Who We Are
Hongi is an identity-verification mobile application developed and operated by Lovit BV, a company registered in Belgium (Asse). In this policy, "we", "our", and "us" refer to Lovit BV. For privacy enquiries, contact us at: privacy@hongi.io
1. Overview
Hongi is designed with privacy as a core principle. The app is offline-first and stores all data locally on your device. We do not maintain accounts or user profiles on our servers. Limited network features (described in Section 4) are optional and designed to minimise data exposure.
2. Data We Store Locally on Your Device
All data created by Hongi remains exclusively on your device. This includes:
- Cryptographic seed — a locally generated secret key used to derive your verification codewords. It is stored in your device's secure enclave (iOS Keychain / Android Keystore) and never leaves your device.
- Contact records — the aliases you assign to people you have paired with, stored in a local SQLite database.
- App settings — your display name, appearance preferences, and security preferences (such as whether biometric app lock is enabled), stored locally.
- Push notification token — if you opt in to verification pings, a device push token is stored locally and shared with our relay server so that your contacts can send you ping requests (see Section 4).
No account is required. No username, email address, phone number, or other personally identifiable information is collected by us.
3. Data We Do Not Collect
We do not collect:
- Analytics or usage telemetry
- Crash reports transmitted to our servers
- Location data
- Device identifiers
- Contacts from your phone's address book
- Any biometric data
4. Network Requests
The app makes the following optional network requests:
- NTP clock synchronisation — the app may contact a public Network Time Protocol (NTP) server to check your device clock accuracy. This request contains no personally identifiable data and is a standard UDP/TCP packet that does not identify you.
- Remote pairing relay — when you pair with someone who is not physically present, the app connects to our relay server to exchange ephemeral public keys. Only cryptographic public keys and your chosen display name are transmitted. The shared secret (seed) is never sent over the network. Relay sessions are short-lived and automatically deleted after expiry.
- Verification pings — if you choose to send or receive verification pings, the app registers a device push token with our relay server and uses Apple Push Notification service (APNs) or Google Firebase Cloud Messaging (FCM) to deliver ping requests. Ping payloads contain only a cryptographic nonce and a mailbox identifier — no message content, display names, or personal data. Push tokens are associated with anonymous mailbox IDs, not with user accounts.
All network features are optional. Core verification (codeword display and matching) works entirely offline.
5. Deletion of Your Data
All data is stored locally on your device. You can permanently delete all app data at any time by:
- Using Settings → Danger Zone → Delete All Data within the app, or
- Uninstalling the app from your device.
Neither action requires any interaction with our servers, because we hold no data about you.
6. Children's Privacy
Hongi is not directed at children under 13 years of age (or under 16 years of age for users in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided personal data to us, please contact us at privacy@hongi.io.
7. GDPR — Rights of EEA Users
If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). Because Hongi does not collect or process personal data on its servers, most of these rights are automatically satisfied — your data never reaches us.
Data Controller: Lovit BV, Asse, Belgium (contact: privacy@hongi.io)
Legal basis for any processing: The legal basis is legitimate interest (operating the app as intended) and, where applicable, consent (granting camera access for QR scanning, enabling push notifications, or enabling biometric app lock).
Your rights include:
- Right of access — you can view your contact list and settings within the app.
- Right to erasure — delete all data via the app's Delete All Data feature or by uninstalling.
- Right to portability — data is stored in standard formats on your device.
- Right to object — you may uninstall the app at any time.
If you have a concern about our data practices, you also have the right to lodge a complaint with your local data protection authority.
8. CCPA — Rights of California Users
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA).
- We do not sell or share your personal information with third parties.
- We do not collect personal information as defined under the CCPA.
- You may delete any locally stored data at any time by uninstalling the app or using Delete All Data in settings.
For questions, contact: privacy@hongi.io
9. Third-Party Services
Hongi does not integrate any third-party analytics, advertising, or tracking services. The app uses:
- Open-source cryptographic libraries (@noble/curves, @noble/hashes) that operate entirely on-device.
- Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) for optional verification pings, governed by Apple's and Google's respective privacy policies.
- Your device's built-in biometric authentication (Face ID, Touch ID, or fingerprint) via the operating system. Hongi never accesses, stores, or transmits biometric data — authentication is handled entirely by the OS.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document. We encourage you to review this policy periodically.
11. Contact
Company: Lovit BV
Address: Asse, Belgium
Email: privacy@hongi.io