Privacy by architecture

Bytes never leave your LAN.

Privacy here isn't a policy you have to trust. It's how the protocol is wired.

Streamed, not uploaded

The TV reads HTTP byte-ranges over your Wi-Fi. Nothing is copied to disk on the TV — when you stop, the buffer is gone.

LAN-only by design

SSDP discovery is link-local multicast. The phone won't be reachable outside your Wi-Fi — even if your router is compromised remotely.

No accounts, no telemetry

Nothing to sign up for. Nothing logged. Nothing phoned home. The app doesn't ask for the network — Wi-Fi is the only one it needs.

One file. Read-only. Revoked on stop.

Each share exposes exactly the file you pick. Read-only. The Android system grant is released the moment you tap stop.

Privacy Policy

The full version, in plain English.

Effective May 4, 2026 · v0.1.0 — Open Beta

watch witch is a phone-to-TV streaming app that runs entirely on your local network. There is no cloud, no account system, and no third party in the middle of the bytes. This document describes — in concrete terms — what that means for your data.

Where the four tiles above give you the headline, this is the long form: which bits stay on your phone, which bits cross the LAN, and which bits never exist at all.

01 Information we don't collect

We don't collect any of these because we don't run the servers that would receive them. There is no watch witch backend.

  • Personal information (name, email address, phone number).
  • Account credentials — there are no accounts.
  • Usage analytics or telemetry — no SDKs, no event pipeline, no “phone-home” on launch or use.
  • Crash reports routed to a third party.
  • Advertising identifiers, device fingerprints, or behavioural data.
  • The content of the videos you stream — they travel directly from your phone to your TV over your local network.

The only network destinations the app talks to are on your own LAN. It does not contact a remote server we control during normal operation.

02 Information that stays on your device

Some data is stored on the phone itself and never leaves it:

  • The list of files you've recently shared, so the UI can re-offer them.
  • Your DLNA-friendly device name, defaulted from the phone's hostname so clients on the LAN can recognise it.
  • App preferences (which subtitle track you last picked, layout state, etc.).

This data lives in the app's private Android storage. Uninstalling the app removes it. Clearing the app's data from system settings removes it. We have no way of accessing it.

03 Information that touches the network

While a share is active:

  • The phone broadcasts an SSDP advertisement to the link-local multicast group 239.255.255.250 so DLNA clients on the same Wi-Fi can discover it.
  • DLNA clients on the same LAN can request the share's metadata as DIDL-Lite XML over HTTP.
  • The TV (or other client you select) reads the file's bytes via HTTP byte-range requests over the LAN.

None of this leaves your local network. SSDP is link-local and does not traverse a router. The HTTP server only listens on the phone's Wi-Fi interface. There is no NAT-traversal, STUN, TURN, relay server, or remote bridge.

04 Permissions we request, and why

Android requires explicit grants for the system surfaces we touch. Each one is requested for a single, narrow reason:

  • READ_MEDIA_VIDEO (or its predecessor on older Android) — so you can pick the file you want to share. We read only the file you select; we don't enumerate your library in the background.
  • INTERNET + ACCESS_WIFI_STATE — so the in-app HTTP server can bind to your Wi-Fi interface and SSDP can multicast.
  • FOREGROUND_SERVICE_MEDIA_PLAYBACK — so the share keeps running when you lock the phone or switch apps.
  • POST_NOTIFICATIONS (Android 13+) — to show the persistent “sharing now” notification, which doubles as the kill-switch.

We do not request location, contacts, microphone, camera, calendars, or any background sync permissions.
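
An added example, not code from the watch witch project: one way to check a decoded AndroidManifest.xml against the permission list above. The sample manifest is constructed, and mapping the "predecessor" to READ_EXTERNAL_STORAGE and the ruled-out categories to specific android.permission names are assumptions.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Section 04's list. Assumption: the "predecessor" is READ_EXTERNAL_STORAGE.
POLICY_ALLOWED = {P + n for n in (
    "READ_MEDIA_VIDEO", "READ_EXTERNAL_STORAGE", "INTERNET", "ACCESS_WIFI_STATE",
    "FOREGROUND_SERVICE_MEDIA_PLAYBACK", "POST_NOTIFICATIONS")}

# Categories the policy rules out, mapped (assumption) to platform permissions.
POLICY_DENIED = {
    "location": ("ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"),
    "contacts": ("READ_CONTACTS", "WRITE_CONTACTS"),
    "microphone": ("RECORD_AUDIO",),
    "camera": ("CAMERA",),
    "calendars": ("READ_CALENDAR", "WRITE_CALENDAR"),
}
DENIED_BY_NAME = {P + n: cat for cat, names in POLICY_DENIED.items() for n in names}

# Constructed sample, NOT the app's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Sort every requested permission into one of three buckets."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {el.get(NAME_ATTR)
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag) if el.get(NAME_ATTR)}
    report = {"matches_policy": [], "contradicts_policy": [], "not_in_policy": []}
    for name in sorted(requested):
        if name in POLICY_ALLOWED:
            report["matches_policy"].append(name)
        elif name in DENIED_BY_NAME:
            report["contradicts_policy"].append((name, DENIED_BY_NAME[name]))
        else:
            report["not_in_policy"].append(name)  # needs a human look
    return report
```

The manifest inside an APK is binary XML, so decode it first (for example with apktool) or run the check on the merged manifest from a build, since libraries can contribute permissions the source manifest does not show.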

05 Children's privacy

watch witch isn't directed at children under 13, and we don't knowingly collect data about them — because we don't collect data about anyone. The app behaves identically regardless of who is holding the phone.

06 Open source and third parties

watch witch is open source. The full source is on GitHub, so you can audit exactly which network calls the app makes and which permissions it touches.

We don't bundle third-party analytics, crash-reporting, or advertising SDKs. The app links against system Android libraries and a small set of upstream open-source components, all listed alongside their licenses in the repository.

07 Updates to this policy

Because we're in open beta, this document will evolve. When something material changes — a new permission, a new network endpoint, a behavioural shift — we bump the effective date at the top, call out what changed in the GitHub release notes, and keep the full revision history of this page in the repository alongside the code.

Questions, takedown requests, or anything else policy-shaped — write to hello@watch-witch.app. We treat email and GitHub issues equally.