What we collect, why, and how to delete it
Privacy policy
Last updated 14 May 2026
This policy explains what data Pond collects, why, where it lives, and what you can do about it. We try to keep it short, plain, and honest. Pond is a small social app for sharing short video and photo "drops" with people you choose. We aim to collect the minimum data the app needs to work.
1. Data we collect
Account data
- Email and password, or Sign in with Apple. Used to sign you in. Passwords are not stored by us — they are managed by Firebase Authentication (Google) using salted hashes. If you choose Sign in with Apple, Apple may return a private-relay email; we treat that like any other email on file and don't try to unmask it.
- Display name, username, optional bio, optional location label, optional avatar. Visible to other Pond users you've joined a pool with.
- User ID (UID). An opaque identifier issued by Firebase Authentication that ties your records together.
Content you create
- Drops. Short videos (with audio) and photos you record using the in-app camera, or images you pick from your device's photo library through the system picker. Recording uses your camera and, for videos, your microphone — both gated by the system permission prompts at first use, and revocable at any time from your device settings. Each drop has an optional caption and a "muted" flag that hides audio during playback. Files are stored in Firebase Storage under clips/<your-uid>/.
- Avatars. Profile photos you upload, stored in Firebase Storage under your UID.
- Pool membership and metadata. Pool name, members, invite code, and the drops shared into the pool.
- Messages and reactions. Text replies, quoted clip context, and emoji reactions on drops and messages.
- Vlog exports. When you export a day from your My pond, the server stitches that day's drops into a single mp4 and writes it to Firebase Storage under vlog-exports/<your-uid>/ so you can download or share it. Only you can read your own exports.
- Moderation reports and blocks. When you tap Report on a drop, message, or pool member, we store the report you submitted (target, pool, and reason). When you block another user, we store their UID under users/<your-uid>/blockedUsers/ so the app can hide their content from you. You can review and unblock from Profile → Blocked Users.
Device and notification data
- Push token. If you opt in to notifications, Pond stores an Expo / FCM / APNs push token for the current device so we can send "new drop" alerts. The token is tied to your UID and the device, not to your name or email. You can disable it any time from the Profile screen — we mark the token disabled and stop sending to it. Tokens that fail repeatedly are removed automatically.
- App version and platform (iOS / Android). Sent with some requests so we can support old builds and roll out fixes.
- Locally cached media. Drops you watch are cached on your device under a 200 MB LRU cache to avoid re-downloading. Cache stays on your device. You can clear it any time from Profile → Storage.
- Saving drops to your Photos library. If you choose to save a drop or a vlog export, Pond writes a copy into your device's Photos library. The saved copy lives only on your device; Pond does not read your Photos library back.
Crash and diagnostic data (Sentry)
We use Sentry to record errors and crashes so we can fix them. The Sentry SDK is initialized inside the app and may capture:
- The error and its stack trace.
- Non-personal context tags such as flow, reason, errorCode, mediaKind, captionLength, destinationLogCount, platform, and the app version.
- Breadcrumbs — recent in-app events leading up to the error (e.g. "camera became ready", "retrying capture").
- Coarse device info supplied by the Sentry SDK (OS version, device model class, locale).
We deliberately do not attach person-tied identifiers (email, username, UID, profile fields, person-tied IDs, tokens) to Sentry events. Person-tied IDs are kept only in the device's developer console under __DEV__ and never leave the device. Sentry events are stored on Sentry's infrastructure under our project and retained according to Sentry's defaults (typically 90 days).
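To illustrate how the "no person-tied identifiers in crash reports" rule above can be enforced mechanically rather than by convention, here is an added example (not Pond's own code) of an allowlist scrubber shaped like the Sentry JavaScript SDK's beforeSend hook; the tag name app_version and the sample event values are assumptions, not taken from the app.

```javascript
// Added example, not Pond's code: an allowlist scrubber in the shape of the
// Sentry JS SDK's beforeSend hook (Sentry.init({ beforeSend: scrubEvent })).
// The tag name app_version and the sample values used to exercise it are
// assumptions; the tag names below are the ones the policy lists.

// Context tags the policy names as non-personal; any other tag is dropped.
const ALLOWED_TAGS = new Set([
  "flow", "reason", "errorCode", "mediaKind", "captionLength",
  "destinationLogCount", "platform", "app_version",
]);

// Person-tied keys the policy says must never reach Sentry.
const PERSON_KEYS = /^(email|username|uid|user_?id|displayName|token|pushToken)$/i;

// Values that look like an email address are redacted whatever their key.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

function scrubValue(key, value) {
  if (PERSON_KEYS.test(key)) return undefined;            // drop the field
  if (typeof value === "string") return value.replace(EMAIL_RE, "[redacted]");
  if (value && typeof value === "object") return scrubObject(value);
  return value;
}

// Recursively scrubs objects and arrays (extra, contexts, breadcrumb data).
function scrubObject(obj) {
  if (Array.isArray(obj)) return obj.map((v) => scrubValue("", v));
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    const s = scrubValue(k, v);
    if (s !== undefined) out[k] = s;
  }
  return out;
}

// beforeSend receives the event and returns the event to send (or null to
// drop it). This returns a copy with person-tied data removed.
function scrubEvent(event) {
  const clean = { ...event };
  delete clean.user;                                      // never send the user object
  clean.tags = {};
  for (const [k, v] of Object.entries(event.tags || {})) {
    if (ALLOWED_TAGS.has(k)) clean.tags[k] = v;           // allowlist, not denylist
  }
  if (event.extra) clean.extra = scrubObject(event.extra);
  if (event.breadcrumbs) clean.breadcrumbs = scrubObject(event.breadcrumbs);
  return clean;
}
```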
Analytics
Pond does not initialize any product analytics SDK and does not record analytics events about your behavior. If we add product analytics in the future, we will update this policy and announce the change in the app before turning it on.
Things we do not collect
- Your contacts, calendars, or location (the optional "location label" in your profile is just a free-text string you type in).
- Advertising identifiers (IDFA / GAID). Pond shows no ads and runs no third-party ad SDKs.
- Tracking across other apps or websites.
2. Where your data lives
Pond runs on Firebase (Google) and a small set of services:
- Firebase Authentication — email + password sign-in.
- Cloud Firestore — profiles, pools, messages, reactions, push-token records, rate-limit counters, remote-config, and your blocked-users list. Reads and writes are gated by Firestore Security Rules so only the right user can see them.
- Firebase Storage — drop video and photo files, avatars, and server-compiled vlog exports of your My pond. Access is gated by Storage Security Rules. Download URLs use Firebase Storage tokens; the app caches them client-side for up to seven days and re-issues if a token is rotated.
- Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs), via Expo Push, to deliver notifications.
- Firebase Cloud Functions — server-side checks (drop quota, finalization, feedback intake, moderation-report intake).
- Sentry — error and crash reports, as described above.
- GitHub — feedback you submit through the in-app Send feedback form is filed as an issue in a private GitHub repository that only the Pond team can read. We append your Firebase user ID (UID) — an opaque identifier, not your email or username — to the bottom of the issue body so we can route follow-ups to the right account. Your email and username are not posted. Moderation reports you file from inside the app (the Report action on a drop, message, or pool member) are filed into the same private repository and additionally include the reporter's UID, the reported user's UID, the pool ID, and the reason you selected.
Firebase data may be processed in any Google Cloud region. Sentry events are processed on Sentry's infrastructure. Push tokens are relayed through Expo, FCM, and APNs.
3. Why we collect it
- To run the app. Sign-in, posting drops, joining pools, sending messages, showing your timeline — all require the data above.
- To deliver notifications you've opted into.
- To diagnose crashes and fix bugs (Sentry).
- To enforce safety and rate limits — feedback rate-limit docs, drop quotas, content filtering, and moderation reports, to keep the service usable for everyone.
- To respond to you when you send feedback or report a problem.
We do not sell your data. We do not use your data for advertising or for training third-party AI models.
4. Who can see what
- Your profile fields (display name, username, bio, location label, avatar) are visible to other Pond users who share a pool with you.
- Your drops, captions, and chat messages are visible to the members of the pools you posted them into.
- Your "My pond" timeline (the personal index of every drop you've recorded) is visible only to you.
- Your blocked-users list is visible only to you.
- Email and push tokens are never shown to other users.
5. How long we keep it
- Profile, pool, drop, message, and reaction data — kept while your account is active.
- Push-token records — kept while the token is registered. Disabled and stale tokens are removed.
- Sentry events — retained per Sentry's project defaults (typically up to 90 days).
- Server logs — short-lived (typically 30 days) and used only for operations and abuse defense.
- Locally cached media — capped at 200 MB on your device and managed by an LRU policy.
- Moderation reports — kept as long as we need them to review the report and (where warranted) act on it. After action they may be retained in our private issue tracker for audit and pattern analysis.
6. Deleting your account and data
You can delete your account at any time:
- Open the app and go to Profile.
- Tap Delete Account at the bottom of the screen.
- Confirm. The app will start the deletion flow.
When you delete your account we:
- Delete the Firebase Authentication record for your UID, so no one can sign back in as you.
- Delete your profile document, your "My pond" index, your registered push tokens, your blocked-users list, and your membership in the pools you joined.
- Delete every pool you created — including the drops and messages other members posted into it. Members of those pools lose access at the same time, so consider transferring or warning them before you delete your account if a pool matters to them.
- Delete your drop files, avatar, and any server-compiled vlog exports from Firebase Storage under your UID.
- Cancel rate-limit counters tied to your UID (feedback, interaction, vlog export, and account-deletion).
When you confirm deletion in the app, the steps above run immediately — there is no holding period. The 30-day window further down applies only to the offline fallback for users who can't reach the in-app flow, and to backup-tape rotation.
Some content cannot be removed automatically because it is intertwined with other people's experience: chat messages and reactions you've sent into pools may remain visible to that pool, with your name replaced by "Former member"; cached copies of your drops on other members' devices stay until their local cache rotates them out (capped at 200 MB, LRU). Operational logs and Sentry events age out per the schedule above.
Backups may keep copies for up to 30 days after deletion before they are fully overwritten.
If you can't reach the in-app delete flow (for example, you've lost access to the device), you can request deletion via the in-app Send feedback form on another device. We will verify ownership through your registered email and complete the deletion within 30 days.
7. Children
Pond is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it.
Some regions set a higher digital age of consent — in parts of the EEA, for example, processing a minor's personal data requires parental consent below age 16. In those regions you must meet your local minimum age, or have a parent or guardian's consent, to use Pond.
8. Security
We use HTTPS for all network traffic. Firestore and Storage Security Rules restrict reads and writes to the right user, with separate rules for get versus list on most collections. Passwords are managed by Firebase Authentication, which stores salted hashes. We log access at the SDK boundary only, with person-tied identifiers (email, username, UID) kept out of remote crash reports. No system is perfectly secure, but if a breach affects you, we will notify you in line with applicable law.
9. Your rights
Depending on where you live (e.g. EEA, UK, California), you may have the right to access, correct, port, or delete your personal data, and to object to or restrict certain processing. To exercise any of these rights, contact us through the in-app feedback form. We will verify ownership through your registered email before acting on a request.
California residents: Pond does not "sell" or "share" your personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding 12 months. You have the right to know, delete, correct, and limit the use of your information; the paragraph above describes how to exercise it.
10. International transfers
If you use Pond from outside the regions where Firebase, Sentry, Expo, FCM, or APNs operate, your data will cross borders to those regions. We rely on the providers' standard contractual clauses or equivalent safeguards.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be announced in the app or by email before they take effect.
12. Contact
For privacy questions, data requests, or account deletion: open the Profile tab and tap Send feedback, or email us at pond-eng@googlegroups.com.