Scan Hero — Privacy Notice
Last updated: 30 May 2026
Effective date: 30 May 2026
This Privacy Notice explains how AIz Serviços de Inteligência Artificial Ltda. ("Scan Hero", "we", "us") collects, uses, shares and protects personal data in connection with the website scanheroai.com, its subdomains, APIs and related services (the "Service").
It applies worldwide, with specific addenda for the European Economic Area / United Kingdom, the United States and Brazil at the end of this document. Where local law grants you stronger rights, those rights prevail over the general rules in this notice.
This notice is written in plain English to satisfy the transparency obligations of the Brazilian General Data Protection Law ("LGPD", Law 13,709/2018), the EU General Data Protection Regulation ("GDPR", Regulation 2016/679), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") and similar U.S. state privacy laws.
1. Who we are
Controller of your personal data:
- Name: AIz Serviços de Inteligência Artificial Ltda.
- Registered office: Av. Marechal Floriano, 399 – Rio de Janeiro, RJ, Brazil
- CNPJ: 66.955.511/0001-75
- Contact: admin@scanheroai.com
For purposes of the GDPR/UK GDPR, our representative in the European Union (article 27 GDPR) is DP-Dock. Our representative in the United Kingdom is DP-Dock.
Our Data Protection Officer / Encarregado pelo Tratamento de Dados Pessoais (LGPD article 41) is DP-Dock, reachable at admin@scanheroai.com.
2. Quick summary
| Topic | Plain-English answer |
|---|---|
| What we collect | Your sign-in info (Google), subscription state, files you upload, the AI outputs, basic usage logs, and (only if you opt in) data for AI training. |
| Why | To run the Service, bill you, prevent abuse, comply with law and (only with consent) improve our models. |
| Who we share with | Our cloud providers (Google Cloud, Stripe, Anthropic) and authorities when legally required. |
| Where it is stored | Mostly in the United States (Google Cloud us-central1), with appropriate transfer safeguards. |
| How long | Files: 1 hour to 15 days depending on size (see § 7). Account: until you delete it. Tax records: 7 years. Training data (opt-in): no fixed limit. |
| Your rights | Access, correct, delete, port, object, withdraw consent, complain to a regulator (see § 10 and the regional addenda). |
| Sale of data | We do not sell your personal data. |
| AI training | Only with your explicit opt-in via the Evaluation Cashback programme (see § 5). |
3. What personal data we collect
3.1 Data you give us
- Account data (when you sign in with Google): your e-mail address and Firebase user ID. We do not store your name, profile picture, password or Google contacts.
- Customer Content: the documents (PDFs, images, etc.) you upload, the prompts you submit, the Markdown outputs we generate, the templates you create, and any feedback or evaluation you give us.
- Billing data: your subscription plan and the date it expires. Payment is processed by Stripe; we receive a Stripe customer identifier but we do not store your card details, billing address, invoice numbers or payment receipts — those remain with Stripe.
- Support data: anything you send us when you contact admin@scanheroai.com.
3.2 Data collected automatically
- Usage and security logs: IP address, user-agent, timestamps, request paths, error codes, rate-limit and abuse signals. Logs do not contain the content of the files you upload.
- AI telemetry: when you run a task that uses an LLM, we record the file type of the input, the file type of the output, the prompt template used and content-quality / "distance" metrics (numerical scores describing how the output relates to the input). This is used to monitor quality and detect regressions.
- Cookies and similar technologies: see our Cookie Statement.
3.3 Data you provide only if you opt in — AI training
If a task you process is selected by the platform for evaluation and you accept the invitation and submit a rating, you receive an Evaluation Cashback equal to 10% of the credits spent on that task. In exchange, you grant us permission to use the input file, the prompt and the output of that specific task to train, fine-tune and evaluate our AI models. No training use is made of your content unless you accept this opt-in. See § 5.
3.4 Special categories of data
The Service is not designed for special-category (sensitive) data such as health records, biometric data, government IDs, racial or ethnic data, religious beliefs, sexual orientation, political opinions, trade-union membership, or children's data. You must not upload such data unless you have a valid legal basis under applicable law and have assessed the risks (LGPD art. 11, GDPR art. 9, U.S. state laws). If you do, you remain the controller of that data and you indemnify us for any resulting claims.
4. How we use your data — purposes and legal bases
For each purpose we identify the legal basis under the GDPR / UK GDPR (in italics) and under the LGPD (in bold).
| # | Purpose | Data used | Legal basis (GDPR / UK GDPR) | Legal basis (LGPD art. 7 / 11) |
|---|---|---|---|---|
| 1 | Create and manage your account, authenticate you | Account data | Performance of a contract | Execução de contrato (art. 7, V) |
| 2 | Run the document-to-Markdown conversion you requested | Customer Content, AI telemetry | Performance of a contract | Execução de contrato (art. 7, V) |
| 3 | Bill you, prevent payment fraud | Account data, billing data, Stripe customer ID | Performance of a contract and legal obligation (tax) | Execução de contrato and cumprimento de obrigação legal (art. 7, II) |
| 4 | Keep the Service secure, prevent abuse, enforce our Terms | Usage and security logs, account data | Legitimate interests (art. 6(1)(f)) | Legítimo interesse (art. 7, IX) |
| 5 | Comply with court orders, regulators and applicable law | Whatever data is responsive | Legal obligation (art. 6(1)(c)) | Cumprimento de obrigação legal ou regulatória (art. 7, II) |
| 6 | Improve and monitor the quality of the Service using aggregated metrics | AI telemetry (file types, prompts used, distance metrics, token counts) — no file content | Legitimate interests | Legítimo interesse |
| 7 | Send service announcements (changes, security, price changes) | | Performance of a contract and legal obligation | Execução de contrato |
| 8 | Send optional marketing (only where applicable and only with consent) | | Consent (art. 6(1)(a)) | Consentimento (art. 7, I) — you may withdraw at any time |
| 9 | Web analytics via Google Analytics 4 | Cookies and pseudonymous identifiers | Consent (where required) | Consentimento (where required) |
| 10 | Train, fine-tune and evaluate our AI models (Evaluation Cashback) | Customer Content of the specific task you opted in | Consent (art. 6(1)(a)) | Consentimento (art. 7, I) — see § 5 |
You can object to processing based on legitimate interests as explained in § 10.
5. AI training — Evaluation Cashback (opt-in)
We use third-party large language models (currently Anthropic Claude) to convert your documents. By default we do not use your Customer Content to train any AI model, ours or anyone else's. Anthropic, as our sub-processor, processes inputs only to return the output of each call and does not use them to train its foundation models under our contractual terms (see § 8). We are not responsible for the training practices of third-party AI providers beyond our contractual relationship with them — you should review their respective notices if this is important to you.
If you wish to help us improve the Service, you can join the Evaluation Cashback programme:
- Trigger. The platform selects certain tasks for evaluation according to internal criteria. When that happens, after the task is completed we invite you to rate the quality of the output.
- Reward. If you submit a rating, you receive 10% of the credits spent on that task back into your account.
- Permission. When you submit the rating, you give us your explicit, free, informed and specific consent to use the input file, the prompt and the output of that specific task to train, fine-tune and evaluate AI models operated by Scan Hero, with no predefined retention period.
- Scope. The permission covers only the task you opted in for; tasks for which you did not opt in are deleted in accordance with § 7.
- Withdrawal. You can withdraw your consent for future tasks at any time in your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and content already integrated into a trained model cannot be removed from the model itself, though we will stop further use of the underlying raw data on request.
Decisions made by the Service (e.g. the conversion output, the quality score) do not produce legal or similarly significant effects on you and you are not subject to solely automated decision-making with such effects (GDPR art. 22, LGPD art. 20). The output is informational and you remain responsible for what you do with it.
6. Who we share your data with
We share data only with the recipients below, only as needed for the purposes above, and only under appropriate contractual safeguards.
6.1 Sub-processors (data processors / operators)
| Sub-processor | Role | Location | What it processes |
|---|---|---|---|
| Google LLC / Google Ireland Ltd (Google Cloud Platform, Firebase Authentication / GCIP, Cloud Run, Firestore, Cloud Storage, Cloud Armor, Google Analytics 4) | Hosting, authentication, storage, analytics, security | United States (us-central1), Ireland | Account data, Customer Content, logs, telemetry, analytics cookies |
| Anthropic, PBC | LLM inference for the conversion engine | United States | Customer Content sent in prompts (transient, not used for training under our agreement) |
| Stripe, Inc. / Stripe Payments Europe Ltd | Payment processing | United States, Ireland | E-mail, Stripe customer ID, payment card data (Stripe collects card data directly from you; we never see it) |
The current list of sub-processors is also published at scanheroai.com. We will give reasonable advance notice before adding or replacing sub-processors.
6.2 Authorities and legal recipients
We may disclose personal data when we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a valid request from a competent authority, enforce our Terms, protect the rights, property or safety of Scan Hero, our users or others, or in connection with a corporate transaction (merger, acquisition, sale of assets) — in which case the acquirer will be bound by this Privacy Notice or by a notice at least as protective.
6.3 We do not sell your personal data
Scan Hero does not sell personal data for money. We also do not "share" personal data for cross-context behavioural advertising as those terms are defined under CCPA/CPRA — see § A.2.
7. How long we keep your data
| Data category | Retention period |
|---|---|
| Uploaded source documents (the file you submit) | Deleted within 1 hour of upload from our processing storage. |
| Conversion outputs ≤ 5 MB | Up to 15 days, then deleted. |
| Conversion outputs 5 – 50 MB | Deleted within 24 hours. |
| Conversion outputs > 50 MB | Deleted within 1 hour. |
| Templates you create | Kept until you delete them or delete your account. |
| Account data (e-mail, plan, credits, Stripe customer ID) | Kept until you delete your account, plus a short grace period for backups. |
| Payment / tax records (invoice metadata held on our side, plus the Stripe customer ID) | 7 years after the end of the relationship, to comply with tax law (Brazil, U.S., EU). |
| Usage and security logs (no file content) | Kept indefinitely for audit and security purposes, in a form that does not include uploaded content. |
| AI telemetry (file types, prompt template, distance metrics, token counts — no file content) | Kept for as long as needed for quality monitoring; no fixed limit. |
| Training data under the Evaluation Cashback opt-in | No predefined retention limit. You may withdraw consent for future tasks at any time (see § 5). |
| Support tickets | 3 years from last interaction. |
When a retention period expires, data is deleted or anonymised. Backup copies may persist for a short additional period before being overwritten.
8. International data transfers
Most of our processing happens in the United States (Google Cloud us-central1). When we transfer personal data out of Brazil, the EEA or the UK, we rely on appropriate safeguards:
- GDPR / UK GDPR. We use the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, together with supplementary technical and organisational measures (encryption in transit and at rest, access controls). For Google Cloud, Anthropic and Stripe, we rely on their published data-processing agreements incorporating the SCCs. Copies of the safeguards are available on request at admin@scanheroai.com.
- LGPD. Transfers comply with article 33 of the LGPD: contractual clauses with adequate safeguards approved by the ANPD, performance of a contract with the data subject, or compliance with a legal obligation, as applicable.
9. How we protect your data
We apply technical and organisational measures appropriate to the risk, including:
- TLS 1.2+ encryption in transit, AES-256 encryption at rest on Google Cloud;
- access controls (least privilege, role-based access, single sign-on with MFA for staff);
- secret management via Google Secret Manager;
- Cloud Armor WAF and rate limiting;
- audit logs and security monitoring;
- staff training and confidentiality obligations;
- vendor due diligence and contractual safeguards.
No service can guarantee absolute security. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent authority and, where required, you, within the timeframes mandated by the LGPD (without undue delay), GDPR (72 hours) and applicable U.S. state laws.
10. Your rights
Subject to applicable law, you have the following rights with respect to your personal data:
- Access — obtain confirmation that we process your data and a copy of it;
- Rectification — have inaccurate or incomplete data corrected;
- Erasure / deletion — have your data deleted, subject to legal retention obligations;
- Restriction — have us limit processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format and/or have it transmitted to another controller, where technically feasible;
- Objection — object to processing based on our legitimate interests or to direct marketing;
- Withdraw consent — at any time, without affecting prior processing;
- Not be subject to solely automated decision-making producing legal or similarly significant effects;
- Information about with whom we share your data (LGPD art. 18, VII);
- Complain to a supervisory authority (see addenda).
To exercise any right, write to admin@scanheroai.com. We will respond within the timeframe required by applicable law (typically 15 days under the LGPD, one month under the GDPR, 45 days under U.S. state laws). We may need to verify your identity before responding.
You can also delete your account directly from your account settings. We do not charge for handling requests except where allowed by law for manifestly unfounded or excessive requests.
11. Cookies and similar technologies
The Service uses a small number of cookies. We do not set our own marketing or advertising cookies. For details (purpose, provider, duration and how to opt out), see our Cookie Statement.
12. Children
The Service is not directed to children under 18 and we do not knowingly process the personal data of minors. If you believe a minor has used the Service, write to admin@scanheroai.com and we will delete the account.
We do not respond to "Do Not Track" signals because there is no industry consensus on how they should be interpreted. We do honour Global Privacy Control ("GPC") signals from U.S. residents where required by state law (see § A.2).
13. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Material changes will be announced by e-mail or in-app notice with reasonable advance notice. The "Last updated" date at the top of this notice always reflects the current version. Previous versions are available on request.
14. Contact
- Controller: AIz Serviços de Inteligência Artificial Ltda. — admin@scanheroai.com — Av. Marechal Floriano, 399 – Rio de Janeiro, RJ, Brazil — CNPJ 66.955.511/0001-75.
- DPO / Encarregado: DP-Dock — admin@scanheroai.com.
- EU Representative (GDPR art. 27): DP-Dock.
- UK Representative: DP-Dock.
Addendum A — United States
This Addendum supplements the Privacy Notice for residents of the United States. It implements rights granted by the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and similar laws in Texas, Oregon, Montana, Tennessee, New Jersey and other states as they enter into force.
A.1 Categories of personal information collected (CCPA/CPRA disclosure)
Over the past 12 months, we have collected the following CCPA-defined categories of personal information:
- Identifiers (e.g. e-mail address, Firebase user ID, IP address, Stripe customer ID).
- Customer records / commercial information (subscription plan, credit balance, transaction history through Stripe).
- Internet or other electronic network activity (logs, telemetry, cookies — see Cookie Statement).
- Inferences (limited; e.g. quality metrics related to your tasks).
- Content you upload and content we generate from it (Customer Content) — to the extent it contains personal information you decide to include.
We do not collect biometric information, geolocation precise enough to identify a household, sensitive personal information as defined by CPRA (except where you choose to upload a document containing it), or information about your sexual orientation or political opinions.
Sources, business purposes and recipients are described in §§ 3, 4 and 6 of the main Privacy Notice.
A.2 Sale and sharing
We do not sell personal information and we do not share personal information for cross-context behavioural advertising as those terms are defined by CCPA/CPRA. We honour valid Global Privacy Control signals as opt-out signals where required by California, Colorado, Connecticut and similar laws.
A.3 Your rights under U.S. state privacy laws
Depending on your state of residence, you may have the rights to: (i) know / access the personal information we have collected about you; (ii) delete it; (iii) correct it; (iv) port it; (v) opt out of sale, sharing or targeted advertising (not applicable to us — we don't do any); (vi) opt out of profiling that produces legal or similarly significant effects (not applicable to us); (vii) limit use of sensitive personal information; (viii) appeal a denial of your rights request.
To exercise any of these rights, write to admin@scanheroai.com or submit a request through your account settings. We will verify your identity through your account login. Authorised agents may submit requests on your behalf with proof of authorisation. We will respond within 45 days (extendable by another 45 days if necessary).
We will not discriminate against you for exercising your rights.
A.4 Children — COPPA and state laws
We do not knowingly process personal information of children under 13 (COPPA) or, more broadly, of minors under 18. The Service is restricted to users 18+.
Addendum B — European Economic Area / United Kingdom / Switzerland
This Addendum supplements the Privacy Notice under the GDPR, the UK GDPR, the Swiss FADP and complementary national laws (e.g. German BDSG, French LIL, etc.).
B.1 Legal bases
Legal bases for each processing purpose are listed in § 4 of the main notice. Where we rely on legitimate interests, our assessment is available on request.
B.2 International transfers
See § 8 of the main notice. We rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, with supplementary measures. You can request a copy of these safeguards at admin@scanheroai.com.
B.3 Your rights
You have the rights listed in § 10 of the main notice (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, no automated decision-making). You also have the right to complain to your supervisory authority without prejudice to any judicial remedy:
- Find your authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK ICO: https://ico.org.uk/
- Switzerland FDPIC: https://www.edoeb.admin.ch/
B.4 Representatives
- EU Representative (GDPR art. 27): DP-Dock.
- UK Representative: DP-Dock.
B.5 Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (GDPR art. 22).
Addendum C — Brazil
This Addendum supplements the Privacy Notice under the Lei Geral de Proteção de Dados Pessoais (LGPD, Law 13,709/2018) and ANPD regulations.
C.1 Controller and DPO (Encarregado)
- Controlador: AIz Serviços de Inteligência Artificial Ltda., CNPJ 66.955.511/0001-75, Av. Marechal Floriano, 399 – Rio de Janeiro, RJ, Brazil.
- Encarregado pelo Tratamento de Dados Pessoais (LGPD art. 41): DP-Dock — admin@scanheroai.com.
C.2 Legal bases (LGPD art. 7 and 11)
See § 4 of the main notice. The most common bases are: execution of contract (art. 7, V), legitimate interest (art. 7, IX), compliance with a legal or regulatory obligation (art. 7, II) and, for training under the Evaluation Cashback programme and for analytics cookies, consent (art. 7, I).
C.3 Your rights as a data subject (titular) — LGPD art. 18
You have the rights to: (i) confirm that we process your data; (ii) access your data; (iii) correct incomplete, inaccurate or outdated data; (iv) request anonymisation, blocking or deletion of unnecessary, excessive or unlawfully processed data; (v) port your data to another provider or controller, subject to ANPD regulations; (vi) delete data processed on the basis of consent; (vii) be informed about the public and private entities with which we shared your data; (viii) be informed about the possibility of refusing consent and the consequences of refusal; (ix) revoke consent; (x) petition the ANPD; (xi) oppose processing based on bases other than consent when carried out in breach of the LGPD.
To exercise any right, write to admin@scanheroai.com.
C.4 ANPD
You may file a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD) at https://www.gov.br/anpd/.
C.5 International transfers
Transfers comply with LGPD art. 33 — see § 8 of the main notice.