Ping — Privacy Policy

                Our commitment: Ping is built around a simple idea — check-ins are private to you and the people you choose to share them with. We don't run a backend that stores your check-ins. We don't sell data. We don't run ads. We don't have servers. There is nothing about you in a database we control.
            

1. Introduction

Ping is published by Smart Kiitös Oy (Finnish business ID 3231458-1). This policy explains what information Ping touches, where it lives, and what choices you have.

If anything is unclear, email us: [email protected]

2. What We Collect

Short version: we don't run a server that collects your data.

Ping has no Smart Kiitös-operated backend that stores your check-ins, mood, photos, notes, or social graph. We don't have a database with your name in it.

What this means in practice:

Your data lives on your iPhone (local) and in your own iCloud (synced).
We cannot read your check-ins, even if we wanted to.
We cannot recover lost data — if you sign out of iCloud and delete the app, your data is gone.

The one path that sends data outside your device + iCloud is the Report flow (see Section 6). That flow uses your default Mail app to email our support address. Nothing else leaves the device.

3. What's Stored Locally

Ping uses SwiftData inside an App Group container on your device to store:

Your name and emoji avatar (you provided)
Your check-in window settings (start hour, end hour, active days)
Your check-in history (mood, optional note, optional photo, timestamp)
Your friend list metadata (display names from CKShare invites, friendship streak counts, last-nudge timestamps)
Your emergency contact list (name, phone, relationship, escalation timing)

This data stays on your device. The app does not send it to any server we operate.

4. What's Synced Between You and Friends (via CKShare)

When you add a friend in Ping, the app creates a CloudKit Share (CKShare) under your own iCloud account. Your check-ins are written into that shared CloudKit zone. Your friends' devices read from that zone using their own iCloud credentials.

Important properties of this design:

Data is stored on Apple's iCloud infrastructure, governed by Apple's privacy policy. We do not see it.
Only CKShare participants (people you explicitly invited) can read your shared check-ins.
CKShare invitations carry your display name and emoji so participants know who is sharing with them. We do not read your iOS Contacts to populate this.
Photos in your check-ins are stored as CloudKit assets in the shared zone. They are accessible to share participants only.

When you remove a friend (long-press a friend card → "Block & remove"), Ping calls CKShare.removeParticipant. The friend's device loses read access; their existing local copies of past check-ins remain on their device unless they delete them.

5. Subscription Data

Ping Pro purchases run through Apple StoreKit. We never see your Apple ID, payment method, billing address, or any payment details. Apple sends Ping a receipt token; we use it only to verify locally that the subscription is active.

Apple's privacy policy applies to subscription data: apple.com/legal/privacy.

6. Report Flow (the only path that emails out)

If you report a friend for abusive content (long-press friend → "Report"), Ping opens your default Mail app with a prefilled message to [email protected]. The email body contains:

The reason you selected (Spam / Harassment / Sexual / Hate / Other)
The reported friend's CloudKit record ID (an opaque identifier — not the friend's name)
Your own user ID (so we can match the report to the share relationship)
App version, iOS version, device model, and timestamp (so we can debug)

The email does not include the friend's name, your name, or any check-in content. We respond to reports within 24 hours per the Terms of Service.

If your device has no Mail account configured, Ping shows an alert with a "Copy support email" action so you can email us another way.

7. What We Don't Do

                We collect nothing. Ping has no servers, no analytics, and no way to access your data.
            

Ping does not:

Run a third-party analytics SDK (no Firebase, Mixpanel, Amplitude, etc.)
Show advertisements
Use third-party advertising or tracking SDKs (no AppsFlyer, Adjust, Branch, etc.)
Read your iOS Contacts (we use CKShare metadata only for friend names)
Read your location or use GPS
Read your full Photo Library (PhotosUI shows the picker; only the photo you select enters the app)
Read your microphone, calendar, or other system data
Sell, rent, or share your data with third parties

The App Store privacy "nutrition label" for Ping reflects this: minimal data linked to you, no data used for tracking.

8. Children

Ping is not intended for children under 13. Some regions require a higher minimum age. We do not knowingly collect personal data from children under 13.

If you believe a child under 13 is using Ping, contact [email protected] and we will help remove the account. Apple's Family Sharing and parental controls are the proper tools for managing children's app access.

9. Data Retention & Deletion

Your data is retained as long as it lives in your iCloud and on your device.

To delete your local data

Delete the Ping app from your iPhone. Local SwiftData and the App Group container are removed by iOS.

To remove yourself from shared data

Open each CKShare you participate in (under iOS Settings → [Your Apple ID] → iCloud → Manage Storage → CloudKit, or directly from inside Ping by removing each friend) and remove yourself.

Friends you previously shared with retain their local copies of your past check-ins until they delete the app or remove the share on their end. We cannot reach into another user's iCloud to delete your past check-ins.

To delete iCloud-stored data entirely

Sign out of iCloud after deleting the app, or use Settings → [Your Apple ID] → iCloud → Manage Storage to remove Ping's CloudKit data.

We don't keep server-side copies, so there's no central account for us to delete.

10. International Transfers

Ping data lives in Apple iCloud regions. Apple chooses the storage region based on your Apple ID's country setting and Apple's infrastructure decisions. Apple's data transfer practices apply.

Because Ping does not operate its own servers, no Smart Kiitös-controlled cross-border transfer happens.

11. Security

Transport: All CloudKit traffic uses TLS by Apple's defaults.
At rest: Data on your device is encrypted using Apple's standard on-device encryption (the iPhone's data protection class).
Authentication: Access to shared data requires a valid iCloud account. CKShare participation is enforced by Apple's CloudKit access control.

We rely on Apple's platform security. We do not have a custom server attack surface because we do not have a custom server.

If you discover a security issue, please email [email protected]. We respond to security reports within 24 hours.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. For material changes, we'll notify you in-app on next launch.

Continued use of Ping after changes take effect means you accept the updated policy.

13. Contact

Email: [email protected]

For privacy questions, data deletion help, security reports, or any other concern. We respond within 24 hours.