← Back to Sortify
Privacy

Sortify Privacy Policy

Last updated: 16 June 2026 Effective date: 16 June 2026


Who We Are

This Privacy Policy is published by MokingBird Oy, a company registered in Finland. Sortify is a product and registered brand of MokingBird Oy.

In this Privacy Policy, "Sortify", "we", "our", and "us" refer to MokingBird and the Sortify brand and service operated by MokingBird Oy.

For privacy-related questions or requests, contact us at: [email protected]


Introduction

Sortify is a local-first workspace and shared inventory memory application. We built Sortify with privacy at its core: your operational inventory data lives on your device, not on our servers. This Privacy Policy explains what personal data we process, why, how, and what rights you have under applicable law — including the General Data Protection Regulation (GDPR) as it applies in Finland and the European Economic Area.

Please read this policy carefully before using Sortify. By using the app or any Sortify-related service, you acknowledge that you have read and understood this Privacy Policy.


1. What Sortify Is

Sortify is a privacy-first, local-first inventory and shared-space memory app. It helps people, families, labs, workshops, and teams organize physical items across rooms, workspaces, and shared environments.

Sortify is designed so that:


2. Data Controller

The data controller for the Sortify service is MokingBird Oy.

Sortify is a registered brand of MokingBird Oy.


3. Scope

This Privacy Policy applies to:

This policy does not apply to third-party services you connect to Sortify (for example, your Google Drive, Onedrive or Dropbox account). Those services are governed by their own privacy policies.

For example, when you connect a Google account for Google Drive sync, Google's own privacy policy and account permissions also apply. Sortify's use and transfer of information received from Google APIs is intended to comply with the Google API Services User Data Policy, including the Limited Use requirements where applicable. This is applicable also to Onedrive and Dropbox


4. Categories of Personal Data We Collect

4.1 Account and Registration Data

Depending on how you sign in, we may process:

We support the following sign-in methods: email and password (credentials managed by Firebase — we do not store your plaintext password), passwordless email link, Google Sign-In, Microsoft Sign-In, and Apple Sign-In (iOS only).

4.2 Guest-Mode Data

If you use Sortify without registering, we may store limited local data on your device, such as:

Guest data remains local to your device and is not transmitted to MokingBird.

4.3 Workspace and Collaboration Data

When you create or participate in a workspace, Sortify may process:

4.4 Inventory and Operational Data

Sortify may process the following operational content that you enter:

This content is stored locally on your device. When user-owned cloud sync is enabled, it is encrypted before being uploaded to your selected cloud storage account. When Sortify Cloud or Enterprise SyncNative is enabled, changes and checkpoints are encrypted on-device before managed transport. MokingBird does not receive your plaintext inventory contents in the ordinary course of operations.

4.5 Security and Session Data

Sortify may process security-related data required to protect the app and the user session, such as:

Sortify does not intentionally store raw biometric data. Biometric verification is delegated entirely to device operating system services (iOS Keychain / Android Keystore). MokingBird receives only a success or failure signal.

4.6 Diagnostics, Analytics, and Performance Data

Sortify may process limited technical and product telemetry, including:

This telemetry is handled through Firebase services configured for Sortify, including Firebase Analytics, Firebase Crashlytics, and Firebase Performance Monitoring. Telemetry scope and controls may vary by app version, environment, and applicable law.


5. Where Data Is Stored

5.1 Authentication Data

Authentication and sign-in account data are handled through Firebase Authentication (operated by Google LLC) and your selected identity provider.

5.2 Local Device Data

Sortify stores operational data locally on the device, including:

5.3 Synced Workspace Data

When user-owned cloud sync is enabled, Sortify exports and synchronizes encrypted workspace data to Google Drive, OneDrive, or Dropbox. Sortify Cloud and Enterprise SyncNative use a separate managed encrypted-event and checkpoint transport. Availability of a provider or managed workspace type may vary by app version, account entitlement, organization, region, and backend configuration.

Workspace sync files are encrypted before upload. MokingBird does not receive plaintext workspace contents in the ordinary course of operating Sortify. To support account/device recovery, Sortify may store encrypted key envelopes in Firebase/Firestore, including an encrypted account master key envelope and encrypted per-workspace key envelopes for authorized members. These envelopes are not plaintext workspace keys. They are designed to be decrypted only on the user's device after the user proves account identity and provides the applicable account password or recovery password. MokingBird does not store that password in plaintext and cannot use Firebase Authentication alone to decrypt encrypted workspace files.

For Sortify Cloud and Enterprise SyncNative workspaces, Firebase/Firestore stores safe routing and coordination metadata plus encrypted event/checkpoint payloads. Optional managed photo sync stores compressed, device-encrypted image ciphertext in Firebase Storage and stores only ciphertext references, checksums, sizes, compression profile, actor ID, and timestamps in Firestore. Allowed metadata includes workspace IDs, member IDs, roles, event sequence numbers, device IDs, timestamps, sync cursors, checkpoint generation, organization references, and billing/entitlement flags. It must not contain plaintext item names, room names, locations, notes, quantities, photos, or decrypted workspace data.

Sortify Cloud and Enterprise SyncNative operate as zero-knowledge managed transport: the app encrypts workspace changes on-device, Firebase transports encrypted payloads, and authorized devices decrypt locally using workspace keys.

5.4 Google Drive OAuth and Workspace File Access

For Google Drive sync, Sortify uses Google Drive access to operate encrypted Sortify workspace files stored in the user's Google Drive account. Google Drive collaboration uses the narrower https://www.googleapis.com/auth/drive.file scope and targeted authorization of known Sortify workspace files.

Under this approach, a workspace owner creates or shares an encrypted Sortify workspace package. When a secondary member joins, Sortify may ask the user to complete a Finalize Join step. This can open Google's authorization interface so the user can grant Sortify access to the specific encrypted Sortify workspace package needed for sync. The purpose is to authorize a known Sortify workspace file, not to browse or inspect unrelated Google Drive files.

Sortify's app logic is designed to restrict Drive operations to Sortify workspace folders, workspace package files, and Sortify sync artifacts. Sortify does not intentionally scan, index, copy, sell, or analyze unrelated Google Drive content. Drive references stored by Sortify are workspace folder IDs, package file IDs, sync file IDs, and version tokens needed to synchronize encrypted workspace data.

Google Drive data used by Sortify may include:

MokingBird does not receive your plaintext Google Drive files through this integration in normal operation. The app reads and writes Sortify sync artifacts from the user's connected Google Drive account.

5.5 OneDrive OAuth and Workspace Folder Access

When OneDrive sync is enabled and used as cloud provider, Sortify uses Microsoft identity and Microsoft Graph APIs to operate Sortify workspace folders and encrypted Sortify sync files in the user's OneDrive account.

The intended OneDrive permissions are used for:

OneDrive sync data used by Sortify may include Microsoft account identity data, OAuth tokens stored in platform secure storage, OneDrive item IDs or paths, file ETags, sharing permission records, encrypted Sortify database files, and Sortify metadata files.

Sortify does not intentionally use OneDrive access to inspect unrelated OneDrive content. OneDrive operations are intended to be limited to Sortify workspace folders and Sortify sync artifacts.

Secondary member must also login to their Onedrive account to have access to Primary member's workspace who uses Onedrive as their provider. Same email address used for Sortify authentication should be used to login to the Onedrive account.

5.6 Dropbox OAuth and Shared Folder Access

When Dropbox sync is enabled and used as cloud provider, Sortify uses Dropbox OAuth and Dropbox API permissions to operate Sortify workspace folders, shared folder references, encrypted Sortify sync files, and membership-related sharing controls.

The intended Dropbox permissions are used for:

Dropbox sync data used by Sortify may include Dropbox account identity data, OAuth tokens stored in platform secure storage, workspace folder paths or shared folder IDs, file revision IDs, sharing membership records, encrypted Sortify database files, and Sortify metadata files.

Sortify does not intentionally use Dropbox access to inspect unrelated Dropbox content. Dropbox operations are intended to be limited to Sortify workspace folders and Sortify sync artifacts.

Secondary member must also login to their Dropbox account to have access to Primary member's workspace who uses Dropbox as their provider. Same email address used for Sortify authentication should be used to login to the Dropbox account.

5.7 Diagnostics and Monitoring Data

Limited diagnostics and telemetry may be transmitted to Firebase services when enabled for app operation, analytics, performance, and crash reporting.


6. How We Use Personal Data

We use personal data to:


7. Legal Bases Under the GDPR

Where the GDPR applies, our legal bases include:

Where consent is the legal basis, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.


8. How Collaboration and Invitations Work

Sortify allows workspace collaboration. A workspace owner or authorized user may:

If you are invited to a workspace:

Some shared workspaces also require cloud-provider access. This is separate from Sortify membership approval. For example, a Google Drive workspace requires access to the shared encrypted workspace package and may require the secondary user to complete Finalize Join. Optional photo sync requires separate authorization for the photo package. A no-approval Sortify invite can still require provider access if the folder or file is not yet accessible. Sortify may store approval request status, requester identity, owner decision status, provider access status, pending sync-task state, timestamps, and related notification records so the app can distinguish workspace approval, provider access, Finalize Join, and optional photo authorization.


9. Cloud Providers and Third-Party Services

Sortify may interact with the following third-party providers:

These providers operate under their own terms and privacy notices and are not controlled by MokingBird.

9.1 Google API Data Use and Limited Use

Sortify uses Google API data only to provide user-requested sign-in and Google Drive sync functionality. Specifically:

9.2 Microsoft OneDrive and Microsoft Graph Data Use

When OneDrive is used as provider, Sortify uses Microsoft Graph data only to provide user-requested OneDrive sync and collaboration functionality. Specifically:

9.3 Dropbox API Data Use

When Dropbox support is used as provider, Sortify uses Dropbox API data only to provide user-requested Dropbox sync and collaboration functionality. Specifically:


10. We Do Not Sell Personal Data

MokingBird does not sell user personal data to third parties. We do not transfer personal data to advertising networks or data brokers.


11. Data Sharing

We may share limited data only:


12. International Data Transfers

Your data may be processed outside your country or the European Economic Area depending on:

Where required by applicable law, we will rely on appropriate safeguards for international transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission.


13. Data Retention

We retain data for as long as necessary to:

Because Sortify uses local-first and user-controlled cloud storage patterns, retention of most operational data is controlled by you, not by us. Local device data remains until you delete the app or clear app data. Sync files in your cloud storage remain until you or an authorized workspace owner deletes them.

Where encrypted account/device recovery is enabled, encrypted key envelopes and recovery status metadata may be retained while your account or workspace membership is active so that authorized devices can restore access after app reinstall, device loss, or local data clearing. If account deletion offers a deletion-pending recovery window, the duration shown in the app applies. After the permanent deletion point, active recovery records and encrypted key envelopes for that account are deleted, revoked, or cryptographically shredded subject to legal, security, backup, and provider limitations.

OAuth tokens are retained on the device only as long as needed for the connected provider session, unless removed by sign-out, account deletion, app data clearing, token expiration, provider revocation, or disconnect flows supported by the app. Provider-side access grants and shared folder permissions remain subject to the provider's own controls and the workspace owner's actions.


14. Security Measures

MokingBird uses a layered security approach including:

No security system is absolute. We cannot guarantee that unauthorized access, hardware failure, or other events will never occur.


15. Your Rights Under the GDPR

As a data subject in the EEA, you have the following rights:

To exercise your rights, contact: [email protected]


16. Account Deletion and Workspace Implications

If you delete your account:


17. Children's Privacy

Sortify is not intended for children in circumstances where parental consent is legally required and has not been obtained. We do not knowingly collect personal data from children without appropriate authorization. Contact [email protected] if you believe a child has provided data without required consent.


18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, where required by law, provide additional notice. Updated versions become effective when published unless applicable law requires a different process.

The current version is always available at: https://sortify.mokingbird.xyz/privacypolicy


19. In-App Availability

An offline-readable version of this Privacy Policy is available in the Sortify app. The in-app version mirrors this policy for offline reading. The authoritative version is the one published at the URL above.


20. Contact

For privacy, data protection, or legal requests:

MokingBird Oy — Sortify Privacy Email: [email protected] Website: https://sortify.mokingbird.xyz


21. Summary

Sortify is built to help users organize shared spaces while keeping authentication secure, limiting unnecessary data collection, and storing synced workspace content in user-controlled and encrypted cloud storage rather than in a centralized MokingBird inventory database. We do not sell your data. Your inventory stays on your device and in your cloud.


Sortify is a registered brand of MokingBird Oy, Finland. Governing law: Finland (EU).