Privacy Policy

Effective date: May 28, 2026

PGPony is a privacy-first OpenPGP encryption tool for iOS and Android. This policy explains exactly what data the app touches, what stays on your device, the two optional features that may transmit limited data off your device when you explicitly initiate them, and the one feature on the pgpony.app website that accepts voluntary user submissions (the reviews form).

Short version: the PGPony app has no servers, no analytics, no tracking, and no account system; by default, nothing leaves your device. Two optional app features — bulk key discovery and key publishing — transmit limited data to the public OpenPGP keyserver at keys.openpgp.org, and only when you tap a button to start them. Separately, the pgpony.app website hosts one optional reviews form where users can voluntarily submit a review for public display; nothing else is captured by the website.

1. Data We Do Not Collect

PGPony does not collect, store, or transmit:

  • Your name, address, phone number, or any identifying information
  • Any analytics, telemetry, crash reports, or usage data
  • Advertising identifiers or tracking cookies
  • Your messages, files, encrypted content, or decrypted content
  • Your private keys, passphrases, or any secret material
  • The contents of your contact list (names, photos, phone numbers, or any contact data beyond what is described below)

We operate no servers and have no database of users. There is no account to create.

2. Data Stored Locally on Your Device

PGPony stores the following on your device only. None of it leaves your device unless you explicitly choose to share it:

  • Your PGP keypairs — public keys and encrypted private keys, stored in the iOS Keychain (with Secure Enclave protection) or the Android Keystore (hardware-backed where supported)
  • Imported contact public keys — stored locally for encryption
  • App preferences and settings — stored locally
  • Optional biometric lock state — uses your device's secure biometric system; PGPony never sees your biometric data

Uninstalling the app removes all of this data from your device.

3. Optional Features That Transmit Data Off-Device

Two features in PGPony transmit limited data to a third-party keyserver. Both are off by default, are only triggered by direct user action, and use HTTPS in transit.

3.1. Bulk Key Discovery

When you tap Bulk Scan on the Contacts screen, PGPony reads the email addresses associated with your device contacts and queries the public OpenPGP keyserver at keys.openpgp.org to check whether any of those email addresses have a published PGP key. If a match is found, the public key is downloaded and stored locally so you can encrypt to that contact.

What is transmitted to keys.openpgp.org during a bulk scan:

  • Email addresses from your device contacts, one query per email

What is never transmitted:

  • Contact names, phone numbers, photos, postal addresses, notes, or any other contact field
  • Email addresses that are not part of an active scan
  • Any data when you have not initiated a scan

You may cancel a bulk scan at any time. PGPony does not run bulk discovery automatically, in the background, or on a schedule.

3.2. Key Publishing

When you tap Publish to keys.openpgp.org on the Exchange screen, PGPony uploads your selected public key to keys.openpgp.org so that other people can find your public key by searching for the email address embedded in it.

What is transmitted to keys.openpgp.org during publishing:

  • Your public key, including the user ID (typically your name and email address) you embedded in it during key generation

Your private key never leaves your device under any circumstances — only the public half is uploaded.

Publishing is a one-time, user-initiated action. PGPony does not republish your key automatically.

4. Third-Party Service: keys.openpgp.org

The two features above transmit data to keys.openpgp.org, a public OpenPGP keyserver operated independently by the Verifying Keyserver project. Their privacy policy is published at keys.openpgp.org/about/privacy.

If you have published a key and later want it removed from the keyserver, you can request deletion directly through keys.openpgp.org following the process described at keys.openpgp.org/about. Removal requests are handled by the keyserver operators, not by PGPony.

5. Permissions PGPony Requests

  • Contacts (read-only) — used to display your contact list inside the app for matching against public keys you have already imported, and for the optional Bulk Scan feature. PGPony never modifies your contacts.
  • Camera — used by the QR scanner so you can import public keys printed as QR codes. No images, video, or audio are recorded or stored.
  • Biometrics — used only for the optional app lock. PGPony never receives or stores your biometric data; the device's secure subsystem handles all authentication.
  • Internet — used only for the two optional keyserver features described above, and for optional WKD lookups (which query the recipient's own mail domain).
  • Notifications (optional) — used only to deliver local key-expiration reminders that you can enable in settings. No push notification server is involved.

You may deny or revoke any permission in your device settings. The app will continue to function without permissions; the corresponding features will simply be unavailable.

6. Website Voluntary Submissions (Reviews)

The pgpony.app website hosts a reviews form where users can voluntarily submit a review of the app. This is the only feature on the website that accepts user input. It is entirely optional and triggered only when a user fills out the form and presses Submit.

What the reviews form stores:

  • The review text you type
  • The star rating you choose (1 to 5)
  • An optional display name, if you provide one (blank submissions are shown as "anonymous")
  • The platform you selected (iOS, Android, both, or unspecified)
  • A timestamp of when the submission arrived (used internally for moderation; not displayed publicly except as a date)

What the reviews form does not store:

  • Your IP address
  • Your browser user-agent string
  • Any cookies or session identifiers
  • Any device fingerprint
  • Your email address, phone number, or any identifier other than the optional display name you choose to type

Submitted reviews enter a moderation queue and are not displayed publicly until manually approved by the developer. Approved reviews are shown on the reviews page and may also appear on the homepage. To request removal of a review you submitted, email NorseHorse@norsehor.se with enough detail to identify the entry (date, rough wording, and optional display name).

The pgpony.app website also serves static pages (this page, the documentation, support, about, etc.). Like any web server, the underlying Apache server records standard access logs for operational diagnostics. These logs include IP addresses and request paths and are kept only as long as needed to investigate operational issues. They are never used for tracking, analytics, advertising, or profiling, and are not exposed or transmitted to any third party.

7. Children's Privacy

PGPony is not directed to children under 13. Because the app collects no personal data, it does not knowingly collect data from anyone, including children.

8. Data Deletion

To delete all PGPony data from your device, uninstall the app. There is no server-side data associated with you.

To delete a public key you previously published to keys.openpgp.org, follow the keyserver's own deletion process linked in section 4.

9. Security

All keyserver communication uses HTTPS (TLS 1.3). Private keys are stored on-device only — in the iOS Keychain (Secure Enclave) or Android Keystore (hardware-backed where available) — and may be additionally protected by an optional passphrase that you set during key generation. Without that passphrase, the private key cannot be used. PGPony has no mechanism to recover or reset a forgotten passphrase.

10. Changes to This Policy

If this policy changes materially, the effective date at the top of this page will be updated and the new version will be published at this URL. We recommend bookmarking this page or checking back periodically.

11. Contact

Questions about this policy can be sent to NorseHorse@norsehor.se.

PGPony is an independent privacy tool developed by NorseHorse, a solo indie developer.
