Punchlist Privacy Policy
Last Updated: July 12, 2026
See also: Terms of Service
This Privacy Policy explains how the Punchlist iOS app (com.domoretech.punchlist, the "App") and its open-source companion package punchlist-mcp handle information. It is provided by DoMore Tech LLC ("DoMore Tech," "we," "us"), the developer and publisher of the App and, where data-protection law uses the term, the "data controller" for the limited data described in Section 4.7 (analytics and crash reporting). Your use of the App is also governed by our Terms of Service.
1. The Short Version
- Your recordings stay in your hands. Screen recordings, screenshots, audio, and transcripts are created and stored on your device. If you turn on optional cloud sync, they go to your own private iCloud database — which we cannot access. If you pair a computer, they go to your own computer over your local network. DoMore Tech operates no server that receives your recordings, and we never see their contents.
- Transcription happens on your device. Speech recognition uses Apple's on-device recognizer (with the on-device-only flag set) or an optional on-device whisper.cpp model. Your narration is not sent to us or to a speech-recognition cloud service by the App.
- We collect a small amount of anonymous-style usage and crash data through Google Firebase Analytics and Crashlytics (details, including the events we log, in Section 4.7). In the EEA and UK this is off unless you opt in; elsewhere it is on by default and you can turn it off at any time in Settings (Section 7). No screenshots, transcripts, or audio are ever included in analytics or crash reports.
- Tester feedback is the one exception. If a developer invites you as a tester for their app and you accept, the feedback sessions you record and choose to send go to that developer's iCloud — screenshots and the text transcript of your narration only, never your video or audio. You consent first, can review before sending, and can retract afterward; even then, DoMore Tech never receives them. See Section 4.9.
- No accounts. No ads. No tracking across apps. No sale of data. No IDFA.
2. Scope
This policy covers the App and the punchlist-mcp package we publish. It does not cover third-party services you choose to use with your session data — in particular, any AI/LLM provider or coding assistant you feed your sessions to. Those services have their own privacy policies, and what you share with them is your decision and outside our control.
3. How Punchlist Is Built (Architecture)
Punchlist records your device's screen system-wide via an Apple ReplayKit broadcast extension while you narrate, transcribes your narration on-device, and produces a session bundle containing:
manifest.json— session metadata plus the full transcript text with word timestamps;- screenshot PNGs of detected screens;
recording.mp4— the screen-recording video;audio.m4a— the raw microphone audio;- for crash-diagnostic sessions, a
crash_diagnostic.jsonfile.
Because the recording is system-wide, a session can capture any app on your screen, notifications, audio from other apps, and anything your microphone hears — including other people. See Section 9 on incidental third-party data.
All of this is stored locally in the App's container on your device. It moves off your device only through opt-in channels: the two described in Sections 4.3 and 4.4, which deliver data to destinations you own and control, and — if you accept an invitation to be a tester for another developer's app — the tester-feedback channel described in Section 4.9, which delivers your feedback submission to that developer.
4. Data We Handle, Category by Category
4.1 Recordings, screenshots, transcripts, and audio (your content)
Created and stored on your device only, unless you enable an opt-in transfer channel below. DoMore Tech never receives this content. Raw microphone audio (audio.m4a) remains in the session folder on your device until you delete the session. The App does not create or retain any voiceprint or other biometric identifier; audio is processed only to produce a text transcript.
4.2 Local storage and deletion
Sessions live in the App's private App Group container on your device, protected by iOS's default file protection (encrypted at rest by the operating system; the App does not add its own passphrase layer). Deleting a session in the App deletes its entire folder. If cloud sync is on, the deletion also deletes the corresponding record from your iCloud database (queued and retried if you are offline).
4.3 Optional iCloud sync (off by default)
If you turn on cloud sync, the App uploads to the CloudKit private database in your own iCloud account (container iCloud.com.domoretech.punchlist):
- a zip of the session's screenshots;
- the session's
manifest.json, which includes the full transcript text; - metadata: session ID, a random per-install 8-character device identifier, your device's marketing name (e.g., "iPhone 16 Pro"), app version, the name of the app the session is about, timestamps, and entry/size counts.
Video and raw audio are never uploaded to iCloud. Your private iCloud database is controlled by your Apple account; DoMore Tech has no ability to read its contents. Turning cloud sync off will delete the App's entire zone — all synced sessions — from your iCloud database. That deletion cannot reach copies already fetched to your computers or remote environments (Section 4.5); only you can delete those. iCloud is provided by Apple under Apple's privacy terms (Section 6).
4.4 Optional local-network transfer (off by default)
You can pair the App with a computer you own on your local network. Pairing uses a 6-digit code exchanged for an access token over a TLS-encrypted connection (see Section 11 for security details). A paired computer can download the full session bundle, which — unlike iCloud sync — includes the raw microphone audio (audio.m4a) and any crash-diagnostic file.
Plain statement about your audio: your narration audio recording never leaves your device, except when you yourself transfer a full session bundle over your local network to a computer you have paired. It is never sent to DoMore Tech or uploaded to iCloud by the App (the text transcript of your narration, however, does sync to your iCloud if you enable cloud sync — see Section 4.3).
4.5 The punchlist-mcp package (runs on your own computer)
The open-source punchlist-mcp package pulls sessions from your phone over the local network or from your iCloud database via Apple's CloudKit Web Services. On your computer it:
- caches fetched session data at
~/.punchlist-mcp/cache; - stores its secrets (device pairing tokens and, if you use it, the iCloud web-authentication token) in the macOS login Keychain (service
punchlist-mcp), with~/.punchlist-mcp/config.jsonholding only references to the Keychain entries; on other platforms and in headless/remote environments, where no Keychain is available, secrets fall back to plaintext storage inconfig.jsonwith owner-only (0600) file permissions. Existing plaintext configurations are migrated to the Keychain automatically on first load on macOS.
It also offers a user-initiated export_icloud_credentials tool that obtains a CloudKit Web Services web-authentication token via Apple ID sign-in in your browser and prints it as environment variables so you can use it in a remote, headless, or CI environment. Treat that token like your password. It is a web-authentication token tied to your Apple ID's CloudKit web session — treat it as granting whatever access that session grants, not merely access to this App's data — and anyone who has it can, at minimum, read the sessions you have synced. Only export it deliberately, only paste it into environments you trust, and revoke it when you are done: sign out of the associated iCloud web session, or rotate your Apple ID sessions (for example, by changing your Apple ID password), to invalidate it.
Important: deleting a session on your phone does not delete copies already fetched to your computers or remote environments, and anything you hand to an LLM or agent is governed by that provider's terms, not ours. You manage those copies.
4.6 Identifiers
- No accounts, no email addresses, no phone numbers. The App has no sign-up.
- No advertising identifier (IDFA) and no identifierForVendor.
- A random 8-character device identifier is generated on install (from a secure random source) and used solely to tell your devices apart in your own iCloud data. It is not derived from your hardware and cannot identify you to us.
- Session metadata and crash reports include your device model marketing name, OS version, and app version.
4.7 Analytics and crash reporting (Google Firebase)
The shipped App (main app only, not the broadcast extension) includes Google Firebase Analytics and Crashlytics. The complete list of custom analytics events we log is:
| Event | Parameters |
|---|---|
session_saved | session type, entry count |
session_processed | source (e.g., LAN or cloud) |
device_paired | — |
crash_report_filed | — |
cloud_upload | success (true/false) |
In addition to these custom events, Firebase automatically collects standard events and telemetry — such as first_open, session_start, and screen_view, along with an app-instance identifier and device/usage metadata — as described in Google's privacy documentation (Section 6).
This is your choice. In the EEA and UK, analytics and crash sharing is off by default and only ever starts if you opt in (during onboarding or later in Settings). Everywhere else, it is on by default and Settings includes a "Share anonymous usage & crash reports" toggle; turning it off immediately stops both Firebase Analytics and Crashlytics collection. Details in Section 7.
No screenshot, transcript, video, or audio content is ever included in analytics events. Crashlytics sends crash stack traces and device metadata (device model, OS version, app version, and similar diagnostics) to Google when the App crashes. A Google ads-related SDK component is present transitively via Firebase, but advertising features are disabled: the App shows no ads, requests no App Tracking Transparency permission, and does no cross-app tracking.
Separately, Apple's MetricKit framework provides the App with crash diagnostics on-device; the App turns these into "crash sessions" that flow through the same local pipeline as your other sessions (they stay on your device unless you sync or transfer them, like any session).
4.8 Speech-model downloads (Hugging Face)
If you choose the optional whisper.cpp transcription engine, the App downloads model files from huggingface.co. This is a download only: no recordings, transcripts, or personal data are sent to Hugging Face. Like any web download, Hugging Face's servers see your IP address when serving the file.
4.9 Tester Feedback Mode (sharing a session with an app's developer)
Tester Feedback Mode is an optional feature that lets a developer invite other people ("testers") to record feedback sessions on the developer's app and send them to the developer. It is the one part of Punchlist where a session you record is delivered to another person rather than staying only in your own hands. It is off unless you are invited: a developer creates a "feedback group" for their app and shares an invite link (an Apple CloudKit share URL); opening that link adds the shared app to your Apps screen, marked as a feedback group.
If you are a tester (you accepted an invite):
- Consent first. Before your first feedback capture, the App shows a consent screen explaining what is captured, that it goes to the app's developer (not to DoMore Tech), that your spoken narration is included as text, and that the group expires after 90 days. You must agree to proceed.
- What your submission contains: the screenshots of the screens you visited and the session
manifest.json(session metadata plus the full text transcript of your narration) — and nothing else. Your screen-recording video and raw microphone audio are never included; no video file and no audio file leave your device through this feature. - Where it goes: your submission is uploaded into the developer's own iCloud (a shared area of the developer's private CloudKit database). It counts against the developer's iCloud storage, not yours; submitting never uses your iCloud storage. The recipient is the developer who invited you — DoMore Tech does not receive, host, or access your submission.
- Review before sending: you can review the captured screens and transcript and drop frames or the whole session before anything is sent, and you can decline to send.
- Retraction: after you send a session you can retract it, which deletes that session's record from the developer's iCloud. Retraction cannot reach a copy the developer has already fetched to their own computer or tools — once fetched, that copy is outside the App's control, the same as any file someone has already downloaded.
- Block/leave: the developer can remove you from the group at any time, which ends your access and stops further submissions; you can also leave the group yourself.
- Only the inviting developer receives your submissions through the App.
If you are a developer (you invited testers):
- Tester submissions arrive in your own iCloud and are yours to triage. Because you are receiving other people's recordings of feedback, you — not DoMore Tech — decide what to do with them, and you are responsible for handling them lawfully, including any personal information they contain about the tester or others (see the Terms of Service).
- You can end or process a session, remove a tester, or delete the whole group; doing so deletes the affected tester submissions from your iCloud. Copies you have already fetched to your computer or other tools are managed by you.
- A group is limited to the platform's maximum of testers per group (currently 100, set by Apple's CloudKit sharing limit).
Retention and auto-deletion: a feedback group automatically expires 90 days after it is created. At expiry the invite is revoked and the tester-submitted records are deleted from iCloud. A developer can also end/process a session or delete the group sooner, and a tester can retract a sent session — each of which deletes the corresponding record from iCloud earlier. As always, copies already fetched to a computer are outside the App's reach.
DoMore Tech's role is unchanged: we still operate no server that receives these sessions and cannot see their contents. The data moves between a tester's device and the inviting developer's iCloud using Apple's CloudKit sharing, both outside our access.
5. What We Do NOT Do
- We do not require or offer accounts, and we collect no names, emails, or contact details through the App.
- We do not receive, store, or access your recordings, screenshots, transcripts, or audio.
- We do not sell or rent personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined in the California Consumer Privacy Act).
- We show no ads, use no ad networks, and do no tracking across other companies' apps or websites (no IDFA/ATT).
6. Third-Party Service Providers
| Provider | What it does for the App | Data involved | Privacy policy |
|---|---|---|---|
| Google (Firebase Analytics, Crashlytics) | Usage analytics and crash reporting | Events in Section 4.7, crash stack traces, device metadata, app-instance identifiers | firebase.google.com/support/privacy |
| Apple | iCloud/CloudKit (your private database), on-device speech recognition, ReplayKit screen recording, MetricKit crash diagnostics, App Store distribution | Your synced sessions (in your iCloud account, not accessible to us); on-device processing | apple.com/legal/privacy |
| Hugging Face | Hosts optional whisper.cpp speech-model files for download | Download request only (IP address to serve the file); no user content sent | huggingface.co/privacy |
7. Legal Bases for Processing (GDPR/UK GDPR)
Where the EU or UK General Data Protection Regulation applies, our legal bases are:
- Your recordings and session content: processed by software running on your device and moved only to destinations you own, at your instruction. To the extent this involves us at all, the basis is performance of a contract (providing the App you asked for); in substance, you — not we — hold this data.
- Optional iCloud sync and local-network transfer: consent, given by your affirmative act of enabling each feature (both are off by default), withdrawable at any time by turning the feature off (turning off iCloud sync will also delete the App's data from your iCloud database).
- Analytics and crash reporting (Section 4.7) — in the EEA and UK: your consent. If your device's region is in the European Economic Area or the United Kingdom, analytics and crash sharing is off by default and is enabled only if you opt in. You can withdraw consent at any time by turning it off in Settings.
- Analytics and crash reporting — elsewhere: our legitimate interests in understanding aggregate usage and fixing crashes in a free indie app, balanced by strict data minimization (no content, no advertising identifiers, no cross-app tracking) and by an opt-out you can exercise at any time.
Your analytics choice, region by region:
- EEA and UK (opt-in): on first launch, the onboarding screen offers an optional "Share anonymous usage & crash reports" toggle, off by default, with the note "Optional — helps fix bugs. Never includes your recordings or transcripts. Change anytime in Settings." Nothing is sent to Firebase — not even the automatic
first_openevent — unless and until you turn it on. Your region is determined from your device's locale region setting (EU member states plus Iceland, Liechtenstein, Norway, and the United Kingdom). - Everywhere else (opt-out): sharing is on by default, with no onboarding prompt; the same "Share anonymous usage & crash reports" toggle is in Settings > Privacy.
In both cases: turning the toggle off immediately stops both Firebase Analytics and Crashlytics collection, and turning it on re-enables them. Under the hood, collection is disabled at app launch (via configuration keys) until the App applies your stored choice, so data is never collected contrary to your setting; your choice is made once and is not reset by app updates. If you stop sharing, you can also ask us to have Google delete the analytics data already associated with your app instance (Section 8).
8. Data Retention and Deletion
- On your device: sessions are kept until you delete them in the App; deleting a session removes its entire folder, including raw audio.
- Your iCloud database: synced sessions are kept until you delete the session (deletion propagates to iCloud, queued if you are offline) or disable cloud sync (which will delete the App's entire iCloud zone). Deleting the App's iCloud data is also possible through Apple's iCloud storage management.
- Copies on your computers and remote environments: managed by you. Deleting a session on the phone, or disabling cloud sync, does not — and cannot — delete copies already fetched by
punchlist-mcp(e.g.,~/.punchlist-mcp/cache) or shared with third parties such as LLM providers. Neither we nor the App can reach those copies; only you can delete them, where you put them. - Tester feedback submissions (Section 4.9): if you submit feedback as a tester, your submission is kept in the inviting developer's iCloud until the developer processes or deletes it, you retract it, or the feedback group reaches its 90-day expiry — whichever comes first — at which point the record is deleted from iCloud. Copies the developer has already fetched to their own computer are outside the App's control; only the developer can delete those.
- Analytics and crash data: retained by Google Firebase — our Firebase Analytics retention setting is 14 months for identifier-associated event data, after which it is deleted or aggregated; we do not maintain a separate copy.
9. Recordings May Capture Other People (Incidental Third-Party Data)
Because screen recording is system-wide and the microphone is live, your sessions can incidentally capture other people's information — voices in the room, their messages or notifications appearing on your screen, and content from other apps. The App shows you a one-time notice about this before your first recording, but it has no mechanism to obtain those people's consent for you.
You are the controller of what you record. DoMore Tech never receives or processes the contents of your recordings, and we cannot see, moderate, or delete third-party data inside them. You are responsible for complying with recording-consent, wiretap, and privacy laws that apply to you, and for honoring any request by a recorded person to delete their data from your copies. This is covered in more detail in Section 6 of the Terms of Service.
10. Your Rights
Because your content lives on your own device, your own iCloud account, and your own computers, the most important rights — access, portability, and deletion — are self-service: open the App and your files, export or delete sessions, disable sync, and delete cached copies on your computers.
For the limited data we are responsible for (analytics and crash reporting):
- GDPR / UK GDPR: you have rights of access, rectification, erasure, restriction, objection (including to legitimate-interests processing such as analytics — the quickest way to object is the Settings toggle described in Section 7), and portability, and the right to lodge a complaint with your supervisory authority (or the UK ICO). Contact us at [email protected] to exercise them; note that analytics data is not linked to your name or contact details, so we may need you to provide technical identifiers (or we may be unable to identify your data at all, in which case we will tell you).
- California (CCPA/CPRA): you have the right to know, delete, and correct personal information, and the right to non-discrimination for exercising your rights. We do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of under "Do Not Sell or Share." We also do not use or disclose sensitive personal information for purposes requiring a right to limit.
- Other jurisdictions: we will honor analogous rights under other applicable privacy laws (e.g., other U.S. state laws, PIPEDA) on request.
11. Security
- Local network transfer: TLS-only in-app server (it refuses to start without a TLS identity), a P-256 identity stored in the iOS Keychain, certificate pinning established at pairing (trust-on-first-use — so the first pairing should be done on a network you trust), 6-digit pairing codes exchanged for 32-byte bearer tokens, HMAC-signed requests with replay (nonce) protection, and throttling against pairing brute-force attempts.
- On device: iOS's built-in file protection encrypts session data at rest; the App does not implement an additional passphrase layer.
- On your computer: on macOS,
punchlist-mcpstores pairing tokens and iCloud web-auth tokens in your login Keychain (servicepunchlist-mcp); on other platforms and in headless/remote environments it falls back to a plaintext file readable only by your user account (0600) — protect those environments accordingly. The credential-export tool shows a security warning with revocation guidance at export time; treat exported iCloud web-auth tokens like passwords (Section 4.5).
No system is perfectly secure; the design goal is that even a breach of DoMore Tech could not expose your recordings, because we never have them.
12. International Data Transfers
Your session content is transferred only where you send it (your iCloud account, your computers). The analytics and crash data described in Section 4.7 is processed on Google's global infrastructure, and iCloud data is processed on Apple's infrastructure, which may involve transfers to the United States and other countries. Google and Apple maintain recognized transfer safeguards (such as EU Standard Contractual Clauses and, where applicable, EU–US Data Privacy Framework participation) as described in their privacy documentation linked in Section 6.
13. Children's Privacy
Punchlist is a developer tool and is not directed to children. It is not intended for use by anyone under 13 (or under 16 in the EEA/UK, or the applicable minimum age where you live), and we do not knowingly collect personal information from children. If you believe a child has used the App and analytics data may have been collected, contact us at [email protected] and we will work to delete it.
14. Changes to This Policy
We may update this policy as the App evolves (for example, if we add features that change how data flows, or introduce paid features). Material changes will be announced with reasonable notice — in the App, in release notes, or where this policy is published — and the "Last Updated" date above will change. Earlier versions are available on request.
15. Contact
DoMore Tech LLC — developer and publisher of Punchlist
Address: 2222 W Grand River Ave, Ste A, Okemos, MI 48864
Email: [email protected]
Phone: 517-649-1260
Questions, privacy-rights requests, and complaints about the App should be directed to DoMore Tech at the address above. Apple is not a party to, and is not responsible for, the App's privacy practices; the agreement governing your use of the App is between you and DoMore Tech only, as described in the Terms of Service.