privacy policy

bingbong is designed to collect as little information about you as possible. This page explains what we collect, why, and what your rights are. If anything here is unclear, email burkejohn1999@gmail.com and I'll answer.

Who we are

bingbong is a personal project run by John Burke, based in Dublin, Ireland. I'm the data controller for the purposes of the EU and UK GDPR.

What bingbong is

bingbong is a cross-platform app for sending custom sound notifications to friends in shared groups. There are no user accounts, no profiles, no public feed. Sounds and group contents live on your device and inside shareable .bingbong files — never on our servers.

What we collect

Device push notification tokens. When you use the app, your device generates an anonymous identifier used by Firebase Cloud Messaging (for both iOS and Android) to deliver notifications. We store this token so we can route a "bong" from one group member to the others. We don't store any other information about your device — no model, OS version, or anything else alongside the token. The token is not linked to your name, email, or any account.

Group routing data. We store group ("bong") IDs and the device tokens that belong to each group, so the server knows which devices to notify when someone presses a button. For each bong, we store the time it was created — but not who created it. We do not store group names, sound files, sound labels, individual sounds ("bings"), or any content from your groups.

Rate limiting timestamps. We briefly record when a bong was sent in a group to enforce the one-bong-per-five-seconds rate limit. These timestamps aren't tied to individuals.

Aggregate event counts. We track simple counts (e.g. how many bings were sent across the system) for basic operational visibility. These counts contain no personal information.

Anonymous website analytics. The bingbong.to website (but not the mobile app) uses Plausible Analytics to count page visits and button clicks. Plausible doesn't use cookies, doesn't store IP addresses, and doesn't build profiles. It records page URL, referrer, browser type, and a country derived from your IP (the IP itself is hashed daily and discarded). No persistent identifier is created.

Crash reports. The mobile apps use Firebase Crashlytics to report crashes so we can fix bugs. Crash reports include device model, OS version, app version, and a stack trace. They don't include your sounds, group contents, or anything you've sent.

Server logs. Firebase Hosting and our backend automatically log requests (IP address, timestamp, URL) for security and debugging. Logs are retained for approximately 30 days.

What we don't collect

• No accounts, no email addresses, no names
• No cookies on the website
• No tracking across sessions or sites
• No sound files, group names, group contents, or any media on our servers
• No location data beyond the country-level info Plausible derives from IP
• No advertising identifiers, no marketing data

We don't sell or share data with advertisers, data brokers, or anyone else for commercial purposes.

Legal basis for processing (GDPR)

Under GDPR, we rely on the following legal bases:

• Performance of a service: processing your push notification token to deliver the notifications you've signed up to receive
• Legitimate interest: anonymous analytics and crash reporting, used to keep the service running and fix bugs, with minimal impact on your privacy
• Consent: where you've explicitly opted in (e.g. enabling push notifications on your device)

You can withdraw consent for push notifications at any time by disabling them in your device settings.

Who processes your data

• John Burke (Dublin, Ireland) — operator of bingbong
• Google / Firebase (Google Ireland Limited) — hosting, push notification delivery (FCM), crash reporting (Crashlytics)
• Plausible Insights OÜ (Estonia, EU) — anonymous website analytics
• Apple App Store / Google Play — app distribution; subject to their own privacy policies

Data processing agreements are in place with each of these providers as required by GDPR.

How long we keep data

• Push notification tokens: until you uninstall the app, disable notifications, or the token expires (typically a few months of inactivity), after which it's deleted automatically
• Group routing data: until the group is deleted by its members
• Rate limiting timestamps: a few seconds, then discarded
• Aggregate event counts: indefinitely (no personal information)
• Crash reports: 90 days
• Server logs: ~30 days
• Plausible analytics data: indefinitely (contains no personal information)

Your rights

Under GDPR, you have the right to:

• Know what data we hold about you
• Request a copy of your data
• Request correction or deletion of your data
• Object to or restrict processing
• Lodge a complaint with a supervisory authority (in Ireland, that's the Data Protection Commission)

To exercise any of these rights, email burkejohn1999@gmail.com. Because we don't have user accounts, the main practical request is "delete my device token," which we can do if you tell us roughly when you used the app and from which platform.

Children

bingbong is not directed at children under 16. We don't knowingly collect data from children. If you believe a child has used the app and you'd like their device token removed, contact us.

International transfers

Some of our processors (Google, Apple, Plausible) operate infrastructure in multiple countries. Where data is transferred outside the EEA, it's covered by Standard Contractual Clauses or equivalent safeguards as required by GDPR.

Changes to this policy

If we change this policy, we'll update the date at the top and note significant changes in the app or on the website. We won't make material changes that reduce your privacy without telling you.

Contact

For any privacy questions or requests:

Email: burkejohn1999@gmail.com
Operator: John Burke, Dublin, Ireland