Privacy Policy
Effective: 26 April 2026
This Privacy Policy explains how Ada Commerce GmbH (“we”, “us”) processes your personal data when you use the ScanToDrive web application (“Service”) at scantodrive.adacommerce.de. We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data Controller
Ada Commerce GmbH
Neusser Straße 150
41363 Jüchen, Germany
Email: mail@adacommerce.de
Managing director: Enes Adanur. We do not currently designate a Data Protection Officer because the size and scope of our processing does not meet the GDPR threshold (Art. 37 GDPR / § 38 BDSG). You can contact us about any privacy matter via the email above.
2. What ScanToDrive does
ScanToDrive lets you photograph products, business cards, or price tags during trade shows. Our AI extracts structured data (manufacturer, product name, price, contact details, etc.) and writes it directly into your own Google Sheet; the photos are stored in a folder we create inside your own Google Drive. We do not store your photos or extracted product data on our servers — they live in your Google account.
3. Data we process
| Category | Why | Legal basis | Retention |
|---|---|---|---|
| Google account name, email, profile picture, Google user ID | Authenticate you and link captures to your account | Art. 6(1)(b) GDPR — contract performance | Until account deletion |
| OAuth refresh + access tokens for Google Drive and Google Sheets | Write photos and rows into your own Drive/Sheets on your behalf | Art. 6(1)(b) GDPR — contract performance | Until you sign out, revoke access in your Google account, or delete your ScanToDrive account |
| List metadata you create (list names, column schema) | Provide the Service | Art. 6(1)(b) GDPR | Until you delete the list or your account |
| Encrypted third-party API keys (Google Gemini, Elimapi — both optional) | Run AI extraction and optional 1688/Taobao market lookups with your own quota | Art. 6(1)(a) GDPR — your consent | Until you remove the key or delete your account. Stored encrypted at rest with AES-256-GCM. |
| API usage telemetry (model, tokens, cost in micro-cents) | Show you the cost dashboard (“Verbrauch & Kosten”) | Art. 6(1)(b) GDPR | Until you press “Reset counter” in settings or delete your account |
| Server access logs (IP address, user agent, timestamps) | Operate, troubleshoot, and secure the Service | Art. 6(1)(f) GDPR — legitimate interest | Up to 14 days, then deleted |
| Photos and extracted product data (manufacturer, price, specifications, etc.) | Stored only in your Google Drive / Google Sheet. Briefly held in our database while the offline sync queue uploads them, then deleted. | Art. 6(1)(b) GDPR | Removed from our database immediately after successful sync (typically <5 seconds). Persisted only in your Google account, which you control. |
4. Cookies and similar technologies
We use only strictly necessary cookies. They are essential for the Service to function, do not require consent under § 25(2) TTDSG, and are not used for tracking or advertising:
- Auth.js session cookie (authjs.session-token) — keeps you signed in. HttpOnly, Secure, SameSite=Lax. JWT, signed with our server secret, ~30 days.
- Locale cookie (scantodrive-locale) — remembers whether you chose German, English, or Russian. ~1 year.
We do not use Google Analytics, Meta Pixel, or any other tracking pixel. We do not embed third-party advertising.
5. Recipients and processors
We share data with the following processors, all engaged under a Data Processing Agreement (Art. 28 GDPR) where applicable:
- Google Ireland Ltd. / Google LLC — OAuth authentication, Google Drive (your photos), Google Sheets (your rows), Google Gemini API (AI extraction). Data may be transferred to the United States; Google is certified under the EU-U.S. Data Privacy Framework and we additionally rely on Standard Contractual Clauses (Art. 46 GDPR).
- Elimapi (Hangzhou Elim Technology) — only if you enable the 1688/Taobao market comparison feature. Receives the Chinese keywords your AI extracted, not your photos or contact data. You can disable this in Settings at any time. Data may be transferred to China; we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and your explicit opt-in (Art. 49(1)(a) GDPR).
- Hosting (Dockup.ai / managed hosting) — runs the application servers and PostgreSQL database. Servers are in the EU.
We do not sell, rent, or share your data with advertisers, brokers, or any other third party.
6. Google API Services User Data Policy
ScanToDrive’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use the drive.file scope, which limits access to files our application creates or that you explicitly open with our app. We do not see anything else in your Drive.
- We use the spreadsheets scope only to write rows into Sheets you have linked to a list inside ScanToDrive.
- We use Google user data only to provide and improve user-facing features visible in the application UI.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for advertising, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data, except: with your affirmative agreement for specific messages; for security purposes (e.g. abuse investigation); to comply with law; or where the data has been aggregated and anonymised for internal operations.
7. AI processing (Google Gemini)
When you press “AI suggestions”, the photos you capture are sent to the Google Gemini API together with the column schema of your list. Gemini returns extracted fields, which we display in the form for you to review. The API key used belongs to you (you provide it in Settings), and the call is billed against your Google AI Studio quota — not ours. Per Google’s Gemini API Additional Terms, data sent through paid Gemini endpoints is not used to train Google’s models.
8. Data transfers outside the EU
Some processors (Google, Elimapi) operate servers outside the EU. Transfers are protected by either an adequacy decision (UK), the EU-U.S. Data Privacy Framework, and/or Standard Contractual Clauses adopted by the EU Commission. You may request a copy of the relevant safeguards by contacting us.
9. Your rights
You have the following rights under GDPR:
- Access (Art. 15) — receive a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion of your account and associated data. Use Settings → Sign out, then email us, or revoke our access at myaccount.google.com/permissions.
- Restriction (Art. 18) and objection (Art. 21) — limit or oppose processing.
- Portability (Art. 20) — receive your data in a machine-readable format. Most data is already in your own Google Sheet, which is fully portable.
- Withdraw consent (Art. 7(3)) — withdraw any consent you previously gave (e.g. by removing your Gemini key in Settings).
- Lodge a complaint with a supervisory authority. Our lead supervisory authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
10. Data security
We protect your data with TLS 1.3 in transit, AES-256-GCM at rest for sensitive fields (API keys), HTTP-only signed session cookies, strict Content-Security-Policy headers, Strict-Transport-Security, and rate limiting. Database access is limited to the application; backups are encrypted.
11. Children
ScanToDrive is a B2B trade-show tool and is not directed at children under 16. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this Privacy Policy as the Service evolves. The “Effective” date at the top reflects the latest revision. Material changes will be communicated in-app or by email before they take effect.
13. Contact
Questions or requests regarding this Privacy Policy or your personal data: mail@adacommerce.de.