Privacy

The short version

LumenScan turns your phone’s camera into a document scanner. Every scan, every line of recognised text, and every signature you draw stays on your device unless you explicitly share it.

• No cloud upload of documents.OCR runs locally using Apple’s Vision framework (iOS) or Google’s ML Kit (Android). Your scans never reach our servers.
• No analytics on document content.We don’t inspect what you scan, what your OCR text says, or what you sign.
• No ads, no cross-app tracking. No ad SDKs, no advertising identifier, no session replay. We do use privacy-friendly, anonymous product analytics and crash diagnostics (detailed below) that never see your documents or any personal detail.
• Subscriptions go through Apple / Google.If you upgrade to Pro, the App Store or Play Store handles the transaction. We see only the entitlement (“is Pro?”), not your card or address.

What lives on your device

• Scanned images and PDFs.Stored in LumenScan’s app sandbox on your iPhone, iPad, or Android device. Removed when you delete the scan or uninstall the app.
• Recognised text (OCR output). Embedded into the PDF as a searchable text layer, and indexed locally so you can search across your scans. Never sent to us.
• Signatures and annotations. Saved with the document on-device. Re-usable across scans if you choose.
• Preferences and history.Standard app settings (filter defaults, page size, last-used vaults) live in the platform’s standard preferences store.
• Optional iCloud sync (iOS). If you turn on iCloud sync in Settings, LumenScan keeps your scans and folders in sync across your own Apple devices using your private iCloud (CloudKit) database. The data stays inside your personal iCloud account — we have no access to it and it is never sent to our servers. Sync is off unless you enable it.

If your device’s own backup is enabled (for example Apple iCloud backup on iOS), those copies live in your owncloud account via the platform’s infrastructure. We have no access to them.

What leaves your device

• Share to other apps.When you hit Share, the document goes to whichever target you pick — Mail, Files, Drive, AirDrop, Messages, any installed share-extension. That’s a normal OS share intent; LumenScan hands the file off and steps aside.
• Device backup (optional).If you enable your platform’s own backup, the OS may replicate app files to your personal cloud storage via Apple/Google’s infrastructure — LumenScan never sees the upload.
• iCloud sync (optional, iOS). If you turn on iCloud sync, your scans and folders are mirrored to your own private iCloud (CloudKit) database so they appear on your other Apple devices. This stays within your personal iCloud account; it never reaches us. Off unless you enable it.
• Anonymous analytics & crash diagnostics. To keep the app reliable, LumenScan sends limited, anonymous data to two privacy-focused processors working on our behalf: PostHog for product analytics (which features and screens are used) and Sentry for crash reports (stack traces and device model). This data is tied only to a random, anonymous app identifier — never your documents, OCR text, name, or any personal detail. It is enabled by default to help us fix bugs and improve the app; we never sell it, use it for ads, or link it across other apps.

Subscriptions and billing

LumenScan Pro is a subscription handled through the App Store (iOS) or Google Play (Android). When you subscribe:

• Apple or Google processes the payment, manages the renewal, and tells the app whether you currently have an active entitlement.
• We use RevenueCatto resolve the entitlement (“is this user on Pro?”) across devices. RevenueCat receives an anonymous installation identifier, your subscription product ID, and the entitlement status. They do not receive your name, email, card, or document content. See RevenueCat’s privacy notice.
• We do not receive, see, or store your payment card, billing address, or Apple/Google ID.

What we do not collect

• No account, login, or password — LumenScan works without one.
• No phone number or email address.
• No location data.
• No advertising identifier (IDFA / GAID).
• No reading or uploading of your contacts. The business-card scanner can save a card you scan as a new contact, with your permission — but LumenScan never reads or transmits your existing contact list.
• No call data, and no audio is ever recorded.
• No browsing history or other apps’ data.

Permissions LumenScan asks for

• Camera — required to capture scans. Used only while the scanner view is on screen.
• Photo Library— optional, only if you choose “Import from Photos.” We read the image you pick; we do not browse or upload the rest of your library.
• Face ID / Touch ID / Biometric— optional, used to lock your vault. The biometric check happens on the device’s secure enclave; we never see the biometric data.
• Notifications — optional, only if you turn on GST filing reminders. Reminders are scheduled locally on your device; we send no push messages from a server.
• Contacts — optional, only when you choose to save a scanned business card as a contact. We write the one card you scanned; we never read your existing contacts.

Your rights

Because LumenScan keeps your documents on your device, you control them directly — delete them from inside the app, or uninstall the app to wipe everything LumenScan stored locally. There is no server-side account to delete.

If you have legal questions about data we process incidentally (subscription entitlement, crash reports), contact us at [email protected] from the device’s subscription email and we will respond within 30 days. This covers requests under the EU GDPR, UK GDPR, California CCPA, and India’s DPDP Act, 2023.

LumenScan is operated by NOVA-LUMEN LABS LLP. For the Lumen Labs company-wide privacy policy (registered office, data-protection contact, complaint procedure), see the Lumen Labs privacy policy.

Deleting your data

Your scans, OCR text, and signatures live only on your device. Deleting a document inside LumenScan removes it, and uninstalling the app erases everything LumenScan stored locally — we never held a copy.

To delete the limited anonymous records held by our processors — PostHog (product analytics), Sentry (crash diagnostics), and your RevenueCat subscription-entitlement record — email [email protected] and we will action the request within 30 days.

What is deleted: the anonymous analytics, crash, and app-identifier records associated with your install. What may be kept: subscription and transaction records that Apple, Google, or we are required to retain for tax, accounting, and legal-compliance purposes.

Children

LumenScan is not designed for, marketed to, or targeted at children under 13. We do not knowingly collect data from children. If you believe a child has used LumenScan and you want any incidental data (e.g. a subscription record) removed, contact us at the email above.

Changes to this policy

If we materially change what LumenScan does with data, we will update this page, bump the “Last updated” date, and call out the change in the next release notes.

Contact

Questions about LumenScan or this policy: [email protected].