Mobile Application Privacy Policy
MadeiraGovID for iOS and Android — Personal Data Processing
This policy describes the processing of personal data carried out by the MadeiraGovID mobile application for iOS and Android, and complements the portal Privacy Policy id.madeira.gov.pt with respect to aspects specific to the mobile environment. Regulation (EU) 2016/679 (GDPR) applies.
1. Entity Operating the Mobile Application
The MadeiraGovID mobile application is provided by the Regional Government of Madeira (GRM) as an extension of the MadeiraGovID Single Sign-On portal, and is intended to allow users to authenticate with GRM services from a mobile device, with multi-factor authentication, QR sign-in code reading and account management features. The application is compatible with iOS 15 and later and Android 9 (API 28) and later.
For technical questions about the application, please contact id@madeira.gov.pt.
2. Data Controller
Personal data collected by the MadeiraGovID mobile application are processed under the responsibility of the Regional Government of Madeira, in accordance with the principles set out in the portal Privacy Policy.
3. Confidentiality, Security and Privacy
The application processes data in a fair and transparent manner, in accordance with Article 32(1) GDPR. In the mobile environment the following additional technical safeguards are applied:
- credentials, identifiers and tokens are stored in the operating system's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android), backed by hardware where available;
- an asymmetric key pair (ECDSA P-256) is generated for each installation and kept in the device secure enclave; it is used to sign every request issued to the backend;
- biometric verification is delegated to the operating system (Face ID, Touch ID on iOS; BiometricPrompt on Android); the application never accesses or stores biometric data.
4. Categories of Personal Data Processed
The following categories of data are collected and processed, depending on the operation the user wishes to perform:
- Identification and contact data: name, username, email address and, where applicable, civil identification number (NIC) and tax identification number (NIF);
- Authentication data: OIDC tokens (access, refresh and identity), multi-factor authentication codes, recovery codes and associated factors;
- Device data: unique installation identifier (UUID), device name, model, operating system and version, public key generated for request signing, and push notification token (FCM on Android and APNs on iOS);
- Document images: photographs of the front and back of the Portuguese Citizen Card, captured exclusively for OCR validation on the backend; transmitted over encrypted channels and not retained locally after upload;
- Validated identifiers: only after validation via Citizen Card or Chave Móvel Digital — NIC, NIF, date of birth, social security identification number (NISS) and, where applicable, institutional email addresses (gov.pt, edu.pt);
- Biometric data: never accessed or stored by the application. Biometric verification is performed by the operating system's secure subsystem, which only returns a boolean result (success or failure) and, where supported, a cryptographic assertion bound to the operation;
- Audit and session records: records of relevant account actions (sign-ins, credential changes, device registration and revocation, session revocation), tied to the device identifier.
5. System Permissions Requested
The application requests only the permissions strictly necessary for its operation. Permissions may be granted or revoked at any time in the operating system settings. Denying a permission limits the corresponding feature but does not prevent use of the rest of the application.
| Platform | Permission | Purpose |
|---|---|---|
| Android | INTERNET, ACCESS_NETWORK_STATE | Communication with the MadeiraGovID authentication servers. |
| Android | CAMERA | Reading sign-in QR codes and capturing Citizen Card images for validation. |
| Android | USE_BIOMETRIC | Biometric verification delegated to the operating system. |
| Android | POST_NOTIFICATIONS | Reception of authentication notifications (2FA requests, QR sign-in, security alerts). |
| Android | VIBRATE | Haptic feedback during sensitive operations. |
| iOS | NSCameraUsageDescription | Reading QR codes and capturing Citizen Card images. |
| iOS | NSFaceIDUsageDescription | Biometric authentication via Face ID. |
| iOS | UIBackgroundModes: remote-notification | Receiving push notifications in the background. |
6. Push Notifications
Push notifications are delivered via Firebase Cloud Messaging (FCM) on Android and Apple Push Notification Services (APNs) on iOS, operated by Google Ireland Ltd. and Apple Distribution International, respectively, acting as processors. The processing is based on the performance of the contract with the user (Article 6(1)(b) GDPR), since notifications are indispensable to the multi-factor authentication and QR approval flows. The notification token is associated server-side with the registered device identifier.
Notifications cover multi-factor authentication requests (number matching), QR sign-in approvals and security alerts. Push notifications remain active in either of the telemetry modes described in the next section, as they are essential to the service.
7. Telemetry, Diagnostics and Usage Analytics
The application uses Firebase Analytics and Firebase Crashlytics, operated by Google Ireland Ltd., respectively for aggregate statistical analysis of application usage and for crash and stability diagnostics.
The application does not collect advertising identifiers or any data destined for advertising purposes. Specifically, in either operating mode:
- the Android Advertising ID (AAID), iOS Identifier for Advertisers (IDFA) and Android SSAID are not collected;
- advertising personalisation signals (Google Signals, ad personalization) are permanently disabled;
- the Consent Mode V2 parameters ad_storage, ad_user_data and ad_personalization are pinned to denied.
At first launch, and at any time under Settings > Privacy > Telemetry preferences, the user is asked to choose between two modes:
| Mode | Persistent analytics identifiers | Legal basis |
|---|---|---|
| Accept all | Collected: Firebase Analytics records a persistent app_instance_id that allows session correlation and produces retention and multi-session funnel reports. | Consent — Article 6(1)(a) GDPR. |
| Essentials only | Not collected: Firebase Analytics operates in Consent Mode V2 Advanced, sending only aggregated cookieless pings (behavioral modeling), processed by Google without association to a specific device. | Legitimate interests — Article 6(1)(f) GDPR, with data minimisation measures (no identifiers, no advertising, truncated IP). |
In both modes:
- Firebase Crashlytics remains active and receives crash reports (stack traces) for service stability purposes; reports do not contain personally identifying data;
- the IP address is processed by Google in European data centres and truncated before any storage, in accordance with the EU Data Mode applied to Google Analytics 4 and Firebase (in force since October 2020). The IP is not used to build identifiers or precise geolocation;
- advertising features are disabled at Firebase project level.
The processor is Google Ireland Ltd., under the Firebase Data Processing Terms available at firebase.google.com/terms/data-processing-terms. Any transfers to third countries are carried out under the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914. The user may object to the processing of telemetry, under Article 21 GDPR, via the contact in Section 13.
8. International Transfers
Telemetry, diagnostics and notification data are processed by Google on infrastructure located within the European Economic Area. Any transfers to third countries, notably the United States, are carried out under the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
9. Retention Periods
- security logs (timestamp, IP, device) are kept for a maximum of 90 days, in line with the portal;
- Citizen Card images are deleted upon completion of the OCR and validation process;
- the application's local cache is purged on sign-out;
- device cryptographic keys are deleted upon revocation or reinstallation;
- Firebase telemetry data is retained for the minimum period set in the admin panel (2 months for event-level data).
10. Access, Security and User Identification
Account access in the application is protected by password and, optionally, a second authentication factor (TOTP authenticator, push number matching or recovery codes). Biometric verification, when enabled, acts as a local second factor, fully delegated to the operating system's secure subsystem.
11. Rights of Data Subjects
Under Articles 15 to 22 GDPR, data subjects have the rights to access, rectify, erase, restrict, receive portability of or object to the processing of their data, and to withdraw consent. These rights may be exercised directly in the application via:
- viewing and revoking active sessions;
- removing previously validated identifiers;
- changing email and password;
- enabling or disabling second factor authentication;
- signing out, which purges the local secure storage;
- remotely revoking the device registration;
- changing telemetry preferences at any time.
12. Cookies and Analogous Technologies
Being a native application, the MadeiraGovID mobile app does not use cookies. It does, however, use local storage and persistent identifiers with analogous purposes, described in detail in the Mobile Application Storage and Identifiers Policy.
13. Data Protection Officer and Supervisory Authority
To exercise the rights described in this policy, or for any question concerning the processing of personal data — including the right to object to telemetry processing — please contact the Data Protection Officer of the Regional Government of Madeira:
Gabinete para a Conformidade Digital e Proteção de Dados (GCPD)
Palácio do Governo Regional — Avenida Zarco, 9004-527 Funchal, Portugal
Phone: (+351) 291 145 175
Email: gcpd@madeira.gov.pt
If you consider that the processing of your personal data infringes the GDPR, you are also entitled to lodge a complaint with the Portuguese supervisory authority:
CNPD — Comissão Nacional de Proteção de Dados
Av. D. Carlos I, 134, 1.º — 1200-651 Lisboa, Portugal
Phone: (+351) 213 928 400
Email: geral@cnpd.pt
14. Updates to this Policy
This policy may be updated to reflect changes in the application or the legal framework. Material updates are notified on the first launch following the application update.
Last updated: 13 May 2026.