Offload

Legal

Privacy Policy

Effective: 6 July 2026  ·  Version 2.0

← Home Terms of Service → Delete your data →

The promise

Offload keeps your documents in your memory by keeping them on your phone. Your IDs, registrations, licenses, plate and passport numbers, scans, and the dates that matter — Pax reads them and reminds you, and none of it is ever uploaded to us. By default it never leaves your device at all. It's stored encrypted, on your phone. Scanning and text recognition happen entirely on-device — the camera image and the text read from it are never sent anywhere, to us or anyone else.

If you choose to turn on backup, only an encrypted copy that you alone can unlock is saved to your own Google Drive — we can't read it and neither can Google. That's the one and only place your document data can go, and only if you ask for it.

A few other narrow things leave your phone for specific reasons: processing a purchase, an anonymous crash report so the app doesn't stay broken, and feedback you choose to send. This policy says exactly what, when, and to whom — in plain language, because vagueness is its own kind of dishonesty.

We do not sell your data. We do not run ads. We do not read your documents. We do not share your data with anyone beyond the named service providers below, and never for advertising or profiling.

01 Who's responsible for the limited data that reaches us

You stay in control of your information. Offload keeps your documents on your device — we never receive them, store them, or look at them. For that data there is no one "responsible" but you, because it never reaches us.

The only personal data we are responsible for is what you choose to send:

  • the feedback you submit (your message plus basic app and device details — never your documents), and
  • anonymous crash reports (if enabled), which only help us fix problems.

(Purchases and subscriptions are handled by the App Store / Google Play and RevenueCat — see Section 3 — and are not stored by us.)

For that limited data — and only that — the responsible party (the "data controller" under laws such as the GDPR) is the independent developer who operates Offload. You can reach us about any privacy matter, including the rights in Section 8, at [email protected].

If you are in the EU/EEA or UK and believe we have not resolved a concern, you also have the right to lodge a complaint with your local supervisory authority. If you are in Kuwait, this policy is also intended to meet the consent and purpose-limitation requirements of Law No. 20 of 2014 Concerning Electronic Transactions: we collect only what is named in Section 3, only for the stated purpose, and only with your action (using a feature that requires it) as the trigger.


02 What stays on your device — and is never collected

The core of Offload is local-first. The following is created and stored only on your device, in the app's local storage, and is never transmitted to us or to any third party through the app:

  • Document and item details you add or scan: names, national/Civil ID numbers, passport numbers, vehicle plate and VIN/chassis numbers, license and registration numbers, issue and expiry dates, fees, notes.
  • Photos and scans of your documents and cards, and any attachments you add.
  • Birthdays added to the in-app calendar.
  • Your service log / history, reminders, and preferences.
  • Your app-lock PIN (stored only as a salted SHA-256 hash — the PIN itself is never stored) and your biometric setting (biometric matching is handled entirely by your device's operating system; Offload never sees your fingerprint or face data).
  • If you enroll a PIN-recovery email address, it is stored only in your device's secure storage (Android Keystore / iOS Keychain) — not on our servers. It is only transmitted to send you the one-time recovery code described in Section 3.

Scanning and text recognition (OCR) happen entirely on your device using on-device libraries. The image and the text read from it are not sent anywhere.

Encrypted at rest. On your device, your data is stored in an encrypted (SQLCipher) database; scan images are separately encrypted; your app-lock PIN and the encryption keys live in your device's secure hardware store (Android Keystore / iOS Keychain). Raw text read by OCR during a scan is not retained.

No automatic cloud backup. Offload deliberately disables your device's automatic operating-system backup (Android Auto Backup and iCloud backup) for its data. Unless you turn on Encrypted Backup (below), nothing is copied to any cloud, and nothing transfers when you set up a new device.

Optional Encrypted Backup to your own Google Drive (off by default). You may choose to enable backup. If you do, you sign into your own Google account and set a backup password. Offload then encrypts a copy of your data on your device (AES-256-GCM, key derived from your password with PBKDF2-SHA-256 at 600,000 iterations) and uploads only that encrypted file to a private, app-only folder in your Google Drive. Your scan images are not included — only structured details. Your password and encryption key never leave your device. Because the encryption happens before upload, neither we nor Google can read your backup — only someone with your password can. There is no recovery if you forget it: the backup is, by design, unrecoverable without your password. You can turn backup off and delete the backup file at any time.

Because this data never leaves your device, we cannot access it, recover it, or delete it for you — it is yours alone. Deleting the app, or using the in-app "erase all data" control (see Section 8), removes it.


03 What does leave your device — and exactly when

Offload connects to outside services only in these specific situations. For each, we name the processor, the data involved, and why.

Service (processor) What is sent When it happens Where the processor operates
RevenueCat, Inc. (purchases) A pseudonymous app-user identifier tied to your account (so your purchases and any promotional access aren't lost to a throwaway per-install ID) — no email, name, or payment details; plus purchase/subscription receipt data and basic device and network information (incl. IP address) Only if you open the store/paywall or make/restore a purchase United States
Sentry (Functional Software, Inc.) (crash reports) Anonymous crash diagnostics: error type and stack trace, app version, device model and OS version. Sentry is configured to not collect your IP address or other default personal identifiers, and messages are scrubbed for obvious personal data before sending Only in released builds, only when a crash occurs United States / EU
Supabase (feedback) A random, reinstall-resettable install ID; the message text you type; the category you pick; app version; platform; OS version; device locale; and your current plan name Only when you choose to send feedback European Union (Frankfurt, Germany)
Supabase Auth (PIN recovery & optional account linking) The email address you provide, and a one-time 6-digit code sent to it. For PIN recovery, the verification session is discarded immediately after the code is confirmed. If you choose to link your email in Settings, a signed-in session is kept on your device until you sign out — your documents still never leave your phone Only if you enroll a recovery email or link your email — at enrollment, on "Forgot PIN", and when signing in European Union (Frankfurt, Germany)
Resend (email delivery) Delivers the one-time-code emails above on our behalf: your email address and the code-bearing message, sent from [email protected] Whenever a one-time code email is sent to you European Union (Ireland)
open.er-api.com (currency rates) A request for current exchange rates. No personal data is included — only your IP address, as with any internet request When the app refreshes currency conversion rates —
Google Drive (optional Encrypted Backup) An end-to-end-encrypted copy of your structured data (see Section 2), stored in a private, app-only "App Data" folder in your own Google account — invisible in your regular Drive file list. We never receive it; Google stores only ciphertext it cannot read Only if you turn backup on, then on your schedule Your Google account

Apart from the opt-in, end-to-end-encrypted backup to your own Google Drive, we do not transmit your documents, scans, IDs, plate/passport numbers, or any item content to RevenueCat, Sentry, Supabase, Google, or any other service — and the backup itself is encrypted on your device so no one but you can read it.

Note on payments: purchases are processed by Apple (App Store) or Google (Google Play) and brokered by RevenueCat. Offload never sees or stores your payment-card details. Your purchase is governed by Apple's or Google's terms in addition to ours.


03a Google API Services — Limited Use disclosure

Offload's optional Encrypted Backup feature uses the Google Drive API, scoped narrowly to drive.appdata — a private, per-app storage area that is not visible in your general Drive and that Offload cannot use to see, list, or touch any other file in your Google account.

Offload's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Concretely:

  • Data accessed via the Drive API is used only to store and retrieve your own encrypted backup file — never for any other purpose.
  • It is never used for advertising, and never sold, shared with, or transferred to any other party.
  • It is never read by humans — the backup content is encrypted on your device before it reaches Google's servers, and we hold no key that could decrypt it.
  • No data obtained via the Drive API is used to train any AI/ML model, generalized or otherwise.

04 Why we process this data (purposes and legal bases)

For users in jurisdictions that require a legal basis (e.g. EU/UK under the GDPR; Saudi/UAE/Bahrain under the applicable PDPL), the bases are:

Purpose Data Legal basis
Provide the core reminder service On-device data (Section 2) Performance of a contract with you / your consent by using the app. Processing is local; no transfer to us.
Process and restore purchases and subscriptions RevenueCat data (Section 3) Performance of a contract (delivering the plan you bought)
Keep the app stable and fix crashes Sentry crash diagnostics Legitimate interests (maintaining a working product), balanced against your rights, with an opt-out provided
Respond to feedback you send Supabase feedback data Your consent, given by choosing to submit feedback
Verify your identity to reset a forgotten PIN Recovery email + one-time code (Supabase Auth) Your consent, given by choosing to enroll a recovery email
Show amounts in your currency FX rate request Legitimate interests (a useful display feature); no personal data sent

05 Device permissions

Offload asks only for what a given action needs, and explains why in context:

  • Camera / Photos — to scan or attach a document or card. Images are processed on-device; you choose each one.
  • Notifications — to deliver Pax's reminders. Reminders are scheduled and shown locally by your device.
  • Biometric / Fingerprint — for the optional app lock. Matching is done by your operating system; Offload never receives biometric data.

You can change or revoke any of these in your device settings at any time.


06 How long data is kept (retention)

  • On-device data: kept until you delete the item, use "erase all data", or uninstall the app. We hold no copy and impose no retention period because we never receive it.
  • Purchases (RevenueCat / Apple / Google): retained per those providers' policies for as long as needed to manage your subscription and for legal/financial record-keeping.
  • Crash reports (Sentry): retained for a limited diagnostic window per Sentry's configured retention, then deleted.
  • Feedback (Supabase): kept for up to 24 months, or until you request earlier deletion (Section 8) — whichever comes first.
  • PIN-recovery email: kept on your device only until you remove it in Settings, reset the app, or uninstall. Supabase Auth's own OTP delivery logs are transient and expire on their standard short-lived schedule.

07 Crash reporting

Offload uses Sentry to send anonymous crash diagnostics from released builds only — never from local development or testing. This is configured to omit your IP address and other default identifiers, and message text is scrubbed for anything that looks like personal data before it leaves your device. You can turn this off at any time in Settings → SECURITY & DATA → "Share anonymous crash reports" — the change stops reporting immediately and applies fully from the next launch.


08 Your rights and how to use them

Depending on where you live, you have some or all of these rights: access a copy of your data; correct it; delete it ("right to be forgotten"); export/port it; object to or restrict processing; and withdraw consent at any time. We do not discriminate against you for exercising any right.

Because Offload is local-first, most of these you exercise directly on your device:

  • Access / export: your data lives in the app; document details and history are viewable and (where supported) exportable in-app.
  • Correction: edit any item directly.
  • Deletion: delete any item, or use Settings → erase all Offload data to remove everything on the device. Uninstalling also erases all local data.

For data held by our processors (feedback and recovery email in Supabase, crash reports in Sentry, purchase records in RevenueCat), email [email protected] and we will action your request, normally within 30 days. See also our dedicated data deletion page.

California residents (CCPA/CPRA): we do not "sell" or "share" personal information as those terms are defined, and we do not process it for cross-context behavioral advertising — so no "Do Not Sell or Share My Personal Information" action is required. You retain the rights to know, delete, and correct, exercisable via the contact above.


09 International data transfers

Our Supabase database and authentication run in the European Union (Frankfurt, Germany), and our email delivery (Resend) in the European Union (Ireland). RevenueCat operates in the United States, and Sentry in the United States/EU. Where transfers outside your region are required (e.g. for EU/EEA, UK, or Saudi/UAE/Bahrain users), they rely on appropriate safeguards — Standard Contractual Clauses and the processors' Data Processing Agreements — which we maintain with each provider.


10 Children

Offload is listed with an 18+ target audience on the Google Play Store and is not directed to or designed for children. We do not knowingly collect personal data from children. If you believe a child has provided data through feedback or PIN recovery, contact us and we will delete it.


11 Security

Your document data is stored in an encrypted database (SQLCipher) on your device, with scan images separately encrypted and the encryption keys and app-lock PIN held in your device's secure hardware store (Android Keystore / iOS Keychain). Access is further protected by your device's own security (lock screen, OS sandboxing) and Offload's optional app lock (biometric and/or hashed PIN). Any optional Encrypted Backup is encrypted on your device before it leaves (end-to-end), so it is never readable by us or by Google. Data in transit to the processors in Section 3 is encrypted (HTTPS/TLS). No method is perfectly secure, but we minimize risk by keeping document data off the network by default and encrypting it both at rest and — when you back up — in your own cloud.


12 Changes to this policy

If we change how Offload handles data, we will update this policy, change the version and effective date above, and — for material changes — surface a notice in the app. Continued use after an update means you accept the revised policy.


13 Contact

Questions, requests, or complaints: [email protected]


← Home Terms of Service →
Offload
His Memory. Your Peace.
Contact Privacy Terms Data deletion