1. Data controller
This Privacy Policy applies to the Scanter website (scanterapp.com) and the Scanter mobile application (collectively, the "Service").
We act as the data controller under Turkey's Personal Data Protection Law No. 6698 ("KVKK") and, for users in the European Union, under the General Data Protection Regulation ("GDPR"). Full contact details are in the Contact section.
2. Data we collect
Depending on how you use the Service, we collect data in the categories below. We have structured these to mirror our Apple App Store and Google Play "Data Safety" disclosures.
Account info: email address, password (stored only as a bcrypt hash), optional name — collected at sign-up.
Uploaded files: the contents of PDF files you upload for merging, compressing, converting, splitting, watermarking, or image extraction — held temporarily, while we process them.
Conversion log: job ID (UUID), conversion type, file size, success/failure status, timestamp — collected at each conversion.
Usage data: IP address (rate limiting / abuse prevention only), HTTP request headers, browser/device type — collected on every request.
Authentication: JWT session token, stored only in your browser/device — collected when you sign in.
Notification tokens (mobile): your Apple Push Notification (APNs) or Firebase Cloud Messaging (FCM) device token — collected when you enable notifications.
Support messages: the content of messages you send us and any contact info you provide — collected when you reach out.
Data we do NOT collect: location, contacts, calendar, photo library, microphone, biometric data, health data, or any content analysis/profiling of your uploaded files. We do not use advertising identifiers (IDFA/AAID).
3. How we use data
We process your personal data only for the purposes and under the legal bases set out below:
To deliver the Service (KVKK Art. 5/2-c, GDPR Art. 6(1)(b) — contract): perform the PDF conversion you requested, return your file, manage your account.
Security (KVKK Art. 5/2-f, GDPR Art. 6(1)(f) — legitimate interest): prevent abuse, enforce rate limits, detect fraud.
Legal obligations (KVKK Art. 5/2-ç, GDPR Art. 6(1)(c)): retain records required by law, respond to lawful requests.
Improve the Service (legitimate interest): aggregated, de-identified analytics to optimize our infrastructure.
Communication (contract / consent): send important account updates and — only with your explicit consent — marketing messages.
We never sell, rent, or share your personal data with advertising networks.
4. Sharing with third parties
We only share data in the limited situations below:
Infrastructure providers: our servers are self-managed (data center in Turkey). We work with a small set of processors for backups and CDN delivery.
Notification services: for mobile push notifications, we share only your device token with Apple (APNs) and Google (FCM).
Legal requests: we disclose data when required by a court order, prosecutor's request, or legal obligation.
Corporate transactions: in a merger, acquisition, or sale, your data may transfer to the acquirer under equivalent protection; you will be notified in advance.
The Service does not use any analytics, advertising, or third-party tracking SDKs.
5. Retention
Uploaded PDF files (input and output): up to 1 hour after processing, then automatically deleted.
Account information: while your account is active, then fully purged 30 days after a deletion request.
Conversion log: de-identified statistics retained for 12 months.
IP / security logs: 90 days.
Support messages: 24 months after the matter is resolved.
6. Security
Technical and organizational measures we apply:
All traffic is end-to-end encrypted via TLS 1.2/1.3 (HTTPS).
Passwords are hashed with bcrypt; plaintext is never stored.
Sessions are managed with JWT; tokens live only on the client.
Rate limiting and abuse filters are enforced.
Backups are stored encrypted; access follows least-privilege.
Regular security patching and dependency updates.
No internet service is 100% secure, but we protect your data using industry best practices. In the event of a data breach, we will notify you and the relevant authorities (KVKK Board, supervisory authorities) within the legally required timeframes.
7. Children
The Service is not directed at children under 13. The U.S. COPPA rules apply for children located in the United States; GDPR Art. 8 (age 13–16 depending on the EU member state) applies in the EU. We do not knowingly collect personal data from children under 13; if we learn that we have, we delete it promptly.
8. International data transfers
Our primary data storage is located in Turkey. When push notification services (APNs/FCM) are used, your device token is transferred to Apple's or Google's global infrastructure. For EU/EEA users, these transfers are made under GDPR Art. 45 (adequacy decisions) or Art. 46 (Standard Contractual Clauses).
9. Your rights
Under KVKK Art. 11 and GDPR Arts. 15–22 you have the right to:
Confirm whether your personal data is being processed and request access.
Have inaccurate data corrected.
Request erasure / right to be forgotten.
Object to or restrict processing.
Request data portability in a structured, machine-readable format.
Withdraw any consent you previously gave.
Lodge a complaint with the relevant authority (KVKK Board, your EU supervisory authority).
Account deletion: You can delete your account at any time. In the mobile app go to Settings › Delete my account, or email privacy@scanterapp.com. Requests are fulfilled within 30 days.
10. Cookies and similar technologies
We use only strictly necessary session cookies / local storage (your JWT auth token). We do not use advertising, profiling, or third-party analytics cookies. You can clear your session at any time from your browser; you will need to sign in again afterwards.
11. Mobile app disclosures (Apple App Store & Google Play)
Additional disclosures specific to our mobile app:
Apple App Tracking Transparency: we do not track you across apps and websites owned by other companies. We do not request the IDFA.
Apple Privacy Nutrition Label: "Data Linked to You" — User Content (your uploaded files, temporary), Identifiers (user ID), Contact Info (email), Diagnostics (crash/performance). "Data Used to Track You" — none.
Google Play Data Safety: data encrypted in transit — yes. Users can request data deletion — yes. Data shared with third parties — none (only the service providers listed above).
Permissions: only "File access" so you can pick PDFs and "Notifications" if you opt in. We do not request location, camera, contacts, or microphone access.
12. Changes to this policy
We may update this policy from time to time. We will announce material changes at least 30 days in advance via email and/or in-app notice. The "Last updated" date at the top of the page reflects the current version.
13. Contact
You can reach us as data controller at:
Privacy requests: privacy@scanterapp.com
General support: info@scanterapp.com
Web: scanterapp.com
If you are in Turkey, you may also submit KVKK-specific requests using the methods described in our KVKK Disclosure Notice (Turkish only — local law).