Michael Freno
e33ddf3002
- Add Apple Sign-In backend (JWKS verification, account linking, session management) - Implement push notification deep linking with NotificationDeepLinkRouter - Add jailbreak detection, runtime integrity monitoring, secure enclave service - Implement OAuth social login, token refresh, and secure logout flows - Add image caching (memory/disk), optimizer, upload queue, async semaphore - Implement notification analytics, type preferences, and category setup - Expand UI test suite with UITestBase, accessibility, auth flow, performance tests - Add CI pipeline for iOS UI tests (3 device sizes) and performance benchmarks - Restructure Xcode project to manual groups with KordantWidgets target - Add SwiftLint, Swift Collections/Algorithms/GoogleSignIn dependencies - Update project.yml for XcodeGen with new targets and configurations
11 KiB
11 KiB
iOS App Privacy & Data Usage Documentation
Last Updated: 2026-06-02 App Version: 1.0.0 Target OS: iOS 17.0+
1. Overview
Kordant is a personal security monitoring application that provides data breach detection, dark web monitoring, voice impersonation detection (VoicePrint), spam call filtering (SpamShield), and identity protection services. This document describes all data collection, usage, and privacy practices for the iOS app.
2. Data Collection Inventory
2.1 Data Collected by the App
| Data Type | Category | Collected | Purpose | Linked to User | Used for Tracking |
|---|---|---|---|---|---|
| Name | Contact Info | Yes — via registration, Apple Sign-In, or Google Sign-In | Account creation, personalization | Yes | No |
| Email Address | Contact Info | Yes — via registration or OAuth providers | Account authentication, breach notifications | Yes | No |
| Audio Recordings | User Content | Yes — during VoicePrint enrollment | Voice biometric signature for caller verification | Yes | No |
| User ID | Identifiers | Yes — server-assigned UUID | Account identification, API requests | Yes | No |
| Device ID | Identifiers | Yes — push notification token | Remote notification delivery | Yes | No |
| Product Interaction | Usage Data | Yes — if ATT granted | Analytics to improve app features | No | No |
| Crash Data | Diagnostics | Yes — system crash reports | Bug fixing, app stability | No | No |
2.2 Data NOT Collected
The following data types are not collected by Kordant:
- Precise Location — No GPS or location services used
- Coarse Location — No geolocation capabilities
- Contacts — No device contacts access
- Photos — No photo library access
- Videos — No video capture or upload
- Health & Fitness — No health data access
- Financial Info — No payment card or banking info stored
- Browsing History — No browser data access
- Search History — No search history collection
- Sensitive Info — No race, religion, sexual orientation, or other sensitive data
2.3 Data Collection Points
Authentication Flow
- What's collected: Name, email, user ID
- Where: Sign-up screen, Apple Sign-In, Google Sign-In
- How: User provides during registration; OAuth providers return with consent
- Storage: Keychain (encrypted at rest)
VoicePrint Enrollment
- What's collected: Voice recording (16kHz 16-bit PCM, 5–30 seconds)
- Where: VoicePrint enrollment screen → RecordingScreen
- How: User records a voice sample through the microphone
- Storage: Encrypted and sent to backend; local temp file deleted after upload
- User control: Fully opt-in; can be deleted at any time
Push Notifications
- What's collected: Device token (APNs)
- How: System provides device token after user grants notification permission
- Storage: Sent to backend for push targeting; stored in keychain
- Purpose: Deliver real-time security alerts
Anonymous Analytics (if ATT granted)
- What's collected: App interaction events, screen views, feature usage
- How: System App Tracking Transparency prompt
- Storage: Aggregated; not linked to user identity
- User control: ATT prompt can be denied; can be re-enabled in Settings
Crash Reporting
- What's collected: Crash logs, device model, OS version, timestamp
- How: System crash reporter
- Storage: Apple's crash reporting service
- User control: Can be disabled in device Settings → Privacy → Analytics & Improvements
3. Required Reason API Declarations
The following Apple APIs require declared usage reasons in the privacy manifest:
3.1 File Timestamp API (contentModificationDateKey)
- Files using:
ImageCacheService.swift - Usage: Reading file modification dates for LRU cache eviction
- Reason: Cache management — identifying oldest cached images for removal when disk quota is exceeded
- Declared reason code:
C617.1
3.2 Disk Space API (totalFileAllocatedSizeKey)
- Files using:
ImageCacheService.swift - Usage: Checking total disk usage of image cache to enforce 100MB quota
- Reason: Cache management — checking available/total disk capacity before writing cache files
- Declared reason code:
CA92.1
3.3 User Defaults API (UserDefaults)
- Files using:
CacheManager.swift— Caching API responses with TTLATTService.swift— Tracking ATT prompt stateWidgetDataManager.swift(also in widget extension) — Reading widget data from shared containerAuthService.swiftvia Keychain — Session management
- Usage: Reading and writing app preferences, cached data, and shared widget data
- Reason: App functionality — storing user preferences and cached data within the app
- Declared reason code:
79D5.1
4. Permission Descriptions
| Permission | Usage Description | String Key |
|---|---|---|
| Camera | "Kordant uses the camera to scan documents and verify your identity." | NSCameraUsageDescription |
| Face ID | "Use Face ID to securely access your Kordant account." | NSFaceIDUsageDescription |
| Microphone | "Kordant needs microphone access to enroll your voice for clone detection." | NSMicrophoneUsageDescription |
| App Tracking | "Kordant uses tracking to analyze app usage and improve your experience. Your data is never shared with third parties for advertising." | NSUserTrackingUsageDescription |
| Notifications | Permission is requested at runtime via UNUserNotificationCenter for security alerts |
(Handled in code) |
All permission descriptions are available for localization in the app's Info.plist and can be translated in InfoPlist.strings files.
5. Data Storage & Security
| Data | Storage | Encryption | Accessibility |
|---|---|---|---|
| JWT Tokens | Keychain | Hardware-backed | kSecAttrAccessibleWhenUnlockedThisDeviceOnly |
| Refresh Tokens | Keychain | Hardware-backed | kSecAttrAccessibleWhenUnlockedThisDeviceOnly |
| User Profile (cached) | Keychain | Hardware-backed | kSecAttrAccessibleWhenUnlockedThisDeviceOnly |
| Biometric Keys | Keychain (Access Control) | Secure Enclave-backed | kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly |
| Image Cache | File System (+ URLCache) | Not encrypted (performance) | Temporary; auto-purged |
| API Cache | UserDefaults | App sandbox | TTL-based expiration |
| Voice Recordings | Temp file → Backend | Encrypted in transit (TLS) | Deleted after upload |
| Widget Data | App Group UserDefaults | App sandbox | Shared between app and widgets |
6. Third-Party SDK Privacy
6.1 GoogleSignIn-iOS (SPM)
| Aspect | Details |
|---|---|
| Version | 7.0.0+ |
| Data collected by SDK | Google account email, name, ID token (with user consent) |
| Privacy manifest | Included by Google in SDK v7+ |
| Privacy link | https://policies.google.com/privacy |
| Purpose | OAuth authentication — user-initiated sign-in |
| Data sharing | No data shared with Google beyond OAuth tokens (Kordant does not use Google Analytics or other Google services) |
6.2 Apple Swift Packages
The following Apple SPM packages are used and do not collect data:
swift-collections— Data structure utilitiesswift-algorithms— Algorithm utilities
7. App Privacy Nutrition Label (App Store Connect)
7.1 Data Linked to You
The following data types are collected and linked to your identity:
| Data Type | Purpose |
|---|---|
| Name | App Functionality, Product Personalization |
| Email Address | App Functionality |
| Audio Data | App Functionality (VoicePrint) |
| User ID | App Functionality |
| Device ID | App Functionality (Push Notifications) |
7.2 Data NOT Linked to You
| Data Type | Purpose |
|---|---|
| Product Interaction | Analytics |
| Crash Data | Developer Analytics |
7.3 Data Used for Tracking
None. Kordant does not use any collected data for tracking.
7.4 Privacy Nutrition Label Configuration
To configure the App Store privacy nutrition label:
- Log into App Store Connect
- Navigate to your app → App Privacy tab
- Under Data Collection, add each data type listed above
- For each:
- Mark as Linked to User or Not Linked to User as indicated
- Select the purposes from the dropdown
- Mark Used for Tracking as No
- Under Required Reason APIs, upload the
PrivacyInfo.xcprivacyfile - Under Third-Party SDKs, list GoogleSignIn-iOS
- Provide a Privacy Policy URL
8. User Controls & Opt-Out
| Data Collection | User Control | How to Opt-Out |
|---|---|---|
| Name, Email | Mandatory for account | Delete account in Settings |
| Voice Recordings | Fully opt-in | Delete VoicePrint enrollment in VoicePrint settings |
| Push Notifications | Deny permission | Disable in iOS Settings → Notifications → Kordant |
| Analytics / ATT | System prompt | Deny ATT prompt; change in Settings → Privacy → Tracking |
| Crash Reporting | System setting | Settings → Privacy → Analytics & Improvements → Share With App Developers |
9. Data Retention
| Data Type | Retention Period | Deletion Mechanism |
|---|---|---|
| Account data (name, email) | Until account deletion | Account deletion request processed within 30 days |
| Voice recordings | Until VoicePrint deletion | Immediate deletion on user request |
| Push notification device token | Until logout or token refresh | Removed on logout |
| Image cache | 7 days (disk) / app lifecycle (memory) | Auto-purged; LRU eviction when exceeding 100MB |
| API response cache | 5 minutes default TTL | Auto-expired; purged on memory warning |
| Crash data | 90 days | System-managed |
| Analytics data | 12 months (aggregated) | Not linked to individual users |
10. Compliance Checklist
- PrivacyInfo.xcprivacy created and in project
- NSPrivacyTracking declared (false)
- All collected data types declared with accurate linkage and tracking flags
- Required reason APIs declared with valid reason codes
- Permission descriptions localized and in Info.plist
- NSUserTrackingUsageDescription added for ATT
- Widget extension has own PrivacyInfo.xcprivacy (UserDefaults access)
- Spam Shield extension has own PrivacyInfo.xcprivacy
- Third-party SDKs audited (GoogleSignIn has privacy manifest)
- Project.yml includes privacy manifests in target sources
- App Privacy nutrition labels configured in App Store Connect
- Privacy Policy URL published on app website
- No privacy manifest warnings on build
- Privacy labels match actual data collection
11. Updating This Document
Update this document when:
- A new data collection feature is added
- A new permission is requested
- A third-party SDK with data collection is integrated
- Data retention policies change
- A new Required Reason API is used
Always ensure the PrivacyInfo.xcprivacy file is updated simultaneously with this document.