Privacy Policy

Effective: 19 May 2026 · Last updated: 19 May 2026

ScanSmart is a document scanner app for Android. We try to keep things simple: what stays on your device, stays on your device, and what we do need to know about you is only what's required to run the service.

1. Who we are

"ScanSmart," "we," or "us" refers to the developer of the ScanSmart application. For privacy questions or any of the rights described below, contact us at support@scansmart.app.

2. What data we collect

2.1 If you use the app in Guest mode

You can use ScanSmart without creating an account. In Guest mode:

• All scanned documents, folders, OCR text, and preferences are stored only on your device.
• We do not collect your name, email, location, contacts, device identifiers, advertising IDs, or analytics events.
• Standard server access logs may be recorded on our backend (IP address, timestamp) only if your device contacts us — e.g. for a software update check.

2.2 If you create an account

Signing in lets you keep your scans across devices. When you register, we collect:

• Email address — used to sign you in, send a welcome email, and send password-reset links.
• Display name — optional; shown only inside the app on your own device.
• Password — stored as a one-way bcrypt hash. We can never see your plaintext password. If you sign in with Google, we don't store a password at all.
• Documents you create — scanned images and their metadata (titles, folders, dates, OCR text) may be sent to our servers so you can access them from other devices.

2.3 What we do NOT collect

We do not collect: location data, contacts, calendar, microphone audio, advertising identifiers, browsing history, device fingerprints, or any data from other apps on your device. We do not use third-party analytics, ad networks, or trackers in v1.

3. Why we collect it

• Authentication and account management — to sign you in and keep your session.
• App functionality — to store and retrieve your scanned documents if you opt into cloud backup.
• Transactional email — welcome, password-reset, and (rarely) important account notices.
• Security and abuse prevention — short-lived logs help us detect and block automated abuse.

We do not sell your personal information, and we do not share it with advertisers.

4. Where your data lives

We use a small number of third-party providers to run the service. Each one only sees the data needed for its role.

• Render (United States) — hosts our backend API. Personal data and document metadata are stored in a managed PostgreSQL database.
• Cloudinary (United States / EU) — stores scanned-document images if you opt into cloud backup. Images are referenced by an opaque ID.
• Google — provides "Sign in with Google" (if you choose it) and the on-device ML Kit components that perform document detection and OCR. ML Kit runs entirely on your device; nothing is sent to Google for OCR.
• Resend — delivers our transactional emails (welcome, password reset). Resend receives only the recipient address and the email body.

If you are in the European Economic Area, the United Kingdom, or another region with data-export rules, please note that your data may be transferred to and stored in the United States. Each provider above offers standard contractual clauses or equivalent safeguards.

5. How long we keep it

• Account information and documents are kept for as long as your account is active.
• When you delete your account from within the app, we mark it for deletion and permanently remove your account, documents, and metadata after a 30-day grace period (so accidental deletions can be reversed by contacting support).
• Password-reset tokens expire automatically 15 minutes after they are issued.
• Routine server logs are retained for up to 30 days for security and debugging, then deleted.

6. Your rights

You can:

• Access your data — every document, folder, and OCR result is visible inside the app.
• Export any document as PDF or JPEG from the app's share sheet.
• Correct your display name or change your password from Settings → Account.
• Delete your account and all associated data from Settings → Account → Delete Account.
• Withdraw consent at any time by deleting your account, after which we no longer process your personal data.

If you are in the EEA, UK, or California, you may also have additional rights under the GDPR / UK GDPR / CCPA, including the right to lodge a complaint with your local data-protection authority. Contact us at support@scansmart.app and we will assist.

7. Security

All connections between the app and our servers use HTTPS / TLS. Passwords are hashed with bcrypt. Authentication uses short-lived JSON Web Tokens. Our infrastructure providers use industry-standard encryption at rest. No system is perfectly secure, but we treat your data with the care we would want for our own.

8. Children

ScanSmart is not directed at children under 13 (or under 16 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.

9. Changes to this policy

If we make a material change, we will update the "Last updated" date at the top of this page and, where appropriate, notify you in-app or by email. Continued use of ScanSmart after the change means you accept the updated policy.

10. Contact

Questions, requests, or complaints: support@scansmart.app.