Scanlate (“we”, “our”, “us”) operates the scanlate.app platform, providing QR-based multilingual guide services for museums, galleries, heritage sites, and other cultural institutions. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.
We are committed to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Translate exhibit content and generate audio narration
Process payments and manage subscriptions
Send transactional emails (verification, password reset, team invitations)
Send optional service emails (onboarding tips, usage summaries) — you can unsubscribe at any time
Provide analytics to institutions about exhibit engagement
Prevent fraud, abuse, and unauthorized access
Improve our services and fix errors
4. Third-Party Processors
We share data with the following third-party processors, solely for the purposes described:
Service
Purpose
Data Shared
Supabase
Database & file storage
All platform data (EU-West-1 region)
Stripe
Payment processing
Email, payment details, subscription info
Google Cloud
Text translation
Exhibit text content
OpenAI
Audio generation & OCR
Exhibit text, placard images
Resend
Transactional email
Email addresses, message content
Sentry
Error monitoring
Error data, device info, page URLs
Upstash
Rate limiting
IP addresses (temporarily)
Vercel
Hosting & deployment
Request logs, IP addresses
Tawk.to
Live chat support
Chat messages, browser info
5. Data Retention
Account data: Retained while your account is active, deleted upon request
Analytics data: Scan and visit records retained for the lifetime of the institution account
Rate limiting data: IP-based records automatically expire within 1 hour
Error logs: Retained for 90 days (Sentry default)
Deleted accounts: Soft-deleted (archived) and fully purged within 30 days of request
6. Your Rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your personal data
Right to portability: Request your data in a machine-readable format
Right to restrict processing: Request we limit how we use your data
Right to object: Object to processing of your data for certain purposes
Right to withdraw consent: Withdraw previously given consent at any time
To exercise any of these rights, contact us at support@scanlate.app. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
Passwords are hashed using bcrypt (never stored in plain text)
Sessions use signed JWT tokens in httpOnly cookies
All data transmitted over HTTPS/TLS
Database hosted in EU (Supabase EU-West-1)
Rate limiting and disposable email blocking to prevent abuse
Role-based access control for institution teams
8. Children's Privacy
Scanlate is not directed at children under 16. We do not knowingly collect personal data from children under 16. Visitor accounts scanning exhibits at institutions do not require age verification, as the content is educational and provided by the institution.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates when the policy was last revised.
10. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: