Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use the Service, and information from third-party sources as described below.

1.1 Account Information

• Email address — collected when you sign up with email, Apple Sign-In, or Google Sign-In. Used for authentication, account recovery, and service-related communications.
• Password (hashed) — if you register with email. We store only a bcrypt hash; we never store or have access to your plaintext password.
• Authentication provider ID — a unique identifier from Apple or Google used to link your account.
• Name — if provided by your authentication provider (e.g., first name from Apple Sign-In). Used for personalization within the Service.

1.2 Content You Submit

• Homework images, documents, and text — uploaded when you use the solve feature. This content is transmitted to third-party AI services (see Section 3) for processing and is deleted from our servers within 7 days of processing. The resulting PDF solutions are stored locally on your device.
• Custom handwriting drawings — if you choose to create a custom handwriting font, we collect the letter and symbol drawings you submit. These drawings are stored on our servers and used to render your personalized handwritten-style PDFs. You can delete individual handwriting styles or all of your handwriting data at any time.

1.3 Connected Services

• Canvas LMS access token — if you choose to connect your Canvas account. This token is encrypted at rest using Fernet symmetric encryption and is used solely to retrieve your upcoming assignment information. We do not access your grades, submissions, course content, or other Canvas data beyond assignment listings.

1.4 Device and Usage Information

• Device push token — used to send you push notifications when your homework solution is ready for download.
• Subscription and transaction data — your current subscription plan tier, one-time purchase credit balance, and payment status, managed through Apple's App Store or our web payment system. We retain a ledger of grant and consumption events for one-time solve credits to operate the feature and support refund handling.
• Solve history metadata — a record of solve requests including the AI tier used, subject category, page count, and timestamp. This metadata is used to display your dashboard and enforce usage limits. We do not retain the content of your homework submissions after processing is complete.
• Log data — our servers automatically record information about how you interact with the Service, including request timestamps, API endpoints accessed, response times, and error codes. This information is used for debugging, performance monitoring, and maintaining the security of the Service.
• Device identifier — a unique device identifier (Keychain UUID on iOS, browser fingerprint on web) used for fraud and abuse prevention, including detecting duplicate registrations and other account abuse patterns.
• Analytics and advertising identifiers — we use PostHog (product analytics) and the Meta (Facebook) SDK and Pixel to measure app usage, ad campaign performance, and install attribution. These services may collect device identifiers, IP addresses, and in-app events (such as signups and purchases). On iOS, we request your permission via Apple's App Tracking Transparency prompt before enabling advertising attribution. You can opt out at any time in your device's Settings under Privacy & Security → Tracking.

1.5 Information We Do NOT Collect

• Precise or coarse location data
• Contacts or address book data
• Browsing history or web activity outside the Service
• Health, fitness, or biometric data
• Financial information (payment processing is handled entirely by Apple or Stripe)

2. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Service — process your homework submissions, generate handwritten-style PDF solutions, and deliver them to you.
• Account management — create and manage your account, authenticate your identity, and process subscription transactions.
• Communications — send push notifications when your solution is ready, and send transactional emails such as password reset codes and subscription reminders (e.g., trial expiration notices). We do not send marketing emails.
• Canvas integration — retrieve your upcoming assignments if you choose to connect your Canvas account.
• Improve the Service — analyze aggregate usage patterns to improve performance, fix bugs, and develop new features. We do not use your homework content for this purpose.
• Safety and security — detect and prevent fraud, abuse, and security incidents; enforce our Terms of Service; and comply with legal obligations.
• Legal compliance — comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do not sell, rent, or trade your personal information to third parties. We do not use your homework content to train, improve, or fine-tune any AI models.

3. Third-Party Service Providers

We share your information with the following categories of third-party service providers, solely to the extent necessary to provide the Service:

3.1 AI Processing Providers

To solve your homework, we transmit your uploaded images and text to the following AI providers for processing:

• Google (Gemini API) — our primary AI provider for solving homework. Subject to Google's AI Terms of Service.
• Anthropic (Claude API) — used for select processing tasks. Subject to Anthropic's Terms of Service.

Under their respective commercial API terms, these providers process your data solely to generate responses to your requests and do not use your content to train their general-purpose AI models. Your homework content is not retained by these providers beyond the time reasonably necessary to process your request and comply with their legal obligations.

3.2 Infrastructure Providers

• Fly.io — cloud hosting infrastructure where our backend servers run.
• Resend — email delivery service used for password reset codes, subscription reminders, and transactional emails.
• Apple (App Store, APNs) — subscription payment processing and push notification delivery.
• Stripe — payment processing for web application subscriptions.

3.3 Analytics and Advertising Providers

• PostHog — product analytics. Collects anonymized usage events (e.g., pages visited, features used) to help us understand how the Service is used and identify areas for improvement. Subject to PostHog's Privacy Policy.
• Meta (Facebook) Pixel and SDK — advertising measurement. The Meta Pixel (on our website) and Facebook SDK (in our iOS app) collect device identifiers, IP addresses, and in-app events (such as signups and purchases) to measure the effectiveness of our advertising campaigns and attribute app installs. This data is shared with Meta Platforms, Inc. On iOS, tracking is enabled only after you grant permission via Apple's App Tracking Transparency prompt. Subject to Meta's Privacy Policy.

3.4 Other Disclosures

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or legal process; (b) protect and defend the rights or property of Scrawl AI; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users of the Service or the public; or (e) protect against legal liability.

4. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Homework images and uploaded content — deleted from our servers within 7 days of processing completion.
• PDF solutions — stored locally on your device. Server-side copies are deleted within 7 days.
• Custom handwriting data — retained for the duration your account remains active. Deleted immediately when you remove a handwriting style or delete your account.
• Account data — retained for the duration your account remains active. Upon account deletion, your data is permanently removed from our servers.
• Canvas tokens — retained in encrypted form until you disconnect your Canvas account or delete your Scrawl account, whichever occurs first.
• Server logs — retained for up to 90 days for debugging and security purposes, then automatically purged.

5. Data Security

We implement commercially reasonable technical and organizational security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:

• TLS/HTTPS encryption for all data transmitted between your device and our servers
• bcrypt password hashing with per-user salts
• Fernet symmetric encryption for sensitive credentials stored at rest
• SHA-256 hashing for password reset verification codes
• JWT-based authentication tokens with automatic 30-day expiry
• Write-ahead logging (WAL) mode for database integrity
• Environment-based secret management (secrets are never stored in source code)

However, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security. You acknowledge and accept that you transmit information to the Service at your own risk. In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law.

6. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may not provide the same level of data protection as your home country. Where required by applicable law, we implement appropriate safeguards for such transfers, including standard contractual clauses.

7. Your Rights and Choices

7.1 All Users

• Access— you can view your account data at any time in the app's Settings.
• Correction — you can update your account information through the app.
• Deletion— you can delete your account from within the app (Settings → Delete Account). This permanently removes all your personal data from our servers, subject to the retention periods described in Section 4.
• Disconnect Canvas — you can remove your Canvas LMS connection at any time in Settings, which immediately deletes your encrypted Canvas token.
• Push notifications— you can disable push notifications through your device's system settings at any time.

7.2 European Economic Area Residents (GDPR)

If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation ("GDPR") and similar laws, including:

• The right to access your personal data and obtain a copy of it
• The right to rectification of inaccurate personal data
• The right to erasure ("right to be forgotten")
• The right to restriction of processing
• The right to data portability
• The right to object to processing based on legitimate interests
• The right to withdraw consent at any time (where processing is based on consent)
• The right to lodge a complaint with a supervisory authority

Our legal bases for processing your personal data are:

• Performance of a contract — processing necessary to provide the Service you have signed up for (Article 6(1)(b) GDPR).
• Legitimate interests — processing necessary for our legitimate interests in operating and improving the Service, provided such interests are not overridden by your data protection rights (Article 6(1)(f) GDPR).
• Legal obligation — processing necessary to comply with a legal obligation to which we are subject (Article 6(1)(c) GDPR).

To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within 30 days.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA") provide you with specific rights regarding your personal information, including:

• The right to know what categories and specific pieces of personal information we have collected about you
• The right to request deletion of your personal information
• The right to opt out of the sale or sharing of your personal information
• The right to correct inaccurate personal information
• The right to limit use and disclosure of sensitive personal information
• The right to non-discrimination for exercising your privacy rights

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.

To exercise your CCPA/CPRA rights, contact us at the email address below or use the account deletion feature within the app.

7.4 Other Jurisdictions

If you are located in a jurisdiction with data protection laws that grant you specific rights regarding your personal information (including but not limited to Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, or Japan's APPI), we will honor those rights to the extent required by applicable law. Please contact us to exercise your rights.

8. Cookies and Tracking Technologies

Our web application uses the following cookies and tracking technologies:

• Strictly necessary cookies — for session management and authentication.
• PostHog analytics — collects anonymized product usage data to help us improve the Service.
• Meta Pixel — measures ad campaign performance by tracking conversion events (signups, purchases). This may enable cross-site tracking by Meta.

Our iOS application uses the Facebook SDK for install attribution and in-app event tracking, subject to Apple's App Tracking Transparency framework. You can control tracking permissions in your device's Settings under Privacy & Security → Tracking.

9. Do Not Track

The Service does not currently respond to "Do Not Track" browser signals. However, you can control advertising tracking on iOS via the App Tracking Transparency prompt or in your device's Settings under Privacy & Security → Tracking.

10. Children's Privacy

Scrawl is intended for users aged 13 and older. We do not knowingly collect, use, or disclose personal information from children under the age of 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information from our servers within a reasonable time.

11. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated by us (including Canvas LMS, Apple App Store, and Google services). We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy of every site you visit or service you use.

12. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time and from time to time. We will notify you of any material changes by posting the updated Privacy Policy within the Service, updating the "Last updated" date at the top of this page, and, where required by applicable law, sending you a notification. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your personal information, please contact us at:

Scrawl AI
Email: support@scrawlai.app

We will make every effort to respond to your inquiry within 30 days.