Privacy Policy

Last updated: 19 May 2026

What's new. We now collect anonymous usage analytics (how many people use the app, when, and from which country) to help us understand how did:pic is being used. Events are pseudonymised at ingest with a server-side secret and survive account deletion in anonymised form. Details under "Anonymous usage analytics" below.

Plain-English summary. did:pic is a photo-sharing app built on AT Protocol. Your actual photos, posts, comments, and follow graph are stored on whichever PDS provider hosts your account (such as Bluesky, Blacksky, or Eurosky). We cache the public parts of that data so the app loads quickly, deliver push notifications when permitted, and apply our own moderation labels. We don't store your password. You can take your data and leave at any time.

This Privacy Policy explains how Luke Cashion-Lozell ("we", "us", "I") collects and handles personal information when you use the did:pic mobile app, the did:pic AppView service, and the didpic.app website (together, the "Service"). We're based in Queensland, Australia. This policy follows the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth). If you're in the EU, UK, or California, additional protections may apply — see "Your rights" below.

What we collect

From your PDS

When you sign in with AT Protocol, you choose a provider (Bluesky, Blacksky, Eurosky, or another) to host your account. Your actual records — profile, posts, comments, likes, follows — live on that provider's PDS. We don't host them. We read the public records from the AT Protocol firehose (a public stream of records) and cache them in our AppView so the app is fast.

Specifically, we cache the following public data about you:

Your DID (such as did:plc:... or did:web:...)
Your handle (e.g. alice.bsky.social)
Your display name, bio, avatar, and banner
Your posts, including image references, captions, and timestamps
Your likes, comments, follows, and self-applied content labels (e.g. NSFW)
Counts derived from the above (followers, likes received, etc.)
Your follow graph on Bluesky, used as a discovery ranking signal

All of this is public on AT Protocol by design — anyone with access to the firehose can read it. We don't store private records.

From your device

Push notification tokens, only if you grant notification permission. Used to deliver pushes via the Expo Push service. Stored against your account so we know where to send.
Notification seen state — a timestamp marking how recently you've checked your notifications.
Account preferences stored on our AppView (content-label preferences, last-viewed feed, alt-text prompts and filters). Keyed to your DID and auth-gated — only readable and writable by you. We'd happily put these in the AT Protocol preferences blob on your PDS, but the PDS rejects any preference shape not in the app.bsky.* namespace, so for now they live with us.
On-device only — age-verification result and theme preference stay local.
Cached blob images stored in your device's app cache. Deleted when you clear the cache or uninstall.

Sign-in

OAuth-only. You authenticate with your PDS; your PDS issues us a token. We never see your password.

Age verification

If you choose to verify your age (required to change moderation settings), we use the operating system's age-range API — Apple's Declared Age Range on iOS, Google's Play Age Signals on Android. The OS tells us only whether you're 18 or older. We don't receive your actual age or date of birth. The pass/fail result is stored on your device only.

Anonymous usage analytics

To understand how did:pic is being used (how many people are active, when, and from where), the app emits a small set of anonymous events to the AppView: app opens, screen changes, signups, posts, likes, comments, follows, subscriptions, and blocks. No event payload contains the content of a post, the text of a comment, or anyone's identity in cleartext.

Each event carries:

A timestamp and event name (e.g. post_created)
An anonymised user identifier — same person across two sessions gets the same identifier (so we can count distinct users), but the identifier itself doesn't carry your DID, handle, or any other identifying detail.
Your country, derived from your IP address at ingest time. The IP itself is not stored.
Your platform (iOS or Android) and app version.
For some events, a small bag of flags (e.g. whether a post included alt text). Capped at 1KB.

Raw events are kept for 90 days, then automatically deleted. A daily roll-up — counts of events per day per country per platform, with no per-user data — is retained indefinitely for long-term trend charts.

On account deletion: we don't delete your analytics events — the identifier on each event is anonymised, so they no longer relate to you once your account is gone. Keeping them lets us preserve accurate historical aggregates (DAU, country mix). The 90-day raw retention then naturally ages out the events themselves.

We don't share this data with any third party. There are no ad SDKs, no Google Analytics, no Firebase. Everything stays on our AppView.

Server-side moderation labels

Our moderation team may apply content labels (such as nsfw) to specific posts or accounts that violate our Community Guidelines. These labels are public — they're served alongside the relevant posts and accounts in the AppView's responses.

How we use it

Operating the Service (showing you posts, delivering notifications)
Responding to your support enquiries
Enforcing our Community Guidelines and Terms of Service
Complying with legal obligations
Preventing abuse, spam, and security threats

Who we share it with

Your chosen PDS provider — your actual data lives with them. Their privacy policy applies to that data.
Expo Push (expo.dev) — push notification delivery service. Receives push tokens and notification payloads (title + body + minimal metadata).
Cloudflare Pages — our website host. Standard request logs only.
Apple App Store and Google Play Store — they distribute the app. Their privacy policies apply to app-store interactions.
Australian or foreign government / law enforcement, if compelled by a valid legal request.

We do not sell your personal information. We don't share it with advertisers. We don't run analytics that profile you.

How long we keep it

AppView cache: as long as it's on the firehose and your account is active.
Push tokens: until you sign out, change accounts, or your device's token expires / gets reported invalid.
Local device data: until you uninstall the app or clear app storage.
Server-side labels: until the underlying content is removed or the label is revoked.
Anonymous analytics events: raw events 90 days, then automatic purge. Daily aggregate rollups (no per-user data) retained indefinitely.

Your rights

You have the following rights under the APPs and (where applicable) GDPR, UK GDPR, and CCPA:

Access the personal information we hold about you
Correct inaccurate information
Delete your account and the data we cache — see Account Deletion
Withdraw consent, e.g. revoke notification permission via OS settings
Complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise any of these, email [email protected]. We aim to respond within 30 days.

Children

did:pic is intended for users aged 13 and older. Some features (notably moderation settings for adult-labelled content) require age verification establishing you are 18 or older. We don't knowingly collect data from anyone under 13. If you believe a child under 13 has signed up, contact [email protected] and we will close the account. See our Minors Policy for more.

Changes to this policy

If we make material changes, we'll update the "Last updated" date and post a notice in the app and on this page. Continued use after changes constitutes acceptance.

Contact

Privacy email: [email protected]
Operator: Luke Cashion-Lozell, Queensland, Australia