Updated Date: May 24th, 2018

The goal of this privacy policy is to describe the current state of Cydia's usage of user information, including both first and third party disclosure.

As Cydia adds more features, the implications of those new features on user information will be added to this document, and the date updated.

(This document was written on July 15th of 2012. Some of the information is "obsolete", due to services no longer offered, and has been struck.)

Cydia does not maintain its own user account system and instead uses external services such as Facebook and Google for user authentication.

Cydia accesses the name and profile picture of users who are logged in; this is used in a dialog reminding the user which account they are currently using.

Cydia does not disclose purchases made to other users; in particular, Cydia will not publish information on purchases to a user's social network.

If in the future Cydia allows users to share information in this fashion, it will require the user to take specific and obvious action to cause the share.

(To be clear, no social information is "stored": information is merely "accessed" for the user interface. Future functionality is no longer being planned.)

Software licenses purchased from Cydia are associated with the user's authentication account (Facebook or Google), and not with the user's device.

Instead, devices are then "linked" to user accounts by explicit user action; this association is made using the device's unique identifier (aka UDID).

When vendors of products with DRM verify purchases with Cydia, the verification is done via UDID, which is looked up through to the user account and checked.

Device identifiers are sent to all third-party repositories during the repository update stage, as well as during the downloads of specific packages.

Information on which parts of Cydia are "new" (have not been seen by a user) is stored purely by device identifier, and not by user authentication account.

(Cydia is provided these UDIDs explicitly by the user, and then "stores" this information under a legal basis of fraud prevention as a payment processor.)

(Information sent to third-party repositories is not sent through Cydia. Information sent to Cydia's repositories validates permissions and is not "stored".)

IP addresses are used and stored by Cydia during the purchasing process, including as an alternative to shipping addresses for some purchase types.

Standard HTTP access logs are kept of requests to Cydia's servers, including the IP address of the user, timestamp, and the URL of the resource accessed.

Connections to Cydia are through third-party content-delivery networks and third-party load balancers; each of these services may log user access.

Cydia is a web browser: most of the content and packages displayed in Cydia come from third-party sites; any of these websites may log user access.

(Cydia believes Amazon does not keep connection logs. CDNetworks keeps temporary logs that we do not access; Cydia is working on getting those disabled.)

(Cydia used to collect IP addresses from purchasers for anti-fraud purposes. While useful, this information was seldom accessed, and is no longer collected.)

Cydia uses cookies to maintain login information over short periods of time. These cookies are required for Cydia's purchasing system to operate at all.

Some third-party services are used for purchase processing and analytics; these services may store cookies that are not under Cydia's direct control.

Cydia is a web browser: most of the content and packages displayed in Cydia come from third-party sites; any of these websites may store cookies.

(The Cydia client doesn't "store" logins across invocations of the application, and these cookies are of course not "stored" on a server, only locally.)

(Cydia has no control over third-party websites and any information provided by the client to these third party websites is not "stored" on Cydia's servers.)

(Cydia used to use third-party analytics providers; however, these were ineffective, were discarding most of the information anyway, and were never accessed.)

To comply with local sales tax laws in the United States and the European Union, Cydia must track the shipping address provided for all purchases.

Vendors selling products through Cydia have access to information from their customer list: name, e-mail address, country or state, and device identifier.

From time to time, Cydia provides aggregate statistics on users to the public in the form of histograms, pie-charts, and color-shaded maps.

(This information is "stored" under the legal basis that Cydia must maintain this information to comply with accounting and tax laws in the EU and US.)

(Aggregate information does not include or rely on personally identifiable information, and is for purposes of being transparent with Cydia's accounting.)

(Cydia is auditing the usage of customer lists provided to vendors, and is likely to discontinue this service given that Cydia is largely no longer used :/.)

The external payment processors used by Cydia (PayPal and Amazon) do not and will not disclose information on users' bank/credit accounts to Cydia.

This means that Cydia does not at any time, even momentarily, have access to credit card or bank account numbers of users using PayPal or Amazon.

If a user opts to "leave my payment information on file", Cydia only stores a token provided by the chosen payment processor: not actual account details.

Users may cancel outstanding account access tokens at any time using the website of the payment provider (currently, this is Amazon Payments).

(As Cydia never has access to payment information, none of this information is "stored"; only the token that the user explicitly requests to be left is "stored".)

Cydia automatically requests the signature hash (aka "SHSH") for a user's device from Apple and stores it for a user's future usage to downgrade/restore.

The information sent to Apple as part of this process is not personal data and has very low entropy: it cannot be used to single out a specific device.

In fact, some users (including Cydia) have on occasion submitted large numbers of "guessed" identifiers to Apple in order to help out other users.

There is no way for a user to prove that the information in the SHSH database actually belongs to them: again, there is no personal detail used as part of it.

(Cydia no longer offers the service of requesting signature hashes and thereby no longer collects and "stores" this information from a user.)

Cydia is a tool that allows third-party repositories to distribute packages and products, each produced by third-party developers, to users and customers.

These third-party products or services may have their own privacy policies; Cydia's privacy policy does not and cannot cover for these third parties.

(Cydia does not provide any service to "store" information on behalf of third-parties and is not involved in implementing any third-party software.)