docs: Privacy Policy + Play Store Data Safety + in-app link (#202) #267
What ships

- docs/PRIVACY.md: canonical Privacy Policy. Substance covers the full v1.6.x feature surface — Address Book contacts, V2 Keystore + Argon2id PIN, sync state, DAO compensation cache, GitHub Releases poll for the in-app updater, Custom Tabs hand-off for the public block explorer. Includes jurisdictional notes for GDPR and CCPA/CPRA (both essentially no-ops because no data is collected). Lists every permission the manifest declares and the specific feature each one supports.
- docs/PLAY_STORE_DATA_SAFETY.md: copy-pasteable Data Safety form answers for the Play Console. Top-level "No" for data collection, per-permission rationale table, network-access explanation, deletion paths, reviewer guidance pointing at the exact directories in the source tree they can audit. Includes the change procedure so future contributors know to keep the file in sync with the Play Console submission.
- Settings → Privacy Policy: new SettingsLinkRow in the About section. Uses Lucide.ShieldCheck (already imported in the same file), opens https://pocket-node.com/privacy via the shared Custom Tabs helper. New PRIVACY_URL constant + new `settings_privacy_policy` string resource.
- .gitignore: whitelisted the two new docs/ files alongside USER_GUIDE.md and GRANT_COMPLETION_REPORT.md.

Why pocket-node.com (not pocketnode.app)

Per the v2.0.0 launch plan, pocket-node.com is the new canonical public domain. The in-app PRIVACY_URL points there directly so the link is right out of the gate when the domain goes live. A follow-up commit will sweep the website's metadataBase and the other pocketnode.app references in the codebase.

Refs #202, #200
📝 Walkthrough

This PR adds comprehensive privacy and compliance documentation to the Pocket Node app. It introduces a Privacy Policy document detailing data handling practices, a Play Store Data Safety form describing data collection and encryption, and integrates a direct link to the privacy policy in the Android Settings interface.

Changes: Privacy and Compliance Documentation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f5933dea08
| The only network traffic the app generates is: | ||
| - Peer-to-peer libp2p connections from the embedded CKB light client to public Nervos CKB nodes. The libp2p transport in use is Noise + Yamux over TCP, which encrypts all peer-to-peer traffic. | ||
| - HTTPS to GitHub's public Releases API for the optional in-app updater. | ||
| - HTTPS to public CKB block explorers when the user taps a transaction or block link. |
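Review bot: the peer-to-peer bullet states that Noise + Yamux encrypts the libp2p traffic but, unlike the GitHub bullet in PRIVACY.md ("no identifying information is sent beyond your IP address"), says nothing about what the peers themselves learn; at minimum the device's public IP address is visible to every CKB node the light client connects to, and a Data Safety reviewer will look for that statement rather than for the transport cipher. Suggest adding a clause after the Noise + Yamux sentence along the lines of "your IP address is visible to the peers you connect to, as with any peer-to-peer network".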
Correct Data Safety network-traffic disclosure
This section states that the listed three items are the app’s only network traffic, but the app also performs HTTPS calls to fiat price APIs (https://api.coingecko.com/... and fallback https://api.binance.com/...) in PriceRepository.fetchFromCoinGecko/fetchFromBinance, and that path is invoked from HomeViewModel.initializeWallet() via fetchPrice() without any separate opt-in. Shipping these incomplete statements as the Play Console source-of-truth can produce an inaccurate Data Safety submission.
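The mismatch Codex flags above (an endpoint reachable at runtime that neither disclosure document names) is the kind of thing a repository scan catches before a Data Safety form is submitted. The script below is an added example, not code from this PR or the project: it pulls hostnames out of URL literals in a source tree and reports every host the disclosure does not list. The sample sources are constructed stand-ins (the PriceRepository and updater file names mirror the review thread, the GitHub `OWNER/REPO` path is a placeholder), and the disclosed-host set is my reading of the two docs: `api.github.com` for the Releases API and `pocket-node.com` for the policy URL, with explorer links left out because Custom Tabs opens are browser traffic rather than requests the app makes itself.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")

# Hosts the PR's privacy docs disclose (assumption drawn from the docs as
# quoted in the review: GitHub Releases API + the policy URL). Explorer links
# open via Custom Tabs, so they are not the app's own HTTPS traffic.
DISCLOSED_HOSTS = {"api.github.com", "pocket-node.com"}

# Constructed sample sources standing in for a checkout; not real project files.
SAMPLE_SOURCES = {
    "data/update/UpdateRepository.kt":
        'val RELEASES = "https://api.github.com/repos/OWNER/REPO/releases/latest"',
    "data/price/PriceRepository.kt":
        'val GECKO = "https://api.coingecko.com/api/v3/simple/price?ids=ckb"\n'
        'val BINANCE = "https://api.binance.com/api/v3/ticker/price"',
    "ui/screens/settings/SettingsScreen.kt":
        'const val PRIVACY_URL = "https://pocket-node.com/privacy"',
}

def extract_hosts(text):
    """Return the lower-cased hostname of every URL literal found in text."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def audit_sources(sources, disclosed):
    """Map each host the disclosure does not name to the files that use it.
    Only literal URLs are seen; hosts assembled at runtime need a manual look."""
    found = {}
    for path, text in sources.items():
        for host in extract_hosts(text):
            found.setdefault(host, set()).add(path)
    return {h: sorted(p) for h, p in sorted(found.items()) if h not in disclosed}

def scan_tree(root, suffixes=(".kt", ".kts", ".java", ".xml")):
    """Build the {relative_path: text} mapping audit_sources expects from disk."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="ignore")
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}

if __name__ == "__main__":
    # On a real checkout: audit_sources(scan_tree("android/app/src"), DISCLOSED_HOSTS)
    for host, files in audit_sources(SAMPLE_SOURCES, DISCLOSED_HOSTS).items():
        print(f"undisclosed host {host} referenced in {', '.join(files)}")
```

Run against the sample it reports `api.binance.com` and `api.coingecko.com`, which is exactly the gap the review identifies; run against a checkout it gives the reviewer a concrete list to reconcile with the "only network traffic" sentence.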
| In addition, the App may connect to two specific public services if you opt in: | ||
|
|
||
| - **GitHub Releases API** to check for new versions of the App when the in-app updater is enabled. The request is a public unauthenticated read; no identifying information is sent beyond your IP address (visible to GitHub as the request origin). | ||
| - **Public CKB block explorer** when you tap a transaction or block link in the App. These open in your phone's browser via Custom Tabs; the explorer operator's privacy policy applies to that session. |
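Review bot: the explorer bullet says the links "open in your phone's browser via Custom Tabs", while PLAY_STORE_DATA_SAFETY.md lists "HTTPS to public CKB block explorers" as traffic the app itself generates; the two documents should describe this the same way, since a request the app makes directly and a page the user's browser loads are disclosed differently on the Data Safety form. The lead sentence's "if you opt in" also fits the updater toggle but not tapping a link; consider "if you use them" or describing the two cases separately.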
Include fiat-price API calls in Privacy Policy
The policy says the app may contact only two public services (GitHub Releases and block explorers) and only if the user opts in, but runtime code also calls CoinGecko/Binance for CKB/USD pricing (PriceRepository) and HomeViewModel triggers that fetch during wallet initialization. This makes the published privacy description materially inaccurate for normal app usage and should be corrected to match actual network behavior.
Actionable comments posted: 3
⚠️ Outside diff range comments (1)
docs/PRIVACY.md (1)
104-105: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Use a single canonical authority statement.
Line 104 says both copies are authoritative, which can create legal ambiguity if they ever diverge. Keep one canonical source and label the other as a mirror.
Proposed wording adjustment
-This Privacy Policy is also published at [pocket-node.com/privacy](https://pocket-node.com/privacy) and at [docs/PRIVACY.md](https://github.com/RaheemJnr/pocket-node/blob/main/docs/PRIVACY.md) in the source repository. Either copy is the authoritative version for end users.
+This Privacy Policy is published at [pocket-node.com/privacy](https://pocket-node.com/privacy). The copy at [docs/PRIVACY.md](https://github.com/RaheemJnr/pocket-node/blob/main/docs/PRIVACY.md) is a repository mirror.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/PRIVACY.md` around lines 104 - 105, The paragraph in PRIVACY.md currently states both online copies are authoritative, creating ambiguity; update that sentence to designate a single canonical source (either the website URL pocket-node.com/privacy or the repository docs/PRIVACY.md) and explicitly label the other location as a mirror. Edit the sentence in the file (the paragraph referencing pocket-node.com/privacy and docs/PRIVACY.md) so it reads that the chosen source is the authoritative policy and the alternate is a mirror copy for convenience.
📒 Files selected for processing (5)
- .gitignore
- android/app/src/main/java/com/rjnr/pocketnode/ui/screens/settings/SettingsScreen.kt
- android/app/src/main/res/values/strings.xml
- docs/PLAY_STORE_DATA_SAFETY.md
- docs/PRIVACY.md
| ``` | ||
| https://pocket-node.com/privacy | ||
| ``` |
Add a language hint to the fenced code block.
This avoids markdownlint MD040 warnings.
Proposed fix
-```
+```text
https://pocket-node.com/privacy
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 62-62: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/PLAY_STORE_DATA_SAFETY.md` around lines 62 - 64, Add a language hint to
the fenced code block containing the privacy URL so markdownlint MD040 is
avoided: change the opening fence from ``` to ```text for the block that
currently contains "https://pocket-node.com/privacy" (the fenced code block in
PLAY_STORE_DATA_SAFETY.md) so the block explicitly declares its language.
| 1. **No publisher-operated servers.** Every byte the app sends leaves the device by user-initiated action (a transaction broadcast or a manual QR scan). There is no analytics endpoint, no auth server, no push notification gateway, no remote feature flag service, no remote logging. | ||
| 2. **Open source.** The reviewer can verify every Data Safety claim by reading the source at `https://github.com/RaheemJnr/pocket-node`. The light client's network traffic lives in `external/ckb-light-client/`; the in-app updater lives in `android/app/src/main/java/com/rjnr/pocketnode/data/update/`; the QR scanner lives in `android/app/src/main/java/com/rjnr/pocketnode/ui/screens/scanner/`. There is no other network code. |
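Review bot: in bullet 1, "a manual QR scan" is offered as an example of bytes leaving the device, but scanning a QR code reads data through the camera and transmits nothing; drop it from the list of outbound actions, otherwise a reviewer who follows bullet 2 to the scanner directory expecting network code will find none and the claim loses credibility. The closing "There is no other network code" is also an absolute statement that is easy to falsify and hard to keep true across releases; "The directories above contain all of the app's network code as of this version" says the same thing verifiably.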
Fix contradictory “user-initiated only” network claim.
Line 72 says every byte sent is user-initiated, but the same doc states automatic light-client peer traffic (and optional updater polling). This inconsistency can hurt Play review credibility.
Proposed wording adjustment
-1. **No publisher-operated servers.** Every byte the app sends leaves the device by user-initiated action (a transaction broadcast or a manual QR scan). There is no analytics endpoint, no auth server, no push notification gateway, no remote feature flag service, no remote logging.
+1. **No publisher-operated servers.** The app communicates directly with public CKB peers for wallet functionality, and optionally with public services explicitly described above (GitHub Releases API, explorer links). There is no analytics endpoint, no auth server, no push notification gateway, no remote feature flag service, and no remote logging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/PLAY_STORE_DATA_SAFETY.md` around lines 72 - 73, The "No
publisher-operated servers" claim conflicts with later mentions of automatic
light-client peer traffic and optional updater polling; update the first bullet
to explicitly acknowledge that while the app has no publisher-operated
analytics/auth servers, it does initiate automatic peer-to-peer traffic for the
light client and optional updater polling. Edit the "No publisher-operated
servers" bullet (and anywhere it asserts "every byte... is user-initiated") to
say user actions drive most traffic but the app also performs automatic
light-client peer networking (see external/ckb-light-client) and optional
updater polling (see the updater module under android/app/src/.../data/update),
and keep the openness note about verifiability and QR scanner code unchanged.
| All data generated by the App is stored locally on your Android device. Nothing leaves your phone unless you explicitly initiate a blockchain transaction. Locally stored data includes: | ||
|
|
Correct the data-flow claim in Line 22.
“Nothing leaves your phone unless you explicitly initiate a blockchain transaction” conflicts with your own documented peer sync/update-check/explorer flows. This overclaim can create disclosure mismatch risk.
Proposed wording adjustment
-All data generated by the App is stored locally on your Android device. Nothing leaves your phone unless you explicitly initiate a blockchain transaction. Locally stored data includes:
+All data generated by the App is stored locally on your Android device. The app performs network communication only as described in the “Network communications” section (peer sync, optional update checks, optional explorer opens). Locally stored data includes:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/PRIVACY.md` around lines 22 - 23, Replace the overbroad sentence
"Nothing leaves your phone unless you explicitly initiate a blockchain
transaction" with a precise statement that acknowledges background network
operations used by the app (e.g., peer sync, update checks, explorer queries).
Edit the privacy text to say that user-generated content is kept locally but
certain metadata and network requests (peer synchronization, update checks, and
optional explorer queries) may be sent or fetched automatically; mention that
explicit transactions to the blockchain are separate and require user action.
Ensure the revised sentence appears where the original claim is currently
written so readers see the corrected data-flow description.
Summary

Canonical Privacy Policy, Play Store Data Safety reference, and the in-app link from Settings to the public Privacy Policy.

`docs/PRIVACY.md`

Canonical Privacy Policy covering the v1.6.x feature surface end-to-end. Sections:

privacy@pocket-node.com

The doc is also the source the website's `/privacy` page will eventually render from (sync mechanism mirrors `USER_GUIDE.md`).

`docs/PLAY_STORE_DATA_SAFETY.md`

Copy-pasteable answers for the Play Console Data Safety form:

In-app link

`SettingsScreen.kt` gets a new Privacy Policy row under About → Open Source. Uses `Lucide.ShieldCheck` (already imported), opens https://pocket-node.com/privacy via the existing Custom Tabs helper. New `settings_privacy_policy` string resource.

Why `pocket-node.com` (not `pocketnode.app`)

Per the v2.0.0 launch plan, `pocket-node.com` is the new canonical public domain. The in-app `PRIVACY_URL` points there directly. A follow-up sweep will update the website's `metadataBase` and other `pocketnode.app` references.

Test plan

- `./gradlew compileDebugKotlin` succeeds
- `Lucide.ShieldCheck` icon already imported (no new import needed)
- `settings_privacy_policy` string resource present in `values/strings.xml`
- https://pocket-node.com/privacy (requires domain to be live)

Refs #202, #200, #205