Privacy Policy

Effective date: May 2026 · Last updated: 5 June 2026

This Privacy Policy describes what personal data the RapidOMR mobile application (“App”) collects, how it is used, and your rights. By using RapidOMR, you agree to this policy.

1. Data Controller

Serhat Demirok
Contact: support@rapidomr.com
Web: rapidomr.com

2. Data We Collect

a) Account Information

When you create an account through Supabase Auth, we collect your email address, password (stored as a cryptographic hash, never in plain text), and full name. If you choose Google Sign-In or Sign in with Apple, your full name and account identifier are obtained from the provider and used for account display and authentication.

b) Device Information

We collect the device identifier (Android ID / iOS identifierForVendor) and your monthly device switch count to enforce the 1-device-per-account limit and track the monthly free scan quota per device. This identifier is NOT a permanent hardware identifier such as phone number or IMEI; it can be reset when you uninstall the app.

c) Usage Data

We collect your monthly scan count (per device, for the 50 free scans/month quota) and, for school-licensed users only, monthly scan statistics visible on the school admin dashboard.

d) App Content (default: stored only on your device)

The following data never leaves your device by default; it is not uploaded to Supabase or any server unless you explicitly choose to back it up:

  • Student rosters (names, school numbers)
  • Class structures
  • Exam configurations (subject, questions, answer keys, learning outcomes)
  • Exam results (scanned answers, scores)
  • Scan sessions
  • Institution logo and name
  • In-app settings

This data is stored only in the local SQLite database. If you uninstall the app, it is completely deleted. Exception — if you use the Optional Cloud Backup feature described below, the data above is uploaded to Supabase Storage as a ZIP archive.

e) Purchase Information

Through RevenueCat and Google Play Billing, we collect the purchase identifier, license expiration date, and RevenueCat user identifier (linked to your Supabase user ID). Credit card, IBAN, or banking details are never processed by RapidOMR; all payment information is handled directly by Google Play Billing.

f) Optional Cloud Backup (Supabase Storage or Google Drive)

Licensed users (Individual or School license) can optionally back up their app data to the cloud. This feature is triggered manually from the in-app “Settings → Backup and Restore” menu; there is no automatic or background backup. You can choose between two destinations:

Destination 1 — Supabase Storage (default):

Data included in the backup:

  • Class structures and student rosters (including student names and school numbers)
  • Exam configurations, booklet variants (A/B/C/D), answer keys, learning outcomes
  • Exam results (each student's answers, scores, net correct count)
  • Scan sessions (timestamps and metadata)
  • Subject lists, institution logo and name, in-app settings

Data NOT included in the Supabase backup: optical form scan images captured during scanning (only the parsed answer data is backed up); license, device identifier, session information.

The backup is stored in the user-backups bucket at {user_id}/backup.zip. Only one backup is kept per user: a new backup overwrites the previous one. The backup is encrypted in transit (HTTPS/TLS), and a Supabase Storage row-level access policy ensures only your own account can access your backup. You can delete the backup at any time from the in-app “Delete Backup” option; if you delete your account, the backup is automatically deleted (irreversible).

Destination 2 — Google Drive (alternative):

If you sign in with Google and grant access, backup ZIP archives can be uploaded to your own Google Drive. RapidOMR uses the drive.appdata OAuth scope — a restricted scope that limits our access to a hidden application data folder created by RapidOMR. We cannot read or modify any other files in your Google Drive; the backup files do not appear in your Drive UI but still count toward your Drive storage quota.

The same data set as the Supabase backup is included, plus the original scanned form images (since Google Drive does not incur server-side storage cost for us). Multiple backup files are kept on Drive with an automatic rotation policy; you can delete any backup at any time from the in-app interface. RapidOMR never deletes or accesses Drive files outside the in-app backup flow. If you uninstall the app or revoke Google access from your Google account (myaccount.google.com/permissions), we lose all ability to read or write the backup files; the files themselves remain in your Drive until you delete them.

Backup data sent to your Google Drive is not transferred to humans, not shared with any third party other than Google, and never used for advertising or to train AI/ML models. Use of Google Drive data is in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

g) Crash Reports

If the app crashes unexpectedly, the following anonymous information is automatically sent to Google Firebase Crashlytics: device model and operating system version, app version, crash time and error message / stack trace, anonymous Firebase installation identifier. Crash reports contain no personal data (no email, names, or student data); they are used solely to detect and fix app errors.

h) Optional Google Sheets Export

You can optionally export exam reports (score lists, item analyses, learning outcome summaries, ranking lists, etc.) as Google Sheets spreadsheets in your own Google Drive. This feature is triggered manually from the in-app “Results → Sheets” menu; there is no automatic export.

To create the spreadsheet, RapidOMR uses the drive.file OAuth scope — a restricted scope that allows the app to create new files in your Drive and modify only the files RapidOMR itself has created. We cannot read or modify any of your other Drive files; the exported spreadsheet appears in your Drive root folder (or wherever you move it) and is owned by you.

The exported spreadsheet contains the same student-level data shown in the in-app result tables (student names, school numbers, answers, scores, learning outcome breakdowns). RapidOMR never modifies or accesses your spreadsheet after creation; once written, the data is solely under your control.

Spreadsheet data sent to your Google Drive is not transferred to humans, not shared with any third party other than Google, and never used for advertising or to train AI/ML models. Use of Google Sheets / Drive data is in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

3. Data We Do NOT Collect

  • Location (including GPS or IP-based)
  • Contacts
  • Microphone
  • Gallery / photos (the camera is only used for OMR scanning; images are never uploaded to our servers)
  • Your other Google Drive files (Drive scopes used by RapidOMR are restricted to a hidden app data folder for backups and to files RapidOMR itself creates for exports)
  • Advertising or behavioral marketing data
  • Third-party analytics (Google Analytics, Facebook SDK, etc. are not used)

4. How We Use Your Data

We use the data we collect only for the following purposes:

  • Create your account and let you log in
  • Verify your license and subscription rights
  • Track your free scan quota
  • Prevent the same account from being used on multiple devices at the same time
  • Show total scan statistics on the school admin dashboard (school-licensed users only)
  • Detect and fix app errors (Crashlytics)
  • When you create a backup, store your app data in Supabase Storage or upload it to your own Google Drive so you can restore it later (only when the opt-in feature is used)
  • When you export an exam report as a Google Sheet, create the spreadsheet file in your own Google Drive (only when the opt-in feature is used)

Your data is never used for advertising, marketing, or sale to third parties.

5. Third-Party Services

RapidOMR uses the following services as data processors:

  • Supabase (Auth + DB) — Account, license, device, scan counter (EU servers)
  • Supabase Storage (optional) — Cloud backup, only if you opt in (EU servers)
  • RevenueCat — Subscription state, user identifier (US servers)
  • Google Play Billing — Purchase processing
  • Google Sign-In (optional) — Authentication
  • Google Drive API (optional, drive.appdata scope) — Backup storage in your own Drive, only if you opt in. Limited to RapidOMR's hidden application data folder.
  • Google Sheets API (optional, drive.file scope) — Spreadsheet report export to your own Drive, only if you opt in. Limited to files RapidOMR itself creates.
  • Sign in with Apple (optional, iOS only) — Authentication
  • Firebase Crashlytics — Anonymous crash reports

Each service is subject to its own privacy policy: Supabase · RevenueCat · Google

6. Data Retention

  • Account information: until the account is deleted
  • Device identifier: until the device is changed or the account is deleted
  • Monthly scan counter: automatically reset at the start of each month (past months retained for 12 months)
  • License expiration date: until the account is deleted
  • Crash reports: Firebase Crashlytics default retention (90 days)
  • App content (local): until you uninstall the app; not stored in the cloud by default
  • Supabase cloud backup (optional): until you tap “Delete Backup”, upload a new one, or delete your account (one backup per user, new backup overwrites previous; automatically deleted on account deletion)
  • Google Drive backup (optional): retained in your own Google Drive until you delete it from the in-app interface or directly from Drive. RapidOMR does not delete or access these files from outside the in-app backup flow; if you uninstall the app, the files remain in your Drive.
  • Google Sheets export (optional): retained in your own Google Drive until you delete it directly from Drive. RapidOMR never modifies or accesses the spreadsheet after creation.

7. Your Rights

Under GDPR (EU General Data Protection Regulation) and Turkey's KVKK Law No. 6698, you have the following rights:

  • Right of access: request access to and a copy of your data
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: delete your account (in-app “Delete My Account”)
  • Right to object: object to processing for specific purposes
  • Right to data portability: export your data in a machine-readable format

For requests: support@rapidomr.com

Account deletion: you can delete your account at any time from “Settings → Account → Delete My Account”. Upon deletion, your account data is permanently removed from Supabase.

8. Children's Data

RapidOMR is designed for use by teachers. We do not knowingly collect data directly from children under 13.

The app is used by teachers to process exam data (names, school numbers, exam results) for students in their classes. In this case, the teacher or school is the data controller for student data; RapidOMR is only the data processor providing the technical infrastructure. Student data is stored locally on the device; it is not uploaded to Supabase (except via the opt-in cloud backup).

9. Security

  • All server communication uses HTTPS/TLS encryption
  • Passwords are stored as one-way hashes (bcrypt-equivalent) by Supabase Auth
  • The local database (SQLite) is protected by device-level encryption if enabled
  • On the server side, Supabase Row Level Security (RLS) ensures each teacher can only access their own data

10. Policy Changes

We may update this policy from time to time. For significant changes, we will publish an in-app notice and send an email to registered users. You can track changes by watching the “Last updated” date.

11. Contact

For any questions or requests about this policy or your data: support@rapidomr.com