The Short Version
This Privacy Policy explains how Cruelty Check ("we," "us," or "our") collects, uses, stores, and shares information when you use our mobile application ("App") available on iOS and Android, and our website at crueltycheck.app (collectively, the "Services").
By using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Services.
Who We Are
Cruelty Check is a company registered in the United States. For the purposes of applicable data protection laws, Cruelty Check is the data controller responsible for your personal information.
Our Data Protection contact is reachable at admin@crueltycheck.app.
Data We Collect
We collect information in the following ways, depending on how you interact with the Services:
2.1 Information you provide directly
- Account registration: If you create an account, we collect your email address and chosen display name. Account creation is optional — the core scanning feature works without an account.
- Support requests: If you contact our support team, we collect the content of your message, your email address, and any attachments you send.
- Feedback and reviews: If you submit a brand correction, a missing product report, or other feedback, we collect that submission along with optional contact details you provide.
2.2 Information collected automatically
- Barcode scan data: When you scan a barcode, the barcode number (EAN/UPC) is transmitted to our servers to perform a database lookup. We do not store a history of your individual scans linked to your identity unless you are signed in and have opted into Scan History (which you may disable at any time in Settings).
- Device information: Device type, operating system and version, app version, unique device identifiers (such as IDFV on iOS and Android ID on Android), and mobile network information.
- Usage data: App interactions such as screens viewed, features used, and time spent. This data is aggregated and anonymized where possible.
- Crash reports and diagnostics: If the app crashes, we automatically collect a crash report that may include stack traces, device state, and app version information. This data does not include personally identifiable information.
- Log data (website): IP address, browser type and version, pages visited, time and date of visit, time spent on pages, and referring URLs.
2.3 Information we do not collect
2.4 Camera permission
The App requests camera access solely to scan barcodes. The camera feed is processed locally on your device to detect a barcode. Only the decoded barcode number is sent to our servers — no images are transmitted or stored.
How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the barcode lookup service | Barcode numbers, device identifiers | Contractual necessity |
| Account management | Email address, display name | Contractual necessity |
| Sending transactional emails (password reset, etc.) | Email address | Contractual necessity |
| Improving app performance and fixing bugs | Crash reports, usage data | Legitimate interests |
| Brand Watch notification alerts | Email address, watched brands list | Consent (opt-in) |
| Responding to support requests | Email address, support message content | Legitimate interests |
| Legal compliance and fraud prevention | Log data, IP address | Legal obligation / legitimate interests |
| Aggregate analytics and product research | Anonymised usage data | Legitimate interests |
We do not use your data to serve targeted advertising. We do not build behavioural profiles. We do not sell, rent, or trade your personal data to third parties for their commercial purposes.
Sharing & Disclosure
We share your data only in the following limited circumstances:
4.1 Service providers
We engage trusted third-party vendors to help operate our Services (e.g. cloud hosting, email delivery, crash reporting). These providers process data only on our behalf under written data processing agreements and are prohibited from using your data for their own purposes.
4.2 Legal requirements
We may disclose your information if required to do so by law, regulation, or valid legal process (such as a court order or subpoena), or where we believe disclosure is necessary to protect the rights, property, or safety of Cruelty Check, our users, or the public.
4.3 Business transfers
If Cruelty Check is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to your data becoming subject to a different privacy policy.
4.4 With your consent
We may share your information with third parties in other cases only when you have given us explicit consent to do so.
Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Account data: Retained for the life of your account. Upon account deletion, your profile, email address, and scan history are deleted within 30 days, except where retention is required for legal compliance.
- Scan data (unauthenticated): Individual barcode lookups made without an account are not linked to any identity and are purged from our servers within 24 hours after the lookup is completed.
- Crash reports: Retained for 90 days and then deleted.
- Support correspondence: Retained for 24 months following the resolution of your request.
- Server log data: Retained for 90 days for security and diagnostic purposes.
Security
We implement commercially reasonable technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These include:
- TLS encryption for all data in transit between your device and our servers
- Encryption at rest for databases containing personal information
- Access controls and least-privilege principles for our team
- Regular security reviews and penetration testing
- Secure software development practices
Children's Privacy
The Services are not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal data from a child under the applicable age threshold, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at admin@crueltycheck.app.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
All users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data ("right to be forgotten").
- Withdrawal of consent: Withdraw consent for processing based on consent (e.g. Brand Watch alerts) at any time without affecting the lawfulness of processing before withdrawal.
- Portability: Receive your data in a structured, machine-readable format.
EEA, UK & Switzerland residents (GDPR / UK GDPR)
- Objection: Object to processing based on legitimate interests.
- Restriction: Request restriction of processing while a complaint is resolved.
- Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EEA).
California residents (CCPA / CPRA)
- Right to know what personal information is collected, disclosed, or sold.
- Right to opt out of the sale or sharing of personal information. Note: we do not sell personal information.
- Right to non-discrimination for exercising your rights.
- Right to limit use of sensitive personal information.
To exercise any of these rights, contact us at admin@crueltycheck.app. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
Cookies & Tracking
Our website uses a small number of cookies. The App does not use cookies but uses similar device-level identifiers described in Section 2.2.
| Cookie name | Type | Purpose | Duration |
|---|---|---|---|
| cc_session | Strictly necessary | Maintains your login session on the website | Session |
| cc_csrf | Strictly necessary | Prevents cross-site request forgery attacks | Session |
| cc_prefs | Functional | Stores your cookie consent preference | 12 months |
| _cc_analytics | Analytics (opt-in) | Anonymised page-view analytics (no cross-site tracking) | 13 months |
We do not use advertising cookies, third-party tracking pixels, or social media tracking scripts. You can manage cookie preferences via the cookie banner when you first visit the site, or by adjusting your browser settings.
Third-Party Services
We use the following categories of third-party service providers. All are bound by data processing agreements consistent with applicable data protection law:
- Cloud infrastructure: Servers and databases hosted by a major cloud provider in the United States, with data replicated to the EU for redundancy.
- Email delivery: A transactional email provider for sending password resets, notifications, and support responses.
- Crash reporting: An anonymised crash analytics service that processes device and app-state data but not personal identifiers.
- Product databases: We query third-party cruelty-free databases (such as Leaping Bunny, PETA, and Choose Cruelty Free) to retrieve certification status. Only the brand name is shared with these services as part of each lookup query; no user identity is disclosed.
We do not integrate with social media platforms, advertising networks, or data brokers.
International Data Transfers
Cruelty Check is based in the United States. If you are accessing the Services from the European Economic Area, the United Kingdom, or another jurisdiction with data protection laws that differ from those of the United States, please be aware that your information may be transferred to and processed in the United States.
Where required by applicable law, we rely on appropriate safeguards for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, as applicable.
- Adequacy decisions where available.
- Data Processing Agreements with all sub-processors containing appropriate transfer mechanisms.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Post a prominent notice within the App.
- Where required by law, notify registered users by email at least 30 days before the changes take effect.
We encourage you to review this page periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:
Cruelty Check — Privacy Team
🔒 admin@crueltycheck.app (security disclosures only)
We aim to respond to all privacy-related enquiries within 5 business days, and within the timeframe required by applicable law for formal data subject requests.