auto-purged). Sentry: per Sentry retention policy. Time sources: per each provider's policy. |
| Document hash (SHA-256) | Server | Yes (hash only, not document content) | License server, then RFC 3161 TSA | Server: indefinite (for timestamp verification) |
| Crash reports (stack traces, anonymized device info) | Sentry | Yes (production only, PII stripped) | Sentry (sentry.io, US-hosted) | Per Sentry retention settings (default: 90 days) |
3. What Is NOT Collected or Transmitted
The following data categories are never transmitted to any server under any circumstance:
- Officer name, badge number, or department
- Case numbers, DVR addresses, or event details
- Photos, notes, or DVR unlock patterns
- PDF report content (only the SHA-256 hash is used for trusted timestamping)
- Location or GPS data (the app does not request location permissions)
- Contacts, call logs, messages, or any other on-device data
- Behavioral analytics or usage patterns (no analytics SDK is integrated)
4. Purpose of Each Data Transmission
4.1 License Validation (license.sdtech.app)
Purpose: Verify that the user holds a valid subscription or enterprise license. Prevent unauthorized use and enforce per-device activation limits.
Data sent: License key, device UUID, device name, device model, OS version, app version, Android hardware ID (Android only), device compromised status.
Legal basis (Loi 25): Necessary for the performance of the subscription contract (Art. 8.3).
Minimization measures: The device UUID is generated by the app (not a hardware serial number). Validation logs containing IP addresses are automatically purged after 30 days.
4.2 RFC 3161 Trusted Timestamping
Purpose: Obtain a cryptographic timestamp proving the report existed at a specific time, for court admissibility.
Data sent: SHA-256 hash of the report's canonical content. No report content leaves the device.
Legal basis: Necessary to provide the contracted forensic timestamping feature (Art. 8.3).
4.3 Network Time Attestation
Purpose: Verify the accuracy of the device clock by comparing it with the HTTP Date response header returned by major web providers (Google, Cloudflare, Apple, Microsoft, TimeAPI.io).
Data sent: Standard HTTPS GET/HEAD requests with no custom headers, no cookies, no identifiers. Only the IP address is inherently visible to these providers.
Legal basis: Necessary for the legitimate forensic function of the application (Art. 8.3).
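The clock check described in 4.3, written out as an added example (it is not the application's own code). The exact provider URLs, the tolerance and the quorum are assumptions; only the Date-header parsing and the cross-provider consensus run offline, and the request at the bottom is the part that would touch the network.

```javascript
// Added example, not the app's own code: the clock check section 4.3 describes.
// Only the Date-header parsing and the cross-provider consensus run offline;
// the live query at the bottom is what would actually touch the network.

// Time sources named in section 4.3 (exact URLs are an assumption).
const TIME_SOURCES = [
  'https://www.google.com', 'https://www.cloudflare.com', 'https://www.apple.com',
  'https://www.microsoft.com', 'https://timeapi.io',
];

// Offset (ms) of the provider's clock relative to the local clock, from the
// RFC 7231 Date header and the local time at which the response arrived.
// Date has one-second resolution, so the server value is centred at +500 ms.
function offsetFromDateHeader(dateHeader, localArrivalMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) throw new Error('unparseable Date header');
  return serverMs + 500 - localArrivalMs;
}

// Median of the offsets: one wrong or misbehaving source cannot move the result.
function consensusOffset(offsets) {
  if (offsets.length === 0) throw new Error('no time source answered');
  const s = [...offsets].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Attestation: trust the device clock only if enough sources agree with the
// median and the median itself is within tolerance (thresholds are assumptions).
function attestClock(offsets, { toleranceMs = 5000, quorum = 3 } = {}) {
  const offsetMs = consensusOffset(offsets);
  const agreeing = offsets.filter((o) => Math.abs(o - offsetMs) <= toleranceMs).length;
  return { offsetMs, trusted: agreeing >= quorum && Math.abs(offsetMs) <= toleranceMs };
}

// Live query (needs network): plain HEAD, no cookies, no custom headers, no body.
// Unreachable sources are skipped; the quorum check decides whether that matters.
async function queryTimeSources(urls = TIME_SOURCES) {
  const offsets = [];
  for (const url of urls) {
    try {
      const res = await fetch(url, { method: 'HEAD', credentials: 'omit', cache: 'no-store' });
      const hdr = res.headers.get('date');
      if (hdr) offsets.push(offsetFromDateHeader(hdr, Date.now()));
    } catch {
      // skip this source
    }
  }
  return offsets;
}
```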
4.4 Crash Reporting (Sentry)
Purpose: Detect and fix application errors to maintain reliability.
Data sent: Error stack traces, device model, OS version, app version, anonymized device identifier. Default PII collection is disabled. A pre-transmission filter actively strips user email and IP address from every event.
Legal basis: Legitimate interest in maintaining application stability (Art. 8.3). Users may disable crash reporting via device OS developer settings.
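The pre-transmission filter described in 4.4 and again under Security Measures, written out as an added example (it is not the application's own Sentry configuration). Field names follow the Sentry event payload, and the free-text scrubbing goes a step beyond what this assessment promises, which is only the user email and IP fields.

```javascript
// Added example, not the app's own code: a Sentry beforeSend hook of the kind
// section 4.4 describes, with sendDefaultPii disabled. Field names follow the
// Sentry event payload (user, request, breadcrumbs, exception); the free-text
// scrubbing goes a step beyond the PIA, which only promises the user fields.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Dotted quads only; version strings like 1.2.3.4 are redacted too, which is
// the safe side of the error. IPv6 literals are not handled here.
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

function scrubString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(IPV4_RE, '[ip]');
}

// Redact identifiers inside any nested strings (breadcrumb messages,
// exception values, extra data) without changing the event structure.
function scrubDeep(value) {
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubDeep);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubDeep(v)]));
  }
  return value;
}

// Runs on every event before transmission; returning null would drop it.
function beforeSend(event) {
  const e = { ...event };
  if (e.user) {
    e.user = { ...e.user };
    delete e.user.email;        // never sent
    delete e.user.ip_address;   // never sent, even with sendDefaultPii false
  }
  if (e.request) {
    e.request = { ...e.request };
    delete e.request.env;       // REMOTE_ADDR lives here
    delete e.request.headers;   // X-Forwarded-For and similar
    delete e.request.cookies;
  }
  if (e.message) e.message = scrubString(e.message);
  if (e.breadcrumbs) e.breadcrumbs = scrubDeep(e.breadcrumbs);
  if (e.exception) e.exception = scrubDeep(e.exception);
  if (e.extra) e.extra = scrubDeep(e.extra);
  return e;
}

// Options object that would be passed to Sentry.init() in the app.
const sentryOptions = { sendDefaultPii: false, beforeSend };
```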
4.5 Agency Logo Hosting (managed devices only)
Purpose: Allow organizations to push their branded logo to managed devices for inclusion in PDF reports.
Data sent: License key, device UUID, and current logo hashes (for sync). No case data.
5. Data Residency
| Component | Location | Provider |
|---|---|---|
| Case data (all sensitive content) | Officer's device only | None (not hosted externally) |
| License server | Cloudflare Workers (global edge, with D1 database) | Cloudflare, Inc. |
| Crash reporting | United States | Sentry (Functional Software, Inc.) |
| RFC 3161 timestamps | Routed via Cloudflare to configured TSA | Cloudflare / TSA provider |
Note on data sovereignty: No case data, officer identity, or investigation content transits through or is stored on any external server. The license server stores only technical identifiers required for subscription management. For organizations requiring Canadian-only data residency for all technical metadata, SDTech can configure a dedicated Cloudflare region on request.
6. Security Measures
- Encryption at rest: All sensitive local data is encrypted with AES-256 via the device keychain (iOS Keychain / Android Keystore).
- Encryption in transit: All network communications use TLS 1.2+ (HTTPS). Certificate pinning is enforced for the license server.
- URL allowlisting: The application restricts outbound connections to a hardcoded allowlist of domains. No arbitrary network calls are possible.
- No user accounts: The application does not require account creation, login, email address, or password.
- Audit logging: Administrative actions (MDM configuration changes, logo management) are logged locally with timestamps and badge identifiers for internal accountability.
- Device compromise detection: The application detects jailbroken/rooted devices and flags this status during license validation.
- GDPR Article 17 compliance: A "Clear All Data" feature allows complete and irreversible deletion of all locally stored data.
- Sentry PII filtering: Default PII collection is disabled. A pre-transmission filter strips email addresses and IP addresses from all crash reports.
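The outbound URL allowlisting listed above, written out as an added example (it is not the application's own code). Only license.sdtech.app and the time sources from 4.3 come from this assessment; the Sentry ingest host and the TSA host are placeholders because the page does not name them.

```javascript
// Added example, not the app's own code: the hardcoded outbound allowlist that
// section 6 describes, implemented as an exact-host gate in front of fetch.
// Only license.sdtech.app and the 4.3 time sources come from the PIA; the
// Sentry ingest and TSA hosts are placeholders because the page does not name them.

const ALLOWED_HOSTS = new Set([
  'license.sdtech.app',
  'www.google.com', 'www.cloudflare.com', 'www.apple.com', 'www.microsoft.com', 'timeapi.io',
  'sentry-ingest.placeholder.invalid',   // placeholder
  'tsa.placeholder.invalid',             // placeholder
]);

// Accepts only https URLs whose parsed host is exactly on the list.
// Because the comparison is on the parsed hostname rather than on a string
// prefix, look-alike hosts, userinfo before an @, and other schemes all fail.
function isAllowedUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return false;                                     // not a URL at all
  }
  if (u.protocol !== 'https:') return false;          // TLS only (section 6)
  if (u.username || u.password) return false;         // no credentials in URL
  if (u.port !== '' && u.port !== '443') return false; // default port only
  const host = u.hostname.replace(/\.$/, '');         // drop a trailing dot
  return ALLOWED_HOSTS.has(host);                     // URL parser already lowercases
}

// Every outbound call in the app would go through this wrapper.
async function guardedFetch(url, init) {
  if (!isAllowedUrl(url)) throw new Error(`blocked by allowlist: ${url}`);
  return fetch(url, init);
}
```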
7. Rights of Individuals (Loi 25, sections 27-40)
| Right | How it is exercised |
|---|---|
| Right of access (s. 27) | All case data is stored on the user's own device and is directly accessible. For license server records (device UUID, device name, IP logs), submit a request to [email protected]. Response within 30 days. |
| Right of rectification (s. 28) | Users can edit all local data directly in the app. For server-side records, contact [email protected]. |
| Right of deletion / de-indexing (s. 28.1) | Use "Clear All Data" to delete all local data. For server-side license records, use the "Deactivate" function or contact [email protected] for full account purge. |
| Right to data portability (s. 27(3)) | The "Notes Backup & Restore" feature exports user data in a structured, machine-readable format that can be transferred to another device. |
| Right to withdraw consent (s. 8.1) | No consent-based processing occurs. All data processing is based on contractual necessity (subscription) or legitimate forensic function. Users may stop using the app and delete all data at any time. |
8. Data Retention and Deletion
| Data category | Retention period | Deletion mechanism |
|---|---|---|
| All local case data | Indefinite (user-controlled) | "Clear All Data" function |
| License activation records (server) | Until deactivation + 30-day cleanup | Automatic on deactivation, or by request |
| Validation logs with IP (server) | 30 days | Automatic purge |
| Trusted timestamp records (server) | Indefinite (required for timestamp verification) | By request (note: deletion voids timestamp verifiability) |
| Crash reports (Sentry) | 90 days (default Sentry retention) | Automatic purge |
9. Sub-processors
| Sub-processor | Purpose | Data received | Location |
|---|---|---|---|
| Cloudflare, Inc. | License server hosting, edge compute, D1 database | Device ID, device info, license key, IP address, document hash | Global (edge), database region configurable |
| Sentry (Functional Software, Inc.) | Crash reporting | Anonymized error data, device model, OS version (PII stripped) | United States |
| Apple Inc. / Google LLC | In-App Purchase receipt validation (via app stores) | Purchase token, product ID | United States |
| RFC 3161 Time-Stamping Authority | Trusted timestamping of document hashes | SHA-256 hash (no document content) | Varies by TSA provider |
10. Risk Assessment Summary
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Unauthorized access to case data | Very low | High | Data is local-only, AES-256 encrypted, stored in OS keychain. No server-side attack surface for case data. |
| License server breach exposing device identifiers | Low | Low | Server stores only technical identifiers (UUID, device name, IP). No case data, no officer names, no badge numbers. IP logs auto-purged after 30 days. |
| Device name containing officer's real name (e.g. "Sylvain's iPhone") | Medium | Low | Organizations can standardize device naming via MDM policy to remove personal names. SDTech is evaluating removal of device name transmission in a future release. |
| Sentry crash report containing PII | Very low | Low | sendDefaultPii: false. Pre-transmission filter strips email and IP. No case data in stack traces. |
| IP address exposure to time source providers | Certain | Very low | Standard HTTPS behavior; no identifiers sent. IP alone does not identify an officer. Providers are major web services (Google, Cloudflare, Apple, Microsoft) with established privacy practices. |
11. Conclusion
DVR Time Traveler's architecture is designed on the principle that the safest way to protect sensitive data is to never transmit it. All investigation-related content remains on the officer's device at all times. The limited data that reaches external servers (device identifiers for license management, SHA-256 hashes for trusted timestamping, and anonymized crash reports) contains no case data, no officer identity, and no investigation details.
This assessment concludes that the privacy risk to individuals is low and that the application's data handling practices are consistent with the requirements of Loi 25 / Bill 64.
For questions or to exercise your privacy rights, contact: [email protected]
SDTech Mobile Application Inc., Quebec, Canada