Scanner – Privacy Policy

Effective date: May 17, 2026

This Privacy Policy explains how Xeplin Yazılım Hizmetleri Anonim Şirketi (“Xeplin,” “we,” “our,” or “us”) collects, uses, and shares information when you use our mobile application “Scanner App: PDF Docs & Sign” (the “App”). This Policy is part of, and incorporated into, our Terms of Use & End-User License Agreement.

1. Data Controller

• Legal name: Xeplin Yazılım Hizmetleri Anonim Şirketi
• Address: Fulya Mah. Büyükdere Cad. Torun Center D Blok No: 74D, İç Kapı No: 43, 34394 Şişli/İstanbul, Türkiye
• Trade Registry No: 1058219 · MERSIS No: 0839126685400001
• Contact: [email protected]

2. Information We Do Not Collect

• No account, no profile. The App does not require you to register, sign in, or provide your name, email, phone number, or any other contact information.
• Your documents stay on your device. Scans, photos imported from your gallery, edited images, OCR-extracted text, applied effects, and electronic signatures are processed and stored locally on your iOS device. We do not upload, copy, view, or back up your User Content to our servers, and we cannot access it.
• No payment information. All purchases and subscriptions are processed by Apple through the App Store. We do not receive your payment card or bank account details.

3. Information We Collect

To operate the App, prevent abuse, measure performance, and improve our Services, we and our third-party service providers collect the following limited categories of information:

3.1 Device and Technical Information

iOS version; device model and hardware identifiers (e.g., device type); language and locale settings; time zone; mobile carrier (where applicable); App version and build; and general technical information necessary for the App to function properly.

3.2 Usage and Analytics Data

Information about how you interact with the App, such as features used, screens viewed, in-app events, session duration, frequency of use, scan counts (without scan content), conversion events, paywall views, and similar product-analytics events. This data is used in aggregate and is not used to identify you personally.

3.3 Diagnostic and Crash Data

If the App crashes or encounters an error, we collect crash reports, error logs, stack traces, device state at the time of the crash, and performance metrics. This information helps us diagnose and fix problems and improve stability.

3.4 Subscription and Purchase Events

When you start a trial, subscribe, renew, cancel, or have a subscription expire, we and our subscription-management providers receive event-level information from Apple (such as the product purchased, transaction identifier, currency, country, trial start and end events, renewal and cancellation events). We do not receive your payment card details.

3.5 Advertising Identifier (IDFA) and Attribution Data

If you grant permission through Apple’s App Tracking Transparency (ATT) prompt, we and our attribution provider may collect your Identifier for Advertisers (IDFA) and related attribution data (such as the marketing campaign, channel, or referrer that led you to install the App). If you do not grant ATT permission, the IDFA is not collected. You can change your ATT choice at any time in iOS Settings → Privacy & Security → Tracking.

3.6 Push Notification Tokens

If you allow push notifications, Apple Push Notification service (APNs) assigns a device token that we use to send you notifications. You can disable push notifications at any time in iOS Settings.

3.7 IP Address

Our service providers may automatically collect your IP address when the App communicates with their servers, for security, fraud prevention, and approximate-region inference (country/region level).

4. iOS Permissions We Request

You can change any of these permissions at any time in iOS Settings.

5. How We Use Information

We use the information we collect for the following purposes:

• to provide, operate, maintain, and secure the App;
• to process and manage subscriptions, trials, renewals, and entitlements;
• to diagnose and fix bugs, crashes, and performance issues;
• to understand how the App is used and to improve features, design, and user experience;
• to measure the performance of our marketing campaigns and prevent fraudulent installs;
• to send service-related communications and, if you opt in, push notifications;
• to comply with legal obligations, enforce our Terms, and protect our rights and the rights of others.

6. Third-Party Service Providers (SDKs)

We rely on the following third-party service providers, who act as our processors or as independent controllers for the limited purposes described. These providers may collect information automatically through their software development kits (SDKs) integrated in the App. Their use of information is governed by their own privacy policies.

From time to time, we may add additional service providers (for example, additional analytics, marketing, or customer-engagement tools such as Meta/Facebook SDK or Mixpanel) to support our business operations. We will update this Policy and the list above when we do so. Where required by law, we will obtain your consent before integrating new tracking technologies.

7. Sharing and Disclosure

We do not sell your personal information. We share information only:

• With service providers listed in Section 6, who process information on our behalf or as independent controllers for the limited purposes described;
• With Apple, in connection with App distribution and in-app purchases;
• To comply with law, when required by applicable law, court order, or governmental request, or to protect the rights, property, or safety of Xeplin, our users, or others;
• In connection with a corporate transaction, such as a merger, acquisition, financing, reorganization, or sale of assets, in which case information may be transferred to the successor entity, subject to commitments consistent with this Policy.

8. International Data Transfers

Xeplin is based in the Republic of Türkiye. Some of our service providers are located outside Türkiye and outside the European Economic Area (EEA), including in the United States. Where personal data is transferred internationally, we rely on appropriate legal mechanisms, including, where applicable, Standard Contractual Clauses approved by the European Commission, adequacy decisions, and equivalent safeguards under Turkish Personal Data Protection Law No. 6698 (“KVKK”). By using the App, you understand that your information may be processed in countries whose data-protection laws may differ from those in your country of residence.

9. Data Retention

We retain information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:

• Analytics and usage data: up to 26 months in aggregated form;
• Crash and diagnostic data: up to 90 days;
• Attribution data: as required to measure marketing campaigns and prevent fraud, typically up to 24 months;
• Subscription event data: for the duration of the subscription relationship and as required by tax, accounting, and legal obligations.

When information is no longer needed, it is deleted or anonymized.

10. Security

We use commercially reasonable technical and organizational measures designed to protect the limited information we collect against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), restricted access to data, and routine security reviews. However, no method of transmission over the internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your device secure (for example, by using a strong device passcode and keeping iOS up to date).

11. Your Rights

11.1 Rights Under GDPR (EEA, UK and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to applicable conditions and exceptions: the right to access your personal data; the right to rectify inaccurate data; the right to erasure (“right to be forgotten”); the right to restrict or object to processing; the right to data portability; the right to withdraw consent at any time (where processing is based on consent); and the right to lodge a complaint with your local supervisory authority.

The legal bases on which we rely are: (a) legitimate interests for operating, securing, and improving the App, for analytics, attribution, and fraud prevention; (b) performance of a contract for processing subscriptions and entitlements; (c) consent for ATT-based tracking and push notifications; and (d) legal obligation where we are required to retain certain information.

11.2 Rights Under CCPA/CPRA (California)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of “sale” or “sharing” of personal information as defined by California law. We do not sell or share personal information as those terms are defined under California law. We do not knowingly collect the personal information of minors under 16 without legally required consent. You may exercise your rights by contacting us at [email protected]. We will not discriminate against you for exercising these rights.

11.3 Rights Under KVKK (Türkiye)

If you are located in Türkiye, you have the rights provided under the Personal Data Protection Law No. 6698 (KVKK), including the right to learn whether your personal data is processed, to request information about processing, to request correction or deletion, and to lodge a complaint with the Personal Data Protection Authority (KVKK).

11.4 Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law. Because the App does not require an account, identifying the data associated with you may require additional information (such as the IDFA assigned to your device or your attribution identifier). If we cannot verify your identity or locate the data, we may not be able to fulfill your request.

12. Children’s Privacy

The App is not directed to children under 13 years of age (or the equivalent minimum age in the relevant jurisdiction, such as 16 in some EEA countries). We do not knowingly collect personal information from children under that age. If you are a parent or legal guardian and believe that your child has provided us with information without your consent, please contact us at [email protected], and we will take reasonable steps to delete such information.

13. Do Not Track

The App does not respond to browser-based “Do Not Track” signals because such signals are not standardized for mobile applications. However, you control tracking through Apple’s App Tracking Transparency framework as described in Section 3.5.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated Policy at xeplin.ai/apps/scanner/privacy-policy and updating the “Effective date” above, and, where appropriate, by in-app notice. Your continued use of the App after the effective date of the revised Policy constitutes your acceptance of the changes.

15. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

• Email: [email protected]
• Postal address: Xeplin Yazılım Hizmetleri Anonim Şirketi, Fulya Mah. Büyükdere Cad. Torun Center D Blok No: 74D, İç Kapı No: 43, 34394 Şişli/İstanbul, Türkiye