ScannerOFF - Privacy Policy

Back to ScannerOFF

This Privacy Policy (hereinafter: "Policy") contains information on the processing of your personal data in connection with the use of the "ScannerOFF", operating at the Internet address scannyoai.com (hereinafter: "Application" or "App").

Any capitalized terms not otherwise defined in the Policy shall have the meaning given to them in the Terms and Conditions, available at: scanneroff.com

Personal data Controller

The Controller of your personal data is Michał Kawalec, residing at ul. Polna 5, 43-385 Jasienica, Poland, conducting an unregistered activity pursuant to Article 5(1) of the Polish Entrepreneurs' Law Act (hereinafter: "Controller").

Contact with the Controller

In all matters related to the processing of personal data, you can contact the Controller via:

e-mail - at: support@scannyoai.com;
traditional mail - at: ul. Polna 5, 43-385 Jasienica, Poland;
phone number - at the number: +48 788 303 210 (WhatsApp).

Personal data protection measures

The Controller applies modern organisational and technical safeguards to ensure the best possible protection of your personal data and guarantees that it processes them in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: "GDPR"), the Act of 10 May 2018 on the Protection of Personal Data and Other Personal Data Protection Regulations.

Information on the personal data processed

Using the Application requires the processing of your personal data by Third-Party Services: RevenueCat (payments) and Google AdMob (advertisement).


Purpose of processing	Personal data processed	Legal basis
Conclusion and performance of the Application Use Agreement	Device Identifiers: Advertising ID (IDFA on iOS / AAID on Android) and Vendor ID (IDFV). Approximate Location: Derived from IP address (used by AdMob to show ads relevant to your country/region). Purchase History: Transaction history, product IDs (e.g., "Premium_Yearly"), price, and currency (processed by RevenueCat). Transaction Identifiers: Anonymous receipt tokens and transaction IDs provided by the App Store/Google Play. Usage Data: Ad interactions (views, clicks), app launches, and session duration. Diagnostics: Crash logs and performance data related to the ad SDK or payment processing. Device Metadata: Device model, OS version, screen resolution, language settings, and carrier name. App User ID: An anonymous, randomly generated ID assigned by RevenueCat and AdMob to distinguish one device from another (even without a login).	Article 6(1)(b) of the GDPR (processing is necessary for the performance of the Account Service Agreement concluded with the data subject or to take steps to conclude it)
Purpose of processing	Personal data processed	Legal basis
Conducting a complaint procedure	Unique ID number assigned to each user after downloading the application (you can find it in the app) Name and surname of the Service Recipient (for verification with the bank account number from which the payment was made) E-mail address (for contact purposes)	Article 6(1)(c) of the GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case the following obligations: responding to a complaint – Article 7a of the Consumer Rights Act; exercising the Customer's rights resulting from the provisions on the Controller's liability in the event of non-compliance of the Physical Goods with the Sales Contract or the Object of Digital Supply with the Contract applicable to it)
Providing the above-mentioned personal data is a condition for receiving a response to the complaint or exercising the Service Recipient's rights resulting from the provisions on the Controller's liability in the event of non-compliance of the Subject of Digital Service with the Agreement applicable to him (their provision is voluntary, but the consequence of failure to provide them will be the inability to receive a response to the complaint and the exercise of the above-mentioned rights). The Controller will process the above-mentioned personal data for the duration of the complaint procedure, and in the case of exercising the above-mentioned rights of the Client – until their limitation expires.
Purpose of processing	Personal data processed	Legal basis
Conducting a verification procedure and considering appeals against decisions on dealing with unacceptable content	Unique ID number assigned to each user after downloading the application (you can find it in the app) E-mail address (for contact purposes)	Article 6(1)(c) of the GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case the following obligations: provide a mechanism for reporting inappropriate content (Article 16 of Regulation 2022/2065 on the single market for digital services and amending Directive 2000/31/EC (Digital Services Act)(hereinafter: "DSA"), (Article 20 of the DSA).
Providing the above-mentioned personal data is a condition for receiving a response to the report or exercising the User's rights under the provisions of the DSA (their provision is voluntary, but the consequence of failure to provide them will be the inability to receive a response to the report and the exercise of the above-mentioned rights). The Controller will process the above-mentioned personal data for the duration of the complaint procedure, and in the case of exercising the above-mentioned rights of the User – until their limitation expires.

Purpose of processing	Personal data processed	Legal basis
Handling queries submitted by Users	Unique ID number assigned to each user after downloading the application (you can find it in the app) E-mail address (for contact purposes) other data contained in the message to the Controller	Article 6(1)(f) of the GDPR (processing is necessary for the purpose of pursuing the legitimate interest of the Controller, in this case responding to the inquiry received)
Providing the above-mentioned personal data is voluntary, but necessary in order to receive a response to the inquiry (the consequence of failure to provide them will be the inability to receive an answer). The Controller will process the above-mentioned personal data until an effective objection is raised or the purpose of processing is achieved (whichever occurs first).

Purpose of processing	Personal data processed	Legal basis
Share Service reviews	name optionally – other data included in the Opinion	Article 6(1)(f) of the GDPR (processing is necessary for the purpose of the legitimate interest of the Controller, in this case making the Opinion available for information and promotional purposes)
Providing the above-mentioned personal data is voluntary, but necessary in order to add an Opinion (the consequence of not providing them will be the inability to add an Opinion). The Controller will process the above-mentioned personal data until an effective objection is raised or the purpose of processing is achieved (whichever occurs first).

Purpose of processing	Personal data processed	Legal basis
Fulfilling tax obligations (m.in. storing accounting documentation)	Name and surname address of residence	Article 6(1)(c) of the GDPR (processing is necessary to comply with a legal obligation to which the Controller is subject, in this case obligations under tax law)
Providing the above-mentioned personal data is voluntary, but necessary for the Controller to meet its tax obligations (the consequence of failure to provide them will be the Controller's inability to meet the above-mentioned obligations). The Controller will process the above-mentioned personal data for a period of 5 years from the end of the year in which the deadline for payment of tax for the previous year expired.

Purpose of processing	Personal data processed	Legal basis
Compliance with obligations related to the protection of personal data	name and surname contact details provided by you (e-mail address; correspondence address; telephone number)	Article 6(1)(c) of the GDPR (processing is necessary to comply with a legal obligation to which the Controller is subject, in this case the obligations resulting from the provisions on the protection of personal data)
Providing the above-mentioned personal data is voluntary, but necessary for the proper performance by the Controller of the obligations resulting from the provisions on the protection of personal data, m.in. the exercise of the rights granted to you by the GDPR (the consequence of failure to provide the above-mentioned data will be the inability to properly exercise the above-mentioned rights). The Controller will process the above-mentioned personal data until the expiry of the limitation periods for claims for violation of personal data protection regulations.

Purpose of processing	Personal data processed	Legal basis
Establishing, exercising or defending against legal claims	Name and surname E-mail address address of residence PESEL/SSN number	Article 6(1)(f) of the GDPR (processing is necessary for the purpose of pursuing the legitimate interest of the Controller, in this case establishing, investigating or defending against claims that may arise in connection with the performance of the Agreements concluded with the Controller)
Providing the above-mentioned personal data is voluntary, but necessary in order to establish, pursue or defend against claims that may arise in connection with the performance of the Agreements concluded with the Controller (the consequence of failure to provide the above-mentioned data will be the inability of the Controller to take the above-mentioned actions) The Controller will process the above-mentioned personal data until the expiry of the limitation periods for claims that may arise in connection with the performance of the Agreements concluded with the Controller.

Purpose of processing	Personal data processed	Legal basis
Analysis of your activity in the App	Date and time of the visit IP number of the device device operating system type approximate location type of web browser time spent in the App visited subpages and other actions taken within the Application	Article 6(1)(f) of the GDPR (processing is necessary for the purpose of the legitimate interest of the Controller, in this case obtaining information about your activity in the Application)
Providing the above-mentioned personal data is voluntary, but necessary in order for the Controller to obtain information about your activity in the Application (the consequence of failure to provide them will be the Controller's inability to obtain the above-mentioned information). The Controller will process the above-mentioned personal data until an effective objection is raised or the purpose of the processing is achieved.

Purpose of processing	Personal data processed	Legal basis
Application administration	IP address server date and time Web browser information Operating System Information The above data are saved automatically in the so-called server logs, each time the Application is used (it would not be possible to administer it without the use of server logs and automatic saving).	Article 6(1)(f) of the GDPR (processing is necessary for the purpose of pursuing the legitimate interest of the Controller, in this case ensuring the proper operation of the Application)
Providing the above-mentioned personal data is voluntary, but necessary to ensure the proper operation of the Application (the consequence of failure to provide them will be the inability to ensure the proper operation of the Application). The Controller will process the above-mentioned personal data until an effective objection is raised or the purpose of the processing is achieved.

Profiling

In order to create your profile for marketing purposes and direct marketing tailored to your preferences, the Controller will process your personal data in an automated manner, including profiling them – however, this will not have any legal effects on you or significantly affect your situation in a similar way.

The scope of profiled personal data corresponds to the scope indicated above in relation to the analysis of your activity in the Application.

The legal basis for the processing of personal data for the above purpose is Article 6(1)(f) of the GDPR, according to which the Controller may process personal data in order to pursue its legitimate interest, in this case to conduct marketing activities tailored to the preferences of recipients. Providing the above-mentioned personal data is voluntary, but necessary to achieve the above-mentioned purpose (the consequence of not providing them will be the Controller's inability to conduct marketing activities tailored to the preferences of recipients).

The Controller will process personal data for the purpose of profiling them until an effective objection is raised or the purpose of processing is achieved.

Recipients of personal data

The recipients of personal data will be the following external entities cooperating with the Controller:

App Store operator (Apple Distribution International Ltd. or Apple Inc.) - for processing in-app purchases and providing app distribution services;
Google Play Store operator (Google Ireland Ltd. or Google LLC) - for processing in-app purchases and providing app distribution services;
RevenueCat, Inc. - for managing subscriptions, validating receipts, and analyzing purchase data;
Google AdMob (Google Ireland Ltd. or Google LLC) - for providing advertising services and displaying personalized or non-personalized ads;
companies providing tools for analyzing activity in the Application and directing direct marketing to its users (m.in. Google Analytics);
a company providing accounting services;

In addition, personal data may also be transferred to public or private entities, if such an obligation results from generally applicable law, a final court judgment or a final administrative decision.

Transfer of personal data to a third country

In connection with the Controller's use of the services provided by Google LLC, your personal data may be transferred to the following third countries: Great Britain, Canada, USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia and Australia. The basis for the transfer of data to the above-mentioned third countries are:

in the case of the United Kingdom, Canada, Israel and Japan - a decision of the European Commission stating an adequate level of protection of personal data in each of the above-mentioned third countries;
for the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia and Australia, adequacy contractual clauses in line with the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can obtain from the Controller a copy of the data transferred to a third country.

Data subject rights

In connection with the processing of personal data, you have the following rights:

the right to be informed what personal data concerning you is processed by the Controller and to receive a copy of this data (the so-called right of access). Issuing the first copy of the data is free of charge, for subsequent copies the Controller may charge a fee;
if the processed data becomes outdated or incomplete (or otherwise incorrect), you have the right to request its rectification;
in certain situations, you can ask the Controller to delete your personal data, e.g. when:
the data will no longer be needed by the Controller for the purposes of which it has informed;
you have effectively withdrawn your consent to the processing of data - unless the Controller has the right to process the data on another legal basis;
the processing is unlawful;
the need to delete the data results from a legal obligation to which the Controller is subject;
if personal data is processed by the Controller on the basis of the consent granted to the processing or in order to perform the Agreement concluded with him, you have the right to transfer your data to another Controller;
if personal data is processed by the Controller on the basis of your consent to the processing, you have the right to withdraw this consent at any time (the withdrawal of consent does not affect the lawfulness of the processing that was carried out on the basis of consent before its withdrawal);
if you believe that the processed personal data are incorrect, their processing is unlawful, or the Controller no longer needs certain data, you can request that for a specified period of time (e.g. checking the correctness of the data or pursuing claims) the Controller does not perform any operations on the data, but only stores them;
you have the right to object to the processing of personal data based on the legitimate interest of the Controller. In the event of an effective objection, the Controller will cease to process personal data for the above-mentioned purpose;
you have the right to lodge a complaint with the President of the Office for Personal Data Protection if you believe that the processing of personal data violates the provisions of the GDPR.

Technologies Used (SDKs and Local Storage)

The Controller informs that the Application uses Software Development Kits (SDKs) and Local Storage technologies. These technologies allow the Application to function without a traditional user account by storing data directly on your device.

The Controller uses these technologies for the following purposes:

Core Functionality: To enable local document scanning, OCR processing via Google ML Kit, and to store your scanned files securely on your device.

In-App Purchases: To manage subscriptions and verify premium access via RevenueCat.

Analytics: To collect anonymous statistical data about app usage (e.g., number of scans, session length) through Google Analytics for Firebase to improve performance.

Marketing & Advertising: To display ads via AdMob and track the effectiveness of marketing campaigns on platforms like Facebook or Google.

Data Persistence: Unlike web-based session cookies, the technologies used in the Application are generally persistent. Local storage data remains on your device until you manually delete the scans or uninstall the Application. Advertising identifiers can be reset or limited in your device's privacy settings.

User Control: You can manage or withdraw consent for tracking and specific data collection through the system settings of your mobile device (e.g., App Tracking Transparency on iOS or Privacy/Ads settings on Android).

Anonymity: The data collected through these SDKs and local storage do not allow the Controller to personally identify you.

The Controller uses the following SDKs and local storage or tools using them:

TOOL	SUPPLIER	FUNCTIONS AND SCOPE OF DOWNLOADED DATA	DURATION
Necessary Local Storage, SDK's	Controller	The operation of these technologies is necessary for the proper functioning of the Application. They enable core features such as local document processing and ensure app stability. They may collect technical data (e.g., IP address, device model) to ensure secure and correct performance.	Stored for the duration of the app session or until the Application is uninstalled / local data is cleared by the user in device settings.
Google Analytics for Firebase	Google	This tool enables the collection of statistical data on the manner in which Users interact with the Application, such as app launches, session duration, and feature usage (e.g., number of scans). The data helps to improve the App performance and is not linked to any personal user account.	Up to 14 months or until the app is uninstalled.
Facebook SDK (formerly Pixel)	Meta (Facebook)	Measures the effectiveness of ads on Facebook/Instagram. It tracks app installs and specific events (like "purchase") to optimize ad targeting.	Up to 180 days or until Ad ID reset.
RevenueCat	RevenueCat, Inc.	This tool manages in-app purchases and subscriptions. It processes anonymous transaction identifiers, purchase history, and receipt validation data to unlock premium features.	As long as necessary for tax compliance or until the app is uninstalled.
AdMob	Google	Used to display advertisements. It collects advertising identifiers (IDFA/AAID), IP addresses for approximate location, and interaction data (clicks/views) to show relevant ads and prevent fraud.	Up to 2 years or until the advertising ID is reset by the user in device settings.
Google Play Services / Apple Services	Google / Apple	Necessary for the core functionality of the app (including ML Kit for scanning) and app distribution. It collects technical device metadata and OS versions to ensure app stability and updates.	Persistent for the duration of app usage.
Firebase Crashlytics	Google	Used to collect crash reports and performance data. It helps the developer identify and fix technical bugs. It collects device models and OS versions at the time of a crash.	90 days.

You can manage the scope of data processed by the Application and the access to your device's functions through the system settings of your mobile device. Specifically, you can grant or revoke permissions for the camera and local storage at any time. You can also reset or limit the use of your Advertising Identifier (IDFA/AAID) in the privacy settings. Please note that disabling essential permissions (such as camera access) will make it impossible to use the core scanning functionalities of the Application. Deleting the Application will result in the immediate removal of all locally stored documents and data.

Final provisions

To the extent not regulated by the Policy, the generally applicable provisions on the protection of personal data shall apply.

The policy is effective from March 10, 2026 r.