Last updated: June 10, 2026

This Privacy Policy describes how Fortago (“we”, “our”, or “the app”) collects, uses, and stores information when you use the Fortago Android application.

1. What Fortago Does

Fortago is a closed-access Android application for managing and locating Bluetooth Low Energy (BLE) tracking tags within an organization. Access is granted by an administrator and is not open to the general public.

2. Information We Collect

2.1 Device Identifier

When you first open the app, it reads your device’s Android ID (Settings.Secure.ANDROID_ID). This ID is used as your account identifier on the backend. It is never displayed to you in any user-facing element, but it is stored on our servers tied to your account.

2.2 Authentication Credentials

A random password is generated on first launch and stored in the device’s secure storage (expo-secure-store). This password, combined with your Android ID, authenticates your device to the backend. The password is stored as a cryptographic hash (Scrypt) on the server and is never transmitted in plain text after account creation.

2.3 Account and User Data

Your administrator creates a named user account and assigns you to one or more organizational units before you can sign in. The following data is stored on the server for your account:

  • A display name assigned by your administrator
  • Your Android ID (used as the account identifier)
  • Whether you have administrator privileges
  • The list of organizational units you belong to

2.4 BLE Tag Data

When a tag is added or interacted with, the following information is stored on the server:

  • A user-given tag name and optional description
  • The BLE device’s MAC address / unique device ID
  • The BLE device’s advertised name at the time it was added
  • A timestamp of when the tag was last seen
  • The tag’s last-known battery level percentage

This data is updated every time any user scans and detects a tag.

2.5 Bluetooth Scan Data

When you perform a scan, the app uses your device’s Bluetooth hardware to discover nearby BLE devices. During a scan:

  • Device IDs (MAC addresses) and advertised names of discovered devices are read
  • Signal strength (RSSI) is measured and converted to a percentage
  • Only devices that match tags already registered in your organization are acted upon
  • Raw scan results for non-matching devices are discarded immediately and never sent to any server

The app does not continuously scan in the background. Scanning only occurs while the app is open and actively in use.

2.6 No Analytics or Crash Reporting

Fortago does not include any third-party analytics, advertising SDKs, or crash reporting services. No behavioral data, usage patterns, or crash logs are sent to third parties.

3. Permissions

The app requests the following Android permissions:

Permission Purpose
BLUETOOTH_SCAN Discover nearby BLE tags (Android 12+)
BLUETOOTH_CONNECT Connect to a tag to ring it or read its battery (Android 12+)
ACCESS_FINE_LOCATION Required by Android to perform Bluetooth scanning (Android 11 and below)
BLUETOOTH Legacy Bluetooth permission (Android 11 and below, capped at API 30)
BLUETOOTH_ADMIN Legacy Bluetooth admin permission (Android 11 and below, capped at API 30)

Location permission is only requested because Android requires it for Bluetooth scanning on older OS versions. The app does not collect, read, store, or transmit your GPS location or any location data.

4. How Information Is Used

All collected data is used solely for the following purposes:

  • Authenticating your device to the Fortago backend
  • Displaying your assigned tags and their status
  • Updating tag last-seen timestamps and battery levels when detected
  • Allowing administrators to manage tags and user accounts

Your data is not sold, shared with third parties, or used for advertising.

5. Data Storage and Security

Data is stored on Convex infrastructure. Passwords are never stored in plain text - they are hashed using the Scrypt algorithm before being persisted. All communication between the app and the backend occurs over HTTPS.

Your device password is stored locally using Android’s secure storage mechanism, which encrypts the value at rest using the device’s hardware-backed keystore where available.

6. Data Retention and Deletion

User accounts and tag data persist until an administrator removes them. There is no self-service account deletion within the app. To request deletion of your account and associated data, contact your organization’s Fortago administrator.

7. Children’s Privacy

Fortago is not intended for use by children under 13 years of age and does not knowingly collect data from children.

8. Changes to This Policy

If this policy changes materially, the “Last updated” date at the top of this document will be revised. Continued use of the app after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions or data deletion requests, contact us at hi@fortago.app.