Privacy Policy
Last updated: June 30, 2026
This Privacy Policy explains what personal information ScrapIt collects, why, how it is used, and the rights available to you. It is written in plain language, but it is a real policy that governs how we handle your data. It is not a substitute for formal legal advice. If you have questions, contact us at [email protected].
1. Who we are
ScrapIt is a private digital scrapbook and memory-keeping app for iOS and Android, with a companion website at scrapit.app. The app and website are operated by Jason Xie & Drew Simpson, based in Hamilton, Ontario, Canada ("we," "us," "our").
For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, we are the data controller for the personal information described in this policy.
Privacy contact: [email protected]
Privacy Officer (Quebec Law 25): Jason Xie & Drew Simpson, Hamilton, Ontario, Canada — [email protected]
2. Scope of this policy
This Privacy Policy applies to the ScrapIt mobile app (iOS and Android) and the ScrapIt website (scrapit.app). It covers how we collect, use, store, share, and protect personal information when you use our products.
Third-party services we rely on (such as Clerk, Supabase, and Cloudflare) have their own privacy policies that govern their practices. We link to those in Section 7 below.
3. What data we collect and how
Account and identity information
When you create a ScrapIt account, we collect the following through our authentication provider, Clerk:
- Email address
- Full name
- Username
- Profile avatar image (photo you choose to upload)
- A unique user ID assigned to your account by Clerk (an internal identifier, not your email or name)
User-generated content
The content you create in ScrapIt is collected when you create or edit it:
- Photos you add to your memories, sourced from your device's photo library
- Captions you write for photos and memories
- Album titles and descriptions
- A free-text place name you optionally type for a memory (for example, "grandma's house" or "Banff") — this is plain text you write yourself
- Memory dates you enter
- Scrapbook layouts and design choices you make within the app
Photo metadata (EXIF / embedded metadata)
Photos you upload may contain embedded metadata (EXIF, IPTC, or XMP) inside the photo file itself. Depending on how the photo was taken, this can include:
- The date and time the photo was taken
- GPS coordinates (the location where the photo was captured), if your camera or phone recorded location data into the file
- The make and model of the device or camera used
- Camera settings such as exposure, focal length, and orientation
ScrapIt stores your photo exactly as you provide it, including any embedded metadata, because that metadata is part of the file. We do not separately extract, read, index, or use this metadata for any other purpose, and ScrapIt never collects location through the app itself (see Section 4). However, you should be aware that a photo you upload may carry embedded location or timestamp data within it.
If you would prefer not to store embedded metadata, you can remove it before uploading — most phones and computers offer a "remove location" or "strip metadata" option when sharing or exporting a photo. We are evaluating an optional strip-on-upload feature for a future release.
Social and sharing data
Because ScrapIt lets you share memories with specific people, we collect data describing those sharing relationships:
- Album memberships — which albums you belong to and who created them
- Invite codes and invite relationships (who invited whom to which album)
- Sharing records — which memories you have shared and with whom, and which memories others have shared with you
- Hidden-people preferences — users or people you have chosen to hide from suggestions within the app
- Email addresses you type when inviting someone to an album (these are entered by you and used only to identify the recipient within ScrapIt; we do not read your device contact list)
4. What we do not collect
ScrapIt's data footprint is intentionally minimal. The following data types are not collected:
- GPS or device location. The "place" field in a memory is plain text you type yourself. ScrapIt never requests or accesses your device's location services, and we do not collect precise or coarse geolocation.
- Analytics, advertising, or tracking data. There are no analytics, advertising, crash-reporting, or third-party tracking SDKs in the ScrapIt app (no Firebase Analytics, Sentry, Mixpanel, Amplitude, Facebook SDK, or equivalent).
- Advertising identifiers. We do not access or collect the IDFA (iOS Advertising Identifier), GAID (Android Advertising ID), or any equivalent identifier.
- Cross-app or cross-site tracking data. We do not track you across other apps or websites.
- Device address book / Contacts. We never request or read your device contact list.
- Financial or payment information. ScrapIt has no paid features; we do not collect payment card numbers or billing information.
- Health or sensitive data. We do not collect health, biometric, or other sensitive information as defined under applicable privacy laws.
- Browsing history, search history, or usage data. We do not track which screens you visit, how long you spend on them, or what you search for.
5. Why we collect this data — purposes and legal bases (GDPR / UK GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we are required to identify a legal basis for each processing activity. Under GDPR Article 6, our legal bases are:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and securing your account (authentication, login, access control) | Performance of contract — Art. 6(1)(b): necessary to provide the service you signed up for |
| Storing, displaying, and organizing your memories and scrapbook content | Performance of contract — Art. 6(1)(b) |
| Enabling album sharing — transmitting your content to the specific people you choose | Performance of contract — Art. 6(1)(b) |
| Accessing your device photo library to let you add photos to memories (requires your permission grant on device) | Consent — Art. 6(1)(a): you grant this via your device's permission prompt; you can revoke it at any time in device Settings |
| Security, fraud prevention, and investigation of abuse or safety reports | Legitimate interests — Art. 6(1)(f): our and our users' interests in a safe and trustworthy service |
| Responding to support requests | Performance of contract / legitimate interests — Art. 6(1)(b) and 6(1)(f) |
We do not rely on consent as the basis for data collection beyond photo library access. If you withdraw photo library permission on your device, the app will not be able to access new photos, but previously uploaded photos are not deleted. To delete them, use the in-app account deletion flow.
6. How we use your data
We use your personal information solely to operate ScrapIt. Specifically:
- Authenticating your account and keeping it secure
- Storing and displaying your memories, albums, and scrapbook content
- Enabling you to share albums and memories directly with specific people you choose, and showing shared content to those recipients
- Responding to support requests and investigating safety reports
- Maintaining the security, integrity, and reliability of the service
We do not:
- Use your data to serve targeted or behavioral advertising
- Sell your personal information to any third party
- Share your personal information for cross-context behavioral advertising (as defined under CCPA/CPRA)
- Share your data with data brokers
- Use your content to train AI or machine-learning models
- Share your personal information or content with any third-party AI service. ScrapIt does not send your photos, captions, account information, or any other personal data to any third-party artificial-intelligence provider or generative-AI service for any purpose, including model training, content generation, or analysis.
- Track you across other apps or websites
- Build profiles of you for purposes outside the app
7. Third parties and sub-processors
ScrapIt is built on a small number of trusted service providers (also called "sub-processors" or "data processors"). We share your personal information with them only to the extent necessary to operate the service. They are contractually required to protect your data and are not permitted to use it for their own independent purposes, including advertising.
| Provider | Role | Processing location | Privacy / DPA reference |
|---|---|---|---|
| Clerk | User authentication, account identity management, secure login, Sign in with Apple integration | United States | clerk.com/legal/privacy |
| Supabase | Relational database storing account data, album metadata, memories, photo records, memberships, invites, and preferences; also stores profile avatar images | United States | supabase.com/privacy |
| Cloudflare (R2 + Workers) | Private album photo storage (Cloudflare R2), delivered via a Cloudflare Worker that verifies your Clerk authentication token — photos are not publicly accessible | United States / global CDN edge | cloudflare.com/privacypolicy |
| Lovable | Hosting for the ScrapIt website (scrapit.app) | European Union / United States | lovable.dev/privacy-policy |
| Expo / EAS | Mobile app build and distribution infrastructure (used to build and publish the app to the App Store and Google Play) | United States | expo.dev/privacy |
Apple and Google also process certain information as part of app distribution if you install ScrapIt through the App Store or Google Play. Their practices are governed by their own privacy policies.
No other third parties receive your personal information. We do not use advertising networks, analytics platforms, data-broker services, or any third-party artificial-intelligence or generative-AI services. None of the sub-processors above use your content to train AI models, and we do not transmit your data to any external AI provider.
Album sharing between users is a user-initiated action: when you share a memory with another ScrapIt user, that user receives a copy of the memory you chose to share. This is a feature of the service you control, not a disclosure to a third party.
8. International data transfers
ScrapIt is operated from Hamilton, Ontario, Canada. Our service providers (Clerk, Supabase, Cloudflare, Expo) process data primarily in the United States. If you are located in the European Economic Area, the United Kingdom, or Quebec, your personal information is transferred outside your jurisdiction and we rely on the following safeguards:
EU / EEA → United States
We rely on the European Commission's Standard Contractual Clauses (SCCs) (2021 version) entered into with our US-based processors, and/or the EU-US Data Privacy Framework (DPF) where our processors are DPF-certified. We conduct transfer impact assessments where required.
United Kingdom → United States
We use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for transfers to US-based processors.
Quebec, Canada → United States
As required by Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), we disclose that your personal information may be communicated to organizations outside Quebec — specifically to service providers in the United States. Before making such transfers, we conduct a privacy impact assessment and ensure equivalent or greater protection is in place through contractual measures.
You may request further information about the specific safeguards we use for international transfers by emailing us at [email protected].
9. Data retention
We retain your personal information for as long as your account is active and as needed to provide the ScrapIt service.
- Account and content data is retained until you delete your account. Upon deletion, we remove your account identity (Clerk), all photos from Cloudflare R2, and all associated rows from our database (albums, photos, memberships, invites, preferences, profile, and avatar). See our Delete Account page for a precise breakdown.
- Support communications you send us (emails, messages) are retained for a reasonable period to allow us to resolve your issue and for record-keeping.
- Records required for legal or security compliance may be retained beyond account deletion for the period required by applicable law or by legitimate security and fraud-prevention purposes.
- Copies of shared content that another user has independently received into their own account may persist in their account after you delete yours, because those are their copies. Deleting your account removes your originals; it does not reach into other users' accounts.
10. Security
We take reasonable technical and organizational measures to protect your personal information, including:
- Encryption in transit: All data transmitted between the app and our servers (Clerk, Supabase, Cloudflare) uses TLS/HTTPS encryption.
- Access-gated photo storage: Album photos stored in Cloudflare R2 are not publicly accessible. They are served via a Cloudflare Worker that verifies your Clerk authentication token before delivering any photo.
- Access controls: Access to user data in Supabase is governed by row-level security policies.
- No analytics surface: Because we collect no analytics or usage data, there is no analytics database that could be breached to expose behavioral patterns.
No system is completely secure. In the event of a security breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required, relevant supervisory authorities within the timeframes required by law.
11. Your privacy rights
Depending on where you are located, you have different rights with respect to your personal information. To exercise any of the rights described below, email us at [email protected]. We will respond within the timeframe required by applicable law (generally 30 days). You also have the right to lodge a complaint with your local data protection authority.
GDPR / UK GDPR (EEA and UK users)
- Right of access (Art. 15): Request a copy of the personal information we hold about you.
- Right to erasure (Art. 17 — "right to be forgotten"): Request deletion of your personal information. You can also exercise this directly by deleting your account in the app.
- Right to rectification (Art. 16): Request correction of inaccurate personal information we hold about you.
- Right to data portability (Art. 20): Request your personal information in a structured, commonly used, machine-readable format.
- Right to restriction of processing (Art. 18): Request that we limit processing of your data in certain circumstances (for example, while you contest its accuracy).
- Right to object (Art. 21): Object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where we rely on consent (photo library access), you can withdraw at any time by revoking the permission in your device Settings. This will prevent the app from accessing new photos but will not delete existing uploads; use the in-app account deletion to remove those.
CCPA / CPRA (California residents)
- Right to know: the categories and specific pieces of personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared.
- Right to delete: request deletion of your personal information. You can do this directly via the in-app account deletion flow.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information and we do not share it for cross-context behavioral advertising. No opt-out mechanism is required because we do not engage in these practices. A prominent "Do Not Sell or Share" link is not displayed because there is nothing to opt out of.
- Right to limit use of sensitive personal information: We do not collect sensitive personal information beyond what is strictly necessary to operate the service.
- Non-discrimination: We will not discriminate against you for exercising any of these rights.
California residents may submit requests by email to [email protected]. We will respond within 45 days and may extend by an additional 45 days where reasonably necessary with notice to you.
Under the CCPA regulations effective January 1, 2026, a link to this Privacy Policy is accessible within the app as required.
PIPEDA (Canada — federal)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access the personal information we hold about you and to challenge its accuracy. We are bound by PIPEDA's 10 fair-information principles, including accountability, identifying purpose, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
To make a PIPEDA access or accuracy request, email us at [email protected]. We will respond within 30 days or notify you if an extension is required.
Quebec Law 25 (Quebec residents)
Under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64), you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate, incomplete, or ambiguous information
- Request deletion of personal information collected in excess of what is necessary
- Receive your personal information in a structured, commonly used technological format (portability)
- Be informed of any transfers of your personal information outside Quebec (see Section 8 above)
- Be informed of any automated decision-making involving your personal information (we do not use automated decision-making)
Our designated Privacy Officer for Law 25 purposes is reachable at [email protected]. We will respond to access, correction, and deletion requests within 30 days.
12. Children's privacy
ScrapIt is not directed to children under the age of 13 (or the applicable digital consent age in your jurisdiction — 16 in some EU member states, 13 in the UK and US). We do not knowingly collect personal information from children.
If you believe a child has created a ScrapIt account without appropriate parental involvement, or if you are a parent or guardian who has discovered that your child has provided personal information to us, please contact us at [email protected] so we can investigate and delete the account and associated data promptly.
ScrapIt is not listed in the Apple Kids Category or Google Play Families program, and we declare an adult/teen audience on both stores.
13. Cookies and SDK tracking
In the app: The ScrapIt mobile app does not use advertising, analytics, or tracking cookies or SDKs. We do not embed Firebase Analytics, Sentry, Mixpanel, Amplitude, the Facebook SDK, or any equivalent tool. The app collects no usage data, crash reports, or behavioral telemetry beyond what is strictly necessary to operate the session.
On this website (scrapit.app): This website may use minimal functional or session-level cookies necessary for the page to render correctly (for example, to remember navigation state). We do not use advertising cookies, analytics cookies, or any tracking pixels. We do not use Google Analytics, Meta Pixel, or equivalent services on this website.
Because we do not use non-essential cookies, a cookie consent banner is not required on this site under the ePrivacy Directive. If this changes, we will update this section and add appropriate notice. For a dedicated, plain-language summary of how the website handles cookies and visitor data, see our Website & Cookie Notice.
14. How to delete your account and data
You can delete your ScrapIt account at any time. Deletion is permanent and removes your account identity, all memories and photos you own, and all associated data. See our Delete Account page for the full step-by-step process and a precise description of what is removed.
In the app: Open Settings or Profile → tap Delete Account → confirm.
Without the app: Visit our Delete Account page to submit a deletion request by email — no reinstallation required.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes — for example, if we add a new data type, a new third-party processor, or a new purpose — we will update the "Last updated" date at the top of this page. For significant changes, we may also notify you in-app or by email.
Continued use of ScrapIt after a change takes effect constitutes your acceptance of the revised policy. If you do not agree with a change, you can delete your account at any time.
16. Contact us
If you have questions about this Privacy Policy, want to exercise a privacy right, or have a concern about how your data is handled, please reach out:
- Email: [email protected]
- Privacy Officer / data controller: Jason Xie & Drew Simpson, 157 Edgehill Dr., Hamilton, Ontario, Canada
EEA and UK users also have the right to lodge a complaint with their local data protection supervisory authority if they believe we have not handled their personal information correctly.