Legal Information

Privacy Policy

Privacy Policy for ContactScanner AI according to GDPR

Sections of the ContactScanner AI privacy policy

Effective from: August 16, 2025 · Last updated: June 23, 2026

Data Controller:

Baudis AI UG (haftungsbeschränkt)
Paul-Zobel-Straße 8d, 10367 Berlin, Germany

Email: info@contactscanner.ai

Product: "ContactScanner AI" mobile app

1. What Data Does the App Process?

1.1 Content You Actively Process

  • Images/photos (e.g., cards, email signatures, badges, posters, screens, whiteboards) that you use in the app to extract contact data.
  • Recognized/extracted contact data according to schema (e.g., first/last name, company, job title, phone/fax/mobile, email, website, street, postal code, city, country).

1.2 App Technology & Pseudonymous Identifiers

  • Device ID (provided by the device) and Client ID (locally generated, persistent key in the keychain).
  • For Apple Ads performance measurement: a locally generated install ID/app account token, Apple Ads attribution data (e.g., campaign, ad group, keyword, country/region, conversion type), and StoreKit purchase data (e.g., product ID, transaction ID, purchase date, price, currency, and storefront country).
  • For Android app analytics and Google Ads performance measurement: Firebase/Google Analytics app instance ID, technical device and app information, Advertising ID or Google advertising services identifiers where provided by the device, and events such as first_open, paywall_view, begin_checkout, purchase, quota_exceeded_paywall, and scan_completed. Purchase events may include product ID, transaction/purchase identifier, price, and currency. These events do not contain scanned images or extracted contact data.
  • These are sent as headers to the proxy to prevent abuse (rate limiting/quotas).
  • Subscription status (as "X-Sub" flag) for enforcing free quotas.

1.3 No Third-Party Ads, Limited Campaign Measurement

We do not display third-party ads in the app, do not use a crash backend, and do not use push notifications. To measure our own Apple Ads campaigns, we use Apple's AdServices/StoreKit interfaces and our own backend reporting. In the Android app, we use Firebase/Google Analytics only to measure app usage, installs, paywall/checkout/purchase events, and the performance of our own Google Ads campaigns.

1.4 Support Contact Form

  • When you use the support form on our website, we process the information you enter: name, email address (optional), category, subject, and issue description.
  • Required fields for handling your request are name, subject, and description. The email address is optional, but required if you want to receive a reply by email.

1.5 QR-Code Generator on the Website

  • When you use the QR-Code generator on our website, you may voluntarily enter contact information (e.g., name, company, email, phone number, address, website, social profiles) into the form fields.
  • The vCard content and QR-Code are generated locally in your browser (client-side).
  • Contact data entered into the generator are not automatically stored by us on our servers.
  • When visiting the website, technically required connection data (e.g., IP address, timestamp, user agent) are processed by the hosting provider.

2. Where Are Data Stored/Processed?

2.1 On Your Device (Local)

  • Pending Scans: JPEG + thumbnail, Base64 in JSON are stored locally when no internet is available.
  • History: Fully processed images (original + edited version) are stored locally in the documents area.
  • Protection: iOS NSFileProtection is enabled (files are device-dependently protected).
  • Local Deletion: There is a setting in the app to delete the scan history.

2.2 Processing via Our Infrastructure

(without permanent server storage of your images)

  • The app sends image data to our edge proxy (Vercel), which forwards the request directly to the OpenAI API and streams the response.
  • We do not permanently store images or result JSONs on the proxy.
  • For abuse protection/quotas, we use Upstash KV (see retention periods).

2.3 External Recipients/Data Processing

  • OpenAI (API, Vision Model): receives the image data you send exclusively for the purpose of extracting contact data. API calls are made with parameter store: false (no training use commissioned by us).
  • Vercel (Edge Proxy): forwards the request/response stream.
  • Upstash (KV): stores only counters/keys for rate limiting/quotas (see 4.).
  • Apple (App Store, StoreKit, Apple Ads/AdServices): provides purchase and subscription processing and Apple Ads attribution information so we can roughly connect installs and purchases to campaigns, ad groups, and keywords.
  • Google/Firebase (Google Analytics for Firebase, Google Ads, Google Play): processes Android app usage, install, purchase/subscription, and attribution events for app analytics, conversion measurement, and optimization of our own campaigns. Google may process technical device information, app instance identifiers, and Advertising ID/AdServices identifiers where provided by the device and Google services.

Note on Data Transfers to Third Countries:
Depending on the location of the respective providers/regions, a transfer to countries outside the EEA (e.g., USA) may take place. Please refer to the respective providers for details on their own data processing.

3. What Do We Use the Data For? (Purposes)

  • Providing Core Functionality: Reading contact data from your images and displaying the result in the app; optional saving to your device contacts.
  • Abuse/Fraud Protection & Quotas: Enforcing rate limiting/quotas (IP-minute, device-month, daily/monthly caps, free quota per client ID).
  • Offline Usage: Temporary local buffering (pending queue) until internet is available again.
  • Support Handling: Processing submitted support requests and (if provided) replying by email.
  • Own campaign measurement and product growth: Evaluating which Apple Ads and Google Ads campaigns, ad groups, keywords, countries, and ads lead to installs, paywall views, checkouts, and purchases. We use this reporting to optimize budgets, bids, keywords, countries, and ads for our own app. The legal basis is our legitimate interest in economically sustainable and abuse-resistant marketing of the app.

We do not sell this data, do not display third-party ads in the app, and do not use it to follow you across apps or websites owned by other companies.

4. Retention Periods

4.1 Locally on Device

  • History: remains on your device until you delete it in the app (or uninstall the app).
  • Pending Queue: remains local until upload is successful (no automatic expiration time).

4.2 Upstash KV (Counters/Keys Only)

  • rl:<ip>:<minute>: 60 seconds
  • cap:<YYYY-MM> (month): 40 days
  • cap:<YYYY-MM-DD> (day): 2 days
  • dev:<device>:<YYYY-MM>: 40 days
  • free:<client>: no automatic deletion (unlimited), until we delete on request.

No images/result JSONs are permanently stored on the proxy itself.

4.3 Apple Ads Attribution and Purchase Events

  • We store pseudonymous Apple Ads install and purchase events in Upstash KV for up to 730 days so the campaign automation can understand trends, recurring purchases, and later optimization decisions.
  • These records do not contain scanned images or extracted contact data.

4.4 Firebase/Google Analytics and Google Ads (Android)

  • Android app usage, install, and purchase events are stored in Firebase/Google Analytics and Google Ads according to the retention and product settings configured there.
  • These events are used for aggregated app and campaign analysis and do not contain scanned images or extracted contact data.
  • Locally stored Google Analytics data can be reset by deleting the app data or uninstalling the app. For further access or deletion requests, you can contact us using the email address below.

4.5 Support Requests (Website)

  • Data from the contact form are transmitted to our team as support emails and stored there for request handling.
  • If you provide a valid email address, you will additionally receive an automatic confirmation of receipt.
  • The retention period depends on the processing purpose and, where applicable, statutory retention obligations.

5. Recipients/Categories

  • OpenAI – API processing of images you send for text recognition/extraction.
  • Vercel – Edge proxy that forwards the request to OpenAI and returns the response to the app.
  • Upstash – Key-value store for rate limiting/quota counters.
  • Resend – Email delivery service for support messages from the contact form (forwarding to info@contactscanner.ai and optional confirmation emails).
  • Apple – App Store/StoreKit purchase processing and Apple Ads/AdServices attribution for our own campaign measurement.
  • Google/Firebase – Google Analytics for Firebase, Google Ads, and Google Play for Android app analytics, install/purchase conversion measurement, and our own campaign optimization.

6. Security

  • Transport encryption (TLS) for all connections.
  • NSFileProtection for locally stored files.
  • Minimization: No image/result data is persisted server-side; only technical counters/keys are maintained.

7. Device Contacts

  • You can save recognized contact data to the contacts app on your device.
  • We do not read your entire address book; when opening a saved contact on iOS, it is specifically loaded from the CNContactStore.

8. Your Rights (GDPR, where applicable)

  • Access, rectification, erasure, restriction, data portability, objection.
  • You have the right to complain to a supervisory authority.
  • For deletion/access requests (including deletion of Upstash keys for your client/device ID) contact us: info@contactscanner.ai.

9. Minors

  • The app has no age verification and is aimed at general users. Please observe local legal requirements for minors.
  • Parents/guardians can contact us at any time with questions.

10. Changes

We may update this privacy policy from time to time when features, legal situation, or providers change. The validity stated above is decisive. Material changes will be announced within the app.

11. Contact

Baudis AI UG (haftungsbeschränkt)

Paul-Zobel-Straße 8d, 10367 Berlin, Germany

Email: info@contactscanner.ai