1. Controller
ExplainThisDoc
Julian Heger
Cumberlandstr. 40
1140 Vienna
Austria
Contact: [email protected]
2. Overview
- OCR (text extraction) is performed locally on the user's device.
- Image files and PDF documents are not transmitted to our servers.
- Only extracted text is transmitted for analysis (and deleted from our systems after processing).
- No advertising tracking is used. We do not sell personal data.
3. Categories of Data Processed
3.1 Text Content
When a user scans or imports a document, text extraction is performed locally on the device. Only the extracted text is transmitted to our backend and processed by an external AI service provider (OpenAI). For technical reasons (for example iOS backgrounding), extracted text may be stored temporarily on our servers until processing completes or fails. After processing, the extracted text is deleted/cleared from the job record. No images, camera data, or document files are transmitted to the AI provider.
Legal basis: Article 6(1)(b) GDPR (performance of a contract)
3.2 Account and Authentication Data
To provide the service and manage credits, we process pseudonymous identifiers such as a device identifier generated by the app, an app authentication token (Bearer token), and credit balance information.
Legal basis: Article 6(1)(b) GDPR (performance of a contract)
3.3 Technical Usage Data
To operate and secure the service, we process limited technical data such as IP address, request timestamps, request identifiers, language and time zone settings, aggregated usage metrics (for example request counts and token counts), and credit/transaction identifiers, for service delivery, fraud prevention, rate limiting, troubleshooting, and security.
Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (legitimate interest in system integrity and abuse prevention)
3.4 In-App Purchases
Credits may be purchased via Apple's App Store. Payment processing is handled by Apple. We do not receive or store payment card information. We receive transaction-related metadata (for example transaction identifiers, product identifiers, and verification data such as signed transaction info) necessary to credit the user's account. Apple acts as an independent data controller.
Apple Privacy Policy: https://www.apple.com/legal/privacy/
3.5 Support Communications
If you contact us by email, we process your email address and the content of your message to respond and handle your request.
Legal basis: Article 6(1)(b) GDPR and/or Article 6(1)(f) GDPR
3.6 Website Access (Legal Site)
Our legal website is hosted on Cloudflare Pages. When you access the website, Cloudflare may process connection and log data (such as IP address, user agent, and request metadata) to deliver and protect the site. We do not use cookies for advertising or analytics on this site; Cloudflare may set technically necessary cookies for security purposes.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure delivery)
4. Server Location
Our backend infrastructure is hosted within the European Union (Germany).
5. International Data Transfers
When users request text analysis, extracted text may be processed by OpenAI, which may involve processing outside the EEA (including the United States). Transfers are carried out under Article 46 GDPR using Standard Contractual Clauses and additional safeguards as applicable.
Depending on your usage, other providers (such as Apple for payments and Cloudflare for website delivery) may also process personal data outside the EEA under their own terms and safeguards.
OpenAI Privacy Policy: https://openai.com/privacy
6. Data Retention
Technical usage data is retained only as long as necessary for service provision, security, and legal obligations. Extracted text is stored only temporarily for processing and is deleted/cleared after processing completes or fails. Server-side job records (including the generated result) are retained for up to 7 days to allow delayed retrieval, then deleted. Locally stored history can be deleted in the app at any time. Purchase transaction records may be retained as required by law and for fraud prevention.
7. No Automated Decision-Making
We do not perform automated decision-making within the meaning of Article 22 GDPR. AI-generated explanations are informational only and do not constitute legal or financial advice.
8. Data Security
We implement appropriate technical and organizational measures (including encrypted transmission and access controls) to protect data.
9. Your Rights (EU/EEA)
You have rights of access, rectification, erasure, restriction, portability, and objection under the GDPR. To exercise your rights, contact us using the details above. We may require your in-app device identifier to identify your account.
10. Obligation to Provide Data
The provision of certain data (such as extracted text content and technical usage data) is necessary for the performance of the contract and to provide the service. Without such data, the service cannot be delivered.
11. Legitimate Interests
Where processing is based on Article 6(1)(f) GDPR, our legitimate interests include ensuring system security, preventing abuse, maintaining service integrity, and managing credit accounting. We ensure that such interests do not override the fundamental rights and freedoms of users.
12. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority in the European Union, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
13. Hosting and Infrastructure Providers
Our infrastructure may rely on service providers acting as data processors under Article 28 GDPR. Such providers process data solely on our behalf and under contractual safeguards.
14. Children
The app is not directed to children under 16 years of age. We do not knowingly collect data from children without appropriate consent.
15. Changes
We may update this Privacy Policy to reflect legal, technical, or operational changes. The current version is always available within the app and on our website.