Privacy Policy
Effective & last updated: June 2026 · Version 1.0
This Privacy Policy explains how Black & White Studio ("we", "us", "Mobile Fleet")
collects, processes, stores and protects information when you or your organization uses the
Mobile Fleet Mobile Device Management platform — including the web dashboard,
backend services, mobile device agent, and any related APIs (collectively, the "Service").
Privacy in one line. Mobile Fleet processes tenant configuration and managed-device telemetry on behalf of your organization (the data controller). We act as a data processor under GDPR. Customer data lives in your chosen region — or fully inside your own infrastructure on the self-hosted tier — and we never sell, share, or use it to train AI models.
1. Who we are
Mobile Fleet is owned and operated by Black & White Studio, based in Dhaka,
Bangladesh. For SaaS customers, we are the data processor; your organization is the data controller.
For self-hosted Enterprise customers, you are both the controller and processor — we receive no
customer data.
2. Information we collect
2.1 Tenant & admin account information
- Organization name, business address, billing contact.
- Administrator name, work email, role, hashed password (Argon2id) or SSO subject identifier.
- Tenant configuration: device groups, policy templates, app catalog entries.
- API keys and enrollment tokens (hashed at rest).
2.2 Managed device telemetry
- Device identifiers: serial number, IMEI, Android ID, manufacturer, model, OS version, build fingerprint.
- State: battery, storage, connectivity, last-seen timestamp, root/tamper signals.
- Installed app inventory on managed devices.
- Location data only if geofencing is enabled by the tenant administrator.
- Command and policy events generated by the administrator (lock, wipe, install, kiosk).
2.3 Audit & usage logs
- Administrator logins, IP addresses, user-agent strings, MFA events.
- Every privileged action (policy change, device command, billing change) — immutable and timestamped.
- Backend service logs (errors, latency, request paths), stripped of PII where possible.
2.4 Billing data
- Plan tier, number of devices enrolled, invoice history.
- Payment method tokens (processed by our payment processor — we never see raw card numbers).
3. How we use it
- Service operation. Authenticate admins, enroll devices, deliver real-time MQTT commands, generate reports.
- Security. Detect intrusions, abuse, suspicious enrollment patterns, and respond to incidents.
- Compliance. Produce audit-ready logs for ISO 27001, SOC 2, HIPAA, GDPR and PCI-DSS engagements run by you or your auditor.
- Billing. Calculate device-count usage, send invoices, recover failed payments.
- Support. Reproduce issues you report, with your explicit consent, via short-lived support sessions.
- Product improvement. Aggregated, de-identified metrics only — never personal or device-identifying data.
We do not sell or rent personal data. We do not use customer or device data to train AI/ML models. We do not share data with advertising networks.
4. Controller vs processor
Under the EU GDPR and UK DPA, your organization is the data controller for the
information you push into Mobile Fleet (devices, admins, audit logs, location data). We process
that data only on your documented instructions, as set out in our Data Processing
Addendum (DPA), available on request to dpa@blacknwhitestudio.com.
5. Device-side data
The Mobile Fleet device agent runs in Android Device Owner mode on phones your
organization has enrolled. It can:
- Read device state (model, OS, battery, storage, network type, installed apps).
- Apply policies (PIN, encryption, kiosk, Wi-Fi, restrictions).
- Read location only when the organization enables geofencing.
- Receive and execute administrator commands (lock, wipe, install, locate).
The agent does not read SMS, WhatsApp, personal photos, gallery contents, or
browsing history unless your organization explicitly enables corresponding policies (e.g.,
browser URL logging). End users on managed devices are informed via on-device notices on first
enrollment.
6. Where data is stored
- Multi-tenant SaaS: hosted in one of our regional clusters — EU (Frankfurt), US (Virginia), APAC (Singapore) or South Asia (Mumbai/Dhaka). Tenants choose at signup; data does not leave the chosen region.
- Self-hosted Enterprise: all data resides inside your own VPC/data center. We never receive it.
- Backups: encrypted with AES-256, stored within the same region as the primary tenant.
7. Encryption & security
- TLS 1.3 for every HTTP request and MQTT connection.
- Mutual TLS (mTLS) between device agents and the MQTT broker.
- JWT access tokens (short-lived) + rotating refresh tokens.
- Argon2id password hashing; secrets in HashiCorp Vault or KMS (per region).
- Row-level multi-tenant isolation enforced at the ORM and database layer.
- Daily encrypted backups with point-in-time recovery up to 30 days (paid tiers).
- Annual third-party penetration test; quarterly internal vulnerability scans.
8. Third-party subprocessors
We use a small, audited list of subprocessors to run the Service:
- Cloud infrastructure — AWS / GCP (per region) for compute, storage, networking.
- Email delivery — for transactional emails (verification, invoices, alerts).
- Payment processing — Stripe (PCI-DSS Level 1) for cards and ACH.
- Error monitoring — Sentry, with PII scrubbing on by default.
- Push delivery — Firebase Cloud Messaging for wake-up signals on idle devices.
A full, current list is available on request from dpa@blacknwhitestudio.com.
9. Retention & deletion
- Active tenant data is retained for the lifetime of the subscription.
- Audit logs: 30 days (Starter), 1 year (Business), unlimited (Enterprise).
- On account closure, customer data is purged within 30 days (encrypted backups within 90 days).
- You may export your data at any time via the dashboard or API.
10. Your rights
Depending on your jurisdiction (GDPR, UK DPA, CCPA, PIPEDA, Bangladesh DPA), you may have the right
to access, correct, port, restrict, or delete the personal data we hold about you. You can exercise
these rights by emailing privacy@blacknwhitestudio.com.
We respond within 30 days.
For data we process on behalf of your employer (audit logs of your admin actions, telemetry of a
device assigned to you), please contact your IT/HR department first — they are the data controller.
11. Cookies & analytics
- The web dashboard uses essential cookies for authentication and CSRF protection.
- No advertising cookies. No third-party tracking pixels.
- Marketing pages (this site) use privacy-respecting, aggregate-only analytics. No personal profile is built.
12. Children's data
Mobile Fleet is a B2B platform intended for enrolled corporate devices. We do not knowingly collect
information from individuals under 16. If a school or education customer enrolls student devices,
that customer is the data controller and is responsible for any required parental consent.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in the Service, in subprocessors, or in
applicable law. Material changes will be announced in the admin dashboard and by email to billing
contacts at least 30 days before they take effect.
14. Contact us