🌍 Exchange App
Privacy & Security Policy
Last Updated: March 26, 2026 | Version 1.0.0
1. 📱 App Overview
Exchange App is a Flutter-based mobile application designed for currency exchange and
gold trading operations. The application facilitates buying and selling of currencies and gold commodities,
provides real-time exchange rate updates, and maintains user account balances and transaction history.
Application Capabilities:
- Real-time currency exchange rate updates
- Buy and sell gold transactions
- User account management and authentication
- Transaction history and balance tracking
- Push notifications for market updates
- Real-time data synchronization across devices
2. 📊 Data Collection & Usage
A. User Account Information
We collect the following information during user registration and account setup:
- Username: Used for account identification and login
- Password: Encrypted and stored securely (never in plain text)
- Email Address: For account recovery and communication purposes
- Phone Number: For contact and verification purposes
- User ID: Unique identifier for database operations
- Connect Customer ID: Integration identifier for payment/trading systems
B. Transaction Data
All exchange and trading activities are recorded, including:
- Currency type and quantity
- Exchange rates at time of transaction
- Transaction amount and type (buy/sell)
- Gold deposits and requirements
- Transaction timestamps
- Profit/Loss calculations
C. Device & Behavioral Data
- Device information (model, OS)
- FCM (Firebase Cloud Messaging) tokens
- App usage patterns
- Session information
Purpose: Data is collected to provide personalized services, maintain transaction records,
ensure security, prevent fraud, and improve user experience.
3. 🔐 User Authentication & Security
Authentication Mechanism
The application implements a token-based authentication system:
- Login Process: Users provide username and password credentials
- Token Generation: Upon successful authentication, an authentication token (Bearer token) is issued
- Token Storage: Tokens are stored securely using GetStorage (encrypted local storage)
- Token Usage: All API requests include the token in the Authorization header
Security Features
- Failed Login Lockout: Account locks after multiple failed login attempts
- Progressive Lockout Timing: Lockout duration increases with repeated attempts (30s → 60s → 120s+)
- Password Visibility Toggle: Users can show/hide password during entry
- Session Management: Active session tracking and session timeout mechanisms
- Bearer Token Authentication: All API endpoints require valid authorization tokens
⚠️ Important: Never share your login credentials or authentication tokens.
The application will never ask for your password through unsecured channels.
4. 💾 Data Storage & Security
Local Data Storage
The application uses GetStorage for local data persistence:
| Data Item |
Storage Type |
Encryption Status |
| Authentication Token |
GetStorage (Local) |
Encrypted |
| User Information |
GetStorage (Local) |
Encrypted |
| Session Data |
GetStorage (Local) |
Encrypted |
| App Preferences |
GetStorage (Local) |
Encrypted |
| Failed Login Attempts |
GetStorage (Local) |
Encrypted |
Server-Side Storage
User and transaction data is stored on secure backend servers with:
- Database encryption at rest
- Regular backups
- Access controls and user permission management
- Audit logging of data access
✓ Security Implemented: All sensitive data is encrypted both in transit (HTTPS)
and at rest (database encryption).
5. ⚡ Real-Time Services
Ably Real-Time Messaging
The application uses Ably (real-time messaging platform) to deliver instant updates
for exchange rate changes and transaction notifications.
- Service: Real-time pub/sub messaging
- Purpose: Instant rate updates and event notifications
- Channel: exchange_rates
- Data Transmitted: Exchange rates, transaction status updates
- Security: Channel-based access control with API key authentication
Pusher Channels
Pusher Channels is used for additional real-time event distribution:
- Cluster: ap1 (Asia Pacific)
- Purpose: Real-time order updates and notifications
- Trigger Events: On exchange transactions, rate changes
- Data Encrypted: All data transmitted over secure WebSocket connections
6. 🔔 Push Notifications & Messaging
Firebase Cloud Messaging (FCM)
The application uses Firebase Cloud Messaging for push notifications:
- FCM Token: Unique identifier generated per device installation
- Token Management: Tokens are refreshed automatically and sent to the server
- Permissions: App requests notification permissions (Android 13+ and iOS)
- Data Sent to Server:
- User ID
- Connect Customer ID
- FCM Token
Notification Types
- Market Updates: Exchange rate changes and alerts
- Transaction Confirmations: Buy/sell order confirmations
- Reminders: Scheduled reminders for pending actions
- System Alerts: Important account or security notifications
Local Notifications
The app uses Flutter Local Notifications plugin for local, on-device notifications
without requiring internet connectivity.
7. 📱 Device Information Collection
Collected Device Data
The application collects the following device information:
| Data Point |
Android |
iOS |
Purpose |
| Device ID |
Yes (unique ID) |
Yes (Vendor ID) |
Device identification, security, fraud prevention |
| Phone Model |
Yes |
Yes |
App compatibility, support, analytics |
| OS Version |
Yes |
Yes |
Compatibility verification |
Device Service Plugin
Uses device_info_plus plugin for secure device identification.
Device information is encrypted during transmission and stored securely.
8. 🌐 API Endpoints & Data Transmission
Base API Configuration
Default Server: http://192.168.1.7:80/api
Alternative Servers: https://dlp01.shop/api (production)
Image Server: http://192.168.1.7:80/storage
Key API Endpoints
| Endpoint |
Method |
Purpose |
Authentication |
| /exchange-rates |
GET |
Fetch current exchange rates |
Bearer Token |
| /save_exchange |
POST |
Submit exchange transaction |
Bearer Token |
| /buy-sale-gold |
GET |
Fetch user's buy/sell orders |
Bearer Token |
| /save-fcm-token |
POST |
Register device for notifications |
Bearer Token |
Data Transmission Security
- Protocol: HTTPS (encrypted SSL/TLS) for production
- Headers:
- Content-Type: application/json
- Accept: application/json
- Authorization: Bearer {token}
- Payload Encryption: All data in JSON format
- Error Handling: Server returns status codes and error messages
9. 🔗 Third-Party Services & Dependencies
Core Dependencies
| Service/Package |
Version |
Purpose |
| Firebase Core |
^4.4.0 |
Firebase initialization and services |
| Firebase Messaging |
^16.1.1 |
Push notifications (FCM) |
| Ably Flutter |
^1.2.43 |
Real-time messaging for rate updates |
| Pusher Channels |
^2.6.0 |
Real-time event distribution |
| HTTP |
^1.4.0 |
API communication |
| GetStorage |
^2.1.1 |
Encrypted local data storage |
| Get |
^4.7.2 |
State management and navigation |
| Flutter Local Notifications |
^20.1.0 |
Local notification system |
| Device Info Plus |
^12.3.0 |
Device information collection |
| Permission Handler |
^12.0.1 |
Runtime permission management |
| Flutter Timezone |
^5.0.1 |
Timezone detection and management |
| Intl |
^0.20.2 |
Internationalization and date formatting |
| Google Fonts |
^6.2.1 |
Custom typography |
Data Sharing with Third Parties
Your data may be shared with the following third-party services to provide the application's functionality:
- Firebase: Analytics, crash reporting, cloud messaging
- Ably: Real-time event messaging
- Pusher: Real-time channel subscriptions
- Backend Server: User authentication, transaction processing, data storage
Note: We do not sell or trade user data to third parties. Data is shared only
to the extent necessary to provide application services.
10. 🛡️ Security Measures
Implementation Security
- Encrypted Storage: GetStorage provides AES encryption for local data
- HTTPS/TLS: All API communications use encrypted protocols
- Token-Based Auth: Bearer token authentication for all API calls
- Session Management: Automatic session validation and timeout
- Password Security: Never stored in plain text, hashed server-side
- Input Validation: Server-side validation of all user inputs
- Error Handling: Secure error messages without exposing sensitive information
Account Security
- Multi-Attempt Lockout: Account lockout after failed login attempts
- Progressive Lockout: Increasing lockout duration
- Session Termination: Logout clears all local session data
- Device Binding: Device-specific identifiers for security
Data Protection
- Encryption in transit (HTTPS)
- Encryption at rest (local and server)
- Access controls and permission management
- Regular security audits
- Compliance with data protection regulations
Recommended User Practices
- Use strong, unique passwords
- Keep your device and app updated
- Do not share your login credentials
- Use a secure device lock (PIN, biometric)
- Enable notifications for transaction alerts
- Logout when finished using the app
- Monitor your account for unauthorized activity
11. 👤 User Rights & Data Access
Your Rights
Under applicable data protection laws, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and associated data
- Portability: Request data in portable format
- Objection: Object to certain data processing activities
- Restriction: Request restriction of data processing
Data Retention Policy
- Active Users: Data retained while account is active
- Inactive Accounts: Retained for 24 months after last activity
- Transaction Records: Retained for 7 years for compliance
- Device Tokens: Retained while app is installed
- Deleted Accounts: Permanently deleted after 30-day grace period
How to Exercise Your Rights
To exercise any of these rights, please contact our support team with a detailed request.
We will respond within 30 days.
13. 📋 Additional Information
Compliance & Standards
- GDPR Compliant (where applicable)
- CCPA Compliant (where applicable)
- Local data protection regulations compliance
- Industry security standards (SSL/TLS 1.3+)
- PCI DSS compliance for financial transactions
Application Technical Details
- Framework: Flutter 3.8.1+
- Platforms: Android, iOS
- State Management: GetX
- Database: Local: GetStorage | Remote: Server Database
- API Architecture: RESTful with Bearer Token Auth
Version History
- v1.0.0: Initial release with basic exchange functionality
14. ⚖️ Legal Disclaimers
- This application is provided "as-is" without warranties
- Users are responsible for maintaining password confidentiality
- We are not liable for unauthorized access due to user negligence
- Exchange rates and financial data are for informational purposes only
- Currency fluctuations and market risks are user responsibility
- We reserve the right to suspend accounts for fraudulent activity
- Service availability may be interrupted for maintenance or updates