Privacy Policy

Last updated: July 14, 2026

The English text of this document is the binding version.

This policy explains what personal data ScanDrop collects, why, how long we keep it, and the rights you have over it. It is written to satisfy both the EU General Data Protection Regulation (GDPR) and the Israeli Protection of Privacy Law, 5741-1981, including Amendment 13.

1. What we collect and why

  • Account data — email address, name, profile picture (if signing in with Google), hashed authentication data. Purpose: operating your account. Legal basis: contract.
  • Product checks and reports — the links you submit and the reports generated from them. Purpose: this is the service itself. Legal basis: contract.
  • Billing data — subscription status, credit balances and transaction history. Card details are handled solely by Paddle, our merchant of record — we never see or store card numbers. Legal basis: contract, legal obligations.
  • Anti-abuse signals — a one-way hash of your IP address at signup and normalized email forms, used to prevent free-tier farming. Legal basis: legitimate interest (preventing abuse). Raw IP addresses are not stored.
  • Preferences — interface language, report language, currency, notification choices.

We do not sell personal data, and we do not use your data to train AI models.

2. Processors we rely on

Your data is processed by these providers, under their own compliance programs:

  • Supabase — database, authentication and file storage (hosted in the EU, Frankfurt).
  • Paddle — payments, invoicing and tax handling (merchant of record).
  • Anthropic — AI analysis of the product pages you submit.
  • fal.ai — generation of AI product images.
  • Resend — transactional email delivery.
  • Vercel — application hosting and privacy-friendly, cookieless analytics.

Product-page content sent to AI providers is the publicly available listing data — not your personal details.

3. Cookies

We use strictly necessary cookies for signing you in (authentication session) and a preference entry for your language. Our analytics (Vercel) are cookieless. Optional cookies are only ever set with your consent via the cookie banner, and rejecting them keeps the site fully functional.

4. Retention

  • Reports and history are kept for as long as your account exists — that permanence is a product feature.
  • Deleting your account permanently removes your profile, reports, images, notifications and credit history. Billing records that we are legally required to retain are kept by Paddle per their obligations.
  • Anti-abuse hashes expire on a rolling basis.

5. Your rights

Under the GDPR and Israeli law you may:

  • Access / export — download everything we hold about you with one click: Settings → Profile → "Export my data".
  • Erase — delete your account and all its data: Settings → Profile → "Delete my account". This works immediately and completely.
  • Rectify — edit your name and preferences in Settings.
  • Object / restrict — email us and we will respond within 30 days.
  • Complain — to your local supervisory authority, or in Israel to the Privacy Protection Authority.

6. Security

Data is encrypted in transit (TLS) and at rest. Access to production data is limited, authenticated and logged. Row-level security policies ensure each account can only ever read its own records. Report images are stored privately and served through short-lived signed URLs.

7. Children

The Service is not directed at anyone under 18, and we do not knowingly collect data from minors.

8. Changes and contact

Material changes to this policy will be announced by email. Data controller contact: support@scandrop.org.