相册PP 隐私政策
更新日期:2026年4月9日 | 生效日期:2026年4月9日
📋 核心承诺 — 用一句话说清楚
- 所有照片和视频仅存储在您的设备本地或您自己的 iCloud Drive 中,开发者无法访问。
- 我们不收集、不上传、不出售任何个人数据或媒体文件。
- 崩溃日志收集默认关闭,且不含任何个人信息或媒体内容。
- 所有媒体文件均采用 AES-256-GCM 军用级加密保护。
- 您可以随时删除全部数据,卸载即彻底清除本地存储。
1信息收集
- 本应用不会主动收集任何个人身份信息(姓名、电话、邮箱、生物特征等)。
- 本应用不会收集设备标识符(IDFA/IDFV)、精确位置或浏览记录。
- 应用运行所需的所有数据均存储在您设备的本地沙盒目录,开发者无法访问。
- 您设置的密码经哈希处理后由 iOS 钥匙串(Keychain)加密保存,开发者无法获取明文密码。
2相册访问权限
- 本应用需要访问系统相册,仅用于将您主动选择的照片和视频导入加密存储空间。
- 仅在您明确选择导入操作时读取相册内容,不会在后台扫描或读取您未选择的内容。
- 导入完成后,原始文件仍保留在系统相册中,本应用不会修改或删除系统相册的任何内容。
- 您可随时在 iOS 系统设置中撤回相册访问权限,已导入内容不受影响。
- 若您通过分享扩展(Share Extension)从其他应用将照片或视频分享到本应用,仅处理您在该次分享操作中明确选中的项目,并在设备本地写入加密存储;我们不会因此获得任何额外访问权限,也不会上传上述内容至开发者服务器。
本应用使用 Apple 的 PHPickerViewController 进行相册选择,该组件由系统提供,照片选择过程发生在您的设备上,无需授予应用完整相册访问权限。
3数据存储与加密
- 所有导入的照片和视频存储于应用沙盒目录,受 iOS 系统级沙盒保护,其他应用无法访问。
- 媒体文件采用 AES-256-GCM 算法分块加密(每块 4MB),全程不产生未加密的临时文件。
- 加密密钥由 PBKDF2-SHA256(100,000 次迭代)从您的密码派生,仅在解锁时保存在内存中,锁定后立即清除。
- 每个空间使用独立的随机盐值,防止彩虹表攻击。
- 所有文件还受 iOS 文件保护(
FileProtection.complete)额外保护,设备锁定后操作系统拒绝任何读取请求。 - 缩略图缓存仅保存在设备本地,不会同步到 iCloud 或任何外部服务。
开发者无法访问您的数据:媒体文件和元数据均在设备上加密,即便开发者能物理接触到设备,也无法在不知道密码的情况下读取任何内容。
4iCloud 同步
- iCloud 同步为可选功能,默认关闭,需在设置中主动开启。
- 开启后,媒体文件在上传前已完成 AES-256-GCM 加密,Apple 服务器上存储的是密文,无法读取原始内容。
- 数据存储在您的个人 iCloud Drive 中,开发者没有任何途径访问您的 iCloud 存储。
- iCloud 数据传输和存储受 Apple 隐私政策约束:apple.com/legal/privacy。
- 您可随时在应用设置中关闭 iCloud 同步,并选择是否删除已同步到云端的数据。
5数据归档与导出
- 归档功能允许您将媒体资源打包为 .ppa 格式的归档文件,方便备份和跨设备迁移。
- 加密归档使用您设置的密码进行 AES-256-GCM 加密,未经正确密码无法解密。
- 归档文件的导出和分享完全由您控制,本应用不会自动上传或分享任何归档文件。
- 请妥善保管归档密码,忘记密码将导致归档文件永久无法访问,我们无法提供恢复。
6崩溃日志与分析
- 本应用集成了 Firebase Crashlytics 用于收集崩溃日志,以改善应用稳定性。
- 崩溃报告默认关闭,仅在您主动启用后才会收集数据。
- 崩溃日志仅包含技术性错误信息,具体如下:
| 包含内容 | 不包含内容 |
|---|---|
| 崩溃时的调用堆栈(匿名) | 您的照片或视频 |
| 设备型号(如 iPhone 15) | 您的密码或密钥 |
| iOS 版本号 | 任何个人身份信息 |
| 应用版本号 | 位置信息 |
| 崩溃发生时间(UTC) | 媒体文件名称或路径 |
- 崩溃日志数据由 Google Ireland Limited(爱尔兰都柏林)处理,可能传输至美国,受 Google 数据处理条款和欧盟标准合同条款(SCCs)保护。
- 您可随时在应用设置中关闭崩溃报告,已收集的数据将在 90 天后自动删除。
7我们不收集的数据
为明确起见,本应用从不收集以下数据:
- 广告标识符(IDFA / IDFV)
- 精确或模糊地理位置
- 联系人信息
- 浏览历史或搜索记录
- 设备上安装的其他应用列表
- 用户行为分析数据(页面停留时长、点击路径等)
- 健康或生物特征数据
- 财务或支付信息
- 您的媒体文件缩略图、预览或任何内容
本应用已通过 Apple 隐私清单审查(PrivacyInfo.xcprivacy),声明的数据访问类型仅限于:崩溃数据(可选)、文件时间戳读取、磁盘空间查询,以及 UserDefaults 用于保存应用偏好设置。
8Cookie 与追踪技术
本应用是原生 iOS 应用,不使用浏览器 Cookie 或任何网络追踪技术(Web Beacon、像素追踪、指纹识别等)。我们也不进行跨应用或跨网站追踪。
本应用的隐私清单中 NSPrivacyTracking 字段值为 false,即明确声明本应用不追踪用户。
9数据处理的法律依据(GDPR)
对于欧盟/欧洲经济区用户,以下是我们处理数据的法律依据:
| 处理活动 | 法律依据 | GDPR 条款 |
|---|---|---|
| 相册访问权限 | 您的明确同意 | 第 6(1)(a) 条 |
| 密码哈希存储 | 履行合同(提供核心功能) | 第 6(1)(b) 条 |
| iCloud 同步(可选) | 您的明确同意 | 第 6(1)(a) 条 |
| 崩溃日志收集(可选) | 您的明确同意 | 第 6(1)(a) 条 |
| 应用偏好设置存储 | 履行合同(提供核心功能) | 第 6(1)(b) 条 |
您可随时撤回同意,撤回不影响撤回前基于同意的处理活动的合法性。
10您的数据权利
根据适用法律(包括 GDPR、LGPD 等),您享有以下权利:
- 访问权:了解我们是否处理您的个人数据。由于我们不在服务器收集数据,此权利已自动满足。
- 更正权:您可在应用内直接修改标签、分类等元数据。
- 删除权(被遗忘权):可随时在应用内删除照片和视频;卸载应用将删除全部本地数据;也可在设置中清除 iCloud 数据。
- 限制处理权:可随时关闭 iCloud 同步和崩溃报告功能。
- 数据可携权:使用归档功能可将所有数据导出为标准归档文件。
- 反对权:如有异议,可通过下方联系方式与我们沟通。
- 撤回同意权:可在系统设置中撤回相册权限,在应用内关闭 iCloud 同步和崩溃报告。
- 自动决策豁免权:本应用不进行任何自动化决策或用户画像。
如需行使上述权利,请通过下方联系方式与我们联系,我们将在 30 天内回复。
11加州居民权利(CCPA/CPRA)
如果您是加利福尼亚州居民,根据《加州消费者隐私法案》(CCPA)及其修正案(CPRA),您还享有以下权利:
- 知情权:了解收集的个人信息类别及用途。(我们收集的唯一可选数据是崩溃日志中的技术信息,详见第 6 节。)
- 删除权:要求删除我们持有的您的个人信息(关闭崩溃报告后,现有日志将在 90 天内自动删除)。
- 更正权:要求更正不准确的个人信息。
- 选择退出销售/共享权:我们不出售、不共享您的个人信息用于任何商业目的,此权利已自动满足。
- 限制使用敏感个人信息权:我们不收集任何敏感个人信息。
- 非歧视权:无论您是否行使上述权利,我们均向您提供相同质量和价格的服务。
如需行使 CCPA 权利,请发送邮件至 pprun2026@gmail.com,邮件主题注明"CCPA 权利请求"。我们将在 45 天内(可延长 45 天并提前告知)回复。
12第三方服务
本应用使用的第三方服务仅限于:
| 服务 | 提供商 | 用途 | 是否可选 | 隐私政策 |
|---|---|---|---|---|
| iCloud Drive | Apple Inc. | 加密数据同步与备份 | 是(默认关闭) | 查看 |
| Firebase Crashlytics | Google Ireland Limited | 崩溃日志收集(匿名) | 是(默认关闭) | 查看 |
本应用不包含任何广告 SDK、社交媒体追踪像素、用户行为分析 SDK 或第三方数据经纪服务。
13儿童隐私
- 本应用不面向 16 岁以下未成年人(欧盟地区)或 13 岁以下儿童(美国及其他地区)。
- 本应用不会有意收集未成年人的任何个人信息。
- 如您是家长或监护人,发现您的孩子在未经同意的情况下使用了本应用,请通过下方联系方式告知我们。
14数据保留
| 数据类型 | 存储位置 | 保留期限 |
|---|---|---|
| 媒体文件(照片/视频) | 设备本地沙盒 | 直到您手动删除或卸载应用 |
| 加密元数据 | 设备本地 + iCloud(如启用) | 直到您手动删除 |
| 密码哈希 | iOS 钥匙串(设备) | 直到您删除空间或卸载应用 |
| 缩略图缓存 | 设备本地缓存目录 | 应用可自动清理;卸载时删除 |
| 崩溃日志(如启用) | Firebase 服务器(美国) | 90 天后自动删除 |
本应用不在任何开发者服务器上存储您的数据,不存在服务器端数据保留问题。
15国际数据传输
- 您的媒体文件不会被传输至任何开发者服务器。
- 如您启用 iCloud 同步,数据传输受 Apple 数据处理协议和适用法律保护,Apple 可能在多个国家/地区处理和存储数据。
- 如您启用崩溃报告,技术性日志数据可能传输至位于美国的 Google 服务器,该传输依据欧盟标准合同条款(SCCs)和 Google 数据处理条款提供法律保障。
16向监管机构投诉的权利
如果您认为本应用的数据处理活动违反了适用的数据保护法律,您有权向相关数据保护监管机构投诉:
- 欧盟/欧洲经济区用户:可向您所在成员国的数据保护主管部门(DPA)投诉,各国 DPA 名单详见 欧洲数据保护委员会官网。
- 英国用户:可向信息专员办公室(ICO)投诉,网址:ico.org.uk。
- 其他地区用户:请联系您所在国家/地区的数据保护主管机构。
在提交监管投诉前,我们建议您先通过下方联系方式与我们沟通,我们承诺在收到投诉后 30 天内妥善解决问题。
17隐私政策变更
- 我们可能不时更新本隐私政策以反映功能变化或法律要求。
- 重大变更将通过应用内通知或应用更新说明告知您,并在生效前至少提前 7 天通知。
- 您在变更生效后继续使用本应用,即表示您接受更新后的隐私政策。
- 建议您定期查看本页面以了解最新内容。
18联系我们
如您对本隐私政策有任何疑问、意见或需要行使数据权利,请通过以下方式联系我们:
PP Album Privacy Policy
Updated: April 9, 2026 | Effective: April 9, 2026
📋 Core Commitment — In Plain English
- All photos and videos are stored only on your device or in your own iCloud Drive — developers cannot access them.
- We do not collect, upload, or sell any personal data or media files.
- Crash reporting is off by default and never includes personal data or media content.
- All media files are protected with AES-256-GCM military-grade encryption.
- You can delete all data at any time; uninstalling the app completely wipes local storage.
1Information Collection
- The App does not actively collect any personally identifiable information (name, phone number, email, biometric data, etc.).
- The App does not collect device identifiers (IDFA/IDFV), precise location data, or browsing history.
- All data required for App functionality is stored in the local sandbox on your device, inaccessible to the developer.
- Passwords are hashed and stored by the iOS Keychain in encrypted form; the developer cannot retrieve your plaintext password.
2Photo Library Access
- The App requires photo library access solely to import photos and videos you actively select into encrypted storage.
- The App only reads photo library content when you explicitly initiate an import — it does not scan or access other content in the background.
- After import, originals remain in your system photo library. The App does not modify or delete any system library content.
- You may revoke photo library access at any time in iOS Settings. Existing imported content is unaffected.
- If you use the Share Extension to send photos or videos from other apps into the App, only the items you explicitly share in that action are processed and written to encrypted local storage. This does not grant us any additional access, and nothing is uploaded to developer servers.
The App uses Apple's PHPickerViewController for photo selection — a system component that lets you choose photos without granting the App full library access.
3Data Storage & Encryption
- All imported media is stored in the App's sandbox directory, protected by iOS system sandboxing.
- Files are encrypted in 4 MB chunks using AES-256-GCM. No unencrypted temporary files are created during the process.
- Encryption keys are derived from your password using PBKDF2-SHA256 (100,000 iterations) and held in memory only while the App is unlocked — cleared immediately on locking.
- Each space uses an independent random salt to prevent rainbow table attacks.
- Files are further protected by iOS
FileProtection.complete— the OS denies all read requests when the device is locked. - Thumbnail caches are stored locally only and are never synced externally.
Developer access is technically impossible: All media and metadata are encrypted on-device; even physical access to your device reveals nothing without your password.
4iCloud Sync
- iCloud sync is an optional feature, disabled by default.
- When enabled, files are AES-256-GCM encrypted before upload — Apple's servers store ciphertext only.
- Data is stored in your personal iCloud Drive; the developer has no access to your iCloud storage.
- iCloud transfers and storage are governed by Apple's Privacy Policy: apple.com/legal/privacy.
- You can disable iCloud sync at any time in the App's settings, with the option to delete existing synced data.
5Archive & Export
- The archive feature lets you package media into .ppa format archive files for backup and cross-device migration.
- Encrypted archives use AES-256-GCM with your chosen password and cannot be decrypted without it.
- Export and sharing of archive files is entirely under your control; the App never automatically uploads or shares archive files.
- Please keep archive passwords safe. Forgotten passwords result in permanently inaccessible archives — recovery is not possible.
6Crash Analytics
- The App integrates Firebase Crashlytics for crash log collection to improve stability.
- Crash reporting is disabled by default and only activates after you explicitly enable it in Settings.
- Crash logs contain only technical error information:
| What's Included | What's Never Included |
|---|---|
| Anonymous crash stack traces | Your photos or videos |
| Device model (e.g., iPhone 15) | Your passwords or keys |
| iOS version number | Any personal identity information |
| App version number | Location data |
| Crash timestamp (UTC) | File names or paths |
- Crash log data is processed by Google Ireland Limited (Dublin, Ireland) and may be transferred to the United States, safeguarded by EU Standard Contractual Clauses (SCCs).
- You may disable crash reporting at any time. Collected data is automatically deleted after 90 days.
7Data We Don't Collect
For the avoidance of doubt, the App never collects:
- Advertising identifiers (IDFA / IDFV)
- Precise or approximate location data
- Contact information
- Browsing history or search records
- List of apps installed on your device
- User behavior analytics (time-on-screen, tap paths, etc.)
- Health or biometric data
- Financial or payment information
- Thumbnails, previews, or content of your media files
The App has passed Apple's Privacy Manifest review (PrivacyInfo.xcprivacy). Declared API access types are limited to: crash data (opt-in), file timestamps, disk space queries, and UserDefaults for app preferences.
8Cookies & Tracking
This is a native iOS application. It does not use browser cookies or any web-based tracking technology (web beacons, tracking pixels, fingerprinting). We also do not perform cross-app or cross-site tracking.
The App's privacy manifest sets NSPrivacyTracking to false, explicitly declaring that the App does not track users.
9Legal Basis for Data Processing (GDPR)
For users in the EU/EEA:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Photo library access | Your explicit consent | Art. 6(1)(a) |
| Password hash storage | Contractual necessity (core functionality) | Art. 6(1)(b) |
| iCloud sync (optional) | Your explicit consent | Art. 6(1)(a) |
| Crash log collection (optional) | Your explicit consent | Art. 6(1)(a) |
| App preference storage | Contractual necessity (core functionality) | Art. 6(1)(b) |
You may withdraw consent at any time without affecting the lawfulness of prior processing.
10Your Data Rights
Under applicable law (GDPR, LGPD, and others), you have the right to:
- Access: Know whether we process your personal data. Since we collect no data server-side, this is automatically satisfied.
- Rectification: Correct tags, categories, and metadata directly within the App.
- Erasure: Delete any media within the App; uninstall to wipe all local data; clear iCloud data in Settings.
- Restriction of Processing: Disable iCloud sync and crash reporting at any time.
- Data Portability: Export all data as archive files using the archive feature.
- Objection: Contact us and we will address your concern promptly.
- Withdraw Consent: Revoke photo library access in iOS Settings; disable iCloud sync and crash reporting in-app.
- Automated Decision-Making Exemption: The App performs no automated decision-making or profiling.
To exercise these rights, contact us at the address below. We respond within 30 days.
11California Residents' Rights (CCPA/CPRA)
California residents have additional rights under CCPA and CPRA:
- Right to Know: Know what categories of personal information we collect. (The only optional data we collect is anonymous technical crash logs — see Section 6.)
- Right to Delete: Request deletion of your personal information. (Crash logs auto-delete within 90 days of disabling crash reporting.)
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information — this right is automatically honored.
- Right to Limit Sensitive Personal Information: We collect no sensitive personal information.
- Right to Non-Discrimination: We provide the same service regardless of whether you exercise these rights.
To exercise CCPA rights, email pprun2026@gmail.com with "CCPA Rights Request" in the subject. We respond within 45 days (extendable by 45 days with prior notice).
12Third-Party Services
| Service | Provider | Purpose | Optional | Privacy Policy |
|---|---|---|---|---|
| iCloud Drive | Apple Inc. | Encrypted data sync & backup | Yes (off by default) | View |
| Firebase Crashlytics | Google Ireland Ltd | Anonymous crash log collection | Yes (off by default) | View |
The App contains no advertising SDKs, social media tracking pixels, behavioral analytics SDKs, or data broker integrations.
13Children's Privacy
- The App is not intended for individuals under 16 (EU) or 13 (US and other regions).
- We do not knowingly collect any personal information from minors.
- If you are a parent or guardian and believe your child has used the App without consent, please contact us.
14Data Retention
| Data Type | Storage Location | Retention Period |
|---|---|---|
| Media files | Local device sandbox | Until manually deleted or App uninstalled |
| Encrypted metadata | Local + iCloud (if enabled) | Until manually deleted |
| Password hash | iOS Keychain (device) | Until space deleted or App uninstalled |
| Thumbnail cache | Local cache directory | App may auto-clean; deleted on uninstall |
| Crash logs (if enabled) | Firebase servers (US) | Auto-deleted after 90 days |
The App stores no data on any developer server, so there is no server-side data retention.
15International Data Transfers
- Your media files are never transferred to any developer server.
- If iCloud sync is enabled, transfers are governed by Apple's Data Processing Agreement.
- If crash reporting is enabled, technical logs may be transferred to Google servers in the US, safeguarded by EU Standard Contractual Clauses (SCCs).
16Right to Lodge a Complaint
You have the right to lodge a complaint with the relevant supervisory authority:
- EU/EEA users: Contact your national Data Protection Authority. Full list at edpb.europa.eu.
- UK users: Contact the ICO at ico.org.uk.
- Other regions: Contact your local data protection authority.
We encourage you to contact us first at pprun2026@gmail.com. We commit to responding within 30 days.
17Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in features or legal requirements.
- Material changes will be communicated via in-app notification or App release notes at least 7 days before taking effect.
- Continued use after the effective date constitutes acceptance of the updated Policy.
- We recommend periodically reviewing this page.
18Contact Us
For questions about this Privacy Policy, or to exercise your data rights:
PP Album — Privacy Contact
Emailpprun2026@gmail.com
ResponseWithin 30 calendar days (45 days for CCPA requests)
Languages中文, English