SecureMe scans your Android phone for publicly known vulnerabilities (secureme.securitycompass.com)
6 points by rambot 3928 days ago
1 comments

Before you send all your APKs to this company - who are they?

What laws are they subject to?

From the talk they are doing about this at AppSecUSA (http://sched.co/3VgM):

    The only information which gets accessed and transmitted are listed below:

        1. Application Name
        2. Application Package Name
        3. Application Version Number
        4. Application Version Name
        5. SecureMe – Droid Search Depth setting (1-5 only)
        6. SecureMe – Droid Vulnerability Details settings (1 or 0)

You aren't sending anyone your APKs. The application exists to make searching Mitre's CVE database more convenient and automagic.

The developers are security consultants at Security Compass. The application is hosted in Montreal, Canada. (I work there as well, and can ask them to add an FAQ about this stuff.)

Any chance of opening up the code for the client app? Given that the database is basically your golden egg, and given that this is security software, it would make sense to open it up.

I am a member of the team behind SecureMe Droid. Right now we don't plan on open sourcing the Android code. But I would like to mention that the source code is not obfuscated.