Privacy Policy
Effective date: April 25, 2026 · Last updated: April 25, 2026
This Privacy Policy describes how Antiquer: Antique Identification & Appraisal ("Antiquer," "we," "us," or "our") collects, uses, and protects your information. This policy applies to the Antiquer mobile application (the "App").
Also see our Terms of Service and Support.
Who We Are
Data Controller: Anton, individual developer
Location: Batumi, Georgia
Contact: support@byanton.dev
Website: byanton.dev
As a small-scale individual developer, we are not required to appoint a Data Protection Officer under GDPR Article 37. For all privacy inquiries, contact us at the email above.
Summary: Antiquer identifies antiques and collectibles from photos you take. Photos are sent to Google Gemini (via our Cloudflare Workers proxy) for AI analysis — only after you explicitly accept the in-app AI Consent disclosure. We collect no name, email, location, contacts, or tracking identifiers. Identification results are stored only on your device. We do not sell your data, and your photos are never used to train AI models.
1. AI System Disclosure (EU AI Act Article 50)
You are interacting with an artificial intelligence system. Specifically:
- Antique identification, appraisal, era estimation, rarity scoring, and related-market data are produced by Google Gemini 2.5 Flash, a multimodal AI model from Google LLC, accessed via Google Vertex AI in the us-central1 region.
- The "Curator" chat feature uses Google Gemini 2.5 Flash (when an image is included) or Google Gemini 2.5 Flash-Lite (text-only) for conversational follow-up.
- AI-generated identifications, valuations, and historical context may contain inaccuracies, omissions, or unexpected outputs. They are not professional appraisals and must not be used as the sole basis for purchase, sale, or insurance decisions. Always consult a qualified human appraiser for high-value items.
- The first time you tap "Scan", Antiquer presents an AI Processing Consent screen that names Google Gemini and Cloudflare and describes the data flow. You may decline; the App will function in read-only mode (browsing your existing archive, settings, and content) without scanning.
2. Information We Collect
2.1 Information You Provide
| Data | Purpose | Storage | Retention |
| Photos you choose to scan | AI antique identification and appraisal | On your device (primary, encrypted SwiftData with @Attribute(.externalStorage)); ephemerally in transit to Google Gemini for the duration of the request | Local: until you delete the item or the App. Cloud: processed in real time, never stored on our servers |
| Identification results | Building your personal collection archive | On your device only (SwiftData) | Until you delete individual items, use Settings → "Delete All Data", or uninstall the App |
| Curator chat messages and replies | Conversational follow-up about a scanned item | On your device only (SwiftData) | Until you clear the conversation or delete the App |
| Currency selection | Showing valuations in your preferred currency | On your device only (UserDefaults) | Until you change it or delete the App |
| Onboarding archetype | Personalising guidance copy | On your device only | Until you delete the App |
2.2 Information Collected Automatically
- Anonymous subscription identifier — generated by RevenueCat to verify Pro entitlement across devices. No name, email, or personal identifier is associated with this ID. (RevenueCat will be enabled with the production app key prior to public release.)
- Anonymous usage signals — via TelemetryDeck (privacy-first analytics, EU-hosted). No personal data, no device identifiers, no cross-app tracking. (Currently stubbed and not actively transmitting; will be enabled with explicit disclosure in a future release.)
- IP address — visible to our Cloudflare Workers proxy only for rate-limit keying (60 requests per 60-second window per IP). The IP is never stored in our KV cache or our identification results, never shared with Google Gemini, and never sold or shared with third parties.
- Locale and app version — sent as standard request headers (X-Locale for AI response language, User-Agent for diagnostics). Visible to Cloudflare in request logs (~24 h retention) and used by Gemini to localise the response language.
2.3 Information We Do NOT Collect
- Email address, phone number, name, physical address
- Location (GPS) — we never request CLLocationManager permission
- Contacts, calendar, microphone, or health data
- Advertising identifiers (IDFA) — we do not use App Tracking Transparency
- Browsing history, cookies, or web tracking pixels
- We do not create user accounts or require registration
- We do not use Apple Sign In, Google Sign In, or any social login
- We do not collect EXIF metadata (GPS, camera serial number) from your photos — only the pixel data needed for identification
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
| Cloud AI identification (Vertex AI / Gemini) | Explicit consent via the in-app AI Processing consent screen shown before your first scan |
| Saving items to your local archive | Consent (you tap "Add to Collection") |
| Camera and photo library access | Consent (iOS permission dialogs) |
| Subscription processing | Contract performance (via Apple StoreKit and RevenueCat) |
| Anonymous usage analytics | Legitimate interest (product improvement) — no personal data involved |
| Rate limiting and abuse prevention | Legitimate interest (service availability and security) |
4. Third-Party Services
Apple Guideline 5.1.2(i) Disclosure: The following named third parties may process your data. Photo data is shared with Google AI services only after you explicitly accept the in-app "AI Processing" consent screen, which names Google Gemini and Cloudflare specifically and describes the data flow.
| Provider | Service | Data Sent | Retention by Provider |
| Google LLC (Vertex AI — Gemini 2.5 Flash) | AI identification, appraisal, valuation, curator chat (multimodal) | Photo (base64, ephemeral) + currency code (e.g. "EUR") + locale (e.g. "de-DE") | Not retained. Not used for model training per Vertex AI / Gemini API enterprise data-usage terms. |
| Google LLC (Vertex AI — Gemini 2.5 Flash-Lite) | Curator chat (text-only follow-up turns) | Conversation history (text only, last ~20 turns) | Not retained. Not used for model training. |
| Cloudflare, Inc. (Workers + KV) | Secure proxy routing between the App and Google's AI APIs; per-IP rate limiting; deterministic result cache (7-day TTL, keyed by SHA-256 of image+currency+locale — not by IP) | Encrypted request body (HMAC-SHA256 signed); IP visible to rate limiter only | Cache: 7 days. Rate-limit counters: 60-second sliding window. No photo storage outside the result cache value, which is deleted automatically on TTL expiry. |
| RevenueCat, Inc. | Subscription management, receipt validation, entitlement verification | Anonymous install ID, subscription status, country code | Retained per RevenueCat privacy policy for the subscription lifetime + audit period |
| TelemetryDeck (Telemetry Deck GmbH, EU) | Privacy-first anonymous usage analytics (currently stubbed; will be enabled in a future release with explicit disclosure) | When enabled: anonymous session signals only — no personal data, no device IDs, no cross-app tracking | When enabled: per TelemetryDeck terms, GDPR-compliant, EU-hosted |
| Apple Inc. (StoreKit) | In-app purchase processing | Managed by Apple per Apple Privacy Policy | Managed by Apple |
All cloud data transfers use TLS 1.3 encryption, HMAC-SHA256 request signing, and a 5-minute timestamp anti-replay window. Photos are transmitted only for the duration of a single identification request and never written to disk on the Cloudflare proxy. The 7-day result cache stores the AI's structured JSON identification (name, era, valuation range, etc.) keyed by a SHA-256 hash of the image bytes — the original photo is not extractable from the cache key.
5. Data Storage and Retention
| Data | Where Stored | Retention Period |
| Photos and identification results | Your device (SwiftData with externalStorage, app sandbox file system) | Until you delete individual items, use Settings → "Delete All Data", or uninstall the App |
| Photos in transit to AI providers | Cloudflare Workers (in memory) → Google Cloud (in memory) | Processed in real time, never written to disk |
| AI identification result cache | Cloudflare Workers KV | 7 days, then automatically deleted; keyed by SHA-256 hash of image+currency+locale, IP-blind |
| Rate limit counters | Cloudflare Workers (Rate Limiting API) | 60-second sliding window, per IP |
| Subscription data | Apple servers, RevenueCat servers | Managed per their respective privacy policies |
You can export all your locally-stored data at any time as a JSON file (Settings → Data & Privacy → Export My Data) and delete all locally-stored data immediately (Settings → Data & Privacy → Delete All Data), which also resets the AI Consent flag so you will be prompted again before the next scan.
6. Children's Privacy
Antiquer is rated 4+ on the App Store and does not contain content inappropriate for children. However, as a tool that uses cloud AI:
- COPPA: We do not knowingly collect personal information from children under 13. If we discover such data was collected, we will delete it immediately.
- GDPR Article 8: For users aged 13–15 in EU member states where the digital age of consent is 16 (Germany, Ireland, Netherlands, France, etc.), parental or guardian consent is recommended for using the cloud AI scan feature.
- We do not sell, share, or use minors' data for advertising or AI model training.
- Parents should supervise children's use of the App, particularly when scanning photos that may contain identifiable individuals or location-sensitive backgrounds.
7. Your Rights
All Users
- Access: Your full archive is visible in the App's Archive tab, and the complete database can be exported as JSON via Settings → Data & Privacy → Export My Data.
- Deletion: Delete individual items by long-pressing them in the Archive, or use Settings → Data & Privacy → Delete All Data to wipe every scan, badge, streak, and reset the AI Consent flag. Uninstalling the App also removes all local data.
- Portability: The exported JSON contains all your scan results with images base64-encoded and timestamps in ISO-8601 format — portable to any system.
- Withdraw AI consent: "Delete All Data" resets the consent flag so the next scan will re-show the AI Processing disclosure. You may decline at that point.
EU/EEA Residents (GDPR)
- Right to access, rectification, erasure, restriction of processing, portability, and objection
- Right to withdraw consent at any time without affecting prior processing
- Right to lodge a complaint with your local data protection authority (e.g., CNIL in France, BfDI in Germany, DPC in Ireland)
- Right not to be subject to solely automated decisions with legal effects — our AI processing is for informational identification only and produces no legal or financial decisions
California Residents (CCPA/CPRA)
- Right to know, delete, correct, and opt-out of sale/sharing
- We do not sell or share your personal information
- We do not use your data for cross-context behavioral advertising
- Automated decision-making: Antiquer uses AI to identify antiques. This is informational processing with no legal or similarly significant effects.
Brazil Residents (LGPD)
- Right to confirmation, access, correction, anonymisation, deletion, portability, and consent withdrawal
- We will respond to data subject requests within 15 days
Turkey Residents (KVKK)
- Right to access, correction, deletion, objection, and compensation for damages
- Cross-border transfers to the US are conducted under appropriate safeguards (see Section 9)
- We will respond to requests within 30 days
Japan Residents (APPI)
- Right to disclosure, correction, cessation of use, and deletion
- Photos that may contain images of individuals are processed only with your explicit consent for cloud AI features
8. Apple Required Privacy Disclosures
8.1 Required Reasons API (PrivacyInfo.xcprivacy)
Antiquer declares the following API usage in its privacy manifest:
| API | Reason |
| UserDefaults | Store app preferences, AI consent flag, currency selection (reason: CA92.1) |
| File timestamp | Display scan dates and sort archive by recency (reason: DDA9.1) |
| Disk space | Verify available storage before saving large photo blobs (reason: 85F4.1) |
| System boot time | Internal logging diagnostics (reason: 35F9.1) |
8.2 App Store Privacy Nutrition Label
Antiquer's App Store privacy label declares the following data types:
| Data Type | Linked to Identity | Used for Tracking | Purpose |
| User Content (Photos) | No | No | App Functionality (AI identification) |
| Diagnostics (Crash Data, Performance Data) | No | No | App Functionality (when TelemetryDeck is enabled) |
| Purchases (Subscription Status) | No | No | App Functionality (entitlement verification via RevenueCat) |
We do not collect any data type not listed above. We do not engage in tracking as defined by Apple's App Tracking Transparency framework.
9. International Data Transfers
Your photo data is transferred to and processed in the United States (Google Cloud Platform, Cloudflare). These transfers are protected by:
- EU-US Data Privacy Framework (where applicable)
- EU Standard Contractual Clauses (SCCs) per GDPR Article 46
- Google Cloud Data Processing Addendum (DPA), GDPR-compliant
- Cloudflare's data processing agreement
- TLS 1.3 encryption in transit and HMAC-SHA256 request signing
- Our commitment to applying equivalent protections regardless of where data is processed
10. Data Security
- All data in transit encrypted using TLS 1.3 (HTTPS)
- All API requests to our Cloudflare Workers proxy are signed with HMAC-SHA256 and a 5-minute timestamp window to prevent tampering and replay attacks
- Per-IP rate limiting (60 requests per 60-second window) protects against abuse without tracking individual users
- App secrets stored in iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly — never iCloud-synced
- Primary photo storage on your device, protected by iOS sandboxing and Secure Enclave
- Server-side photo processing keeps data in memory only — never written to disk on the Cloudflare proxy
- Result cache stores only the structured JSON identification (no photo blob), with a 7-day automatic TTL
- SPKI certificate pinning is implemented (currently in report-only mode for safe rollout; will be enforced after 90 days of clean telemetry)
- No user accounts, no passwords, no saved credentials — minimal attack surface
11. No Tracking, No Advertising
- Antiquer does not track you across apps or websites
- We do not use advertising identifiers (IDFA) or App Tracking Transparency
- We do not display advertisements
- We do not share data with data brokers, ad networks, or analytics providers that build user profiles
- TelemetryDeck (when enabled) is privacy-first, EU-hosted, and does not collect personal data, device IDs, or tracking identifiers
- We do not sell or share your personal information under any circumstances
12. Data Breach Notification
In the unlikely event of a data breach affecting your personal information:
- We will notify affected users within 72 hours of discovery (GDPR, LGPD, KVKK)
- We will notify relevant supervisory authorities as required
- We will take immediate steps to contain and remediate the breach
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through an updated "Last updated" date and, where practicable, through an in-app notification. If the data flow changes (e.g., a new third-party AI provider is added), the AI Consent flag will be reset so users see the updated disclosure before their next scan. Continued use after changes constitutes acceptance.
14. Contact Us
For privacy inquiries, data subject requests, or complaints:
© 2026 Anton. All rights reserved.