Privacy Policy
This Privacy Policy explains how InkScan ("we", "us") collects, uses, and protects your information when you use our handwriting OCR service at inkscan.app and via our API.
1. Information We Collect
Account information: email address, name, and OAuth profile data (Google, GitHub) when you sign up. Payment information: processed securely by Stripe — we never see or store your card details. Usage data: pages processed, API calls, credit transactions, and request metadata (IP address, timestamps). Uploaded content: images and PDFs you submit for OCR processing.
2. How We Handle Your Uploaded Files
Images submitted through the free web tool are processed in memory and not stored after the response is returned. For authenticated API and dashboard users, source images are stored temporarily in Cloudflare R2 to enable job history and re-extraction. Job results (including stored images) are automatically deleted after the retention period configured for your account. We never use your uploaded files to train or improve our AI models.
3. How We Use Your Information
We use collected information to: provide and operate the OCR service; process payments and manage your credit balance; send transactional emails (welcome, receipts) via Resend; monitor service health and performance via PostHog analytics; prevent abuse and enforce rate limits; and respond to support requests.
4. Third-Party Services
We use the following third-party services to operate InkScan: Stripe for payment processing; Cloudflare (R2 storage, Turnstile human verification, DNS); Resend for transactional email; PostHog for product analytics; Neon for database hosting; Z.AI (GLM-OCR) for handwriting recognition. Each provider processes data according to their own privacy policies. We do not sell your personal information to any third party.
5. Cookies & Sessions
We use session cookies to keep you logged in. Cloudflare Turnstile sets a cookie for anonymous bot detection on the free web tool. We do not use advertising or cross-site tracking cookies.
6. Data Security
All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed using bcrypt. API keys are stored as SHA-256 hashes — the plain key is shown only once at creation. Payment data is handled entirely by Stripe (PCI DSS Level 1). While we implement industry-standard security measures, no system is 100% secure.
7. Data Retention
Account data is retained as long as your account is active. OCR job history and stored images are automatically deleted after the configured retention period. Credit transaction records are retained for accounting purposes. You can delete your account at any time by contacting us, and we will remove all associated personal data within 30 days.
8. Your Rights
You have the right to: access the personal data we hold about you; correct inaccurate information; request deletion of your account and data; export your data in a machine-readable format; and withdraw consent for optional data processing. To exercise any of these rights, contact us at the email below.
9. Children's Privacy
InkScan is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us at [email protected]
Last updated: 2026