Quick Scope — Privacy Policy

Effective Date: 14 October 2025
Contact: [email protected]
Operator: The provider of the Quick Scope application and related services (the “Operator,” “we,” “us,” or “our”).

This Privacy Policy explains how we collect, use, disclose, transfer, and store information when you use the Quick Scope mobile application, website, and related services (collectively, the “Services”). It complements— and should be read together with—our Terms of Service.

1) Scope & Overview

Quick Scope lets you take photos of educational tasks to receive AI‑generated explanations (“Answers”). We do not require you to create an account. We strongly discourage and contractually prohibit the upload of personal data or images of people. However, we may incidentally process such data to detect and filter it (see Section 4 and 7).

This policy applies to information we process as a controller when you use the Services or contact us. Where we engage third parties to process data for us, they act as our processors (see Section 8).

2) Categories of Data We Process

We may process the following categories of information:

• User Content: images of tasks/assignments/questions you submit; associated prompts; OCR results; and contextual metadata (e.g., timestamps, language, app version).
• Answers & derived technical artifacts: model outputs, embeddings, features, annotations, and quality labels.
• Device & diagnostics: device model, OS version, device identifiers (e.g., platform advertising ID if available), app version, IP address, crash logs, performance metrics.
• Usage data: interaction events (e.g., button taps, success/failure codes), coarse region inferred from IP for localization/abuse prevention, and non‑precise analytics.
• Moderation data: flags, block reasons, decision logs, and appeals correspondence.
• Support & communications: messages you send to [email protected] and related metadata.
• Billing (if paid features are enabled): transaction identifiers, receipts, limited payment metadata from app stores (we do not receive full card numbers).
• Website cookies (if you visit our site): essential cookies for security and operations; we do not use third‑party advertising cookies.

We do not seek to collect special categories of personal data (e.g., health, biometric data). Please do not include such information in uploads or messages.

3) Purposes of Processing

We use information for the following purposes:

1. Provide the Services: process your User Content to generate Answers; ensure core functionality.
2. Safety, abuse detection & fraud prevention: prevent cheating, policy violations, and misuse; investigate incidents.
3. Diagnostics & quality: debug, measure, and improve reliability and accuracy.
4. Research & improvement: train, test, calibrate, and evaluate models and algorithms that enable the Services.
5. Compliance & legal: comply with laws (e.g., copyright, sanctions/export controls), respond to lawful requests, and enforce our Terms.
6. Communications: respond to your inquiries and provide service notices.
7. Billing (if applicable): process purchases, detect payment fraud, and maintain records.

4) Legal Bases (EU/EEA/UK)

Where the GDPR or UK GDPR applies, our processing relies on the following legal bases:

• Performance of a contract (Article 6(1)(b)): to provide the Services and generate Answers.
• Legitimate interests (Article 6(1)(f)): to ensure security; detect abuse; perform diagnostics; and improve the Services (including model improvement). You have the right to object at any time for reasons relating to your particular situation (see Section 10).
• Legal obligations (Article 6(1)(c)): to comply with laws and respond to lawful requests.
• Consent (Article 6(1)(a)) where required by local law (e.g., for certain optional features like push notifications or where the law requires consent).

We do not intentionally process children’s data without appropriate consent and supervision (see Section 11).

5) Data Minimization & Personal Data in Uploads

The Services are designed for educational tasks only. Do not submit images of people or any personal data. If such data is incidentally captured, we may process it transiently to filter, block, and delete it and to enforce our policies. We also log policy‑violation signals (e.g., “face detected”) for safety and abuse‑prevention purposes.

6) Retention

We keep data only as long as necessary for the purposes described above and to comply with legal obligations or defend legal claims. We apply the following standard retention schedule (subject to extension for investigations or legal holds):

• User Content & derived artifacts used for improvement: up to 24 months from collection, or until you exercise your GDPR objection to model improvement (whichever occurs first), after which items are excluded from future training/evaluation data sets.
• Request processing logs & usage analytics: up to 12 months.
• Security & abuse logs: up to 24 months.
• Moderation & appeals records: up to 24 months after case closure.
• Support communications: up to 24 months after ticket closure.
• Billing & tax records: up to 7 years (or longer if required by law).
• DMCA notices: up to 10 years (U.S. safe‑harbor practice).

We may retain de‑identified or aggregated data for longer.

7) How We Process Content (including OCR and Model Outputs)

To generate Answers, we transmit User Content (and necessary metadata) to our processing stack, which may include optical character recognition (OCR) and AI models. Automated systems and, in limited cases, authorized personnel may review samples for quality, safety, and debugging. We apply access controls and logging to prevent misuse.

8) Sharing & Recipients

We do not sell your personal data. We share data only with:

• External Providers / processors that support the Services (e.g., AI model providers such as OpenAI; cloud hosting; OCR; analytics; error reporting). These parties process data strictly under our instructions and subject to confidentiality and security obligations.
• Payment processors / app stores for billing and fraud prevention.
• Professional advisors (legal, audit) under confidentiality.
• Law enforcement or regulators when required by law or to protect rights, safety, and the integrity of the Services.
• Corporate transactions: if we engage in a merger, acquisition, or asset sale, data may be transferred to the successor subject to this Policy.

9) International Transfers

Your information may be processed outside your country, including in the United States. Where required, we implement appropriate safeguards, such as Standard Contractual Clauses and, if applicable, UK Addenda and EEA adequacy decisions. We conduct transfer risk assessments where appropriate.

10) Your Rights (EU/EEA/UK and other regions)

Subject to legal limits, you may have the following rights: access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests.

• Object to model improvement: email [email protected] with the subject line “GDPR Objection – Model Improvement.” We will record your choice and exclude your future User Content and derived data from model‑improvement pipelines.
• Exercise other rights: email [email protected]. We may request reasonable verification of identity (e.g., device model, OS, approximate timestamps) to locate data because we do not maintain user accounts.

If you believe we have not resolved your concern, you can lodge a complaint with your local data protection authority (for EEA/UK users).

11) Children’s Privacy

• U.S. (COPPA): We do not knowingly collect personal information from children under 13 without verifiable parental consent.
• EU/EEA/UK (GDPR Article 8): Where consent is the legal basis, the age threshold is determined by local law (typically 16 and not lower than 13). Minors may use the Services only with parental/guardian consent and supervision. If you believe a child has provided personal data without required consent, contact us so we can take appropriate action.

12) Security

We implement administrative, technical, and physical safeguards appropriate to the risks, including encryption in transit and at rest where feasible, access controls, audit logging, rate‑limiting and abuse detection, and secure development practices. No system is perfectly secure; if we discover a security incident that affects you, we will notify you and regulators as required by law.

13) Region‑Specific Disclosures

A. EU/EEA/UK

• Controller: The Operator listed above.
• Representative: If we are not established in your region and a local representative is required under Article 27 GDPR/UK GDPR, we will appoint one and update this Policy with contact details.
• Legal bases: see Section 4.
• Transfers: see Section 9.
• Digital content/services guarantees: If you purchase paid features, your statutory guarantees of conformity remain unaffected (see Terms of Service).

B. United States (including California)

• We do not “sell” personal information and do not share it for cross‑context behavioral advertising as those terms are defined by the California Consumer Privacy Act (CCPA/CPRA).
• California residents have rights to know, access, delete, correct, and opt‑out of “sale”/“sharing” if applicable, and to non‑discrimination for exercising rights. Submit requests via [email protected].
• Categories collected: identifiers (device ID, IP), internet/activity info (usage logs), geolocation (coarse region), inferences (quality/abuse scores), and user communications. Sources include your device and our Services. Purposes and disclosure categories are described above.

14) Third‑Party Services

The Services may integrate with or reference third‑party services. Their privacy practices are governed by their own policies. We are not responsible for third‑party practices.

15) Automated Decision‑Making

We use automated tools to detect abuse, policy violations, or prohibited content and to route requests for quality assurance. These processes may affect access to features (e.g., temporary blocks). You can contact us to request human review of significant decisions where required by law.

16) Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice in a reasonable manner (e.g., in‑app notice). Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

17) Contact

For questions, requests (including GDPR/CCPA rights), or concerns about this Policy, contact: [email protected].