QR & Barcode Scanner — Privacy Policy

Effective & last updated: August 10, 2025

This Privacy Policy explains how we collect, use, disclose, and protect information when you use the QR & Barcode Scanner mobile application (the "App").

1. Who We Are

Controller: Velocity Retail (the "Company", "we", "our", "us")
Registered Address: Bren Starlight, Bangalore 560049, India
Support: support@appophile.com
App Package: com.appophile.qrcode
India Grievance Officer: Nam Gupta, Bren Starlight, Bangalore 560049, grievance@appophile.com

QR & Barcode Scanner is operated from India and is not specifically directed at users in the EU/EEA or the UK. If we begin offering the App to users in those regions in a way that requires us to appoint a representative under Article 27 of the GDPR (or the UK GDPR), we will appoint one and update this Policy with their details. In the meantime, EU/EEA and UK users can reach us about any data protection matter at privacy@appophile.com.

2. Scope

This Policy applies to the App and any in-app or support channels we operate. If a feature links to another policy (e.g., Google/Meta), that policy governs that feature's provider.

3. Information We Collect

We design the App so core scanning works on-device.

3.1 You Provide

Generated QR Data: text/URL/contact/Wi-Fi/event content you enter to create codes.
Feedback/Support: email content and attachments you send us.
Preferences: beep, auto-copy, dark mode, language.

3.2 Collected Automatically

Advertising ID (AAID) and IP address (for ads/analytics). We do not collect persistent device identifiers such as IMEI, MAC address, or Android ID.
Device & App Diagnostics: model, OS version, app version, performance, crash logs (via Firebase services).
Camera Access: live camera frames used temporarily to detect/decipher codes. We do not store or transmit camera content.

3.3 Third-Party Sources

Firebase (Google): analytics, crash and performance metrics.
Ad Networks: Google AdMob and Meta Audience Network receive advertising signals (e.g., AAID, coarse location/IP).
URL Safety (if enabled): We may use Google Safe Browsing to check links. If we use a lookup method, hashes/URLs may be sent to the provider; if we use an update method, only threat lists are synced.

4. How We Use Data (Purposes & Legal Bases)

Provide core functions (scan, generate, save locally). Legal basis: legitimate interests/contract.
App analytics & quality: performance, crash triage, feature usage. Basis: consent (EEA/UK/CH); legitimate interests elsewhere where permitted.
Advertising/monetization: serving personalized or non-personalized ads, frequency capping, measurement, fraud prevention. Basis: consent (EEA/UK/CH and where required); legitimate interests/contract otherwise where permitted by law.
Purchases: verify premium (ad-free) via Google Play. Basis: contract.
Safety & compliance: detect abuse, comply with law, enforce Terms. Basis: legal obligation/legitimate interests.

EEA/UK/CH: We use a Google-certified Consent Management Platform (CMP) integrated with IAB TCF v2.2 to collect and honor choices for personalized/non-personalized ads and analytics.
California (CPRA): We provide a "Do Not Sell or Share My Personal Information" control (Settings ▸ Privacy) that opts out of cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals where technically feasible.
India (DPDP): We provide controls to withdraw consent, request access/correction/erasure, and a Grievance Officer contact. The App is not directed to children; we do not knowingly process children's data for personalized ads. Where age is uncertain or identified as under 18 in India, we serve non-personalized ads.

6. Storage & Security

On-device (default): Scan history and settings are stored locally using encrypted storage (e.g., Room + Jetpack Security) under your device's OS protections.
Cloud telemetry: Analytics/performance/crash data may be sent to Firebase and retained per Section 10.
Security measures: industry-standard TLS in transit; encryption at rest for local data; restricted access; regular dependency updates and vulnerability review. No method is 100% secure.

We do not sell your scan content. We share limited data with:

Service Providers/Processors: Firebase (Google) for analytics, crash, performance; Google Play for billing. They process data under our instructions.
Independent Controllers: Ad networks (Google AdMob, Meta Audience Network) when showing ads. They may use data they collect per their own policies.
Legal/Compliance: to comply with law, enforce our Terms, protect users and our rights.
Business transfer: if we undergo a merger, acquisition, or asset sale, subject to equivalent protections.

8. International Transfers

We may transfer data to countries outside your own. Where required, we rely on recognized transfer tools, such as the EU-US Data Privacy Framework (for eligible providers) and/or Standard Contractual Clauses. Vendor details are listed in Appendix A.

9. Your Choices & Controls

View/Clear/Export: Manage scan history in the App (view, delete single/all, export CSV/PDF).
Ads: Buy Premium to remove ads; otherwise switch to non-personalized ads in Settings or via CMP (region-specific).
Device controls: Reset/limit AAID and ad tracking in Android settings.
Permissions: You can revoke Camera/Storage permissions (some features may not work).

10. Retention

On-device scan history & settings: kept until you delete them or uninstall the App.
Generated images saved to gallery: stay until you delete them.
Telemetry: Firebase Analytics up to ~26 months; Crash/Performance logs typically ≤90 days (subject to vendor defaults and our needs).

11. Your Rights

EEA/UK/CH (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, objection, and right to withdraw consent. You may lodge a complaint with your local supervisory authority.
California (CPRA): right to know, delete, correct, and opt out of sale/sharing; no discrimination for exercising rights.
India (DPDP): right to access, correction, erasure, grievance redressal, and to nominate a person for exercising rights.

Request rights or raise questions at privacy@appophile.com or via in-app Privacy controls. We will verify your request and respond within the timeframes required by law.

12. Children's Privacy

The App is not directed to children. We do not knowingly collect personal data from children under 13 globally and under 18 in India. If you believe a child has provided personal data, contact us and we will take appropriate steps.

13. Changes to this Policy

We may update this Policy. Material changes will be announced via in-app notice and/or app-store notes. Your continued use after the Effective Date means you accept the changes.

14. Contact

Controller: Velocity Retail, Bren Starlight, Bangalore 560049
Support: support@appophile.com
Privacy: privacy@appophile.com
India Grievance Officer: Nam Gupta, grievance@appophile.com, Bren Starlight, Bangalore 560049

Appendix A — Vendors & Roles (Summary)

Google LLC (Firebase, Google Play, AdMob): analytics, crash, performance, billing, ads; controller/processor depends on feature; transfers via DPF/SCCs; retention per Google policies.
Meta Platforms, Inc. (Meta Audience Network): ads; independent controller for ad signals; transfers via SCCs/DPF where applicable.
Safe Browsing Provider (if enabled): link safety checks (lookup/update method as implemented).

Appendix B — Google Play Data Safety Mapping (High-level)

Collected: AAID, IP/coarse location, app diagnostics, crash logs, analytics.
Not Collected: scan content, contacts, precise location, persistent device IDs (IMEI/MAC/Android ID).
Shared: limited ad/measurement signals with ad networks when showing ads.
Purposes: analytics, app functionality, fraud prevention, advertising (personalized or non-personalized).
Security: data encrypted in transit; local data encrypted at rest.
Deletion: on request and by in-app controls, subject to legal obligations.