What Loccali is, and what this policy covers
Loccali is a Shortcuts companion that runs on iPhone, iPad, and — as of version 1.2.0 — natively on Mac. It lets you store typed values (strings, integers, booleans, decimals, dates, locations, arrays, and files) and read or write them from any Apple Shortcut. The values themselves live on your device and in your private iCloud database. This policy describes the much smaller slice of data that leaves your device: anonymous analytics, crash diagnostics, in-app purchase events, and the signals AdMob collects to serve ads on the free tier of iPhone and iPad (Mac never loads ads).
Who is responsible
The data controller is Pierre Janineh. For any privacy question or data request, write to loccali@pierrejanineh.com — that inbox is monitored personally and replies usually come within a week.
What Loccali sends off your device
Three sources, each with a narrow scope:
- Firebase Analytics receives anonymous product-usage events: how often the app is opened, which screens are viewed, which Shortcut intents fire (create, edit, read, remove), the type of variable involved (string, integer, etc.), in-app purchase attempts and successes, ad-funnel steps, and CloudKit sync outcomes. Variable names that you type are included as an event parameter so I can see, in aggregate, what kinds of names people pick — the values you store are never sent. A Firebase-assigned installation ID accompanies each event; it is not linked to your name, email, or Apple ID.
- Firebase Crashlytics receives a stack trace and minimal device fingerprint (model, OS version, locale) when the app crashes or hits a logged error.
- Google AdMob loads rewarded interstitial ads on the free tier of iPhone and iPad. The Mac build excludes the AdMob SDK entirely — Mac users on the free tier reach the same daily action quota but never see an ad. On iOS, AdMob's SDK collects a device-level identifier and ad-interaction signals (impressions, clicks, completions). Loccali does not currently show an App Tracking Transparency prompt, so the system advertising identifier (IDFA) is not available to AdMob — but Apple still treats AdMob's collection as tracking under the App Store's definition, which is why the App Store nutrition label declares "Yes" for tracking on Device ID, Product Interaction, and Advertising Data.
What stays on your device (and in your iCloud)
The variables you create — every name, every typed value, every file you wrap as a File variable — are stored in Core Data and synced through NSPersistentCloudKitContainer to your private iCloud database. Free-tier users also have a small daily action-quota counter that syncs through iCloud key-value storage so the quota matches across iPhone, iPad, and Mac (it contains only an integer count and the date it was last reset; no variable contents). Apple operates both stores; I have no read access to them, no admin tooling that could reach them, and no copies on any server I run. Deleting a variable on one device removes it everywhere within a few seconds; deleting Loccali clears the local copy; signing out of iCloud or wiping the iCloud database clears the rest. Apple's iCloud terms govern that data — see apple.com/privacy.
Why each piece is collected
| Data | Why | |---|---| | Product-usage events | Decide which Shortcut features are worth investing in; spot regressions after a release | | Crash + error diagnostics | Reproduce and fix bugs without you having to file a report | | Ad-related signals (free tier) | Fund the free tier; measure whether the rewarded-ad funnel is healthy enough to keep relying on | | Purchase events | Confirm the StoreKit funnel works — what percentage of paywall views convert, where attempts fail |
The legal basis under GDPR Art. 6(1)(f) is legitimate interest in keeping the app stable and improvable. AdMob processing on the free tier rests on legitimate interest in funding the product. The cleanest way to opt out is purchasing Loccali Pro — that unloads the AdMob SDK entirely, so no ad-related signals are collected at all.
Who else touches the data, and on what terms
The full list of third parties is short:
- Google (Firebase + AdMob) — analytics, crash reporting, advertising. Acts as a processor for analytics and crash data; for advertising, AdMob is an independent controller that may combine the device-level identifier with signals from other apps and sites. See Google's policies at policies.google.com/privacy and policies.google.com/technologies/ads.
- Apple — iCloud (your stored variables and quota counter), StoreKit (Pro purchases), App Store distribution. Loccali Pro is sold three ways: an auto-renewable monthly subscription, an auto-renewable yearly subscription, and a one-time lifetime unlock. All three are managed entirely by Apple — billing, renewal, family sharing, refunds, and cancellation happen in App Store settings, never inside Loccali. The app sees only a verified entitlement signal (whether the user is currently entitled to Pro) plus the SKU purchased, which is logged to Firebase Analytics for funnel analysis. Users who bought the original one-time "Pro" SKU before the 1.2.0 subscription cutover keep that entitlement permanently — their receipt is the same StoreKit transaction Apple has always held; the app simply recognises the legacy product ID and grants access to every feature that existed at the cutover. New features added after the cutover are gated to current subscribers and lifetime unlocks, but no extra data is collected from legacy users to make that distinction — it is purely a local check against the receipt Apple already manages. Apple handles its own data collection per apple.com/privacy; Loccali never sees your payment card, billing address, or Apple ID.
I do not sell user data, do not run mailing lists, and do not maintain any backend that stores personal data.
How long anything is kept
- Firebase Analytics events: 14 months, then automatically deleted.
- Crashlytics records: 90 days.
- AdMob ad-serving data: governed by Google's retention defaults.
- Your variables in iCloud: until you delete them or remove the app from iCloud — there is no expiry imposed by Loccali.
Your control surface
You can:
- Delete individual variables inside Loccali, which propagates through CloudKit to your other devices.
- Wipe everything at once by deleting Loccali from one device with iCloud syncing on, then signing out of iCloud or deleting the app's iCloud data via Settings → Apple ID → iCloud → Manage Storage.
- Reduce ad personalization signals via Settings → Privacy & Security → Apple Advertising → Personalized Ads (off).
- Skip ads entirely by purchasing Loccali Pro — the AdMob SDK is not loaded for Pro users.
On data subject rights under GDPR (access, rectification, erasure, portability): I do not collect any data that identifies you. There is no name, email, account, or other personal identifier on file — only an opaque Firebase installation ID that you yourself cannot read or share, and the anonymous events keyed to it. Under GDPR Art. 11(2), where the controller cannot identify the data subject, those rights only apply if you can supply enough additional information to link yourself to the data; in Loccali's case there is no realistic way for you to do that, and there is no meaningful export to produce. If you nonetheless want to discuss your data, write to loccali@pierrejanineh.com. You retain the right to lodge a complaint with your national data protection authority at any time.
Updates to this policy
When this document changes, the new version replaces the old one at this URL — there is no archive. The "last updated" date below tracks the most recent edit; substantial changes (new third-party SDK, new data category) are also called out in the next release's What's New screen so you see them in-app.
Contact
Email: loccali@pierrejanineh.com
Last updated
May 9, 2026.