Punchlist Privacy Policy

Last Updated: July 12, 2026

This Privacy Policy explains how the Punchlist iOS app (com.domoretech.punchlist, the "App") and its open-source companion package punchlist-mcp handle information. It is provided by DoMore Tech LLC ("DoMore Tech," "we," "us"), the developer and publisher of the App and, where data-protection law uses the term, the "data controller" for the limited data described in Section 4.7 (analytics and crash reporting). Your use of the App is also governed by our Terms of Service.

1. The Short Version

2. Scope

This policy covers the App and the punchlist-mcp package we publish. It does not cover third-party services you choose to use with your session data — in particular, any AI/LLM provider or coding assistant you feed your sessions to. Those services have their own privacy policies, and what you share with them is your decision and outside our control.

3. How Punchlist Is Built (Architecture)

Punchlist records your device's screen system-wide via an Apple ReplayKit broadcast extension while you narrate, transcribes your narration on-device, and produces a session bundle containing:

Because the recording is system-wide, a session can capture any app on your screen, notifications, audio from other apps, and anything your microphone hears — including other people. See Section 9 on incidental third-party data.

All of this is stored locally in the App's container on your device. It moves off your device only through opt-in channels: the two described in Sections 4.3 and 4.4, which deliver data to destinations you own and control, and — if you accept an invitation to be a tester for another developer's app — the tester-feedback channel described in Section 4.9, which delivers your feedback submission to that developer.

4. Data We Handle, Category by Category

4.1 Recordings, screenshots, transcripts, and audio (your content)

Created and stored on your device only, unless you enable an opt-in transfer channel below. DoMore Tech never receives this content. Raw microphone audio (audio.m4a) remains in the session folder on your device until you delete the session. The App does not create or retain any voiceprint or other biometric identifier; audio is processed only to produce a text transcript.

4.2 Local storage and deletion

Sessions live in the App's private App Group container on your device, protected by iOS's default file protection (encrypted at rest by the operating system; the App does not add its own passphrase layer). Deleting a session in the App deletes its entire folder. If cloud sync is on, the deletion also deletes the corresponding record from your iCloud database (queued and retried if you are offline).

4.3 Optional iCloud sync (off by default)

If you turn on cloud sync, the App uploads to the CloudKit private database in your own iCloud account (container iCloud.com.domoretech.punchlist):

Video and raw audio are never uploaded to iCloud. Your private iCloud database is controlled by your Apple account; DoMore Tech has no ability to read its contents. Turning cloud sync off will delete the App's entire zone — all synced sessions — from your iCloud database. That deletion cannot reach copies already fetched to your computers or remote environments (Section 4.5); only you can delete those. iCloud is provided by Apple under Apple's privacy terms (Section 6).

4.4 Optional local-network transfer (off by default)

You can pair the App with a computer you own on your local network. Pairing uses a 6-digit code exchanged for an access token over a TLS-encrypted connection (see Section 11 for security details). A paired computer can download the full session bundle, which — unlike iCloud sync — includes the raw microphone audio (audio.m4a) and any crash-diagnostic file.

Plain statement about your audio: your narration audio recording never leaves your device, except when you yourself transfer a full session bundle over your local network to a computer you have paired. It is never sent to DoMore Tech or uploaded to iCloud by the App (the text transcript of your narration, however, does sync to your iCloud if you enable cloud sync — see Section 4.3).

4.5 The punchlist-mcp package (runs on your own computer)

The open-source punchlist-mcp package pulls sessions from your phone over the local network or from your iCloud database via Apple's CloudKit Web Services. On your computer it:

It also offers a user-initiated export_icloud_credentials tool that obtains a CloudKit Web Services web-authentication token via Apple ID sign-in in your browser and prints it as environment variables so you can use it in a remote, headless, or CI environment. Treat that token like your password. It is a web-authentication token tied to your Apple ID's CloudKit web session — treat it as granting whatever access that session grants, not merely access to this App's data — and anyone who has it can, at minimum, read the sessions you have synced. Only export it deliberately, only paste it into environments you trust, and revoke it when you are done: sign out of the associated iCloud web session, or rotate your Apple ID sessions (for example, by changing your Apple ID password), to invalidate it.

Important: deleting a session on your phone does not delete copies already fetched to your computers or remote environments, and anything you hand to an LLM or agent is governed by that provider's terms, not ours. You manage those copies.

4.6 Identifiers

4.7 Analytics and crash reporting (Google Firebase)

The shipped App (main app only, not the broadcast extension) includes Google Firebase Analytics and Crashlytics. The complete list of custom analytics events we log is:

EventParameters
session_savedsession type, entry count
session_processedsource (e.g., LAN or cloud)
device_paired
crash_report_filed
cloud_uploadsuccess (true/false)

In addition to these custom events, Firebase automatically collects standard events and telemetry — such as first_open, session_start, and screen_view, along with an app-instance identifier and device/usage metadata — as described in Google's privacy documentation (Section 6).

This is your choice. In the EEA and UK, analytics and crash sharing is off by default and only ever starts if you opt in (during onboarding or later in Settings). Everywhere else, it is on by default and Settings includes a "Share anonymous usage & crash reports" toggle; turning it off immediately stops both Firebase Analytics and Crashlytics collection. Details in Section 7.

No screenshot, transcript, video, or audio content is ever included in analytics events. Crashlytics sends crash stack traces and device metadata (device model, OS version, app version, and similar diagnostics) to Google when the App crashes. A Google ads-related SDK component is present transitively via Firebase, but advertising features are disabled: the App shows no ads, requests no App Tracking Transparency permission, and does no cross-app tracking.

Separately, Apple's MetricKit framework provides the App with crash diagnostics on-device; the App turns these into "crash sessions" that flow through the same local pipeline as your other sessions (they stay on your device unless you sync or transfer them, like any session).

4.8 Speech-model downloads (Hugging Face)

If you choose the optional whisper.cpp transcription engine, the App downloads model files from huggingface.co. This is a download only: no recordings, transcripts, or personal data are sent to Hugging Face. Like any web download, Hugging Face's servers see your IP address when serving the file.

4.9 Tester Feedback Mode (sharing a session with an app's developer)

Tester Feedback Mode is an optional feature that lets a developer invite other people ("testers") to record feedback sessions on the developer's app and send them to the developer. It is the one part of Punchlist where a session you record is delivered to another person rather than staying only in your own hands. It is off unless you are invited: a developer creates a "feedback group" for their app and shares an invite link (an Apple CloudKit share URL); opening that link adds the shared app to your Apps screen, marked as a feedback group.

If you are a tester (you accepted an invite):

If you are a developer (you invited testers):

Retention and auto-deletion: a feedback group automatically expires 90 days after it is created. At expiry the invite is revoked and the tester-submitted records are deleted from iCloud. A developer can also end/process a session or delete the group sooner, and a tester can retract a sent session — each of which deletes the corresponding record from iCloud earlier. As always, copies already fetched to a computer are outside the App's reach.

DoMore Tech's role is unchanged: we still operate no server that receives these sessions and cannot see their contents. The data moves between a tester's device and the inviting developer's iCloud using Apple's CloudKit sharing, both outside our access.

5. What We Do NOT Do

6. Third-Party Service Providers

ProviderWhat it does for the AppData involvedPrivacy policy
Google (Firebase Analytics, Crashlytics) Usage analytics and crash reporting Events in Section 4.7, crash stack traces, device metadata, app-instance identifiers firebase.google.com/support/privacy
Apple iCloud/CloudKit (your private database), on-device speech recognition, ReplayKit screen recording, MetricKit crash diagnostics, App Store distribution Your synced sessions (in your iCloud account, not accessible to us); on-device processing apple.com/legal/privacy
Hugging Face Hosts optional whisper.cpp speech-model files for download Download request only (IP address to serve the file); no user content sent huggingface.co/privacy

7. Legal Bases for Processing (GDPR/UK GDPR)

Where the EU or UK General Data Protection Regulation applies, our legal bases are:

Your analytics choice, region by region:

In both cases: turning the toggle off immediately stops both Firebase Analytics and Crashlytics collection, and turning it on re-enables them. Under the hood, collection is disabled at app launch (via configuration keys) until the App applies your stored choice, so data is never collected contrary to your setting; your choice is made once and is not reset by app updates. If you stop sharing, you can also ask us to have Google delete the analytics data already associated with your app instance (Section 8).

8. Data Retention and Deletion

9. Recordings May Capture Other People (Incidental Third-Party Data)

Because screen recording is system-wide and the microphone is live, your sessions can incidentally capture other people's information — voices in the room, their messages or notifications appearing on your screen, and content from other apps. The App shows you a one-time notice about this before your first recording, but it has no mechanism to obtain those people's consent for you.

You are the controller of what you record. DoMore Tech never receives or processes the contents of your recordings, and we cannot see, moderate, or delete third-party data inside them. You are responsible for complying with recording-consent, wiretap, and privacy laws that apply to you, and for honoring any request by a recorded person to delete their data from your copies. This is covered in more detail in Section 6 of the Terms of Service.

10. Your Rights

Because your content lives on your own device, your own iCloud account, and your own computers, the most important rights — access, portability, and deletion — are self-service: open the App and your files, export or delete sessions, disable sync, and delete cached copies on your computers.

For the limited data we are responsible for (analytics and crash reporting):

11. Security

No system is perfectly secure; the design goal is that even a breach of DoMore Tech could not expose your recordings, because we never have them.

12. International Data Transfers

Your session content is transferred only where you send it (your iCloud account, your computers). The analytics and crash data described in Section 4.7 is processed on Google's global infrastructure, and iCloud data is processed on Apple's infrastructure, which may involve transfers to the United States and other countries. Google and Apple maintain recognized transfer safeguards (such as EU Standard Contractual Clauses and, where applicable, EU–US Data Privacy Framework participation) as described in their privacy documentation linked in Section 6.

13. Children's Privacy

Punchlist is a developer tool and is not directed to children. It is not intended for use by anyone under 13 (or under 16 in the EEA/UK, or the applicable minimum age where you live), and we do not knowingly collect personal information from children. If you believe a child has used the App and analytics data may have been collected, contact us at [email protected] and we will work to delete it.

14. Changes to This Policy

We may update this policy as the App evolves (for example, if we add features that change how data flows, or introduce paid features). Material changes will be announced with reasonable notice — in the App, in release notes, or where this policy is published — and the "Last Updated" date above will change. Earlier versions are available on request.

15. Contact

DoMore Tech LLC — developer and publisher of Punchlist
Address: 2222 W Grand River Ave, Ste A, Okemos, MI 48864
Email: [email protected]
Phone: 517-649-1260

Questions, privacy-rights requests, and complaints about the App should be directed to DoMore Tech at the address above. Apple is not a party to, and is not responsible for, the App's privacy practices; the agreement governing your use of the App is between you and DoMore Tech only, as described in the Terms of Service.