Privacy Policy
The short version: Your documents are encrypted on your device and never leave it. We do not operate servers that receive your data, we do not maintain user accounts, and we do not have the ability to access your documents.
1. Introduction
DocuScanr ("the App," "we," "us," or "our") is a privacy-first document scanning application developed by ToTheTower Labs LLC, a California-based company. This Privacy Policy explains how we handle information in connection with your use of DocuScanr. By using the App, you acknowledge that you have read and understood this Privacy Policy.
DocuScanr is designed around a core principle: your documents are encrypted on your device and never leave it. We do not operate servers that receive your data, we do not maintain user accounts, and we do not have the ability to access your documents.
This Privacy Policy is provided in compliance with the California Online Privacy Protection Act (CalOPPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR), and other applicable privacy laws worldwide.
2. Data Controller Information
For purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection laws, the data controller is:
ToTheTower Labs LLC 2108 N ST #15629 Sacramento, CA, United States Email: info@tothetowerlabs.com
We do not currently have a Data Protection Officer. If you have questions about data protection, please contact us at the email address above.
EU/UK Representative (GDPR Article 27): Because our processing is limited to privacy-scrubbed crash diagnostics containing no direct personal identifiers, and we do not engage in large-scale processing of personal data or special categories of data, we are not required to appoint an EU/UK representative under Article 27(2)(a) of the GDPR. If this changes, we will update this section with our appointed representative's contact information. In the meantime, you may direct any inquiries to our contact email above.
3. Information We Collect
3.1 Information We Do Not Collect
DocuScanr is designed to minimize data collection. We do not collect:
- Document content. All scanned documents, images, OCR text, and PDFs remain encrypted on your device.
- Usage analytics or behavioral data. We do not track how you use the App, what features you access, or how often you use them.
- Advertising identifiers. The App contains no ads and no ad-related tracking.
- Location data. We do not access your location.
- Contacts, calendar, or other personal data.
- Account credentials. There is no user account or login system.
- Biometric data. While the App supports biometric authentication for app lock, biometric processing is handled entirely by the Android operating system. We never receive, process, or store biometric data.
3.2 Crash Reporting (Opt-In Only)
DocuScanr includes an optional crash reporting feature powered by Sentry. Crash reporting is disabled by default and only activates if you explicitly enable it in Settings > Appearance & Privacy > Crash Reporting. You can disable it at any time — doing so immediately stops all data collection and clears any buffered data.
When crash reporting is active, the following data may be collected:
- Crash stack traces and error messages — technical diagnostic data about application errors. All data is scrubbed of personally identifiable information before transmission.
- Basic device information — CPU architecture, total memory, free memory, and low-memory status. Device name, manufacturer, model, and other identifying device information are stripped before transmission.
- Basic OS information — operating system name and version only.
The following data is never stored or retained, even with crash reporting active:
- Your IP address. Sentry is configured to discard IP addresses on receipt rather than store them. As with any internet connection, your IP address is necessarily visible to the receiving server while a report is being transmitted, but it is not logged or retained.
- Geographic location or locale
- Device identifiers (ANDROID_ID, advertising ID, serial number)
- Document content, file names, or any user-generated content
- Screenshots or screen recordings
Sentry acts as a data processor (GDPR) and service provider (CCPA/CPRA) on our behalf, processing crash data solely for the purpose of providing diagnostic services to us. We maintain a Data Processing Agreement with Sentry in accordance with GDPR Article 28. Sentry's own handling of data transmitted to their infrastructure is governed by Sentry's Privacy Policy and Sentry's Data Processing Addendum.
3.3 Google Play Billing Data
When you make an in-app purchase, Google Play processes the transaction. At runtime the App receives your purchase status (purchased or not purchased) from the Google Play Billing API. We operate no servers and do not persistently store this status anywhere; the App queries it from Google Play each time it launches. We do not receive or store your payment information, billing address, or Google account details. Google's handling of billing data is governed by Google's Privacy Policy.
3.4 Implicit Data Processing by Third-Party Components
Certain third-party components bundled with the App may transmit minimal operational data through Google Play Services infrastructure on your device:
- Google ML Kit (Text Recognition) — Performs text recognition entirely on-device. ML Kit's bundled on-device model processes images locally without sending data to Google servers. We have disabled Firebase Analytics and related telemetry (see below). However, ML Kit depends on Google Play Services, which may transmit lightweight API usage metrics as described below.
- TensorFlow Lite — Runs a document detection model entirely on-device. No data is transmitted.
- OpenCV — Performs image processing entirely on-device. No data is transmitted.
- Google Play Services — If present on your device, Play Services may transmit lightweight API usage metrics (such as call counts and device model) as part of its normal operation. No document content, images, or user-generated data is included in these metrics. This data transmission is controlled by Google Play Services on your device and is subject to Google's Privacy Policy.
We have taken the following steps to minimize third-party data collection:
- Disabled Firebase Analytics collection via manifest configuration
- Removed the Firebase initialization provider
- Disabled Google Analytics advertising ID collection
- Disabled Firebase default data collection
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area ("EEA"), United Kingdom, and Switzerland, we process data on the following legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| On-device document processing and encryption | Performance of contract (providing the App's core functionality) | Art. 6(1)(b) |
| Crash reporting (when explicitly enabled by you) | Consent | Art. 6(1)(a) |
| Processing purchase confirmations | Performance of contract (fulfilling your Pro upgrade) | Art. 6(1)(b) |
| Responding to your inquiries | Legitimate interest (customer support) | Art. 6(1)(f) |
You may withdraw your consent for crash reporting at any time by disabling it in Settings, without affecting the lawfulness of processing carried out prior to withdrawal.
Automated Decision-Making and Profiling (GDPR Article 22): We do not engage in automated decision-making or profiling as defined by GDPR Article 22. While the App uses on-device machine learning for document detection and text recognition, these processes run entirely on your device and are not used to make decisions that produce legal or similarly significant effects concerning you.
5. Device Permissions
DocuScanr requests the following permissions:
| Permission | Purpose | When Requested |
|---|---|---|
| Camera | Scanning documents using the device camera | When you first use the camera scan feature |
| Biometric | Unlocking the app with fingerprint or face recognition | When you enable App Lock in Settings |
| Internet | Sending anonymous crash reports (when enabled) | Automatic (no prompt) |
Images captured by the camera are processed and encrypted on your device. They are never uploaded or shared with any service. You can revoke camera permission at any time through your device's Settings, which will disable the camera scan feature but will not affect other App functionality.
Biometric data is handled entirely by the Android operating system. DocuScanr never accesses, stores, or transmits biometric data. The app only receives a success or failure result from the system biometric prompt.
6. On-Device Processing
All document processing happens locally on your device:
- Document scanning uses an on-device machine learning model (TensorFlow Lite) and computer vision library (OpenCV) for document edge detection and perspective correction. No image data leaves your device.
- Text recognition (OCR) uses Google ML Kit's on-device text recognition. ML Kit processes images entirely on your device and does not send image data to Google servers. Extracted text is stored locally in the encrypted database and is never transmitted.
- Sensitive content detection uses on-device pattern matching to scan your document text for potential personally identifiable information (PII) such as Social Security numbers, credit card numbers, bank account numbers, phone numbers, email addresses, and passport numbers. This analysis is performed entirely on your device using regular expression patterns — no document content or detection results are ever transmitted off your device. Detection results are stored as metadata flags in the encrypted database alongside your documents. This feature is enabled by default and can be disabled at any time in Settings. When disabled, no scanning occurs.
- Encryption uses industry-standard algorithms (AES-256-GCM via Google Tink, SQLCipher for the database). Encryption keys are protected by the Android Keystore and never leave your device.
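The sensitive content detection described above, as an illustrative example added by the editor rather than DocuScanr's own code: regular-expression matching over OCR text that returns only per-category flags, discarding the matched values so that nothing more than a boolean per category would ever be written as document metadata. The patterns, the Luhn checksum used to suppress card-number false positives, and the sample text are all constructed for this illustration and are not taken from the App.

```python
"""
Added example (not DocuScanr's code): on-device sensitive-content detection
over OCR text. It returns one flag per category and deliberately discards
the matched substrings. Patterns, the Luhn check and sample text are
assumptions constructed for this illustration.
"""
import re

# Constructed patterns for the categories the policy lists. They are
# intentionally simple; a production scanner would tune them per locale.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "bank_account": re.compile(
        r"\b(?:account|acct)\.?\s*(?:no\.?|number|#)?\s*:?\s*\d{8,17}\b", re.I
    ),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "passport": re.compile(
        r"\bpassport\s*(?:no\.?|number|#)?\s*:?\s*[A-Z0-9]{6,9}\b", re.I
    ),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_sensitive(text: str) -> dict[str, bool]:
    """Return one boolean flag per category.

    The matched text is never returned or stored: only the flags would be
    written as metadata next to the document, which is what keeps the
    detection result itself from becoming another copy of the PII.
    """
    flags = {name: False for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "credit_card":
                digits = re.sub(r"\D", "", match.group(0))
                if not luhn_valid(digits):
                    continue  # looks like a card number but fails Luhn
            flags[name] = True
            break  # one hit is enough; we never count or keep matches
    return flags


# Constructed sample OCR output (not real data).
SAMPLE_OCR_TEXT = (
    "Patient SSN 123-45-6789, card 4111 1111 1111 1111, "
    "call (916) 555-0133 or mail jane.doe@example.com"
)

if __name__ == "__main__":
    for category, hit in detect_sensitive(SAMPLE_OCR_TEXT).items():
        print(f"{category:13s} {'FLAGGED' if hit else '-'}")
```

The Luhn step matters in practice: order numbers, invoice IDs and tracking codes are long digit runs too, and flagging every one of them trains users to ignore the warning.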
7. Data Storage and Security
We employ the following security measures, all operating locally on your device:
- All documents are encrypted at rest using AES-256-GCM (Google Tink StreamingAead).
- The database is encrypted using SQLCipher (AES-256).
- Encryption keys are generated and managed by the Android Keystore system and never leave the secure hardware (on devices that provide hardware-backed key storage, such as a TEE or StrongBox).
- App preferences are encrypted using Google Tink Aead.
- Optional app lock provides biometric or device credential protection.
- Backup files are encrypted with a key derived from your recovery key using PBKDF2-HMAC-SHA256 (600,000 iterations) and HKDF domain separation.
- Optional screenshot prevention blocks screen capture and recording when enabled.
- Network security configuration restricts all traffic to system-trusted certificates only (certificate authorities installed by the user are not trusted) and disables cleartext (unencrypted) connections.
Important: Because encryption keys are managed on your device, we cannot access, decrypt, recover, or restore your documents. The security of your data ultimately depends on your device's security posture (screen lock, biometrics, OS updates).
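The backup key schedule described above (PBKDF2-HMAC-SHA256 with 600,000 iterations over the recovery key, then HKDF for domain separation), as an illustrative example added by the editor rather than DocuScanr's own code. The per-backup random salt, the HKDF label strings, the recovery-key formatting rules and the two derived key purposes are assumptions made for this illustration; only the algorithm names and iteration count come from the policy.

```python
"""
Added example (not DocuScanr's code): stretch a user recovery key with
PBKDF2-HMAC-SHA256 (600,000 iterations), then derive purpose-specific keys
with HKDF (RFC 5869). Salt handling, label strings and key purposes are
assumptions for this illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # figure stated in the policy
KEY_LEN = 32                 # 256-bit keys
HASH_LEN = 32                # SHA-256 output size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def new_backup_salt() -> bytes:
    """Assumption: a fresh 16-byte salt per backup, stored in the backup header."""
    return os.urandom(16)


def stretch_recovery_key(recovery_key: str, salt: bytes) -> bytes:
    """Slow step: PBKDF2 makes offline guessing of the recovery key expensive.

    Assumption: separators the user may type ("-" or spaces) are stripped so
    "ABCD-EFGH" and "ABCD EFGH" yield the same key.
    """
    normalized = recovery_key.replace("-", "").replace(" ", "").encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, PBKDF2_ITERATIONS, KEY_LEN)


def derive_backup_keys(recovery_key: str, salt: bytes) -> dict[str, bytes]:
    """Domain separation: one stretched master key, independent sub-keys per use.

    Distinct HKDF 'info' labels (assumed names) guarantee that a key used for
    one purpose reveals nothing about the key used for another.
    """
    master = stretch_recovery_key(recovery_key, salt)
    return {
        "file": hkdf(master, salt, b"docuscanr-backup/v1/file-encryption", KEY_LEN),
        "header": hkdf(master, salt, b"docuscanr-backup/v1/header-mac", KEY_LEN),
    }


if __name__ == "__main__":
    salt = new_backup_salt()
    keys = derive_backup_keys("ABCD-EFGH-IJKL-MNOP", salt)  # constructed key
    print("salt  ", salt.hex())
    for purpose, key in keys.items():
        print(f"{purpose:7s}", key.hex())
```

Only the stretched master key is slow to compute; the HKDF step is cheap, so adding further purposes later (for example a key for an integrity tag over the backup manifest) costs nothing extra and never requires reusing the file-encryption key.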
8. Data Sharing and Disclosure
We do not sell, rent, trade, or otherwise share your personal data with any third party. We have not sold or shared personal information (as those terms are defined under CCPA/CPRA) in the preceding 12 months, nor do we intend to do so in the future.
The only circumstances under which data leaves your device:
- User-initiated exports: When you explicitly export a PDF, image, or text file to your device's Downloads folder or share it via the Android share sheet.
- User-initiated backups: When you explicitly create an encrypted backup file and save it to a location you choose.
- Crash reports (opt-in): When you have voluntarily enabled crash reporting, privacy-scrubbed diagnostic data is transmitted to Sentry. See Section 3.2.
- Purchase transactions: When you make an in-app purchase, the transaction is processed by Google Play. See Section 3.3.
We do not disclose your document data to law enforcement or government authorities because we do not possess it: all documents are encrypted on-device with keys we do not hold, so it is technically impossible for us to produce them in response to a legal request. The only data we could be compelled to produce is the privacy-scrubbed crash diagnostics described in Section 3.2, and only if you have enabled crash reporting.
Data Breach Notification: In the unlikely event of a personal data breach affecting data we process (limited to crash diagnostics, if enabled, and purchase confirmation status), we will: (a) notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33, unless the breach is unlikely to result in a risk to your rights and freedoms; (b) notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34; and (c) notify affected California residents as required by California Civil Code §1798.82. Because virtually all user data is encrypted on-device and never transmitted to us, the scope of any potential breach on our systems is extremely limited.
9. International Data Transfers
DocuScanr processes virtually all data on your device, with no international transfer. In the limited cases where data may cross borders:
- Crash reports (opt-in): If enabled, crash data is transmitted to Sentry, Inc., which may process data in the United States. Sentry maintains appropriate safeguards, including Standard Contractual Clauses for EU data transfers. You can prevent any international transfer by keeping crash reporting disabled (the default).
- Google Play Billing: Purchase transactions are processed by Google LLC under its own privacy practices and data transfer mechanisms, including Standard Contractual Clauses and other approved mechanisms.
For EEA/UK users, any transfers to countries without an EU adequacy decision are protected by Standard Contractual Clauses or other approved transfer mechanisms maintained by the respective service providers.
10. Data Retention and Deletion
10.1 On-Device Data
All document data, preferences, and encryption keys are stored locally on your device. You have complete control:
- Delete individual items — documents, pages, folders, tags, and annotations can be deleted at any time within the App.
- Uninstall the App — permanently deletes all App data, including encrypted documents, the database, encryption keys, and preferences.
- We retain nothing — because we never receive your document data, there is nothing for us to retain or delete on our end.
10.2 Crash Report Data
If you enabled crash reporting, Sentry retains crash data for 90 days, after which it is automatically deleted. You can request early deletion by contacting us.
10.3 Google Play Purchase Records
Google maintains records of your purchase as part of your Google Play account. This is governed by Google's data retention policies.
11. Your Privacy Rights
11.1 Rights for All Users
Regardless of your location, you can:
- Delete any or all of your data within the App at any time.
- Enable or disable crash reporting at any time.
- Revoke camera permission through your device settings.
- Uninstall the App to permanently delete all associated data.
11.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of Access (Art. 15) — You may request confirmation of whether we process your personal data and, if so, a copy of that data.
- Right to Rectification (Art. 16) — You may request correction of inaccurate personal data.
- Right to Erasure (Art. 17) — You may request deletion of your personal data.
- Right to Restriction of Processing (Art. 18) — You may request that we restrict the processing of your data.
- Right to Data Portability (Art. 20) — You may request your personal data in a structured, commonly used, machine-readable format. With respect to documents stored on your device, the App provides export functionality in standard formats (PDF, JPEG, PNG, plain text) that satisfy this requirement. The App's encrypted backup format (.docuscanr) is proprietary; however, because we do not hold your data on our systems, Article 20 portability obligations apply only to the limited data we process (crash diagnostics, if enabled).
- Right to Object (Art. 21) — You may object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you may withdraw consent at any time.
- Right to Lodge a Complaint (Art. 77) — You have the right to lodge a complaint with a supervisory authority in your Member State of habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
In practice, because we process almost no personal data, most of these rights are satisfied by default. If you have enabled crash reporting, contact us to exercise any of the above rights with respect to that data. We will respond to GDPR requests within one month; for complex or numerous requests this may be extended by up to two further months, in which case we will inform you of the extension and its reasons within the first month (GDPR Article 12(3)).
11.3 Additional Rights for California Residents (CCPA/CPRA and CalOPPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and the California Online Privacy Protection Act:
- Right to Know — You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete — You may request deletion of personal information we have collected from you.
- Right to Correct — You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — We do not sell or share (as defined by CCPA/CPRA) your personal information. We have not sold or shared personal information in the preceding 12 months. Because we do not sell or share personal information, no "Do Not Sell or Share My Personal Information" link is required; however, you may contact us at any time to confirm this.
- Right to Limit Use of Sensitive Personal Information — We do not collect sensitive personal information as defined by CCPA/CPRA.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge different prices, provide a different quality of service, or suggest any of these will occur as a result of exercising your rights.
Categories of Personal Information (CCPA Disclosure):
| CCPA Category | Collected? | Details |
|---|---|---|
| A. Identifiers | No | — |
| B. Personal information under Cal. Civ. Code §1798.80(e) | No | — |
| C. Protected classification characteristics | No | — |
| D. Commercial information | Limited | Purchase confirmation status received from Google Play (purchased or not purchased); not stored by us beyond the current app session |
| E. Biometric information | No | Biometric auth handled by Android OS |
| F. Internet or electronic network activity | Only if crash reporting enabled | Privacy-scrubbed crash diagnostics |
| G. Geolocation data | No | — |
| H. Sensory data | No | Camera images processed on-device only |
| I. Professional or employment information | No | — |
| J. Non-public education information | No | — |
| K. Inferences | No | — |
| L. Sensitive personal information | No | — |
Sources of Personal Information: When crash reporting is enabled, diagnostic data is generated by the App on your device.
Business Purpose for Collection: Improving App stability and fixing software defects.
Third Parties: When crash reporting is enabled, privacy-scrubbed diagnostic data is transmitted to Sentry, Inc. (service provider). No personal information is sold to or shared with third parties.
Submitting Requests: To exercise your CCPA/CPRA rights, contact us at the email address in Section 15. You may also designate an authorized agent to make a request on your behalf (the agent must provide written authorization signed by you). Because we do not maintain user accounts or collect identifying information, identity verification may be limited to confirming details only the requestor would know. We will use reasonable methods to verify that the requestor is the individual whose personal information is the subject of the request. We will respond within 45 days, extendable by an additional 45 days with prior notice. You may submit requests up to twice per 12-month period.
Financial Incentives: We do not offer financial incentives or price differences in exchange for the collection, sale, or deletion of personal information.
11.4 Additional Rights Under Other U.S. State Laws
California "Shine the Light" (Civil Code §1798.83): We do not disclose personal information to third parties for their direct marketing purposes.
Nevada (NRS Chapter 603A): We do not sell your personal data as defined under Nevada law.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon, Texas, Montana, and other states with comprehensive privacy legislation: Residents may have rights including access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling. Virginia residents also have appeal rights if a request is denied.
Because we collect virtually no personal data, these rights are largely satisfied by our architecture. Contact us at the email address in Section 15 to exercise any applicable rights or to confirm our data practices.
11.5 Additional Rights for Users in Other Jurisdictions
Users in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), South Korea (PIPA), and other jurisdictions with applicable privacy laws may have similar rights to those described above, including the right to access, correct, delete, and port personal data, as well as the right to object to processing. Contact us to exercise any applicable rights. We will respond in accordance with the timeframes required by your jurisdiction's laws.
12. Children's Privacy
DocuScanr is not directed at children under the age of 16. In the United States, the Children's Online Privacy Protection Act (COPPA) applies to the collection of personal information from children under 13; under the GDPR, the age of digital consent varies by EU Member State (between 13 and 16, with 16 as the default under Article 8). We use 16 as our global minimum age threshold. We do not knowingly collect personal information from children under these applicable ages. Since the App collects virtually no personal information from any user, no age-gating mechanism is implemented. If a parent or guardian becomes aware that their child has provided us with personal data (e.g., through crash reporting), please contact us and we will promptly delete it. If we become aware that we have collected personal information from a child without verified parental consent, we will take steps to delete that information.
13. Third-Party Services Summary
| Service | Purpose | Data Sent to Servers | Privacy Policy |
|---|---|---|---|
| Google ML Kit (Text Recognition) | On-device text recognition | None (on-device only; see §3.4 for Play Services metrics) | Google Privacy Policy |
| TensorFlow Lite | On-device document detection | None | Open source (Apache 2.0); a Google project |
| OpenCV | On-device image processing | None | Open source (Apache 2.0) |
| Google Play Billing | In-app purchases | Purchase transactions (handled by Google Play) | Google Privacy Policy |
| Sentry (opt-in only) | Crash reporting | Privacy-scrubbed crash diagnostics | Sentry Privacy Policy |
| Google Tink | On-device encryption | None | Open source (Apache 2.0) |
| SQLCipher | On-device database encryption | None | Open source (BSD) |
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide notice through the App (e.g., an in-app notification) for material changes that affect your rights or our data practices.
- For material changes, provide at least thirty (30) days' notice before the changes take effect.
For users in the EEA/UK, material changes to data processing that rely on consent will require your renewed consent before taking effect.
As required by CalOPPA, we will conspicuously post any changes to this Privacy Policy. We encourage you to review this Privacy Policy periodically. Your continued use of the App after the effective date of non-material changes constitutes acknowledgment of those changes.
15. Contact
If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or have a data protection concern, contact us at:
ToTheTower Labs LLC 2108 N ST #15629 Sacramento, CA, United States Email: info@tothetowerlabs.com
We will respond to privacy-related inquiries within the timeframe required by applicable law: one month for GDPR requests (extendable by up to two further months for complex requests, with notice of the extension within the first month) and 45 days for verified CCPA/CPRA requests (extendable by an additional 45 days with prior notice).
16. Supplemental Notices
16.1 Google Play Data Safety
This Privacy Policy is consistent with the information disclosed in our Google Play Data Safety section. In the event of any conflict, this Privacy Policy controls.
16.2 Do Not Track (CalOPPA Disclosure)
As required by CalOPPA, we disclose our response to "Do Not Track" signals: The App does not respond to "Do Not Track" browser signals because the App does not track users across websites or apps, and the App is not a web-based service. The App's privacy-first architecture provides stronger protections than Do Not Track compliance would require. No third parties collect personally identifiable information about your online activities over time and across different websites or online services when you use the App.
16.3 Accessibility
This Privacy Policy is made available in a format that is accessible and printable. If you need this Privacy Policy in an alternative format, please contact us.
This Privacy Policy applies to the DocuScanr Android application distributed via the Google Play Store. It is governed by the laws of the State of California, United States.