PonderLock
A Quiet Stewardship

Privacy Policy

Last updated · May 26, 2026

This Privacy Policy describes how Turbulence Limited (“PonderLock,” “we,” “us”) collects, uses, and shares information when you use the PonderLock mobile application, this website, and related services (the “Service”). Our guiding principle is simple: collect as little as we can, keep what we must with care, and never make your attention the product.

Information we collect

We collect the following categories of information:

  • Account information. When you create an account, we collect your email address and, optionally, a display name. If you sign in with Apple or Google, we receive the identifiers those providers share with us.
  • App-usage and blocklist data. To make the Service work across your devices, we store the blocklists, schedules, and session history you create. This data is generated by your own configuration — we do not read the contents of the apps or websites you block.
  • Analytics and crash reports. We use Google Analytics to collect aggregated, de-identified information about how the Service is used — for example, which screens are opened, how long sessions last, approximate location derived from IP, device and browser type, and when a session fails — so that we can improve reliability and features. Where supported, we enable IP anonymization and disable advertising features in Google Analytics.
  • Purchase and subscription data. When you subscribe through the Apple App Store or Google Play, Apple or Google handles payment. We receive limited information from them and from RevenueCat — such as a subscription identifier, entitlement status, and country — so we can grant access to paid features.
  • Support correspondence. If you email us, we keep your message and our reply so we can help and keep a record of the conversation.

Family Controls and Screen Time on iOS

PonderLock uses Apple’s Family Controls framework — the public API behind Screen Time — to apply the shields and timers you choose for yourself. We use the framework solely for individual self-control on your own device. PonderLock does not act as an MDM tool, does not supervise minors, and does not connect a parent device to a child device. Authorization is requested as .individual and is granted by you, on your device.

The specific APIs we use, and what each one does:

  • FamilyActivityPicker — Apple’s system sheet that lets you pick the apps, categories, and web domains you want to gate. We only ever see the opaque tokens Apple returns; we never receive the real bundle identifiers, app names, or icons of the apps you pick.
  • ManagedSettings (ManagedSettingsStore) — used to apply the shield to the tokens you selected, and to clear or temporarily lift it when you choose to proceed after a Ponder Prompt.
  • DeviceActivity — used to receive a callback when a shielded app is launched so the companion Shield Action Extension can surface the Ponder Prompt, and to schedule the re-apply when a temporary unlock window expires.
  • Shield Action Extension — renders the “Pause to Ponder” shield itself. It runs in its own sandboxed extension process and reads only the friendly labels you saved in PonderLock’s App Group container.

Tokens stay on your device. The opaque ApplicationToken, ActivityCategoryToken, and WebDomainTokenvalues returned by the FamilyActivityPicker live in PonderLock’s App Group container (group.com.ponderlock.shared) and are read only by the main app and the Shield Action Extension. They are never transmitted to our servers, RevenueCat, Supabase, Google Analytics, or any other third party.

What we do receive from your blocking activity is limited to a small event log row when you interact with the Ponder Prompt — the identifier-shape (a short, app-readable string like Instagram that you saved alongside the token), the action you took (walked away or proceeded), and a timestamp. We use those events only to render your own history inside PonderLock and to improve the prompt copy over time. We do not log the contents of the apps you open, the URLs you visit, or anything beyond the choice you made on the shield.

You can revoke Family Controls authorization at any time in Settings → Screen Time → See All Activity → PonderLock, which immediately stops every shield. Reinstalling PonderLock or signing out also clears the on-device tokens.

Accessibility Service on Android

The Android equivalent of Family Controls is the Accessibility Service. PonderLock uses it for one purpose only: to detect when you launch an app on your block list, so the Ponder Prompt overlay can appear before that app is shown. The service reads only the foreground package name from TYPE_WINDOW_STATE_CHANGED events. It does not read screen content, keystrokes, form fields, passwords, or messages, and it does not record, upload, or transmit on-screen information off your device. You can revoke the permission at any time in Settings → Accessibility → PonderLock.

How we use your information

We use the information above to:

  • provide, maintain, and sync the Service across your devices;
  • authenticate you, protect your account, and prevent abuse of the Service;
  • grant access to paid features and handle renewals, refunds, and billing disputes through our payment providers;
  • diagnose bugs and crashes, and understand which features are useful so we can make the Service better;
  • communicate with you about the Service, including important updates to these policies;
  • comply with legal obligations.

We do not sell your personal information, and we do not use it for advertising.

Legal bases (for users in the EEA / UK)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases: performance of our contract with you (to operate the Service and provide what you subscribed to), our legitimate interests (to secure the Service, prevent abuse, and improve reliability), your consent where we ask for it, and compliance with legal obligations.

Service providers we rely on

We share information with a small set of service providers who process it on our behalf under contractual commitments:

  • Supabase — authentication and encrypted storage of your account and blocklist data.
  • RevenueCat — subscription management and entitlement status, sitting in front of Apple and Google in-app purchases.
  • Apple and Google — app distribution and payment processing under their own privacy policies.
  • Google Analytics (Google LLC) — aggregated product analytics and crash telemetry. Google processes this data under its own privacy policy, and you can opt out via the Google Analytics opt-out browser add-on.

We may also share information when required by law, to enforce our Terms, or to protect the rights, safety, or property of PonderLock or others.

International data transfers

PonderLock is operated by Turbulence Limited, and the providers above may process data in countries other than the one you live in. Where required, we rely on appropriate transfer mechanisms — such as the European Commission’s Standard Contractual Clauses — to protect your information when it crosses borders.

How long we keep your information

We keep account and blocklist data for as long as your account is active. If you delete your account, we delete or anonymize your personal information within a reasonable period, except where we are required to keep it for legal, tax, or fraud-prevention reasons. Aggregated or de-identified analytics data may be retained indefinitely.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information; to object to or restrict certain processing; and to withdraw consent where processing is based on it. You can exercise these rights by emailing us at hello@ponderlock.com. We will respond within the timeframe required by applicable law.

Children’s privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.

Security

We use reasonable technical and organizational measures to protect your information, including encryption in transit, access controls, and vendor due diligence. No system is perfectly secure, and we cannot guarantee absolute security — if we learn of a breach affecting you, we will notify you as required by law.

Changes to this Policy

We may update this Privacy Policy from time to time. If changes are material, we will update the “Last updated” date above and, where appropriate, notify you in-app or by email.

Contact

Questions, concerns, or requests about your information? Write to hello@ponderlock.com.