Privacy Policy

1. Who We Are

Popit is operated by Tohmoco Oy, a company registered in Finland. We are the data controller for the personal data you provide when using the Popit app.

Contact: info@tohmoco.fi

2. What Data We Collect

Data you provide directly

• Captured content ("Pops"): Photos, voice recordings (converted to text), text notes, PDF documents, and links you choose to capture. This may include images of receipts, invoices, recipes, warranty documents, or other personal material.
• Account information: Email address and display name, provided directly or through Google Sign-In or Apple Sign-In.
• Profile preferences: Language, timezone, notification settings, and capture preferences.

Data collected automatically

• Location (optional): If you enable location features, a single GPS reading is taken at the time of capture. Popit does not continuously track your location. Location features are opt-in and disabled by default.
• Crash reports: Device model, OS version, and crash stack traces are collected via Firebase Crashlytics for stability monitoring. No behavioural analytics are collected.
• Push notification tokens: Device identifiers used to deliver reminders and notifications you have configured.

Data derived by AI

• Content type classification (receipt, invoice, recipe, event, task, warranty, etc.)
• Extracted entities: store names, amounts, dates, ingredients, event details, locations
• AI-generated summaries and suggested actions (reminders, shopping lists, calendar events)

What we do NOT collect

• We do not use advertising trackers or collect advertising identifiers.
• We do not collect behavioural analytics or usage events (Firebase Analytics is not used).
• We do not access your contacts, calendar, or camera roll beyond the specific items you share with Popit.

3. How We Use Your Data

To provide the service (contract performance — Art. 6(1)(b) GDPR)

• Analysing captured content with AI to extract dates, amounts, reminders, and other structured information.
• Generating shopping lists, reminders, warranty tracking, and calendar events from your captures.
• Providing search across your captured content.
• Managing your account and subscription.

To improve the service (legitimate interest — Art. 6(1)(f) GDPR)

• Logging AI processing metadata (operation type, token count, success/failure) for quality monitoring. No actual content is stored in these logs — only hashes and metadata.
• Diagnosing crashes and technical errors via Crashlytics.
• Recording user corrections to AI results (e.g. type changes) to improve accuracy. Only correction metadata is stored, not raw content.

With your consent (Art. 6(1)(a) GDPR)

• Sending push notifications for reminders you have configured.
• Collecting and using location data for location-based features and reminders.

4. AI Processing

Popit uses Google Vertex AI (Gemini models) to analyse the content you capture. This processing occurs on servers located in the EU (Belgium, europe-west1). Your content is processed solely to provide the service to you.

Your data is never used to train AI models. This is explicitly guaranteed under Google Cloud's Data Processing Addendum.

AI extraction is automated and may be inaccurate. Please verify important information (such as warranty expiry dates, due dates, or financial amounts) from original documents. Popit is not a substitute for professional financial, legal, or medical advice.

5. Data Sharing and Third Parties

We do not sell your personal data. We do not display advertisements. We do not share data with advertisers or data brokers.

We share data only with the following service providers, operating under strict data processing agreements:

• Supabase (EU — Ireland): Database, authentication, and file storage. All user data is stored here with row-level security ensuring user-level data isolation.
• Google Vertex AI (EU — Belgium): AI content analysis. Receives captured content (images, text, PDFs) for processing. Does not receive user IDs or email addresses. Customer data is not used for model training.
• Firebase Cloud Messaging (Google): Push notification delivery. Receives device tokens and notification payloads.
• Firebase Crashlytics (Google): Crash reporting in production builds. Receives crash traces and device info.
• RevenueCat: Subscription management. Receives an anonymous user identifier and subscription lifecycle events. Does not receive user email, name, or captured content.
• Apple App Store / Google Play Store: Handle all payment processing. We never see or store payment card details.

We may also disclose data if required by Finnish or EU law, or to protect the rights and safety of our users.

6. International Data Transfers

Core data processing occurs within the EU:

• Database and storage: Supabase, EU (Ireland)
• AI processing: Google Vertex AI, EU (Belgium)

Some supporting services involve transfers to the United States:

• Push notification delivery (Firebase Cloud Messaging)
• Crash reporting (Firebase Crashlytics)
• Subscription management (RevenueCat)
• Authentication (Google/Apple OAuth)

All US transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

We retain your captured content and account data for as long as your account is active. You can delete individual captures or your entire account at any time through the app settings.

When you delete your account, all data is permanently removed: media files, all database records (pops, actions, collections, profiles, push tokens, logs), and your authentication record. This is irreversible.

8. Data Security

• Encryption at rest (AES-256) and in transit (TLS/HTTPS) for all data.
• Row-Level Security ensuring each user can only access their own data.
• Media files stored in private buckets with short-lived signed URLs (1-hour TTL).
• JWT-based authentication required for all API access.
• No persistent local storage on your device — all caches are in-memory only and cleared on sign-out.

No system is completely secure. If a data breach occurs that poses a risk to your rights, we will notify you and the Finnish Data Protection Ombudsman within 72 hours as required by GDPR.

9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

• Right of access: View all your data in-app or request a copy.
• Right to rectification: Correct inaccurate personal data.
• Right to erasure: Delete your account and all associated data.
• Right to restriction: Ask us to pause processing of your data.
• Right to portability: Export your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent at any time for location and notification features.

To exercise any of these rights, email us at info@tohmoco.fi. We will respond within 30 days.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

10. Children's Privacy

Popit is not directed at children under the age of 16 (EU) or 13 (US). We do not knowingly collect personal data from children. If we discover that a minor's data has been collected, it will be deleted promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. The date at the top of this page reflects when the policy was last updated.

12. Contact

For any privacy-related questions, requests, or concerns:

• Email: info@tohmoco.fi
• Tohmoco Oy, Finland (Y-tunnus: 3387948-8)