Privacy Policy

Last updated: August 18, 2025

1) Who we are

Nordic Scan (“Nordic Scan”, “we”) is the data controller for personal data collected via the Nordic Scan mobile application.

  • Legal entity: Nordic Scan
  • Address: 795640 3rd Line EHS, Mono, Ontario L9W 5Z4, Canada
  • Contact email: privacy@nordicscan.co
  • Privacy Officer (title): Data‑Protection & Privacy Lead

2) Scope

This Policy explains how we collect, use, share, and protect your information when you use the Nordic Scan mobile app (the “App”).

3) Data We Collect & Legal Bases

  • Account data (e.g., email address, hashed password)
    • Legal basis: Contract performance (needed to create and secure your account)
  • Profile & personalisation (e.g., age, gender)
    • Legal basis: Legitimate interest (to tailor recommendations). EU/UK users may object at any time.
  • Health & dietary preferences (special‑category) (e.g., vegan/vegetarian flag, gluten‑free flag, food allergies, skin type)
    • Legal basis: Explicit consent (GDPR Art. 9(2)(a)); can be withdrawn at any time.
  • Scan photos (front label and ingredient‑list images you upload)
    • Legal basis: Contract performance + perpetual licence (see ToS § 7)
  • Location (while using the App) (lat/long captured when a scan occurs)
    • Legal basis: Consent (requested by OS dialog)
  • Analytics & diagnostics (e.g., Firebase Analytics events, Crashlytics crash logs)
    • Legal basis: Legitimate interest (operate, secure, and improve the service)
  • Subscription & payment (e.g., store transaction ID, plan type, renewal date)
    • Legal basis: Contract performance + legal obligation (tax and accounting)

*Additional regional rights apply; see Section 10.

4) How We Use Data

  • Perform barcode analysis and return product ratings
  • Personalise recommendations based on location, age, gender, and preferences
  • Send push notifications when scans finish processing
  • Operate, secure, and improve the App (usage analytics, crash reports)
  • Send marketing emails to subscribers (opt‑out any time)

5) Third‑Party Processing & Sharing

We do not sell your personal data. We share it only with third‑party service providers that help us operate the App, under strict confidentiality agreements.

Typical recipients and purposes:

  • Cloud‑hosting & storage providers — host servers, databases, and image files in secure data centres (primarily U.S.)
  • Managed database services — provide high‑performance, encrypted data storage and backup
  • AI processing services — perform text recognition on photos and ingredient analysis to generate scores
  • Analytics & crash‑reporting services — collect usage metrics and diagnostic logs to improve stability
  • EU & UK data‑protection representative — handle GDPR Art. 27 inquiries from EU/UK users and regulators
  • A detailed list of processors is available on request (see Section 10).

6) International Transfers

Your data may be transferred to countries outside your jurisdiction. We rely on Standard Contractual Clauses or equivalent safeguards for EU/UK users.

7) Retention Schedule

  • Uploaded photos — used in product database → kept indefinitely; otherwise deleted within 30 days
  • Extracted text & ingredient data — same as photos
  • Profile & preferences — deleted upon account deletion
  • Location–product link — kept indefinitely (anonymised once account is deleted)
  • App logs & error logs — up to 7 years
  • Payment & subscription records — 7 years (tax and accounting)
  • Back‑ups — up to 7 years

8) Security Measures

  • TLS 1.2+ for all API traffic — Yes
  • Signed S3 URLs (time‑limited) — Yes
  • IAM least‑privilege roles & separate env keys — Yes
  • MFA on AWS & RedisLabs admin accounts — Yes
  • AES‑256 at rest on Redis & S3 — Planned
  • Continuous vulnerability alerts — Yes
  • Annual penetration test — Planned
  • Bug‑bounty / disclosure programme — Planned

9) Automated Decision‑Making

Ingredient‑based scores are generated algorithmically for information only; they do not make medical or legal determinations.

10) Your Rights

  • EU / UK (GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
  • California (CPRA): know, delete, correct, and opt‑out of “sharing”.
  • Canada (PIPEDA): access, correction, and the right to withdraw consent.
  • Brazil (LGPD): confirm, access, correct, delete, port, and anonymise.

To exercise any rights, email info@nordicscan.co or contact our EU/UK representative (see Section 11).

11) EU & UK Representative

We intend to appoint GDPRLocal as our EU and UK data-protection representative under Article 27 GDPR/UK GDPR. Until onboarding is complete, please use the following contact points (and copy privacy@nordicscan.co). We will update this section with the final details provided by GDPRLocal.

EU Representative (GDPR):

  • Address: Office 2, 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland
  • Email: contact@gdprlocal.com
  • Please include: “Nordic Scan – EU Representative” in the subject line.

UK Representative (UK GDPR):

  • Company: GDPR Local Ltd
  • Address: 1st Floor Front Suite, 27–29 North Street, Brighton, England, BN1 1EB
  • Email: contact@gdprlocal.com
  • Please include: “Nordic Scan – UK Representative” in the subject line.

(These are temporary placeholders pending confirmation by GDPRLocal.)

12) Marketing Communications

Paying subscribers receive occasional promotional emails. Each email contains an Unsubscribe link. Transactional emails (e.g., password reset, receipt) are not marketing and cannot be opted‑out.

13) Changes to This Policy

We will post updates here and, for significant changes, provide 30 days’ in‑app or email notice.

14) Contact

Questions, concerns, or complaints?

  • Email: info@nordicscan.co
  • Postal mail: Nordic Scan, 795640 3rd Line EHS, Mono, Ontario L9W 5Z4, Canada