Privacy Policy

Last updated: March 26, 2026

1. Introduction

Welcome to PingRoom. This Privacy Policy explains how Mindzone Technologies LLC ("Mindzone," "we," "us," or "our"), a company registered and operating in the United Arab Emirates, collects, uses, discloses, and protects your personal information when you use the PingRoom mobile application (the "App"), our website at pingroom.io (the "Website"), and any related services (collectively, the "Service").

PingRoom is a push notification platform that allows users to create rooms, invite members via invite codes, and broadcast instant push notifications. The App is available on iOS and Android. By accessing or using our Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

This Privacy Policy is issued in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and its implementing regulations, as well as other applicable data protection laws and regulations.

2. Information We Collect

We collect and process different categories of information depending on how you interact with PingRoom. We are committed to collecting only the data that is necessary to provide and improve our Service.

2.1 Account Information

PingRoom supports two types of accounts:

  • Guest Accounts: When you use PingRoom without registering, we create a guest account with a system-generated identifier. No personal information such as your name or email address is required for guest access.
  • Verified Accounts: If you choose to upgrade your account, we collect your email address for authentication purposes. Verification is performed via a one-time password (OTP) sent to your email. We do not collect passwords, phone numbers, or social media credentials.

2.2 Device Information

To deliver push notifications, we collect the following device information:

  • Device Push Token: A unique token issued by Apple Push Notification service (APNs) for iOS devices or Firebase Cloud Messaging (FCM) for Android devices. This token is required to deliver push notifications to your specific device.
  • Platform Type: Whether your device runs iOS or Android, so we can route notifications through the correct delivery channel.
  • App Version: The version of the PingRoom app installed on your device, used for compatibility checks and to determine whether an update is required.

2.3 Room & Notification Data

When you use PingRoom, we store data related to your rooms and notifications:

  • Room Membership: Records of which rooms you have created or joined, your role within each room, and the room's configuration (name, icon, color, quick-action buttons).
  • Notification Content: The title and body of notifications you send or receive, including metadata such as timestamps, the sender, the trigger source (manual, webhook, location trigger, or time trigger), and delivery status.
  • Webhook Configurations: If you set up webhook integrations for a room, we store the webhook endpoint codes, secrets, and associated configuration.
  • Time Trigger Settings: If you configure scheduled notifications, we store the schedule parameters (frequency, time, days) and the notification content to be sent.

2.4 Usage Data

We may collect anonymized and aggregated usage data to understand how users interact with PingRoom and to improve the Service. This may include:

  • Features accessed and frequency of use
  • App launch events and session duration
  • Notification delivery success and failure rates
  • Error logs and crash reports

This data is used in aggregate form and is not linked to your individual identity unless necessary for debugging a specific issue you report to us.

2.5 Location Data

Important — PingRoom does NOT collect, transmit, or store your location data.

PingRoom offers a location-based trigger feature that allows notifications to be sent when you enter or exit a defined geographic area. This feature operates entirely on your device using your operating system's native geofencing capabilities (via expo-location startGeofencingAsync).

Here is exactly what happens:

  • Your device's operating system (iOS or Android) monitors your location locally and determines when you enter or exit a geofence boundary.
  • When a geofence event is triggered, your device sends a trigger signal to our server — this signal contains only the trigger identifier, not your GPS coordinates, location history, or any other location data.
  • The location_triggers table on our server stores only display and configuration metadata: the trigger name, the center point and radius you defined when creating the trigger, and the associated room. This metadata is used solely to display the trigger in the app interface and to allow you to edit it.
  • Zero location data about your actual real-time position is ever transmitted to or stored on our servers.

You can revoke location permissions at any time through your device's system settings, which will disable geofencing functionality without affecting other features of the App.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Deliver Push Notifications: Use your device token to route notifications from room members, webhooks, location triggers, and time triggers to your device via APNs or FCM.
  • Authenticate Your Account: Verify your identity through email OTP for verified accounts and manage your session via JWT-based authentication.
  • Maintain and Operate the Service: Manage rooms, memberships, quick actions, webhooks, location triggers, time triggers, and notification delivery records.
  • Ensure Service Configuration: Provide your app with the correct service endpoints, check for required updates, and communicate maintenance status on launch.
  • Improve the Service: Analyze aggregated usage patterns, notification delivery performance, and error reports to enhance reliability, fix bugs, and develop new features.
  • Communicate with You: Send you service-related communications, such as OTP codes, account updates, or important changes to these terms (we do not send marketing emails).
  • Comply with Legal Obligations: Process data as required to meet our obligations under UAE law and applicable regulations.

4. Push Notifications

Push notifications are the core functionality of PingRoom. Here is how the notification delivery system works:

  • When you install PingRoom and grant notification permissions, your device's operating system generates a unique push token (an APNs token on iOS or an FCM token on Android).
  • This token is registered with our notification delivery service; the registration is authenticated using your account's JWT. The token is stored in our device_tokens database along with your platform type and app version.
  • When a notification is sent to a room you belong to, our backend enqueues a delivery job. Our dedicated notification service then delivers the notification directly to Apple (APNs) or Google (FCM), which in turn delivers it to your device.
  • We do not use any third-party push notification providers (such as OneSignal, Pusher, or similar services). Notification delivery is handled entirely by our own infrastructure communicating directly with Apple and Google's official push notification services.
  • If your device token becomes invalid (for example, after uninstalling the app), Apple or Google will report the token as invalid, and our system will automatically remove it from our database.

You can disable push notifications at any time through your device's system settings. Disabling notifications will prevent delivery but will not affect your room memberships or other app functionality.

5. Legal Basis for Processing

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), we process your personal data on the following legal bases:

  • Consent: Where you have given clear consent for us to process your personal data for a specific purpose, such as granting push notification permissions or providing your email address for account verification. You may withdraw your consent at any time.
  • Contract Performance: Processing that is necessary to fulfill our contractual obligations to you — including delivering notifications, maintaining your rooms, and providing the core Service as described in our Terms of Service.
  • Legitimate Interests: Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes maintaining the security and integrity of our Service, preventing fraud, analyzing aggregated usage data to improve the Service, and ensuring the technical reliability of notification delivery.
  • Legal Obligation: Processing that is required to comply with UAE laws, regulations, or lawful requests from government authorities.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:

6.1 Push Notification Delivery Providers

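To deliver push notifications to your device, we transmit your device push token and notification payload to the following platform services:

  • Apple Push Notification service (APNs) for iOS devices
  • Firebase Cloud Messaging (FCM) for Android devices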

These are the official push notification services provided by Apple and Google respectively. We communicate with them directly from our own infrastructure. We do not use any third-party push notification aggregators or intermediary services.

6.2 Infrastructure Providers

Our Service is hosted on cloud infrastructure providers that may process data on our behalf. These providers are contractually obligated to protect your data and process it only according to our instructions.

6.3 Law Enforcement & Legal Requirements

We may disclose your personal information if required to do so by UAE law, regulation, legal process, or enforceable government request. We may also disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation or lawful request from a competent authority in the UAE
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via a prominent notice within the App or by email before your personal information becomes subject to a different privacy policy.

7. Data Storage & Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

  • Database Security: Your data is stored in PostgreSQL databases with encrypted connections (TLS/SSL). Access to the database is restricted to authorized services only.
  • Authentication Security: User sessions are managed via JSON Web Tokens (JWT) with HMAC SHA-256 signing. Tokens are issued with a 30-day expiry and are validated on every authenticated request.
  • On-Device Security: Authentication tokens are stored in your device's secure storage (Expo SecureStore), which leverages the iOS Keychain and Android Keystore for hardware-backed encryption.
  • Transport Security: All communication between the App and our servers is encrypted using HTTPS (TLS 1.2 or higher).
  • Notification Delivery Security: Communication with APNs uses HTTP/2 with JWT-based authentication. Communication with FCM uses OAuth 2.0 service account authentication.
  • Access Control: Internal access to user data is restricted on a need-to-know basis and protected by authentication and authorization controls.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

  • Account Data: Retained for as long as your account is active. If you delete your account, your personal data will be removed within 30 days, except where retention is required by law.
  • Device Tokens: Automatically purged when Apple (APNs) or Google (FCM) reports them as invalid (e.g., after app uninstallation). Tokens that have not been seen for an extended period are also cleaned up periodically. The last activity timestamp is tracked to facilitate this cleanup.
  • Notification Records: Notification delivery records (success/failure status, delivery duration) are retained for operational monitoring and debugging purposes. Notification content within rooms is retained for the lifetime of the room.
  • Room Data: Room configurations, memberships, and associated settings are retained for as long as the room exists. When a room is deleted, all associated data is removed.
  • Usage & Log Data: Aggregated usage data and server logs are retained for up to 12 months for analytical and operational purposes, after which they are deleted or further anonymized.

9. Your Rights under UAE PDPL

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), you have the following rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you and information about how it is processed.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw your consent.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that it be transferred to another controller where technically feasible.
  • Right to Object: You have the right to object to the processing of your personal data where processing is based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the UAE Data Office if you believe your data protection rights have been violated.

To exercise any of these rights, please contact us at privacy@pingroom.io. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10. Children's Privacy

PingRoom is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete that information as promptly as possible.

If you are a parent or guardian and believe that your child under 13 has provided us with personal data, please contact us at privacy@pingroom.io so that we can take appropriate action.

11. International Data Transfers

Mindzone Technologies LLC is based in the United Arab Emirates. Your data may be processed and stored on servers located outside the UAE, including in jurisdictions where our cloud infrastructure providers operate.

When we transfer your personal data outside the UAE, we ensure that appropriate safeguards are in place in accordance with the requirements of the UAE PDPL, including:

  • Ensuring the receiving jurisdiction provides an adequate level of data protection as determined by the UAE Data Office
  • Implementing appropriate contractual safeguards with our service providers
  • Applying supplementary technical and organizational measures to protect your data during transfer and processing

Push notification delivery inherently involves transmitting your device token and notification content to Apple (for APNs) and Google (for FCM), whose servers are distributed globally. This transfer is necessary to deliver the core functionality of the Service.

12. Cookies & Tracking Technologies

12.1 Website (pingroom.io)

Our marketing website at pingroom.io may use the following technologies:

  • Essential Cookies: Minimal cookies necessary for the website to function correctly, such as session management.
  • Analytics: We may use privacy-respecting analytics to understand website traffic and usage patterns. Any analytics data collected is aggregated and anonymized.

12.2 Mobile Application

The PingRoom mobile application does not use cookies. The App stores authentication tokens securely on your device using the platform's secure storage mechanism (iOS Keychain / Android Keystore) and persists application state locally using encrypted device storage. The App contacts our server on launch to retrieve service configuration (notification service URL, minimum version requirements, and maintenance status) — this request does not involve tracking cookies or advertising identifiers.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you through a prominent notice within the App or on our Website
  • For significant changes that affect how we process your personal data, we may also send a notification to the email address associated with your verified account

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Mindzone Technologies LLC

United Arab Emirates

Email: privacy@pingroom.io

Website: pingroom.io

For data protection inquiries specifically related to your rights under the UAE PDPL, please include "PDPL Request" in the subject line of your email to help us route your request appropriately.