Privacy policy
Last updated: May 29, 2025
1. Who We Are
Nordic Scan (“Nordic Scan”, “we”) is the data controller for personal data collected via the Nordic Scan mobile application.
| Field | Detail |
|---|---|
| Legal entity | Nordic Scan |
| Address | 795640 3rd Line EHS, Mono, Ontario L9W 5Z4, Canada |
| Contact email | privacy@nordicscan.co |
| Privacy Officer (title) | Data-Protection & Privacy Lead |
2. Scope
This Policy explains how we collect, use, share, and protect your information when you use the App.
3. Data We Collect & Legal Bases
| Category | Examples | Primary legal basis* |
|---|---|---|
| Account data | Email address, hashed password | Contract performance (needed to create & secure your account) |
| Profile & personalisation | Age, gender | Legitimate interest (to tailor recommendations). EU/UK users may object at any time. |
| Health & dietary preferences (special-category) | Vegan / vegetarian flag, gluten-free flag, food allergies, skin type | Explicit consent (GDPR Art. 9 (2)(a)); can be withdrawn at any time |
| Scan photos | Front label & ingredient-list images you upload | Contract performance + perpetual licence (see ToS § 7) |
| Location (while using the App) | Lat/long captured when a scan occurs | Consent (requested by OS dialog) |
| Analytics & diagnostics | Firebase Analytics events, Crashlytics crash logs | Legitimate interest (operate, secure, improve service) |
| Subscription & payment | Store transaction ID, plan type, renewal date | Contract performance + legal obligation (tax & accounting) |
* Additional regional rights apply; see Section 10.
4. How We Use Data
- Perform barcode analysis and return product ratings
- Personalise recommendations based on location, age, gender, and preferences
- Send push notifications when scans finish processing
- Operate, secure, and improve the App (usage analytics, crash reports)
- Send marketing emails to subscribers (opt-out any time)
5. Third-Party Processing & Sharing
We do not sell your personal data. We share it only with third-party service providers that help us operate the App, under strict confidentiality agreements.
| Category of recipient | Typical purpose |
|---|---|
| Cloud-hosting & storage providers | Host servers, databases, and image files in secure data centres (primarily U.S.) |
| Managed database services | Provide high-performance, encrypted data storage & backup |
| AI processing services | Perform text recognition on photos and ingredient analysis to generate scores |
| Analytics & crash-reporting services | Collect usage metrics and diagnostic logs to improve stability |
| EU & UK data-protection representative | Handle GDPR Art. 27 inquiries from EU/UK users and regulators |
A detailed list of processors is available on request (see Section 10).
6. International Transfers
Data may be transferred to countries outside your jurisdiction. We rely on Standard Contractual Clauses or equivalent safeguards for EU/UK users.
7. Retention Schedule
| Data | Retention rule |
|---|---|
| Uploaded photos | Used in product DB → kept indefinitely; otherwise deleted within 30 days |
| Extracted text & ingredient data | Same as photos |
| Profile & preferences | Deleted upon account deletion |
| Location–product link | Kept indefinitely (anonymised once account is deleted) |
| App logs & error logs | Up to 7 years |
| Payment & subscription records | 7 years (tax & accounting) |
| Back-ups | Up to 7 years |
8. Security Measures
| Measure | Status |
|---|---|
| TLS 1.2+ for all API traffic | Yes |
| Signed S3 URLs (time-limited) | Yes |
| IAM least-privilege roles & separate env keys | Yes |
| MFA on AWS & RedisLabs admin accounts | Yes |
| AES-256 at rest on Redis & S3 | Planned |
| Continuous vulnerability alerts | Yes |
| Annual penetration test | Planned |
| Bug-bounty / disclosure programme | Planned |
9. Automated Decision-Making
Ingredient-based scores are generated algorithmically for information only; they do not make medical or legal determinations.
10. Your Rights
| Region | Your rights |
|---|---|
| EU / UK (GDPR) | Access, rectification, erasure, restriction, portability, objection, lodge complaint with supervisory authority |
| California (CPRA) | Know, delete, correct, opt-out of “sharing” |
| Canada (PIPEDA) | Access, correction, withdraw consent |
| Brazil (LGPD) | Confirm, access, correct, delete, port, anonymise |
To exercise any rights, email info@nordicscan.co or contact our EU/UK representative (Section 11).
11. EU & UK Representative
Nordic Scan has appointed GDPRLocal as its Article 27 EU and UK representative.
- Address: [[REP_ADDRESS]]
- Email: [[REP_EMAIL]]
(Replace placeholders once assigned.)
12. Marketing Communications
Paying subscribers receive occasional promotional emails. Each email contains an Unsubscribe link. Transactional emails (e.g., password reset, receipt) are not marketing and cannot be opted-out.
13. Changes to This Policy
We will post updates here and, for significant changes, provide 30 days’ in-app or email notice.
14. Contact
Questions, concerns, or complaints?
- Email: info@nordicscan.co
- Postal mail: Nordic Scan, 795640 3rd Line EHS, Mono, Ontario L9W 5Z4, Canada