Aussie contact-tracing app sent no data and is in breach of privacy policy (theregister.co.uk)
6 points by ghuntley on May 7, 2020 | 3 comments


Geoff here. See https://twitter.com/GeoffreyHuntley/status/12581744339796254... for more information. We are putting together our findings for the Australian Senate as a group.

See https://covidsafe.watch/

We need webdevs to send PRs and help out. Jump in Discord.


Correct me if I am reading it wrong, but doesn't the Android source code for COVIDSafe collect and transmit the device ID (Settings.Secure.ANDROID_ID) as part of the registration info when you register? COVIDSafe supports Android 6.0+, but it wasn't until Android 8.0 that Android made this field unique to each combination of app-signing key, user, and device (rather than simply an unanonymized device ID). Device ID isn't mentioned in their privacy policy, so it would be a breach of their privacy policy, right? It would enable them to track your device, in addition to knowing your phone number, name, postcode, age range etc. You can change your phone number, but you can't change your device ID unless perhaps by doing a factory reset of the phone or buying a new phone that uses Android 8.0+.


What kind of help are you looking for?



