Privacy Policy

1. Data Controller & Data Protection Officer

The data controller responsible for processing your personal data is:

• Controller: Decoway Lifestyle Private Limited
• Registered Address: India
• Email: apps@thecocoder.com
• Website: https://thecocoder.com

Our Data Protection Officer (DPO) can be contacted for any privacy-related questions or concerns:

• DPO Contact: dpo@thecocoder.com

We aim to respond to all privacy-related inquiries within 30 days.

2. Information We Collect

ScanPro is designed with a privacy-first approach. We minimize data collection and process most information locally on your device. Below is a complete summary of data we may collect:

2.1 Information Stored Locally on Your Device

The following data is stored exclusively on your device and is never transmitted to our servers:

• Scan History: Barcodes and QR codes you scan, including their content and timestamps.
• Generated Codes: QR codes and barcodes you create within the App.
• Inventory Data: Product items, quantities, and notes you manage in the inventory feature.
• Tags & Organization: Labels and categories you create to organize your data.
• App Preferences: Theme settings, language preference, and feature configurations.

2.2 Information Collected by Third-Party Services

When you consent or enable specific features, the following data may be collected by third-party services integrated into the App:

Data Type	Collected By	Condition
Advertising ID	Google AdMob & mediation partners	With Consent
Ad interaction data	Google AdMob & mediation partners	With Consent
Device info (model, OS version)	Google AdMob & mediation partners	With Consent
Approximate location (IP-based)	Google AdMob & mediation partners	With Consent
Crash logs & stack traces	Firebase Crashlytics	Opt-In
Anonymous usage analytics	Firebase Analytics	With Consent
Product barcode number	Open Food Facts API	Automatic

2.3 Information We Do NOT Collect

We want to be transparent about what we do not collect:

• Names, email addresses, or account credentials
• Precise GPS location
• Contact lists, call logs, or SMS messages
• Photos or media files (camera images are processed in real-time and discarded)
• Financial or payment information
• Health or fitness data
• Persistent device identifiers (other than the resettable Advertising ID)

3. Legal Basis for Processing

We process your data based on the following legal grounds:

• Consent: Advertising (Google AdMob), analytics (Firebase Analytics), and crash reporting (Firebase Crashlytics) are activated only after you provide explicit consent. You may withdraw consent at any time via Settings.
• Contractual Necessity: Processing required to provide the App's core functionality (barcode scanning, QR code generation, document scanning, inventory management, PDF tools) as described in our Terms of Service.
• Legitimate Interest: Product information lookups via Open Food Facts when you voluntarily scan a product barcode. We have assessed that this processing does not override your rights and freedoms.

4. How We Use Your Information

We use the limited information collected for the following purposes:

• Core Functionality: Provide barcode scanning, QR code generation, document scanning, inventory management, and PDF tools.
• Product Information: Look up product details when you scan an EAN or UPC barcode, via the Open Food Facts public database.
• Advertising: Display ads through Google AdMob to support the App as a free service (with your consent).
• Crash Reporting: If you opt in, diagnose and fix App crashes and errors via Firebase Crashlytics.
• Analytics: If you consent, understand anonymous feature usage patterns to improve the App via Firebase Analytics.
• App Improvement: Improve App features, performance, and user experience based on aggregated, anonymous data.

5. Data Sharing & Disclosure

We do not sell, trade, or rent your personal information to any third party. We do not share personal data for purposes unrelated to providing or improving the App. Information may be shared only in the following limited circumstances:

5.1 Third-Party Service Providers (With Consent)

• Google AdMob & Mediation Partners: Advertising ID, device information, ad interaction data, and approximate location are shared with Google and its ad mediation partners to serve and measure advertisements. This occurs only after you consent via the UMP consent form.
• Firebase Crashlytics: Crash logs, device model, and OS version are shared with Google Firebase only if you enable crash reporting in Settings.
• Firebase Analytics: Anonymous screen views and feature usage events are shared with Google Firebase only after you consent to ads.
• Open Food Facts: Only the barcode number is sent to retrieve product information. No personal data is transmitted.

5.2 User-Initiated Sharing

When you use the App's share, export, or open features, data is shared with other apps you select via your device's native sharing mechanism. This is always initiated by you and under your control.

5.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety.

5.4 What We Do NOT Share

• We do not share personal data with data brokers or marketing companies.
• We do not share your scan history, inventory data, or generated codes with anyone.
• We do not create user profiles or combine data across services.
• We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

6. Third-Party Services, SDKs & Network Endpoints

The App integrates the following third-party services. Each operates under its own privacy policy:

6.1 Google AdMob (Advertising)

• Purpose: Display banner, native, and full-screen advertisements.
• Data Collected: Advertising ID, device information, ad interaction data, approximate location (IP-based).
• Consent: Ads are served only after consent is obtained via Google's User Messaging Platform (UMP). Users in the European Economic Area (EEA) are presented with a GDPR-compliant consent form.
• Privacy Policy: Google Privacy Policy

6.2 Ad Mediation & Measurement Partners

Google AdMob may route ad requests through mediation partners. The following third-party domains may be contacted by the ad SDK to serve, verify, and measure advertisements:

Domain	Service	Purpose
google-analytics.com	Google Analytics	Ad performance measurement and analytics
gstatic.com	Google Static Content	Ad creative delivery and static resources
youtube.com	YouTube (Google)	Video ad content delivery
outbrain.com	Outbrain	Programmatic ad delivery via ad mediation
zemanta.com	Zemanta (Outbrain)	Programmatic ad delivery via ad mediation
cheqzone.com	CHEQ	Ad verification and fraud detection

These services process data according to their own privacy policies. We do not control the data processing practices of these third-party ad partners. All ad-related data collection occurs only after you provide consent.

6.3 Firebase Crashlytics (Crash Reporting)

• Purpose: Collect crash reports to help us identify and fix bugs.
• Data Collected: Crash stack traces, device model, OS version, app state at time of crash.
• Consent: Disabled by default. You must explicitly enable crash reporting in Settings. No data is collected unless you opt in.
• Privacy Policy: Firebase Privacy Policy

6.4 Firebase Analytics (Usage Analytics)

• Purpose: Understand anonymous feature usage and App performance.
• Data Collected: Screen views, feature usage events (all anonymous, no personal identifiers).
• Consent: Disabled by default. Analytics collection is only enabled after you consent to ads via the UMP consent form. No analytics data is collected without your consent.
• Privacy Policy: Firebase Privacy Policy

6.5 Open Food Facts (Product Lookup)

• Purpose: Retrieve product information (name, brand, nutrition data) when you scan a product barcode.
• Data Sent: Only the barcode number (e.g., EAN-13 digits). No personal information or device identifiers are sent.
• Consent: Lookups occur automatically when you scan a product barcode. No personal data is transmitted.
• Privacy Policy: Open Food Facts Privacy Policy

6.6 Google Fonts

• Purpose: Render typography within the App.
• Data: Font files may be fetched from Google's servers. No personal data is transmitted.
• Privacy Policy: Google Privacy Policy

7. Advertising

ScanPro is a free App supported by advertising through Google AdMob. We are committed to responsible ad practices:

7.1 Ad Formats

The App may display the following ad formats:

• Banner Ads: Small rectangular ads displayed at the edges of screens.
• Native Ads: Ads styled to match the App's visual design, clearly labeled as "Sponsored".
• App Open Ads: Full-screen ads shown when the App returns to the foreground (limited to once every 5 minutes).
• Rewarded Ads: Optional full-screen video ads that provide in-app benefits when you choose to watch.

7.2 Consent & GDPR Compliance

We use Google's User Messaging Platform (UMP) to manage advertising consent:

• EEA/UK Users: A GDPR-compliant consent form is presented before any ads are loaded. You may choose to accept or decline personalized advertising.
• All Users: You can manage your ad preferences at any time via Settings > Ad Preferences in the App.
• Non-Personalized Ads: If you decline personalized ads, you may still see contextual (non-personalized) ads.

7.3 Advertising ID

On Android 13 and above, the App requests the AD_ID permission to access Google's resettable Advertising ID. This identifier is used by AdMob to serve and measure ads. You can reset or disable this ID in your device's privacy settings.

8. App Permissions

ScanPro requests only the permissions necessary for its core features. Below is a full explanation of each permission:

Permission	Purpose	Required?
Camera	Scan barcodes, QR codes, and documents using the device camera. Images are processed in real-time on-device and are never stored or uploaded.	Core feature
Internet	Required for product lookups (Open Food Facts), ad delivery (AdMob), crash reporting (Firebase Crashlytics), and analytics (Firebase Analytics).	Core feature
Network State	Detect network connectivity to provide appropriate offline/online behavior.	Core feature
Vibrate	Provide haptic feedback when a barcode is successfully scanned.	Optional UX
Advertising ID	Allow Google AdMob to serve and measure advertisements (Android 13+).	Ad-supported

Note on Storage Permissions: The App does not request broad storage access. All file operations use Android's scoped storage model (Android 10+). The READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE permissions are explicitly removed from the App manifest. Legacy storage permissions that may appear in third-party library manifests are restricted to Android 9 and below, which is below the App's minimum supported version (Android 10 / API 29).

9. Data Storage & Security

9.1 Local Storage

Your scan history, generated codes, inventory data, and preferences are stored in a local SQLite database and device storage within the App's private sandbox. This data:

• Remains on your device at all times
• Is protected by the operating system's application sandboxing
• Is not accessible by other apps
• Is deleted when you uninstall the App

9.2 Network Security

• All network communications use HTTPS/TLS encryption
• No sensitive data (authorization tokens, API keys) is logged in production builds
• API responses are cached locally for up to 5 minutes to minimize network requests

9.3 Third-Party Data Storage

Data collected by third-party services (Google AdMob, Firebase) is stored and processed according to their respective privacy policies and data retention schedules. We do not have direct access to raw data stored by these services.

10. Data Retention

We retain data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Our retention practices are as follows:

Data Type	Retention Period	Details
Local App Data (scan history, generated codes, inventory, tags, preferences)	Until you delete or uninstall	Retained on your device only. We do not access, back up, or retain this data on any server.
Firebase Crashlytics	90 days	Crash logs are automatically deleted by Google Firebase after 90 days.
Firebase Analytics	14 months	Anonymous usage data is automatically deleted by Google Firebase after 14 months.
Google AdMob	Up to 2 years	Ad interaction data retained per Google's data retention policies.
Open Food Facts	Transient	Barcode lookup requests are not stored by us. Open Food Facts' own retention policy applies to their server logs.

How to Delete Your Data

• Scan History: Settings > Clear History
• Inventory Data: Delete individual items or clear all from the Inventory screen
• All App Data: Uninstall the App to permanently remove all locally stored data
• Advertising ID: Reset via your device's privacy settings (Settings > Privacy > Ads)
• Firebase Data: Contact us at dpo@thecocoder.com to request deletion of any crash or analytics data associated with your device

11. International Data Transfers

While the App processes data locally on your device, the third-party services we use (Google AdMob, Firebase, Open Food Facts, and ad mediation partners) may process data in countries outside your country of residence, including the United States. These transfers are conducted in compliance with applicable data protection laws and subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Google's compliance with the EU-U.S. Data Privacy Framework

12. Your Rights & Choices

Regardless of where you live, you have the following rights regarding your data:

Right	How to Exercise
Access your data	View all your data directly in the App (History, Inventory, Settings)
Export your data	Export scan history and inventory data in CSV format from the App
Delete your data	Clear history in Settings, delete inventory items, or uninstall the App
Control ad personalization	Settings > Ad Preferences to change or revoke consent at any time
Control crash reporting	Settings > Crash Reporting to enable or disable (disabled by default)
Reset Advertising ID	Device Settings > Privacy > Ads > Reset Advertising ID
Opt out of personalized ads	Device Settings > Privacy > Ads > Opt out of Ads Personalization
Withdraw consent	You may withdraw any previously given consent at any time without affecting the lawfulness of processing before withdrawal

13. Region-Specific Privacy Rights

13.1 European Economic Area, UK & Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

• Right of Access: Request a copy of the personal data we process about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
• Right to Restriction of Processing: Request that we restrict processing of your data.
• Right to Data Portability: Receive your data in a structured, commonly used format (CSV export is available in-app).
• Right to Object: Object to processing based on legitimate interest.
• Right to Withdraw Consent: Withdraw consent at any time via Settings.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority.

To exercise these rights, contact our DPO at dpo@thecocoder.com. We will respond within 30 days.

13.2 California, USA (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to Know: You have the right to know what personal information is collected, used, shared, or sold.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out of Sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA.

Contact apps@thecocoder.com to exercise your CCPA/CPRA rights.

13.3 Brazil (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with the following rights:

• Right to Confirmation: Confirm whether your personal data is being processed.
• Right to Access: Access your personal data that we process.
• Right to Correction: Request correction of incomplete, inaccurate, or outdated data.
• Right to Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
• Right to Data Portability: Transfer your personal data to another service provider (CSV export available in-app).
• Right to Deletion: Request deletion of personal data processed with your consent.
• Right to Information about Sharing: Know which public and private entities your data has been shared with.
• Right to Information about Consent: Be informed about the possibility of denying consent and the consequences of doing so.
• Right to Revoke Consent: Revoke your consent at any time via Settings.

The legal bases for processing under LGPD are consent (for ads, analytics, and crash reporting) and legitimate interest (for core App functionality). Contact apps@thecocoder.com or our DPO at dpo@thecocoder.com to exercise your LGPD rights.

13.4 Virginia, USA (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with the following rights:

• Right to Access: Confirm whether your personal data is being processed and access that data.
• Right to Correct: Request correction of inaccurate personal data.
• Right to Delete: Request deletion of your personal data.
• Right to Data Portability: Obtain a copy of your personal data in a portable and readily usable format.
• Right to Opt Out: Opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling. We do not sell personal data or engage in profiling.

To exercise your VCDPA rights, contact apps@thecocoder.com. If we decline your request, you may appeal by contacting us, and if unsatisfied with the outcome, you may contact the Virginia Attorney General.

13.5 Other US State Privacy Laws

If you reside in Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, or Indiana, you may have similar privacy rights including:

• Right to access, correct, and delete your personal data.
• Right to data portability.
• Right to opt out of targeted advertising, sale of personal data, and profiling. We do not sell personal data or engage in profiling.
• Right to appeal if we decline your request.

Contact apps@thecocoder.com to exercise your rights under any US state privacy law.

13.6 Canada (PIPEDA)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you with the right to access, correct, and withdraw consent for the processing of your personal information. Contact apps@thecocoder.com to exercise your rights.

13.7 South Africa (POPIA)

If you are located in South Africa, the Protection of Personal Information Act (POPIA) provides you with rights including the right to access, correct, and delete your personal information, and the right to object to processing. Contact apps@thecocoder.com or our Information Officer at dpo@thecocoder.com.

13.8 Other Jurisdictions

If you reside in Australia (Privacy Act), Japan (APPI), South Korea (PIPA), Thailand (PDPA), Singapore (PDPA), or any other jurisdiction with applicable privacy legislation, you may have similar rights to access, correct, delete, and port your personal data. Contact apps@thecocoder.com to exercise your rights.

14. Children's Privacy

ScanPro is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at apps@thecocoder.com and we will take steps to delete such information.

The App is rated for general audiences. All data processing occurs locally on the device. Advertising shown to users complies with Google's child-directed content policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Effective Date" at the top of this page
• We will update the privacy policy within the App
• For material changes, we will provide prominent notice within the App

We encourage you to review this Privacy Policy periodically. Your continued use of the App after any changes constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.