Privacy Policy

Effective date: 10 July 2026
Last updated: 10 July 2026

This Privacy Policy explains how A-Design, obrt za web dizajn, vl. Josip Valčić, trading under the Zappira brand (“Zappira”, “we”, “us”, or “our”), processes information when you use the Scany mobile application (“Scany” or the “App”).

Scany is a local-first document-scanning application. Your scanned and imported document images are processed and stored primarily on your device. Scany does not currently provide accounts or cloud synchronisation, and the App does not intentionally upload the contents of your scans or exported PDFs to Zappira, Firebase Storage, or an artificial-intelligence service. Technical installation, usage, and crash information does leave your device as described below.

1. Who Is Responsible for Your Information

The data controller responsible for the personal data described in this Policy is:

A-Design, obrt za web dizajn, vl. Josip Valčić
S. S. Kranjčevića 5
23000 Zadar
Croatia
Email: [email protected]

2. Information Scany Processes

Document content and library information stored on your device. When you scan a document or import selected photos, Scany processes the image content you choose to provide. Depending on what you scan, this content may contain personal, confidential, financial, health, government-identification, or other sensitive information. The App may also store:

  • original images and locally processed or cropped copies;
  • document titles, document type and source, folders, tags, page order, and page count;
  • creation, update, and export dates;
  • crop, perspective-correction, contrast, and other image-processing settings;
  • local file paths and PDF export status; and
  • onboarding completion state.

This information is used to display and operate your local Scany library. Zappira does not receive this document content merely because you create, edit, organise, preview, or export a scan.

Camera and photo input. With your permission, Scany accesses the camera to capture pages and the system photo picker or photo library when you choose to import an existing image. Scany does not request full photo metadata, but a selected or captured file may nevertheless retain embedded metadata as well as visible personal information. Scany does not record audio. It does not request precise location, contacts, health, calendar, or notification access in the current version.

Scany installation information. The App creates a random, persistent Scany installation identifier. On each launch, Scany sends that identifier, your platform (iOS or Android), App version, and device manufacturer or model to scany.zappira.com. The backend may associate a first-seen timestamp and a legacy-free eligibility status with that installation identifier. The receiving server and its network-security provider also receive ordinary connection information such as IP address, request date and time, and HTTP or security metadata. This registration does not include your name, email address, hardware serial number, scanned images, document titles, folders, tags, or PDFs.

Analytics information. Scany uses Google Analytics for Firebase, which is enabled when the App launches. Scany logs an app-open event and observes navigation to named App screens. Google Analytics may also collect automatically generated events and information such as first launch, sessions, engagement, screen views, approximate location derived from IP address, language, operating system, device brand and model, App version, an app-instance identifier, and device or advertising identifiers and attribution signals where available under the platform configuration. Scany does not set a Firebase user ID and does not intentionally send scan images, PDF contents, document titles, folders, or tags to Analytics. The current version does not display ads or include a direct ad-serving interface. Analytics advertising features and links to other Google products are controlled separately through Firebase and Google Analytics configuration.

Crash and diagnostic information. Scany uses Firebase Crashlytics, which is enabled when the App launches. If the App fails or encounters an error, Crashlytics may receive installation and session identifiers, timestamps, error and exception messages, crash stack traces, App and bundle version, operating-system version, device model and architecture, available memory or disk information, foreground or background state, screen orientation, root or jailbreak status, and Analytics breadcrumb events. Scany adds only technical custom fields identifying the Scany App area and whether a debug build is running. Scany does not intentionally attach your scanned images or PDFs to a crash report, although technical error messages can occasionally include a local file name or path.

Google ML Kit diagnostic information on Android. Scany uses Google Play services and ML Kit components for document scanning and on-device image analysis. Document images, camera frames, detected text regions, and scan results are processed on the device and are not intentionally sent to Google as input content. ML Kit may nevertheless send Google technical usage and diagnostic metrics, such as App and SDK version, package identifier, device model and operating system, feature or model version, configuration and image dimensions, performance and latency measurements, download or detection events, identifiers associated with an installation or device, and error codes. Google Play services may also connect to Google to download scanner components, models, updates, or compatibility fixes.

Support communications. If you contact us, we process the contact details, message content, attachments, and related correspondence that you choose to provide. Please do not email scans, identity documents, financial details, or other sensitive content unless it is strictly necessary for us to address your request.

3. How Scany Uses Information

We use information for the following purposes:

  • to capture or import pages, detect document boundaries, crop and enhance images, preview and reorder pages, and create PDFs;
  • to save, display, rename, organise, export, share, and remove documents from the visible App library;
  • to register and distinguish App installations, record when an installation was first seen, understand platform and version compatibility, maintain any applicable legacy-free eligibility status, and protect the service from abuse;
  • to understand how the App is opened and navigated so we can improve its design and performance;
  • to identify, investigate, and repair crashes and technical errors;
  • to respond to support, privacy, or legal requests; and
  • to protect our rights, users, systems, and services and comply with applicable law.
4. Legal Bases for Processing

Where the General Data Protection Regulation (“GDPR”), UK GDPR, or a similar law applies, we rely on the following legal bases:

  • Performance of a contract: to provide App functions you request, such as scanning, local organisation, PDF creation, and user-directed sharing.
  • Legitimate interests: to register installations, maintain App compatibility and security, understand basic App use, diagnose crashes, prevent misuse, and improve Scany. We consider these interests against the limited and pseudonymous nature of the transmitted information and the fact that document content is not intentionally uploaded.
  • Consent: where applicable law requires consent and we specifically tell you that processing is optional and ask for your agreement. You may withdraw consent at any time without affecting processing that was lawful before withdrawal. Camera and photo permissions can separately be withdrawn in your operating-system settings.
  • Legal obligations and legal claims: when processing is necessary to comply with law, respond to lawful requests, or establish, exercise, or defend legal claims.

The current App version automatically enables Firebase Analytics and Crashlytics and does not include an in-App switch for those services. Depending on your country, access to or storage of analytics identifiers on your device may be subject to additional consent requirements.

5. On-Device Scanning and Image Analysis

Scany and its platform-scanning components use on-device computer-vision functions to identify document edges or text regions for framing, alignment, crop, perspective correction, and image enhancement. On Android, the system document-scanning flow is supplied through Google Play services and ML Kit. On iOS, Scany uses Apple VisionKit, Vision, and Core Image. The App does not provide user-visible optical-character-recognition output and does not use generative AI. Where text-region detection is used to locate a document, Scany does not store the detected text as a separate text record.

6. Local Storage, Backups, Export, and Sharing

Scanned and imported images, processed copies, library metadata, and preferences are stored within Scany’s application storage on your device. PDFs are created locally in temporary application storage. Scany does not provide its own cloud backup or synchronisation.

Your operating system may include Scany data in a device backup or a backup connected to your Apple or Google account, depending on your device and backup settings. Those backups are controlled by you and the relevant platform provider, not by Zappira.

When you create a PDF, Scany embeds the document title, “Scany” as author and creator, and the scan type as subject metadata. When you select Share PDF, Scany opens the operating system’s share sheet and discloses the PDF, the document title used as its file name or share subject, and short Scany share text to the app, service, person, or organisation you select. Their privacy practices apply after you share the file. Zappira cannot retrieve, control, or delete copies held by recipients or third-party services.

7. When Information Is Disclosed

We may disclose the limited information described in this Policy to:

  • Google: Google Analytics for Firebase and Firebase Crashlytics process analytics and diagnostic information. Google Play services and ML Kit provide Android scanning components and may process technical metrics. See Firebase Privacy and Security, ML Kit Terms and Privacy, and Google’s Privacy Policy.
  • Apple: iOS system frameworks, device backups, App Store services, and any Apple service you choose may process information under Apple’s Privacy Policy.
  • Backend, hosting, and network-security providers: our Scany installation-registration endpoint and its infrastructure providers process installation and connection data on our behalf. The endpoint currently uses Cloudflare for network delivery and security; see Cloudflare’s Privacy Policy.
  • Your selected recipients: any app, cloud drive, messaging service, email provider, printer, person, or organisation you choose through the share sheet.
  • Authorities or other parties for legal reasons: where disclosure is required by law or reasonably necessary to protect rights, safety, users, or services, investigate misuse, or respond to a legal process.
  • A successor organisation: in connection with a merger, acquisition, restructuring, or transfer of the App or business, subject to applicable confidentiality and data-protection requirements.

We do not sell your personal data. The current App does not display ads or contain a direct ad-serving SDK or advertising interface. Firebase Analytics may nevertheless collect advertising identifiers and attribution signals where available, and may support advertising-product integrations configured outside the App, as described above.

8. International Data Transfers

Zappira is based in Croatia. Google, Cloudflare, platform providers, and their subprocessors operate globally, so transmitted technical data may be processed outside Croatia, the European Economic Area, the United Kingdom, or your country of residence. Where required, transfers are protected by recognised legal mechanisms such as adequacy decisions, the EU-US Data Privacy Framework for participating organisations, or approved standard contractual clauses, together with appropriate technical and organisational measures.

9. Data Retention
  • Local library data: library records remain on your device until you remove them from the App, clear Scany’s storage, or delete the App. Deleting a document or page in the current version removes it from the visible library record, but copied image assets, processed variants, cached captures, or temporary PDFs may remain in the App’s private storage until the operating system clears them, you clear the App’s storage, or you fully delete the App. Offloading an app may preserve its data. Copies in device backups or shared with others follow the backup provider’s or recipient’s retention rules.
  • Scany installation records: the random installation identifier, first-seen or eligibility status, and associated device, platform, and version information are retained according to how long the installation continues to interact with the service and how long the records remain necessary for installation management, compatibility, security, legal limitation periods, or other legal obligations. Routine server and security logs follow operational and security needs and may be kept longer when required to investigate abuse or comply with law.
  • Google Analytics: user-level and event-level Analytics data is retained for no longer than 14 months under the available standard-property retention settings; a shorter 2-month setting may apply. Standard aggregated reports may remain available for longer.
  • Firebase Crashlytics: Google states that crash stack traces, extracted crash data, and associated installation identifiers are retained for 90 days before removal from live and backup systems begins.
  • Support and legal records: correspondence is retained for as long as needed to answer the request, maintain necessary business records, resolve disputes, enforce agreements, or meet legal obligations.
10. Security

Scany relies on the operating system’s application sandbox and device-security features to protect local files. Network requests to the Scany endpoint and Firebase services use encrypted HTTPS connections. We apply reasonable technical and organisational safeguards, but no device, storage method, backup, or transmission is completely secure. Scany does not add separate file-level encryption to your scans. You should use a device passcode, keep your operating system updated, review backup settings, restrict access to your device, and use care when scanning or sharing sensitive documents.

11. Your Choices
  • Camera and photos: deny or revoke access in your device settings. Features that require the denied permission will not work.
  • Sharing: cancel the share sheet or choose the recipient and service you trust. Review the PDF before sharing it.
  • Local data: remove items from the visible library. To remove remaining App-controlled local files, use the operating system’s clear-storage function where available or fully delete Scany rather than offloading it. You may also need to remove device backups and copies already exported or shared.
  • Identifiers and diagnostics: the current version has no in-App Analytics or Crashlytics opt-out and no control that resets the Scany installation identifier. Platform privacy settings may limit certain identifiers. You may contact us to object to processing or request deletion of server-side information.
12. Your Privacy Rights

Subject to applicable law, you may have the right to request access to, correction of, deletion of, or restriction of your personal data; receive portable data you provided; object to processing based on legitimate interests; withdraw consent without affecting earlier lawful processing; and lodge a complaint with a supervisory authority. These rights can be subject to legal conditions and exceptions.

Because Scany does not require an account, does not display its random installation identifier, and uses pseudonymous records, we may need limited information to try to locate a server-side record. You may provide your platform, device model, approximate installation date, and approximate last-use date, but we may be unable to identify a particular installation from those details alone. Do not send a scan or government identifier merely to verify a privacy request. We may ask for proportionate additional information if necessary to prevent unauthorised access or deletion, and we will explain if we cannot reasonably identify the relevant record.

Send requests to [email protected]. We will respond within the period required by applicable law.

13. Automated Decisions

Scany does not use personal data to make decisions that produce legal or similarly significant effects about you. Image detection, crop suggestions, and enhancements are technical scanning functions and are not used to evaluate your identity, eligibility, creditworthiness, health, or behaviour.

14. Children’s Privacy

Scany is a general productivity tool and is not directed to children under 16. If you are under 16, use Scany only with the involvement and permission of a parent or legal guardian. We do not knowingly request a child’s name or contact details. A parent or guardian who believes a child has provided personal data to us may contact us to request appropriate action.

15. Regional Disclosures

Residents of jurisdictions with additional privacy laws may have further rights, including rights to know the categories of personal information processed, request correction or deletion, obtain a copy, and appeal a denied request. We do not sell personal information. Firebase Analytics may collect advertising identifiers or attribution signals and may support integrations controlled through the Analytics property configuration. You may exercise applicable rights using the contact details in this Policy, and we will not discriminate against you for making a valid privacy request.

16. Changes to This Policy

We may update this Policy to reflect changes to Scany, our providers, or applicable law. We will revise the “Last updated” date and, when appropriate, provide notice in the App, on the publication page, or through another reasonable method. Material changes apply from the stated effective date.

17. Contact and Complaints

For questions, objections, or privacy requests, contact:

A-Design, obrt za web dizajn, vl. Josip Valčić
S. S. Kranjčevića 5
23000 Zadar
Croatia
Email: [email protected]

You also have the right to complain to the supervisory authority in your country. In Croatia, the authority is the Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka, AZOP), Ulica Metela Ožegovića 16, 10000 Zagreb, Croatia, email [email protected], website https://azop.hr/.