Privacy Policy - UketoAI

Privacy Policy

Last updated: April 4, 2026

1. Introduction

UketoAI ("we", "us", or "the App") is a smart document recognition application that uses AI technology to extract information from images of business cards, receipts, and other documents. This Privacy Policy explains how we collect, use, store, and protect your information.

This policy applies to users of the App in Taiwan and Japan, and has been prepared in accordance with the following laws:

  • Taiwan's Personal Data Protection Act
  • Japan's Act on the Protection of Personal Information (APPI)

2. Information We Collect

2.1 Account Information

When you first open the App, an account is automatically created. We collect the following information:

  • Device UUID: A unique identifier automatically generated and stored in your device's Keychain (synced via iCloud Keychain)
  • iCloud ID: Your CloudKit record identifier, collected only if you opt into iCloud sync (optional)

Purpose of collection: To identify your device, manage your account, and enable cross-device sync (if opted in).

Method of collection: Automatically generated on your device (Device UUID), or optionally provided by you (iCloud sync).

2.2 Usage Data

We collect the following usage records to manage your subscription and quota:

  • Number of scans performed (quota usage counts)
  • Subscription status and tier
  • Session information (login timestamps, device type)
  • Image metadata: file size and MIME type only (not the image itself)
  • AI processing logs: token counts, processing latency, and error status

Purpose of collection: To track usage quota for free and paid plans, manage subscription status, monitor service performance, and improve service quality.

2.3 What We Do NOT Collect or Store

  • Images: We do not store any images you scan on our servers. Images are sent to Google Gemini (Vertex AI) for real-time processing and are immediately discarded after processing is complete.
  • Recognition Results: AI recognition results are returned directly to your device and stored only on your device locally (using Apple SwiftData). We do not store recognition results on our servers.
  • Email Address: We do not collect or store your email address. No email-based sign-in is used.

3. How We Use Your Information

  • To identify your device and manage your account
  • To track usage quota for free and paid plans
  • To manage your subscription status
  • To improve our service quality and features

We will not use your personal information for purposes other than those stated above. If we need to change the purpose of use in the future, we will notify you in advance and obtain your consent.

4. Third-Party Services

UketoAI uses the following third-party services, each handling data as described below:

4.1 Google Gemini / Vertex AI (Google LLC, United States)

  • Purpose: Image recognition and data extraction.
  • Processing: Images are processed through Google Vertex AI cloud endpoints using Gemini models. The processing location is determined by Google's infrastructure and may be outside Japan and Taiwan (including but not limited to the United States).
  • Data retention: Images are used for real-time processing only and are not retained after processing is complete.
  • Data protection measures: Google Cloud holds internationally recognized security certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27701, and SOC 2/3. We have a Data Processing Addendum (DPA) with Google Cloud, ensuring that data is processed in accordance with security management measures equivalent to those required by Japan's APPI and Taiwan's Personal Data Protection Act.
  • Google does not use your image data for model training or any other purposes.

4.2 Apple App Store / StoreKit 2 (Apple Inc.)

  • Purpose: In-app purchases, subscription management, and payment processing.
  • Processing: All payment transactions are processed by Apple. We only receive transaction identifiers, product IDs, and subscription status from Apple. We do not have access to your payment method, credit card information, or billing address.

4.3 Google AdMob (Google LLC)

  • Purpose: To display advertisements to free-tier users only. Premium and Ultimate subscribers do not see ads.
  • Processing: AdMob is configured to serve non-personalized ads only (npa=1). It may still collect a limited set of device data (such as IP-based coarse region and ad request metadata) solely to deliver and measure contextual ads. We do not perform cross-app or cross-website tracking and do not use the IDFA.
  • Additional iOS system-wide ad controls:
    • This App already disables personalized ads. If you want to further limit Apple's system-wide ad personalization, go to Settings > Privacy & Security > Apple Advertising and turn off "Personalized Ads".

4.4 Firebase (Google LLC)

  • Purpose: Push notifications (Firebase Cloud Messaging) and minimum app version checks (Remote Config).
  • Processing: Firebase receives your device push notification token (APNs token) for delivering notifications. Remote Config checks are anonymous. Firebase integration is optional and the App functions without it.

4.5 Apple CloudKit (Apple Inc.)

  • Purpose: Optional iCloud sync for scan records and custom scan templates.
  • Processing: If you enable iCloud sync, your scan records and custom scan templates are synced to your iCloud account via Apple's CloudKit service. This feature is opt-in and disabled by default. Data is stored in your personal iCloud account and managed by Apple.

5. Cross-Border Data Transfers

To provide this service, your data may be transferred to the following locations for processing and storage:

Data TypeStorage/Processing LocationNotes
Account data and usage recordsJapan (Google Cloud asia-northeast1 region)Stored on servers within Japan
AI image processingGoogle global infrastructure (may include the United States and other countries)Not retained after real-time processing
Push notification tokensGoogle global infrastructure (Firebase)Used for push notification delivery only

5.1 Notice for Users in Japan

In accordance with Article 28 of Japan's Act on the Protection of Personal Information (provision to a third party in a foreign country), we hereby inform you of the following:

  • Destination countries for data transfer: The United States (headquarters of Google LLC) and other countries where Google's infrastructure is located.
  • Personal data protection systems in destination countries: The United States has not been recognized by the Personal Information Protection Commission of Japan as a country with a personal data protection system equivalent to that of Japan.
  • Protective measures we have taken: Our Data Processing Addendum (DPA) with Google Cloud stipulates security management measures that Google must comply with, providing a level of protection equivalent to that required by Japan's APPI. We verify Google Cloud's compliance status at least once per year.

For more information about Google Cloud's APPI compliance: https://cloud.google.com/security/compliance/appi-japan

5.2 Notice for Users in Taiwan

In accordance with Taiwan's Personal Data Protection Act, we hereby inform you that some of your data (AI image processing) may be transferred outside of Taiwan for processing. We have confirmed that the data recipients have appropriate security measures in place.

5.3 Your Consent

When you first use the App's AI scanning feature, we will present an in-app pop-up clearly explaining the cross-border data transfers described above and requesting your explicit consent. You may withdraw this consent at any time in the App's settings; however, withdrawing consent will prevent you from using the AI scanning feature.

6. Data Storage and Security

  • Account data is stored on secure servers located in Japan (Google Cloud asia-northeast1), with all transmissions encrypted (TLS 1.2 or above).
  • Recognition results are stored only on your device using Apple's SwiftData framework.
  • Authentication uses JWT (JSON Web Tokens) with access tokens (short-lived) and refresh tokens (30-day TTL), rotated on each use.
  • Rate limiting is enforced globally (20 requests/second per IP) and per-user (3 seconds between scans) to prevent abuse.
  • We employ industry-standard security measures to protect your data, including but not limited to access controls, data encryption, and security audits.

7. Data Retention

  • We retain your account information and usage records for as long as your account is active.
  • When you delete your account, all associated server-side data will be permanently removed immediately.
  • Upon account deletion, subscription records and AI usage logs are anonymized (unlinked from your identity) and retained for analytics and audit purposes.
  • Session tokens have a 30-day TTL and are automatically cleaned up after expiration.
  • Local data on your device can be removed by deleting the App.
  • Data from AI image processing is not retained and is discarded immediately after processing is complete.

8. Your Rights

In accordance with Taiwan's Personal Data Protection Act and Japan's Act on the Protection of Personal Information, you have the following rights:

  • Right of access: You have the right to request access to, review, or obtain a copy of your personal data.
  • Right of correction: You have the right to request supplementation or correction of your personal data.
  • Right of deletion: You have the right to request deletion of your personal data.
  • Right to cease processing: You have the right to request that we stop collecting, processing, or using your personal data.
  • Right to cease cross-border transfer: You have the right to request that we stop transferring your personal data outside the country (however, doing so will prevent you from using the AI scanning feature).
  • Right to withdraw consent: You have the right to withdraw your previously given consent at any time.

To exercise any of the above rights, please contact us through the following: pcj.studio.tw@gmail.com

We will respond to your request within 30 days of receipt. No fees will be charged before or after exercising the above rights.

9. Data Breach Notification

In the event of a personal data breach, we will act in accordance with applicable laws:

  • Taiwan: In accordance with the Personal Data Protection Act, we will notify affected users through appropriate means.
  • Japan: In accordance with Article 26 of the APPI, we will promptly notify affected users upon discovery of a data breach and report the incident to the Personal Information Protection Commission (PPC).

10. Children's Privacy

This App is not intended for children and adolescents under the age of 16. We do not knowingly collect personal information from anyone under 16 years of age. If you are a parent or guardian and discover that your child has provided us with personal information without your consent, please contact us and we will promptly delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the following means:

  • Push notifications within the App
  • An in-app pop-up notification
  • Updating this page and revising the "Last updated" date

If the changes involve how your personal data is used, we will obtain your renewed consent before the changes take effect.

12. Complaints and Inquiries

If you have any questions or concerns about this Privacy Policy or how we handle personal data, you may reach out through the following channels:

Contact us directly:

Email: pcj.studio.tw@gmail.com

File a complaint with a regulatory authority:

13. Governing Law

The interpretation and application of this Privacy Policy shall be governed by the following laws based on the user's region:

  • Users in Taiwan are subject to the laws of the Republic of China (Taiwan).
  • Users in Japan are subject to the laws of Japan.

This policy is available in multiple languages. In the event of any discrepancy between versions, interpretation shall be governed by the applicable local laws, and the final right of interpretation belongs to UketoAI.