Personal or device-identifying data was sent to a host outside the app's own backend (typically analytics/ad SDKs).
How it's exploited
The run captured device or user identifiers (advertising ID, email, location) flowing to a domain that is not yours. That third party can correlate your users across apps and time.
Why it matters
Privacy-policy and regulatory exposure (GDPR/CCPA), store data-safety mismatches, and user trust damage.
How to fix it
Identify the SDK generating the flow (host is in the evidence) and decide deliberately whether you need it.
Configure the SDK's consent/data-minimization options; gate transmission on real user consent.
Update your privacy disclosures and store data-safety forms to match actual traffic.