At a Glance
- OCR is performed locally on-device.
- Image files and PDF files are not sent to our servers for analysis.
- Only extracted text is processed for AI explanation output by the selected AI provider.
- iCloud Recovery can store recovery archives in the user's private iCloud database.
- No ad tracking, no sale of personal data.
1. Controller
ExplainThisDoc
Julian Heger
Cumberlandstr. 40
1140 Vienna
Austria
Contact:
[email protected]
2. Overview
- OCR (text extraction) is performed locally on the user's device.
- Image files and PDF documents are not transmitted to our servers for analysis.
- Only extracted text is transmitted for analysis and processed by the selected AI provider (and deleted from our systems after processing).
- iCloud Recovery can use Apple CloudKit to store recovery archives in the user's private iCloud database.
- No advertising tracking is used. We do not sell personal data.
3. Categories of Data Processed
3.1 Text Content
When a user scans or imports a document, text extraction is performed locally on the device. For analysis, only the extracted text is transmitted to our backend and processed by the selected or configured external AI service provider. The currently supported AI providers are OpenAI, Mistral AI, and Qwen / Alibaba Cloud Model Studio (DashScope). For technical reasons (for example iOS backgrounding), extracted text may be stored temporarily on our servers until processing completes or fails. After processing, the extracted text is deleted/cleared from the job record. No images, camera data, or document files are transmitted to an AI provider for analysis.
Legal basis: Article 6(1)(b) GDPR (performance of a contract)
3.2 Account and Authentication Data
To provide the service and manage credits, we process pseudonymous identifiers such as a device identifier generated by the app, an app authentication token (Bearer token), and credit balance information.
Legal basis: Article 6(1)(b) GDPR (performance of a contract)
3.3 Technical Usage Data
To operate and secure the service, we process limited technical data such as IP address, request timestamps, request identifiers, language and time zone settings, aggregated usage metrics (for example request counts and token counts), and credit/transaction identifiers, for service delivery, fraud prevention, rate limiting, troubleshooting, and security.
Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (legitimate interest in system integrity and abuse prevention)
3.4 In-App Purchases
Credits may be purchased via Apple's App Store. Payment processing is handled by Apple. We do not receive or store payment card information. We receive transaction-related metadata (for example transaction identifiers, product identifiers, and verification data such as signed transaction info) necessary to credit the user's account. Apple acts as an independent data controller.
Apple Privacy Policy: https://www.apple.com/legal/privacy/
3.5 Support Communications
If you contact us by email, we process your email address and the content of your message to respond and handle your request.
Legal basis: Article 6(1)(b) GDPR and/or Article 6(1)(f) GDPR
3.6 iCloud Recovery / CloudKit
The app can use Apple CloudKit for iCloud Recovery of imported history and saved analysis results across reinstalls and the user's own devices signed in to the same Apple ID. If iCloud Recovery is available and not disabled, a recovery archive may be stored in the user's private iCloud database. This archive may include saved history entries, generated explanations, original extracted text saved with history, user notes, locally stored document assets, previews, and note attachments. CloudKit records may also contain checksums, timestamps, byte sizes, a hashed account scope, history identifiers for deletion markers, and a small control marker used to disable future recovery uploads.
App authentication tokens, device identifiers, and the raw server user identifier are not stored in CloudKit by this feature. The account scope stored in CloudKit is derived from a SHA-256 hash. Users can delete and disable iCloud Recovery in the app settings; a small marker without document content may remain to prevent future uploads for that account.
Apple provides and operates iCloud and CloudKit. Apple may process related data under its own privacy terms: https://www.apple.com/legal/privacy/
Legal basis: Article 6(1)(b) GDPR and/or Article 6(1)(f) GDPR
3.7 Website Access (Legal Site)
Our legal website is hosted on Cloudflare Pages. When you access the website, Cloudflare may process connection and log data (such as IP address, user agent, and request metadata) to deliver and protect the site. We do not set our own analytics, marketing, or tracking cookies. To provide and protect the website, our hosting and security provider Cloudflare may use technically necessary cookies or comparable security mechanisms.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure delivery)
4. Server Location
Our backend infrastructure is hosted within the European Union (Germany). This does not include external AI providers, Apple/iCloud services, App Store payment processing, or Cloudflare website delivery, which operate under their own infrastructure and terms.
5. International Data Transfers
When users request text analysis, extracted text may be processed by the selected AI provider. Depending on the selected provider and endpoint configuration, this may involve processing outside the EEA, including the United States for OpenAI services or China/Singapore and other regions for Qwen / Alibaba Cloud Model Studio services. Mistral AI is presented in the app as an EU-region provider, but users should also review the provider's current terms.
Depending on your usage, other providers (such as Apple for App Store payments and iCloud/CloudKit, and Cloudflare for website delivery) may also process personal data outside the EEA under their own terms and safeguards. Where required, transfers are based on appropriate GDPR transfer mechanisms such as Standard Contractual Clauses and additional safeguards as applicable.
OpenAI Privacy Policy: https://openai.com/privacy
Mistral AI Privacy Policy: https://legal.mistral.ai/terms/privacy-policy
Qwen / Alibaba Cloud Model Studio Privacy Notice: https://help.aliyun.com/zh/model-studio/privacy-notice
Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
6. Data Retention
Technical usage data is retained only as long as necessary for service provision, security, and legal obligations. Extracted text is stored only temporarily for processing and is deleted/cleared after processing completes or fails. Server-side job records (including the generated result) are retained for up to 7 days to allow delayed retrieval, then deleted. Locally stored history can be deleted in the app at any time. Purchase transaction records may be retained as required by law and for fraud prevention.
iCloud Recovery archives and deletion markers remain in the user's private iCloud database until overwritten by a newer recovery archive, deleted through the app settings, or otherwise removed by the user/Apple according to iCloud behavior and Apple's terms.
7. No Automated Decision-Making
We do not perform automated decision-making within the meaning of Article 22 GDPR. AI-generated explanations are informational only and do not constitute legal or financial advice.
8. Data Security
We implement appropriate technical and organizational measures (including encrypted transmission and access controls) to protect data.
9. Your Rights (EU/EEA)
You have rights of access, rectification, erasure, restriction, portability, and objection under the GDPR. To exercise your rights, contact us using the details above. We may require your in-app device identifier to identify your account.
10. Obligation to Provide Data
The provision of certain data (such as extracted text content and technical usage data) is necessary for the performance of the contract and to provide the service. Without such data, the service cannot be delivered.
11. Legitimate Interests
Where processing is based on Article 6(1)(f) GDPR, our legitimate interests include ensuring system security, preventing abuse, maintaining service integrity, and managing credit accounting. We ensure that such interests do not override the fundamental rights and freedoms of users.
12. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority in the European Union, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
13. Hosting and Infrastructure Providers
Our infrastructure may rely on service providers acting as data processors under Article 28 GDPR, who process data on our behalf and under contractual safeguards. Some external providers, such as Apple for App Store payments and iCloud/CloudKit, may also act under their own terms and roles. Relevant external providers include backend hosting providers, selected AI providers for text analysis, Apple for App Store payments and iCloud/CloudKit, and Cloudflare for website delivery.
14. Children
The app is not directed to children under 16 years of age. We do not knowingly collect data from children without appropriate consent.
15. Changes
We may update this Privacy Policy to reflect legal, technical, or operational changes. The current version is always available within the app and on our website.