Privacy policy

Last Updated: March 19, 2026
Effective Date: March 19, 2026

TraceLite ("we," "our," or "us") is a project management and collaboration platform developed by Vasskep. This Privacy Policy explains in detail how we collect, use, store, process, disclose, and safeguard your information when you use our mobile application TraceLite (the "App") available on iOS and Android platforms.

Please read this Privacy Policy carefully. By downloading, installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, you must not access or use the App.


Table of Contents

  1. Information We Collect
  2. Device Permissions & Hardware Access
  3. How We Use Your Information
  4. Third-Party Services & Data Processors
  5. Data Storage, Retention & Security
  6. Data Sharing & Disclosure
  7. AI & Automated Processing
  8. Your Rights & Choices
  9. Children's Privacy
  10. International Data Transfers
  11. Cookies & Tracking Technologies
  12. Changes to This Privacy Policy
  13. Compliance & Legal Framework
  14. Contact Us

1. Information We Collect

We collect information that you provide directly, information generated through your use of the App, and information obtained from third-party sources. Below is a comprehensive breakdown of all data categories.

1.1 Personal Information You Provide Directly

When you register for an account and use TraceLite, you voluntarily provide us with the following personal information:

Account Registration Information:

  • Full name (first name and last name)
  • Email address
  • Mobile phone number (used as primary identifier for authentication)
  • Profile picture or avatar image that you upload
  • Password or authentication credentials (stored in hashed form)

Organization Information:

  • Organization or company name
  • Organization type and details
  • Your role and designation within the organization
  • Membership status and access level

Team Member Information:

  • Names of team members you add to projects
  • Primary and alternate phone numbers of team members
  • Email addresses of team members
  • Designation, role, and job title of team members
  • Profile pictures of team members

Subscription & Billing Information:

  • Subscription plan type (Free or Pro)
  • Subscription start and end dates
  • Usage limits and quota consumption
  • Payment transaction details (if applicable)

1.2 Content & Data You Create Within the App

As you use the App's collaboration and project management features, we collect and store all content you create, upload, or share:

Project Information:

  • Project names, descriptions, and codes
  • Project type and category classifications
  • Project locations and addresses
  • Project start dates, end dates, and deadlines
  • Project notes, status updates, and progress details
  • Scope of Work (SOW) items with detailed descriptions, quantities, and specifications

Communication Data:

  • Text messages sent in group and private chat rooms
  • Audio voice messages recorded and sent in chats
  • Images, photographs, and videos shared in conversations
  • Documents and files attached to chat messages
  • Message metadata including timestamps, read receipts, and delivery status
  • Chat room names, descriptions, and participant lists
  • Message replies, forwards, and thread references
  • Mention and tag data when you reference other users
  • Pinned and archived message states

Project Updates:

  • Update titles, descriptions, and body content
  • Images, videos, and audio files attached to updates
  • Comments posted on updates by you and other team members
  • Like and engagement reactions on updates
  • Update status labels and categorization
  • Task categorization and assignment data linked to updates

Design & Document Data:

  • Design documents and files you upload (PDFs, images, drawings, blueprints)
  • Design folder and category organization structure
  • Document thumbnails and preview images
  • Comments and feedback on design documents
  • Document view history (who viewed which document and when)
  • Design type classifications and labels

Store Visit & Product Data:

  • Store visit dates, locations, and visitor information
  • Product names, descriptions, brands, and categories
  • Product pricing information and price history
  • Product dimensions, sizes, quantities, and specifications
  • Product photographs and documentation images
  • Store item categorization, favorites, and final selection lists
  • Product comparison and selection notes

Area & Spatial Data:

  • Project area definitions, names, and descriptions
  • Hierarchical area structures (rooms, zones, floors)
  • Area type classifications
  • Area-specific scope items and assignments

Selection & Preference Data:

  • Custom selection categories and items
  • Product and material selections per project area
  • Selection requirements, notes, and specifications
  • Final approved selection lists

1.3 Automatically Collected Information

When you access and use the App, certain information is collected automatically without requiring your direct input:

Device Information:

  • Device manufacturer, model, and type (phone or tablet)
  • Operating system name and version (iOS or Android)
  • App version and build number
  • Unique device identifiers
  • Screen resolution and display density
  • Device language and locale settings

Network & Connectivity Information:

  • Network connection type (Wi-Fi, cellular data, or offline)
  • Network connectivity status changes (online/offline transitions)
  • Internet service provider information
  • IP address (collected by our cloud service providers)

App Usage & Analytics Data:

  • Feature usage frequency and patterns
  • Session duration and timestamps
  • Navigation paths within the App
  • User interaction breadcrumbs (sequence of actions taken for crash analysis)
  • Feature-level usage logs for billing (AI tokens consumed, audio minutes recorded, storage bytes used)
  • Monthly aggregated usage summaries per user and organization

Push Notification Data:

  • Firebase Cloud Messaging (FCM) device registration tokens
  • Notification delivery and open status
  • Notification preferences and read/unread state

Error & Performance Data:

  • Application crash reports and stack traces
  • Error messages and exception details
  • App performance metrics and response times
  • Memory usage and resource consumption data
  • Environment and configuration details at the time of errors
  • Session replay breadcrumbs showing user actions leading to an error

2. Device Permissions & Hardware Access

TraceLite requests access to certain device hardware and software capabilities to provide its full range of features. Below is a detailed explanation of each permission, why it is needed, what data is accessed, how it is used, and what happens if you deny the permission.

2.1 Camera Access

  • What We Access: Your device's front and rear cameras.
  • Why We Need It: TraceLite allows you to capture photos directly within the App for multiple purposes:
    • Taking photographs of products, furniture, and materials during store visits for documentation and comparison.
    • Capturing images to share in chat conversations with your team members.
    • Photographing project sites, progress, and areas for project updates.
    • Taking profile pictures for your user account.
    • Capturing design references, samples, and on-site conditions for design documents.
  • How Camera Data Is Used:
    • Photos you capture are stored locally on your device temporarily during the editing/upload process.
    • Once you confirm sharing or uploading, images are transmitted over an encrypted HTTPS connection to our cloud storage (Supabase Storage).
    • Images shared in chats are visible to all participants of that chat room.
    • Images attached to project updates are visible to project team members.
    • Product images captured during store visits are stored as part of the product record.
    • We do not access your camera in the background or without your active initiation.
  • On-Device Processing: When you photograph store items, the App may use Google ML Kit (an on-device machine learning model) to automatically classify and categorize the item (e.g., as a chair, sofa, table, bed). This processing happens entirely on your device — no image data is sent to Google or any external server for this classification.
  • If You Deny This Permission: You will not be able to take photos within the App. You can still select previously taken photos from your photo library (if that permission is granted). Store visit documentation and in-chat photo capture will be unavailable.

2.2 Photo Library & Gallery Access

  • What We Access: Your device's photo library, image gallery, and saved videos.
  • Why We Need It: TraceLite allows you to select and upload existing photos and videos from your device for various purposes:
    • Selecting photos from your gallery to share in chat conversations.
    • Uploading images to project updates, store visit records, and design documents.
    • Choosing a profile picture from your existing photos.
    • Attaching multiple images and videos to project updates for progress documentation.
    • Selecting product photos from your gallery for store visit records.
    • Uploading site photos and reference images for design discussions.
  • How Gallery Data Is Used:
    • We only access the specific photos and videos that you actively select through the image picker interface. We do not scan, index, or access your entire photo library.
    • Selected images are uploaded over an encrypted HTTPS connection to our cloud storage.
    • Thumbnails and compressed versions may be generated for preview purposes.
    • Images are cached locally on your device for faster loading when you revisit them in the App.
    • Video files you select are uploaded and stored for playback within the App.
    • Video thumbnails are automatically generated for preview display in chat and update feeds.
  • Write Access: The App may also request permission to save images to your photo library when you download or save shared images, design documents, or exported content from the App.
  • If You Deny This Permission: You will not be able to select or upload photos and videos from your gallery. You may still capture new photos using the camera (if camera permission is granted). Downloading and saving images from the App to your device will also be unavailable.

2.3 Microphone Access

  • What We Access: Your device's built-in microphone or any connected audio input device.
  • Why We Need It: TraceLite includes voice messaging functionality in its chat feature:
    • Recording voice messages to send in group and private chat conversations.
    • Capturing audio notes for project updates.
    • Recording on-site audio observations during store visits or project inspections.
  • How Microphone Data Is Used:
    • Audio is recorded only when you explicitly press and hold the voice recording button in the chat interface. We never record audio in the background or without your direct action.
    • Recorded audio files are stored temporarily on your device during recording.
    • Once you confirm sending, the audio file is uploaded over an encrypted HTTPS connection to our cloud storage.
    • Audio messages are playable by all participants of the chat room where the message was sent.
    • Audio duration in seconds is tracked for usage billing purposes (for users on metered subscription plans).
    • Audio files are stored in standard audio formats compatible with both iOS and Android playback.
  • If You Deny This Permission: You will not be able to record or send voice messages in chat. All other App features including text messaging, image sharing, and document sharing will continue to function normally.

2.4 Contacts Access

  • What We Access: Your device's contact list including names, phone numbers, and email addresses stored in your address book.
  • Why We Need It: TraceLite provides a team collaboration feature that allows you to invite team members:
    • Quickly selecting contacts from your address book to invite as team members to your organization or projects.
    • Auto-populating team member details (name, phone number, email) when adding new members.
    • Matching existing TraceLite users from your contacts for easy team assembly.
    • Sending SMS invitations to contacts who are not yet TraceLite users.
  • How Contact Data Is Used:
    • Contact data is read locally on your device and displayed in a contact picker interface within the App.
    • Only the contacts you explicitly select are processed — we do not upload or sync your entire contact list to our servers.
    • Selected contact names, phone numbers, and email addresses are used to create team member records and send invitations.
    • Phone numbers of selected contacts may be sent to our SMS service provider (MSG91) for delivering invitation messages.
    • We do not store your full contact list on our servers or use it for marketing purposes.
    • We may write back to your contacts to save TraceLite team member details to your device address book (with your permission).
  • If You Deny This Permission: You will not be able to import contacts from your address book. You can still manually enter team member names, phone numbers, and email addresses to add them to your projects and organization.

2.5 Network & Internet Access

  • What We Access: Your device's internet connection via Wi-Fi or cellular data networks.
  • Why We Need It: TraceLite requires network access for virtually all of its core functionality:
    • Authentication: Verifying your identity via OTP (One-Time Password) sent over SMS and validating your login session with our authentication servers.
    • Data Synchronization: Syncing your projects, messages, updates, designs, and all user-generated content between your device and our cloud servers in real time.
    • Real-Time Messaging: Delivering and receiving chat messages, voice messages, images, and files in real time via WebSocket connections.
    • File Upload & Download: Uploading images, videos, audio files, and documents to cloud storage, and downloading shared media from other team members.
    • Push Notifications: Maintaining a connection with Firebase Cloud Messaging servers to receive push notifications about new messages, updates, and project activity.
    • AI Features: Sending requests to OpenAI servers for chat summarization, update summarization, and task analysis features.
    • Error Reporting: Transmitting crash reports and error logs to Sentry servers for monitoring and debugging.
    • SMS Delivery: Sending OTP codes and team invitation SMS messages via MSG91 servers.
  • How Network Data Is Used:
    • All data transmitted over the network is encrypted using industry-standard HTTPS/TLS protocols.
    • Your IP address may be logged by our cloud service providers (Supabase, Firebase, Sentry) as part of standard server access logs.
    • Network connectivity status is monitored locally to enable seamless offline-to-online transitions. When you go offline, data is stored locally and automatically synced when connectivity is restored.
    • We monitor network request failures and timeouts as part of error tracking to improve app reliability.
  • If You Deny This Permission: The App will not function in online mode. While limited offline functionality is available (viewing previously synced data), you will not be able to authenticate, send messages, upload files, receive notifications, or sync data with your team.

2.6 Phone Number & Telephony

  • What We Access: Your mobile phone number as provided during registration.
  • Why We Need It:
    • Primary Authentication: Your phone number serves as the primary identifier for your TraceLite account. You log in by receiving a one-time password (OTP) via SMS to your registered phone number.
    • Account Verification: We verify your phone number via OTP to ensure account security and prevent unauthorized access.
    • Team Communication: Your phone number may be displayed to other team members within your organization for collaboration purposes.
    • SMS Invitations: When you invite new team members, SMS invitations are sent from our SMS service to their phone numbers.
  • How Phone Number Data Is Used:
    • Your phone number is stored securely in our authentication database (Supabase Auth) and your user profile record.
    • OTP codes are generated by our server and delivered to your phone number via MSG91 SMS gateway.
    • Your phone number is visible to other members of your organization and project teams within the App.
    • We do not sell, rent, or share your phone number with third parties for marketing or advertising purposes.
    • Phone numbers of team members you invite are transmitted to MSG91 solely for delivering invitation SMS messages.
  • If You Choose Not to Provide: You cannot create a TraceLite account without a valid phone number, as phone-based OTP is the primary authentication mechanism.

2.7 Background App Refresh & Notifications

  • What We Access: The ability to perform background fetch operations and receive remote push notifications.
  • Why We Need It:
    • Push Notifications: Receiving real-time alerts about new chat messages, project updates, team invitations, design comments, and other activity even when the App is not in the foreground.
    • Background Data Sync: Periodically syncing data in the background to ensure you see the latest information when you open the App.
  • How This Is Used:
    • Firebase Cloud Messaging (FCM) delivers push notifications to your device.
    • Notification content includes a title and brief preview of the activity (e.g., "New message from [Name]" or "New update in [Project]").
    • Notification tokens are stored on our servers to route notifications to your specific device.
    • Background fetch is used to keep your local database in sync with the latest project data.
  • If You Deny This Permission: You will not receive push notifications about new messages, updates, or activity. You will only see new content when you manually open the App and it syncs with the server.

2.8 File Storage & Document Access

  • What We Access: The ability to read and write files on your device's local storage, and to browse and select files from your device.
  • Why We Need It:
    • File Uploads: Selecting PDF documents, Excel spreadsheets, design files, and other documents from your device to upload to projects and chats.
    • File Downloads: Saving shared documents, exported reports (Excel/PDF), and media files to your device.
    • Local Caching: Storing cached images, thumbnails, and frequently accessed files locally for faster loading and offline access.
    • Offline Database: Maintaining a local SQLite database for offline functionality.
  • How File Data Is Used:
    • Only files you explicitly select through the file picker are uploaded — we do not scan or access files beyond what you choose.
    • Downloaded files are saved to your device's standard documents or downloads directory.
    • Cache files are stored in the App's private storage directory and are automatically managed (old cache files are cleared periodically).
    • The local database is stored in the App's sandboxed storage area, inaccessible to other apps.
  • If You Deny This Permission: You will not be able to upload documents or save files from the App to your device. Image and media sharing from your gallery requires separate photo library permission.

3. How We Use Your Information

We process your information for the following specific, legitimate purposes:

3.1 Account Creation & Authentication

  • Registering your user account using your phone number and/or email address.
  • Verifying your identity through OTP-based authentication via SMS.
  • Maintaining your authenticated session and securing your account access.
  • Enabling password recovery and account restoration.
  • Managing your subscription status and plan features.

3.2 Core Project Management & Collaboration

  • Creating, organizing, and managing projects with all associated data (areas, scope, designs, updates).
  • Enabling real-time collaboration between team members on shared projects.
  • Facilitating team member invitations, role assignments, and access control.
  • Storing and organizing design documents, files, and media for project reference.
  • Tracking project progress through updates, task management, and status reporting.
  • Managing store visits, product documentation, pricing, and material selections.

3.3 Real-Time Communication

  • Delivering text messages, voice messages, images, videos, and documents in real-time chat rooms.
  • Managing group discussions and private conversations between team members.
  • Tracking message delivery and read status for reliable communication.
  • Enabling message search, pinning, archiving, and organization within chat rooms.
  • Supporting @mentions and notifications to draw attention to specific team members.

3.4 AI-Powered Features & Intelligent Assistance

  • Summarizing lengthy chat conversations to help you quickly catch up on discussions.
  • Generating AI-powered summaries of project updates and progress reports.
  • Analyzing tasks and providing intelligent categorization and recommendations.
  • Processing store visit data for automated insights and product analysis.
  • On-device image classification using machine learning to automatically categorize products and items (e.g., furniture type detection) — this processing occurs entirely on your device using Google ML Kit and no image data is transmitted to external servers.

3.5 Push Notifications & Alerts

  • Sending real-time push notifications about new chat messages, project updates, and team activity.
  • Delivering notification alerts for team invitations, design comments, and mentions.
  • Notifying you of important project milestones, deadlines, and status changes.

3.6 Offline Functionality & Data Synchronization

  • Maintaining a local copy of your project data on your device for offline access.
  • Automatically synchronizing local changes with our cloud servers when connectivity is restored.
  • Resolving data conflicts that may arise from concurrent offline and online edits.
  • Monitoring network connectivity to seamlessly transition between online and offline modes.

3.7 Error Monitoring, Crash Reporting & App Improvement

  • Collecting crash reports, error logs, and performance metrics to identify and fix bugs.
  • Analyzing user interaction breadcrumbs to understand the sequence of actions leading to errors.
  • Monitoring app performance to optimize loading times, responsiveness, and reliability.
  • Tracking session data and environment details to reproduce and resolve issues.
  • We use Sentry for this purpose, which may collect personally identifiable information (PII) including user IDs and session details to aid in debugging.

3.8 Usage Tracking & Billing

  • Monitoring AI feature token consumption for metered subscription plans.
  • Tracking audio recording duration for usage-based billing.
  • Measuring storage consumption (uploaded files, images, videos) against plan limits.
  • Generating monthly usage summaries and estimated cost breakdowns per user and organization.
  • Enforcing subscription plan limits and triggering upgrade prompts when limits are approached.

3.9 SMS Communication

  • Delivering one-time passwords (OTP) to your phone number for authentication.
  • Sending SMS invitations to phone numbers of team members you invite to your organization or projects.
  • We use MSG91 as our SMS gateway provider for these communications.

4. Third-Party Services & Data Processors

We rely on the following third-party service providers to operate, maintain, and improve the App. Each provider acts as a data processor on our behalf and is contractually obligated to protect your data. Below is a detailed description of each service, what data is shared, and why.

4.1 Supabase (Authentication, Database & File Storage)

  • Provider: Supabase, Inc.
  • Purpose: Supabase serves as our primary backend infrastructure providing user authentication, relational database storage, real-time data subscriptions, and cloud file storage.
  • Data Shared:
    • Account credentials (phone number, email) for authentication and OTP delivery.
    • All user profile data (name, email, phone, avatar, subscription status).
    • All project data, team records, chat messages, updates, designs, store visits, and selections.
    • Uploaded media files (images, videos, audio recordings, documents) stored in Supabase Storage buckets.
    • Real-time event data for live synchronization across devices.
  • Data Location: Supabase cloud infrastructure (data center location depends on project configuration).
  • Privacy Policy: https://supabase.com/privacy

4.2 Firebase (Google Cloud — Push Notifications)

  • Provider: Google LLC
  • Purpose: Firebase Cloud Messaging (FCM) is used to deliver push notifications to your device.
  • Data Shared:
    • Device FCM registration tokens (unique identifiers for routing notifications to your device).
    • Notification payloads including title, body text, and metadata for routing to the correct screen.
    • Basic device information (platform, OS version) for notification delivery optimization.
  • Data NOT Shared: We do not use Firebase Analytics, Firebase Crashlytics, or any other Firebase products beyond Cloud Messaging.
  • Data Location: Google Cloud infrastructure (global).
  • Privacy Policy: https://firebase.google.com/support/privacy

4.3 PowerSync (Offline Database Synchronization)

  • Provider: JourneyApps (Pty) Ltd
  • Purpose: PowerSync enables offline-first functionality by synchronizing a local SQLite database on your device with our cloud database (Supabase).
  • Data Shared:
    • All relational project data that needs to be available offline (projects, messages, updates, team data, designs, store visits).
    • Sync metadata including timestamps and change logs for conflict resolution.
    • User authentication tokens for securing the sync connection.
  • On-Device Processing: PowerSync maintains a local SQLite database on your device. This data is stored in the App's sandboxed storage area and is not accessible to other apps.
  • Data Location: PowerSync cloud infrastructure.
  • Privacy Policy: https://www.powersync.com/privacy

4.4 Sentry (Error Tracking & Performance Monitoring)

  • Provider: Functional Software, Inc. (Sentry)
  • Purpose: Sentry is used for real-time error tracking, crash reporting, and performance monitoring to help us identify, diagnose, and fix issues in the App.
  • Data Shared:
    • Crash reports including stack traces, error messages, and exception details.
    • Session data including session ID, duration, and status.
    • Device information (model, OS version, app version, memory usage).
    • User action breadcrumbs — a trail of actions the user took leading up to a crash or error.
    • Environment details (development, staging, or production).
    • Personally Identifiable Information (PII): Sentry is configured with sendDefaultPii enabled, which means user-identifying information such as user IDs and session identifiers may be included in error reports to aid debugging.
  • Sampling Rate: In production, we sample 20% of performance transactions. In non-production environments, 5% of transactions are sampled.
  • Data Retention: Error and crash data is retained by Sentry for up to 90 days.
  • Data Location: Sentry cloud infrastructure (United States).
  • Privacy Policy: https://sentry.io/privacy/

4.5 OpenAI (AI-Powered Summarization & Analysis)

  • Provider: OpenAI, L.L.C.
  • Purpose: OpenAI's language models power the App's AI summarization features including chat summarization, update summarization, and task analysis.
  • Data Shared:
    • Chat message content (text messages from conversations selected for summarization).
    • Project update text content selected for summarization.
    • Task descriptions and context for AI-powered task analysis.
    • No images, audio, video, or personal account information is sent to OpenAI.
  • Important Note: Message content sent to OpenAI is processed according to OpenAI's data usage policies. We recommend reviewing OpenAI's privacy policy to understand how they handle data received via their API.
  • User Control: AI summarization features are entirely optional. You initiate them manually — no data is automatically sent to OpenAI without your action.
  • Data Location: OpenAI cloud infrastructure (United States).
  • Privacy Policy: https://openai.com/privacy/

4.6 MSG91 (SMS Gateway)

  • Provider: Walkover Web Solutions Pvt Ltd (MSG91)
  • Purpose: MSG91 is our SMS service provider used for delivering OTP codes for authentication and sending team invitation SMS messages.
  • Data Shared:
    • Recipient phone numbers (your phone number for OTP, or team member phone numbers for invitations).
    • SMS message content (OTP codes, invitation text with links).
    • Sender identification details.
  • Data NOT Shared: No project data, messages, files, or other personal content is shared with MSG91.
  • Data Location: MSG91 infrastructure (India-based).
  • Privacy Policy: https://msg91.com/privacy-policy

4.7 Google ML Kit (On-Device Machine Learning)

  • Provider: Google LLC
  • Purpose: Google ML Kit provides on-device image labeling capabilities used to automatically classify and categorize product images (e.g., detecting whether an item is a chair, sofa, table, bed, or other furniture type).
  • Data Shared: None. All image processing occurs entirely on your device using a pre-downloaded TensorFlow Lite model. No images, classification results, or any other data is transmitted to Google servers for this feature.
  • On-Device Model: The App includes a bundled machine learning model (FurnitureModel.tflite) that runs locally on your device's processor.
  • Privacy Policy: https://developers.google.com/ml-kit/terms

4.8 Syncfusion (Document Processing)

  • Provider: Syncfusion, Inc.
  • Purpose: Syncfusion libraries are used for viewing PDF documents and generating Excel (XLSX) reports within the App.
  • Data Shared: None. All document viewing and generation occurs locally on your device. No document content is transmitted to Syncfusion servers.
  • On-Device Processing: PDF rendering and Excel file generation are performed entirely on-device.
  • Privacy Policy: https://www.syncfusion.com/privacy-policy

5. Data Storage, Retention & Security

5.1 Where Your Data Is Stored

Your data is stored across multiple layers to provide reliable, fast, and offline-capable service:

  • Cloud Database (Supabase): All relational data including user accounts, projects, team members, messages, updates, designs, store visits, selections, and associated metadata is stored in Supabase's cloud-hosted PostgreSQL database.
  • Cloud File Storage (Supabase Storage): All uploaded media files — including images (photographs, profile pictures, product images, design documents), videos, audio recordings (voice messages), and document files (PDFs, spreadsheets) — are stored in Supabase Storage buckets organized by content type.
  • Local SQLite Database (PowerSync): A synchronized copy of your relational data is maintained in a local SQLite database on your device. This enables offline access and faster data loading.
  • Local Preferences (Shared Preferences): App settings, theme preferences, authentication tokens, and user preferences are stored locally on your device.
  • Local Cache (Flutter Cache Manager): Downloaded images, thumbnails, and frequently accessed media files are cached on your device for performance optimization. Cache is automatically managed and old entries are periodically cleared.
  • Error Tracking (Sentry Cloud): Crash reports, error logs, and performance data are stored on Sentry's cloud infrastructure in the United States.
  • Notification Service (Firebase Cloud): FCM device tokens and notification delivery logs are stored on Google's Firebase infrastructure.

5.2 Data Retention Periods

We retain your information for the following periods:

  • Account Data:
    • Retention Period: Until account deletion
    • Details: Your profile, authentication credentials, and account settings are retained as long as your account is active.
  • Project Data:
    • Retention Period: Lifetime of the project/organization
    • Details: Project details, areas, scope of work, and configurations are retained as long as the associated project or organization exists.
  • Chat Messages:
    • Retention Period: Lifetime of the chat room
    • Details: Messages, attachments, and read receipts are retained as long as the chat room exists within the project.
  • Media Files:
    • Retention Period: Lifetime of the parent record
    • Details: Images, videos, audio files, and documents are retained as long as the associated message, update, or project record exists.
  • Updates & Comments:
    • Retention Period: Lifetime of the project
    • Details: Project updates, comments, and engagement data are retained for the duration of the project.
  • Design Documents:
    • Retention Period: Lifetime of the project
    • Details: Design files, comments, and view history are retained for the duration of the project.
  • Store Visit Records:
    • Retention Period: Lifetime of the project
    • Details: Store visits, product records, and pricing history are retained for the duration of the project.
  • Error Logs & Crash Reports:
    • Retention Period: Up to 90 days
    • Details: Sentry retains error and crash data for a maximum of 90 days.
  • Usage Logs:
    • Retention Period: 12 months rolling
    • Details: Feature usage logs and monthly summaries are retained for billing and analytics for up to 12 months.
  • SMS Delivery Logs:
    • Retention Period: As per MSG91 policy
    • Details: MSG91 retains SMS delivery logs per their own data retention policy.
  • Push Notification Tokens:
    • Retention Period: Until token refresh or account deletion
    • Details: FCM tokens are updated when they refresh and removed when the account is deleted.
  • Backup Data:
    • Retention Period: Up to 30 days after deletion
    • Details: Database backups may retain deleted data for up to 30 days for disaster recovery purposes.

5.3 Security Measures

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted between the App and our servers is encrypted using HTTPS with TLS 1.2 or higher. This includes API calls, file uploads/downloads, real-time sync connections, and push notification delivery.
  • Encryption at Rest: Data stored in our cloud database and file storage is encrypted at rest using industry-standard AES-256 encryption provided by our infrastructure providers.
  • Authentication Security:
    • Phone-based OTP authentication with time-limited codes.
    • Session tokens with automatic expiration and refresh mechanisms.
    • Secure token storage on-device using platform-specific secure storage.
  • Application Security:
    • Sensitive credentials (API keys, database URLs, service keys) are stored in environment variables and are never hardcoded in the distributed application.
    • Cryptographic hashing (SHA-256) is used for data integrity verification.
    • Input validation and sanitization to prevent injection attacks.
  • Infrastructure Security:
    • Cloud infrastructure with built-in DDoS protection, firewall rules, and access controls.
    • Regular security updates and patches applied to all server-side components.
    • Access to production systems restricted to authorized personnel only.
  • Local Device Security:
    • Local SQLite database is stored within the App's OS-level sandboxed storage, inaccessible to other applications.
    • Cached files are stored in the App's private cache directory.
    • App data is protected by the device's lock screen and biometric security.

5.4 Offline Data Security

When the App operates in offline mode:

  • Data is stored in a local SQLite database within the App's sandboxed storage directory.
  • The local database is protected by the operating system's application isolation mechanisms.
  • Queued uploads (images, audio, documents) are stored in the App's private storage area until connectivity is restored.
  • Upon reconnection, queued data is transmitted to the server over encrypted HTTPS connections.
  • Sync conflicts are resolved using timestamp-based conflict resolution.

5.5 Data Breach Response

In the event of a data breach that affects your personal information:

  • We will investigate and assess the breach within 72 hours of discovery.
  • We will notify affected users and relevant regulatory authorities as required by applicable law.
  • We will take immediate steps to contain the breach and prevent further unauthorized access.
  • We will provide you with information about the breach and recommended protective actions.

6. Data Sharing & Disclosure

We do not sell, rent, trade, or otherwise commercially transfer your personal information to outside parties. We may share your information only in the following specific circumstances:

6.1 Within Your Organization & Project Teams

  • Your profile information (name, phone number, email, profile picture, role) is visible to other members of your organization within the App.
  • Project data, messages, updates, designs, and documents you create are shared with other members who have access to the same project.
  • Chat messages are visible to all participants of the respective chat room.
  • This sharing is inherent to the App's collaborative nature and is necessary for team functionality.

6.2 With Third-Party Service Providers

  • We share data with the third-party services detailed in Section 4 strictly for the purposes of operating, maintaining, and improving the App.
  • Each provider processes data on our behalf under contractual obligations to protect your information.
  • We do not authorize these providers to use your data for their own marketing or unrelated purposes.

6.3 For Legal Compliance & Protection

We may disclose your information if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable governmental request.
  • Enforce our Terms of Service or other agreements.
  • Protect the rights, property, or safety of Vasskep, our users, or the public.
  • Detect, prevent, or address fraud, security, or technical issues.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets:

  • Your information may be transferred as part of the transaction.
  • We will notify you via email and/or a prominent notice within the App prior to your information being subject to a different privacy policy.
  • You will have the opportunity to delete your account before such a transfer takes effect.

6.5 With Your Explicit Consent

We may share your information for purposes not described in this policy only with your explicit, informed consent.

6.6 Aggregated & Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. For example, we may share general usage statistics or feature adoption trends.


7. AI & Automated Processing

7.1 AI-Powered Chat & Update Summarization

TraceLite offers AI-powered summarization features to help you quickly understand long conversations and project updates:

  • How It Works: When you request a summary, the text content of the selected chat conversation or project update is sent to OpenAI's API servers. OpenAI's language model processes the text and returns a concise summary, which is then displayed to you within the App.
  • What Data Is Sent: Only the text content of messages or updates selected for summarization. No images, audio files, video files, or personal account information is included in the API request.
  • User Control: Summarization is always initiated manually by you. No content is automatically sent to OpenAI. You decide when and what to summarize.
  • Token Usage Tracking: The number of AI tokens consumed by each summarization request is logged for billing and usage tracking purposes.
  • Data Retention by OpenAI: Data sent to OpenAI via their API is subject to OpenAI's data usage and retention policies. We recommend reviewing their privacy policy for details.

7.2 AI-Powered Task Analysis

  • The App can analyze project updates and generate task summaries and categorizations using AI.
  • Task-related text content is sent to OpenAI for processing.
  • Results are displayed within the App and stored as part of your project data.

7.3 On-Device Machine Learning (Image Classification)

  • Technology: Google ML Kit with a custom TensorFlow Lite model (FurnitureModel.tflite).
  • Purpose: Automatically classifying and labeling store visit product images into categories such as chairs, sofas, tables, beds, lighting, and other furniture types.
  • Privacy Guarantee: All image classification processing occurs entirely on your device's local processor. No images are uploaded to any external server (including Google) for this feature. The ML model is bundled with the App at installation time.
  • Results: Classification labels are stored locally and synced to our cloud database as part of the product record metadata (text labels only; no images are sent for processing).

7.4 No Automated Decision-Making

We do not use AI or automated processing to make decisions that have legal or similarly significant effects on you. AI features in TraceLite are assistive tools designed to help you work more efficiently, not to make decisions on your behalf.


8. Your Rights & Choices

You have the following rights regarding your personal information. To exercise any of these rights, please contact us using the details in Section 14 or use the in-app options where available.

8.1 Right to Access

  • You can access your personal information (name, email, phone, profile picture, subscription status) through the App's Profile and Settings screens.
  • You may request a complete copy of all personal data we hold about you by contacting us.

8.2 Right to Rectification (Update/Correct)

  • You can update your profile information directly within the App at any time.
  • If you discover inaccurate information that you cannot correct yourself, contact us and we will rectify it.

8.3 Right to Deletion (Right to Be Forgotten)

  • You can request deletion of your account through the App's Settings screen using the "Delete Account" option.
  • Upon account deletion:
    • Your personal profile data will be removed from our active database.
    • Your authentication credentials will be revoked.
    • Content you created within shared projects (messages, updates, comments) may be retained in anonymized form for the continuity of other team members' project records.
    • Backup copies may retain your data for up to 30 days after deletion.
    • Data already transmitted to third-party services (Sentry error logs, OpenAI API logs) will be retained per their respective retention policies.

8.4 Right to Data Portability

  • You may request a copy of your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
  • We will provide this data within 30 days of your request.

8.5 Right to Restrict Processing

  • You may request that we restrict processing of your personal data under certain circumstances (e.g., while we verify the accuracy of your data or if processing is unlawful).

8.6 Right to Object

  • You may object to the processing of your personal data for certain purposes.
  • If you object, we will cease processing unless we have compelling legitimate grounds that override your interests.

8.7 Right to Withdraw Consent

  • Where processing is based on your consent (e.g., contact access, AI features), you may withdraw consent at any time.
  • Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

8.8 Device Permission Controls

You can manage device-level permissions at any time through your device settings:

  • iOS: Settings > TraceLite > Toggle individual permissions (Camera, Microphone, Contacts, Photos).
  • Android: Settings > Apps > TraceLite > Permissions > Toggle individual permissions.
  • Revoking a permission will disable the corresponding feature but will not affect other App functionality.

8.9 Push Notification Controls

  • Disable all notifications: Settings > Notifications > TraceLite > Toggle off.
  • Per-channel controls (Android): You may control notification categories individually on Android devices.

8.10 Data Export

  • You can request an export of your projects and data by contacting us. We will provide the data in a commonly used format within 30 days.

8.11 Complaint to Supervisory Authority

  • If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.
  • If you are located in India, you may file a complaint with the Data Protection Board of India under the Digital Personal Data Protection Act, 2023.

9. Children's Privacy

  • TraceLite is designed for business and professional use and is not intended for children under the age of 13 (or the minimum age of digital consent in your jurisdiction, which may be higher, e.g., 16 in some EU member states).
  • We do not knowingly collect, solicit, or receive personal information from children.
  • If we discover that we have inadvertently collected personal information from a child under the applicable age threshold, we will take immediate steps to delete such information from our servers and active systems.
  • If you are a parent or guardian and believe your child has provided personal information to us through the App, please contact us immediately using the details in Section 14 so that we can take appropriate action.

10. International Data Transfers

  • Your information may be transferred to, stored in, and processed in countries other than your country of residence. Specifically, our service providers operate infrastructure in the following regions:
    • United States: Supabase (database & storage), Sentry (error tracking), OpenAI (AI processing), Firebase/Google Cloud (push notifications).
    • India: MSG91 (SMS gateway).
    • Other Regions: PowerSync and Syncfusion may process data in additional regions per their infrastructure.
  • These countries may have data protection laws that differ from those in your jurisdiction. By using the App, you consent to the transfer of your information to these countries.
  • Safeguards for International Transfers:
    • We ensure that all third-party service providers are contractually obligated to protect your data to standards consistent with this Privacy Policy.
    • For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate transfer mechanisms.
    • All data transfers occur over encrypted channels (HTTPS/TLS).

11. Cookies & Tracking Technologies

  • Cookies: The App does not use browser cookies as it is a native mobile application, not a web application.
  • Local Storage Technologies: The App uses the following local storage mechanisms on your device:
    • Shared Preferences: Stores app settings, theme preferences, authentication state, and environment configuration.
    • SQLite Database: Stores synced project data for offline access via PowerSync.
    • File Cache: Stores cached images and media for performance via Flutter Cache Manager.
    • Hive Database: May store key-value data for app preferences and local state.
  • Third-Party Tracking: We do not use any advertising trackers, marketing pixels, or behavioral analytics SDKs. The only analytics-related service is Sentry, which is used exclusively for error tracking and crash reporting, not for behavioral analytics or advertising.
  • Do Not Track (DNT): While the App is not a web browser and does not receive DNT headers, we respect user privacy preferences and do not engage in cross-app tracking or behavioral advertising.

12. Changes to This Privacy Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
  • Material Changes: For significant changes that affect how we collect, use, or share your personal data, we will:
    • Post a prominent in-app notification about the updated policy.
    • Update the "Last Updated" date at the top of this document.
    • Where required by law, seek your renewed consent before applying the changes.
  • Minor Changes: For non-material changes (e.g., formatting, clarifications), we will update the policy and the "Last Updated" date without additional notice.
  • Your Responsibility: We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes are posted constitutes your acceptance of the updated policy.
  • Access to Previous Versions: You may request previous versions of this Privacy Policy by contacting us.

13. Compliance & Legal Framework

This Privacy Policy is designed to comply with the following data protection laws and platform requirements:

13.1 General Data Protection Regulation (GDPR) — European Economic Area

  • Legal Basis for Processing: We process your data based on: (a) your consent, (b) performance of a contract (providing our services), (c) our legitimate interests (improving the App, ensuring security), and (d) legal obligations.
  • Data Protection Officer: For GDPR-related inquiries, contact us at the address provided in Section 14.
  • Rights: GDPR grants you rights to access, rectify, erase, restrict, port, and object to processing of your personal data (see Section 8).

13.2 California Consumer Privacy Act (CCPA) — California, USA

  • Categories of Personal Information Collected: Identifiers, commercial information, internet activity, geolocation (approximate), audio/visual information, and professional information.
  • Sale of Personal Information: We do not sell your personal information.
  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete: You may request deletion of personal information we have collected.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

13.3 Digital Personal Data Protection Act, 2023 (DPDPA) — India

  • Data Fiduciary: Vasskep acts as the Data Fiduciary responsible for processing your personal data.
  • Consent: We obtain your consent before collecting and processing personal data. You may withdraw consent at any time.
  • Data Principal Rights: You have the right to access, correct, and erase your personal data, and to raise a grievance regarding it.
  • Data Localization: We comply with any data localization requirements as mandated by the Indian government.

13.4 Apple App Store Guidelines

We comply with Apple's App Store Review Guidelines Section 5.1 (Privacy), including:

  • Providing this comprehensive privacy policy.
  • Requesting only necessary permissions with clear purpose strings.
  • Accurately declaring data collection practices in the App Store privacy nutrition labels.
  • Supporting account deletion as required by Apple.

13.5 Google Play Store Policies

We comply with Google Play's User Data policy, including:

  • Providing prominent disclosure of data collection practices.
  • Accurately completing the Data Safety section in the Play Console.
  • Handling personal and sensitive user data securely.
  • Supporting user data deletion requests.

14. Contact Us

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, your personal data, or our data protection practices, please contact us through any of the following channels:

Vasskep

  • Email: support@vasskep.com
  • Website: https://www.vasskep.com

Response Time:

  • We aim to respond to all privacy-related inquiries within 15 business days.
  • For data access, portability, or deletion requests, we will fulfill your request within 30 calendar days of verification.
  • For urgent matters (e.g., suspected data breaches), we will prioritize and respond as quickly as possible.

Escalation:

  • If you are not satisfied with our response, you may escalate your concern to the relevant data protection authority in your jurisdiction (see Section 8.11).

This privacy policy was last reviewed and updated on March 20, 2026.

Version 1.0

Last updated: 27 Oct, 2024

VASSKEP AI PRIVATE LIMITED © 2025, All rights reserved.