Privacy Policy

1. Information We Collect

We collect the following information in order to provide the Service, deliver features, maintain security, and comply with legal obligations.

A. Account Information

• Email address (when using Magic Link authentication)
• Telegram user ID, first name, username (if logged in via Telegram)

B. Usage Information

• Product barcodes you scan
• Product photos you upload for AI analysis
• Scan history and favorites
• Language preferences
• Interaction logs (feature usage, timestamps)

C. Technical Information

• Device type and operating system
• Browser or client type and version
• IP address (for security and fraud prevention)
• App usage statistics, logs, crash reports

D. Health-Related and Special Categories

When you choose to provide it, we may collect:

• Dietary preferences
• Health conditions (e.g., chronic conditions, medications, allergies)
• Other information related to well-being or personal health goals

This data may qualify as "special category data" under GDPR (see Section 3).

E. Payment Information

We do not collect sensitive payment card data. Your payment information is processed directly by our payment providers (Stripe and EveryPay). We may receive transactional metadata (e.g., subscription tier, payment timestamps).

2. How We Use Your Information

We use your information for the following purposes, based on legal grounds described in Section 3:

• To provide and improve the Service
• To authenticate your account and enable secure login
• To save your scan history and preferences
• To process product photos using AI and generate results
• To support customer service requests
• To prevent fraud and secure accounts
• To send transactional emails (account, billing)
• To send marketing emails, with your consent
• To comply with legal and regulatory requirements

3. Legal Basis for Processing (GDPR)

We process personal data based on the following GDPR legal bases:

Contractual necessity (Art. 6(1)(b))
Account creation, scan history, subscription management, security.

Consent (Art. 6(1)(a))
Email marketing, AI analysis of photos, profiling personalization.

Legitimate interests (Art. 6(1)(f))
Fraud detection, security, service improvement.

Legal obligation (Art. 6(1)(c))
Compliance with applicable laws and legal requests.

Special category data (GDPR Art. 9)
Health-related and dietary data are processed only with your explicit consent.

4. Retention of Your Data

We retain user data only as long as necessary to fulfill Service functions and legal obligations. Specific retention periods include:

Data Type	Retention Period
Account profile	Until account deletion + 30 days
Scan history	90 days
Premium analysis cache	30 days
Session logs	90 days
"Remember me" tokens	365 days
Transactional metadata	As required by law
Email marketing consents	Until withdrawal

After the retention period expires, we delete or anonymize data.

5. Third-Party Services and Transfers

We use third-party services to operate the Service. These providers may process data on our behalf or as independent controllers. They include:

A. OpenAI

AI analysis of product photos is processed by OpenAI on servers outside the European Economic Area (EEA). Transfers are safeguarded under Standard Contractual Clauses and limited to necessary data for analysis.

B. Stripe & EveryPay

Payment processing is handled by Stripe and EveryPay. They may be independent data controllers for payment metadata, and data transfers outside the EEA may occur under appropriate safeguards.

C. Telegram

If you use Telegram login, basic profile information is shared through Telegram's systems. Telegram operates as a separate controller for login data.

D. Nutrition Databases

We use public nutrition data sources (Open Food Facts, USDA, FatSecret). Your use of these features may involve requests to external sites, governed by their respective privacy policies.

6. Cookies

We use cookies and similar technologies to operate the Service and improve your experience.

Essential Cookies — Required to enable core service functions (e.g., session cookies, language setting).

Analytics Cookies — Used to understand usage patterns and improve features.

We do not use advertising or tracking cookies without your consent.

You may configure or reject cookies via browser or device settings. See our Cookie Policy for details.

7. Your Rights (Under GDPR)

Under the GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict or object to certain processing
• Portability — receive your data in structured format
• Withdraw consent at any time

To exercise these rights, contact us at support@scanpal.app.

If you believe your rights have been violated, you may lodge a complaint with the Estonian Data Protection Inspectorate.

8. Data Security

We implement industry-standard security measures, including:

• HTTPS/TLS encrypted transmission
• Secure authentication flow
• Regular security reviews
• Restricted access to data

However, no system is completely secure; we cannot guarantee absolute protection.

9. Children's Privacy

ScanPal is not directed at children under 16. We do not knowingly collect data from individuals under 16. If we discover such data, it will be deleted promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal or operational changes. We will notify you of significant changes via the Service or email.

Your continued use of the Service constitutes acceptance of the updated policy.