Effective date: May 2026 · Last updated: 5 June 2026
This Privacy Policy describes what personal data the RapidOMR mobile application (“App”) collects, how it is used, and your rights. By using RapidOMR, you agree to this policy.
Serhat Demirok
Contact: support@rapidomr.com
Web: rapidomr.com
When you create an account through Supabase Auth, we collect your email address, password (stored as a cryptographic hash, never in plain text), and full name. If you choose Google Sign-In or Sign in with Apple, your full name and account identifier are obtained from the provider and used for account display and authentication.
We collect the device identifier (Android ID / iOS identifierForVendor) and your monthly device switch count to enforce the 1-device-per-account limit and track the monthly free scan quota per device. This identifier is NOT a permanent hardware identifier such as phone number or IMEI; it can be reset when you uninstall the app.
Your monthly scan count (per device, for the 50 free scans/month quota) and, for school-licensed users only, monthly scan statistics visible on the school admin dashboard.
The following data never leaves your device by default; it is not uploaded to Supabase or any server unless you explicitly choose to back it up:
This data is stored only in the local SQLite database. If you uninstall the app, it is completely deleted. Exception — if you use the Optional Cloud Backup feature described below, the data above is uploaded to Supabase Storage as a ZIP archive.
Through RevenueCat and Google Play Billing, we collect the purchase identifier, license expiration date, and RevenueCat user identifier (linked to your Supabase user ID). Credit card, IBAN, or banking details are never processed by RapidOMR; all payment information is handled directly by Google Play Billing.
Licensed users (Individual or School license) can optionallyback up their app data to the cloud. This feature is triggered manually from the in-app “Settings → Backup and Restore” menu; there is no automatic or background backup. You can choose between two destinations:
Destination 1 — Supabase Storage (default):
Data included in the backup:
Data NOT included in the Supabase backup: optical form scan images captured during scanning (only the parsed answer data is backed up); license, device identifier, session information.
The backup is stored in the user-backups bucket at {user_id}/backup.zip. One backup per user rule: a new backup overwrites the previous one. Encrypted in transit (HTTPS/TLS); a Supabase Storage row-level access policy ensures only your own account can access your backup. You can delete the backup at any time from the in-app “Delete Backup” option; if you delete your account, the backup is automatically deleted (irreversible).
Destination 2 — Google Drive (alternative):
If you sign in with Google and grant access, backup ZIP archives can be uploaded to your own Google Drive. RapidOMR uses the drive.appdata OAuth scope — a restricted scope that limits our access to a hidden application data folder created by RapidOMR. We cannot read or modify any other files in your Google Drive; the backup files do not appear in your Drive UI but still count toward your Drive storage quota.
The same data set as the Supabase backup is included, plus the original scanned form images (since Google Drive does not incur server-side storage cost for us). Multiple backup files are kept on Drive with an automatic rotation policy; you can delete any backup at any time from the in-app interface. RapidOMR never deletes or accesses Drive files outside the in-app backup flow. If you uninstall the app or revoke Google access from your Google account (myaccount.google.com/permissions), we lose all ability to read or write the backup files; the files themselves remain in your Drive until you delete them.
Backup data sent to your Google Drive is not transferred to humans, not shared with any third party other than Google, and never used for advertising or to train AI/ML models. Use of Google Drive data is in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
If the app crashes unexpectedly, the following anonymous information is automatically sent to Google Firebase Crashlytics: device model and operating system version, app version, crash time and error message / stack trace, anonymous Firebase installation identifier. Crash reports contain no personal data (no email, names, or student data); they are used solely to detect and fix app errors.
You can optionallyexport exam reports (score lists, item analyses, learning outcome summaries, ranking lists, etc.) as Google Sheets spreadsheets in your own Google Drive. This feature is triggered manually from the in-app “Results → Sheets” menu; there is no automatic export.
To create the spreadsheet, RapidOMR uses the drive.file OAuth scope — a restricted scope that allows the app to create new files in your Drive and modify only the files RapidOMR itself has created. We cannot read or modify any of your other Drive files; the exported spreadsheet appears in your Drive root folder (or wherever you move it) and is owned by you.
The exported spreadsheet contains the same student-level data shown in the in-app result tables (student names, school numbers, answers, scores, learning outcome breakdowns). RapidOMR never modifies or accesses your spreadsheet after creation; once written, the data is solely under your control.
Spreadsheet data sent to your Google Drive is not transferred to humans, not shared with any third party other than Google, and never used for advertising or to train AI/ML models. Use of Google Sheets / Drive data is in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
We use the data we collect only for the following purposes:
Your data is never used for advertising, marketing, or sale to third parties.
RapidOMR uses the following services as data processors:
drive.appdata scope) — Backup storage in your own Drive, only if you opt in. Limited to RapidOMR's hidden application data folder.drive.file scope) — Spreadsheet report export to your own Drive, only if you opt in. Limited to files RapidOMR itself creates.Each service is subject to its own privacy policy: Supabase · RevenueCat · Google
Under GDPR (EU General Data Protection Regulation) and Turkey's KVKK Law No. 6698, you have the following rights:
For requests: support@rapidomr.com
Account deletion:you can delete your account at any time from “Settings → Account → Delete My Account”. Upon deletion, your account data is permanently removed from Supabase.
RapidOMR is designed for use by teachers. We do not knowingly collect data directly from children under 13.
The app is used by teachers to process exam data (names, school numbers, exam results) for students in their classes. In this case, the teacher or school is the data controller for student data; RapidOMR is only the data processor providing the technical infrastructure. Student data is stored locally on the device; it is not uploaded to Supabase (except via the opt-in cloud backup).
We may update this policy from time to time. For significant changes, we will publish an in-app notice and send an email to registered users. You can track changes by watching the “Last updated” date.
For any questions or requests about this policy or your data: support@rapidomr.com