1. Data We Collect
1.1 Account Information
When you create an account, we collect your email address and a hashed version of your password. We do not store plaintext passwords. We use Supabase for authentication, which implements industry-standard bcrypt hashing.
1.2 Document Images
When you use PaperLens to scan a document, your image is transmitted to our servers over an encrypted HTTPS connection. By default, images are processed in-memory and are not permanently stored. If you choose to save a document to your Life Vault, the image URL (if you explicitly uploaded it) is stored alongside the AI analysis result.
We do not use your document images for any purpose other than generating the analysis you requested. We do not sell, share, or use images for AI model training.
1.3 Analysis Results
The structured analysis output (urgency level, summary, action type, deadline) is stored in our database associated with your account ID if you are logged in and have enabled vault storage. This data is encrypted at rest using AES-256.
1.4 Usage Analytics
We collect anonymized usage metrics — page views, feature interactions, error rates — to improve the product. This data contains no personally identifiable information and cannot be linked back to your account.
2. Local Redaction & Encryption
We are aware that many documents contain highly sensitive identifiers: Social Security Numbers, Tax IDs, bank account numbers, and medical record numbers.
2.1 In-Transit Encryption
All data transmitted between your device and our servers uses TLS 1.3, the current industry standard for transport-layer security. Certificate pinning is implemented on our mobile clients.
2.2 At-Rest Encryption
All data stored in our database — including analysis results and any saved document metadata — is encrypted at rest using AES-256 encryption managed by our cloud infrastructure provider (Supabase/AWS).
2.3 Local Redaction (Roadmap)
We are actively developing on-device redaction capabilities that will allow your device to mask sensitive identifiers (SSNs, TINs, account numbers) before any image is transmitted. This feature will be available in a future update and will be opt-in.
Our current recommendation: If your document contains a full SSN or account number and you are privacy-sensitive, photograph the document with that section physically covered before scanning.
3. Third-Party AI Sub-Processors
PaperLens uses third-party AI APIs to perform document analysis. When you submit a document for analysis, a copy of the image or extracted text is sent to the following sub-processor:
3.1 OpenAI (GPT-4o)
- Purpose: Generating plain-English summaries and urgency classifications
- Data sent: Base64-encoded image or extracted text
- Retention: OpenAI processes requests in-memory. As per our API agreement, OpenAI does not use API inputs for model training by default.
- Privacy policy: openai.com/privacy
We have opted out of OpenAI’s data usage for training purposes on our API account. However, as with any third-party service, we cannot guarantee their practices beyond what is stated in their privacy policy. If you require absolute data isolation, do not use cloud-based AI analysis tools.
4. Your Rights (GDPR & CCPA)
4.1 Right to Access
You may request a complete export of all data associated with your account at any time by contacting privacy@paperlens.co. We will respond within 30 days.
4.2 Right to Delete (Right to Be Forgotten)
You may delete your account and all associated vault data at any time from your account settings. Deletion is immediate and irreversible. Anonymized analytics data (which cannot be linked back to you) may be retained for aggregate reporting.
4.3 Right to Correct
You may update your account email or other profile information from your account settings at any time.
4.4 Right to Opt Out of Sale (CCPA)
We do not sell personal data. We do not share personal data with third parties for their direct marketing purposes. As a result, there is no sale for California residents to opt out of.
4.5 Data Portability
Upon request, we will provide your vault data in JSON format, exportable from your account settings.
5. Cookies & Session Storage
We use session cookies strictly for authentication. We do not use third-party tracking cookies, advertising pixels, or cross-site tracking technologies. You may disable cookies in your browser, but doing so will prevent you from staying logged in.
6. Children’s Privacy
PaperLens is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@paperlens.co.
7. Contact Us
For privacy-related questions, data requests, or to report a concern:
- Email: privacy@paperlens.co
- Response time: Within 5 business days for general questions, 30 days for data requests
We reserve the right to update this Privacy Policy. Material changes will be communicated by email to registered users at least 14 days before taking effect.