ScanGo

Privacy Policy

Effective Date: April 29, 2026 | Last Updated: April 29, 2026

ScanGo ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

1. Information We Collect

1.1 Information You Provide

  • Account Information: When you create an account, we collect your email address and password (handled by Firebase Authentication and never stored in plaintext on our servers).
  • Shift and Delivery Data: Start/end times, delivery counts, earnings, tips, expenses, and mileage you enter.
  • Address Information: Delivery addresses you scan or enter (see Section 3 for how we handle this data).
  • Payment Records: Manual payment entries you create to track employer payments.
  • Settings and Preferences: Your app preferences including theme, language, notification settings, and capture configuration.
  • Feedback: If you submit in-app feedback, we collect your message, an optional screenshot of the app, your account email (if signed in), and basic device information.

1.2 Information Collected Automatically

  • Device Information: Device model, operating system version, and app version for crash reporting and compatibility.
  • Advertising ID: On Android, the Google Advertising ID (AAID) is collected by Google AdMob to serve ads and limit ad frequency. You can reset or opt out of this identifier in your device's Google settings (Settings → Google → Ads).
  • Usage Analytics: Anonymous usage events (e.g., which features are used) collected via Firebase Analytics to improve the app. No personally identifiable information is included.
  • Crash Reports: Technical crash data collected via Firebase Crashlytics to help us fix bugs.

1.3 Optional Information (Opt-In Only)

  • AI Receipt Scanning: If you enable "AI Receipt Scanning" in Settings (or accept the in-capture consent prompt), receipt images you choose to scan are sent to our Cloud Function and processed by Anthropic's Claude (Haiku) Vision API to extract structured fields (date, total, postcode, brand). The image is processed in-memory by the Cloud Function and is not retained server-side after the response is returned. You can revoke this consent at any time in Settings.
  • Personalized Advertising (EEA / UK / Switzerland): If you consent in the in-app Google UMP prompt, AdMob and its partners may use the Advertising ID and contextual signals to deliver personalized ads. You can change or withdraw this consent at any time from Settings → Privacy → Ad Privacy.

2. How We Use Your Information

We use your information to:

  • Provide Core Functionality: Track your shifts, deliveries, earnings, and generate reports.
  • Sync Across Devices: If you have a CLOUD+ subscription, sync your data securely across multiple devices. PRO users receive a one-time cloud restore on a new device when local storage is empty.
  • Generate Tax Reports: Create HMRC-compatible self-assessment data exports.
  • Improve the App: Analyze anonymous usage patterns and crash reports to fix bugs and add features.
  • Process AI Receipt Scans: Send receipt images you scan to our Cloud Function (and onward to Anthropic's Claude API) to extract structured data, when you have given consent.
  • Show Ads (Free / Guest tiers): Display banner, interstitial, and rewarded ads via Google AdMob to support the free tier.
  • Verify Purchases: Validate Google Play purchase tokens server-side via a Firebase Cloud Function before unlocking subscription features.

3. Data Storage and Security

3.1 Local Storage

App data is stored locally on your device using a SQLite database (managed by the Drift library). Database files are kept in the app's private storage directory, which is sandboxed by Android and not readable by other apps. Cryptographic keys used for cloud-address encryption are stored in Android Keystore via flutter_secure_storage. Even without an internet connection, you can use all core app features.

3.2 Cloud Storage (Authenticated Users)

When you sign in and enable cloud sync:

  • Address Encryption (CLOUD+): Full delivery addresses are encrypted on-device using AES-256-GCM (with a key derived from your Firebase user ID via PBKDF2) before being uploaded.
  • Firebase Services: We use Google Firebase for authentication, cloud storage (Firestore), file storage, analytics, crash reporting, and Cloud Functions.
  • Access Control: Your cloud data is protected by Firebase Security Rules that ensure only you can access your data.

3.3 Address Data Handling (GDPR Compliance)

  • Guest / FREE / PRO Tiers: Only the postcode area (e.g., "SW1") is synced to the cloud — full addresses never leave your device.
  • CLOUD+ Tier: Full addresses are encrypted client-side (AES-256-GCM) and synced, with a 30-day server-side retention policy.
  • Auto-Redaction (CLOUD+): After 30 days, the encrypted full-address payload is automatically removed from the cloud. Only the postcode area is retained for your historical analytics.

4. Third-Party Services

We use the following third-party services:

Service | Purpose | Data Shared
Firebase Authentication | User sign-in | Email address
Firebase Firestore | Cloud data sync | Encrypted shift/delivery data
Firebase Storage | Feedback screenshots | Optional feedback screenshot
Firebase Cloud Functions | AI receipt parsing & purchase verification | Receipt image (when AI scan consent given), Play purchase token
Firebase Analytics | Anonymous usage stats | Non-identifiable usage events
Firebase Crashlytics | Crash reporting | Device info, crash traces
Google AdMob | Banner, interstitial, and rewarded ads (Free / Guest tiers) | Advertising ID, coarse device/locale signals, ad interaction events
Google User Messaging Platform (UMP) | Collect EEA / UK / Swiss consent for personalized ads | Consent choices, region signal
Google Play Billing | Subscription and in-app purchase management | Purchase tokens, product IDs
Anthropic (Claude API) | AI receipt parsing (only when AI scan consent given) | Receipt image bytes, region code

For details on Google's data handling, see Google's Privacy Policy. For Anthropic, see Anthropic's Privacy Policy. Anthropic does not retain prompt or image content for model training when called via the standard Claude API.

5. Your Rights

Under GDPR, UK GDPR, and other applicable privacy laws, you have the right to:

5.1 Access Your Data

Export your data at any time using the CSV export feature in Settings → Tax Returns.

5.2 Correct Your Data

Edit any shift, delivery, or payment record directly in the app.

5.3 Delete Your Data

  • Delete Individual Records: Remove any shift, delivery, or payment from the app.
  • Delete Your Account: Go to Settings → Delete My Account to permanently delete all your data from both the app and our cloud servers (Firebase Authentication, Firestore, and Storage). This action cannot be undone. If you cannot access the app, you can also email [email protected] from your account address to request deletion.

5.4 Data Portability

Export your complete data history as CSV files for use in other applications.

5.5 Withdraw Consent

  • AI Receipt Scanning: Disable at any time in Settings → AI Receipt Scanning. Subsequent scans will not be uploaded.
  • Personalized Ads (EEA / UK / Switzerland): Re-open the consent form in Settings → Privacy → Ad Privacy to change your AdMob / partners consent choices.
  • Cloud Sync: Sign out to stop cloud synchronization.
  • Analytics: Firebase Analytics collects only anonymous, non-identifiable usage data. Analytics is disabled in development builds.

6. Data Retention

Data Type | Retention Period
Local app data | Until you delete or uninstall
Cloud-synced data | Until you delete or request deletion
Full addresses (CLOUD+ only) | 30 days, then auto-redacted to postcode area
AI scan receipt images | Not retained after the Cloud Function returns parsed fields
Feedback screenshots | Until the feedback ticket is closed
Crash reports | 90 days (Firebase Crashlytics default)
Analytics events | Up to 14 months (Firebase Analytics default)

7. Children's Privacy

ScanGo is not intended for users under 13 years of age, in line with our Google Play target audience setting. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at [email protected] and we will delete it.

8. International Data Transfers

Your data may be processed on servers located outside your country of residence. Specifically:

  • Firebase services use Google Cloud data centers worldwide, including the United States and the European Union, with Standard Contractual Clauses for EU and UK data transfers.
  • AI receipt parsing requests are forwarded to Anthropic, which processes data in the United States.
  • Google AdMob serves ads via Google's global infrastructure.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Displaying an in-app notification for significant changes

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: [email protected]
Website: https://scango.live

11. Legal Basis for Processing (GDPR / UK GDPR)

Processing Activity | Legal Basis
Account creation and authentication | Contract performance
Shift and delivery tracking | Contract performance
Cloud sync | Contract performance + Consent
Analytics and crash reporting | Legitimate interest
Non-personalized advertising | Legitimate interest
Personalized advertising (EEA / UK / CH) | Consent (opt-in via UMP)
AI receipt scanning | Consent (opt-in)
Purchase verification | Contract performance

This privacy policy was last updated on April 29, 2026.