v0.1 · Effective 22 April 2026
Privacy Policy
Keeper of Things
Last Updated: 2026-04-22
We do not sell your personal information. We never have and we never will.
1. Introduction
Keeper of Things ("KOT", "we", "us", "our") is a mobile inventory management app that helps you track, organise, and manage your belongings. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what rights you have over it.
Data Controller: Keeper of Things
Contact: support@keeperofthings.app
Privacy contact: privacy@keeperofthings.app
This policy applies to:
- The Keeper of Things mobile application (Android and iOS)
- Our associated cloud services (backend infrastructure and server-side services)
- Any web interface we operate
This Privacy Policy should be read together with our Terms of Service, which govern your use of the Service.
If you are located in the European Union or United Kingdom, Keeper of Things is the data controller responsible for your personal information under the GDPR and UK GDPR. If you are located in California, this policy also satisfies your rights under the CCPA/CPRA. If you are located in Australia, this policy complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
2. What Information We Collect
2.1 Account and Authentication Data
When you create an account we collect:
| Field | Source | Purpose |
|---|---|---|
| Email address | You provide it | Account creation and login |
| Password (hashed) | You provide it | Authentication — we never see your plaintext password |
| Display name | Optional, you provide it | Personalisation |
| Profile photo URL | Optional, you provide it | Personalisation |
| Account identifier | Auto-generated | Uniquely identifies your account across our services |
| Email verified status | Firebase | Security |
| Account creation timestamp | Firebase | Account management |
| Last active timestamp | Our systems | Security and abuse prevention |
We use email/password authentication only. We do not offer social sign-in (no Google, Apple, or Facebook login).
2.2 Inventory Content
Everything you add to your inventory is stored and associated with your account:
| Data | Description |
|---|---|
| Item names, descriptions, tags | The details you enter for each item |
| Categories, locations | How you organise your items |
| Item metadata | Brand, colour, model number, serial number, and other optional fields |
| Quantity | How many of an item you own |
| QR codes | Codes you generate or scan for items/locations |
| Warranty information | Expiry date, provider, notes — entered by you |
| Timestamps | When items and locations were created or updated |
This is the core content of the app. Without it, the app cannot function.
2.3 Photos and Images
When you photograph items or upload images:
- Item photos are stored in secure cloud storage in a private area accessible only to your account.
- AI detection photos are source images sent to our AI pipeline. They are stored in your private Storage area while the related review batch exists, and are deleted when the batch is deleted and no accepted items still reference that source image.
- Exported PDFs are stored in your private storage area and are accessible only via a short-lived (7-day) access link. Exports are deleted when you delete your account.
- Standard item/manual uploads support JPEG, PNG, WebP, and GIF up to 15 MB per file.
- AI detection source uploads are JPEG-only and capped at 8 MB per file.
2.4 AI Processing Data
When you use the AI item detection feature:
- Your photo is sent to the Google Gemini API for analysis. The analysis request contains no personally identifying information about you.
- Gemini returns detected item names, descriptions, tags, and bounding boxes. This data is stored securely in your account until you complete the review.
- To power duplicate detection, we use Gemini to generate a numerical representation of each item's characteristics (name, description, category, brand, colour, model, and tags). This representation is stored with the item and contains no photos or identifiable information.
- Gemini AI is operated by Google. See Google's AI/ML Privacy.
2.5 Subscription and Billing Data
We use RevenueCat to manage subscriptions:
- We pass your account identifier to RevenueCat to link your subscription to your KOT account. We do not pass your name or email to RevenueCat.
- RevenueCat independently collects device identifiers and your purchase receipt from the App Store or Google Play. We do not receive or store your payment card number or full purchase receipts.
- We receive subscription status updates from RevenueCat and store the following in your user record: plan ID, subscription status, product ID, store (App Store/Google Play), entitlement ID, billing period end date, and cancellation status.
- See RevenueCat's Privacy Policy.
2.6 Usage and System Data
| Data | Description |
|---|---|
| AI credit usage ledger | A log of how many AI credits were granted, used, or refunded per transaction. The log contains no item-level PII. |
| Item and location counts | Running totals stored in your user record to enforce plan limits |
| Storage usage (MB) | Counter used to enforce storage limits |
| Security/audit log | Internal server-side log of security-relevant operations (account changes, plan enforcement, abuse prevention). May include your IP address where collected for security purposes. Readable only by KOT administrators. |
We do not use any third-party analytics SDKs (no Amplitude, Mixpanel, or similar). We do not use crash-reporting SDKs (no Sentry or Crashlytics). We do not use advertising SDKs.
2.7 Household / Account Sharing Data
If you create or join a shared household:
- We store the household name, your role (owner or member), the display name and email address of each member (denormalised for display), and join timestamps.
- Invitations store the invited email address, a secure invitation token, and the inviting user's account identifier.
2.8 Feedback and Support Communications
If you submit in-app feedback or contact support:
- We store: your message (up to 5,000 characters), your user ID, your email address, the feedback type, your platform (iOS/Android), and app version.
- Feedback may be shared with our development team for review and action. If you submit a bug report, the content of your report may be shared internally with third-party developer tools used to track issues. No personal information beyond the report content is shared.
- Feedback is readable only by KOT administrators.
2.9 Push Notifications
Push notifications are local only. We do not register your device with APNs or FCM, and we do not store any device push tokens on our servers. All notification scheduling happens on your device.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the app — account creation, authentication, and syncing your inventory | Account data, inventory data, photos | Performance of contract |
| AI item detection and duplicate identification | Photos, item embeddings | Performance of contract |
| Subscription management and plan enforcement | Subscription/billing data, usage counters | Performance of contract |
| Account sharing (household feature) | Household and member data | Performance of contract |
| Security — detecting abuse, enforcing usage limits, maintaining audit trails | Usage data, credit ledger, security/audit logs, timestamps, IP addresses (where collected) | Legitimate interests (our interest in keeping the service secure and preventing abuse) |
| Customer support and responding to feedback | Feedback, email | Performance of contract / Legitimate interests |
| Service improvement — understanding how features are used (internal, aggregated) | Anonymised usage patterns | Legitimate interests |
| Legal compliance — responding to lawful requests | As required | Legal obligation |
We do not use your data for advertising, behavioural profiling, or any purpose unrelated to providing and improving the Keeper of Things service.
4. How We Share Your Information
4.1 Third-Party Service Providers
We share data only with the providers necessary to operate the app:
| Provider | What Is Shared | Why |
|---|---|---|
| Google Firebase | All data described in Section 2 | Core infrastructure — authentication, database, file storage, and server-side processing |
| RevenueCat | Account identifier only | Subscription billing and entitlement management |
| Google Gemini API | Photos submitted for AI detection; item text fields for duplicate detection | AI item detection and duplicate detection |
4.2 Household Members
If you are in a shared household, other members of that household can see:
- Items and locations you choose to share (based on the household configuration)
- Your display name and email address as shown in the member list
4.3 Legal Requirements
We disclose personal information when required to do so by law or in good faith belief that such action is necessary to comply with a legal obligation, protect the rights or safety of KOT or our users, or investigate fraud.
4.4 We Do Not Sell Your Data
We do not sell, rent, trade, or otherwise share your personal information with any third party for their own commercial purposes. This applies to all users including California residents (CCPA) and EU/UK residents (GDPR).
5. Data Transfers
Keeper of Things is based in Australia. The services we use are operated primarily in the United States:
| Transfer | Recipient | Safeguards |
|---|---|---|
| All app data | Google Firebase (Google LLC, USA) | EU Standard Contractual Clauses (SCCs); Google Cloud Terms of Service |
| Subscription data | RevenueCat Inc., USA | RevenueCat DPA and SCCs |
| AI processing | Google Gemini API (Google LLC, USA) | Google Cloud SCCs |
For users in the EU and UK, these transfers are protected by Standard Contractual Clauses approved by the European Commission under GDPR Article 46. Google and RevenueCat both participate in the UK International Data Transfer framework.
For users in Australia, we disclose under APP 8 that your data is transferred to and processed by Google and RevenueCat in the United States. We take reasonable steps to ensure these providers protect your data to a standard comparable to the Australian Privacy Principles. By using the app, you acknowledge these cross-border transfers.
[Placeholder for legal review]: If KOT exceeds 250 employees or engages in substantial EU data processing, an EU/UK representative must be appointed under GDPR Article 27. Confirm with legal counsel.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, display name, settings) | Until you delete your account, plus our cloud provider's standard backup window (typically up to 7 days) |
| Inventory items and locations | Until you delete them individually or delete your account |
| Photos and uploaded images | Until you delete the item or your account; AI detection source images remain while their review batch exists and are deleted when the batch is deleted and no accepted items still reference the source image |
| AI review batches (detected items, results) | Until you complete the review or delete your account |
| Subscription/billing data | Until you delete your account |
| AI credit usage ledger | Until you delete your account |
| Exported PDFs | Until you delete your account |
| Household data | Your membership is removed on account deletion; shared household and other members' data may persist |
| In-app feedback | Retained by administrators; no automatic deletion. Contact support@keeperofthings.app to request deletion. |
| Transactional emails (household invitation emails) | Processed by our email delivery service; metadata retained per that service's defaults. Contact support@keeperofthings.app to request deletion. |
| System and audit logs | Retained per our service provider's defaults (typically 30–365 days depending on service) |
When you delete your account, we initiate deletion of your account credentials, all inventory data, stored photos, and associated usage records. Due to asynchronous deletion processes and backup windows, complete deletion may take up to 30 days.
7. Your Rights
7.1 Rights for EU and UK Users (GDPR / UK GDPR)
You have the following rights regarding your personal data:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you | Email support@keeperofthings.app |
| Rectification | Correct inaccurate or incomplete data | Edit directly in the app, or email us |
| Erasure ("right to be forgotten") | Request deletion of your data | Use in-app account deletion, or email us |
| Restriction | Ask us to stop processing your data (in limited circumstances) | Email support@keeperofthings.app |
| Data portability | Receive your data in a structured, machine-readable format | Email support@keeperofthings.app |
| Object | Object to processing based on legitimate interests | Email support@keeperofthings.app |
| Withdraw consent | Where processing is based on consent, withdraw it at any time | Email support@keeperofthings.app or adjust in-app settings |
We respond to all GDPR requests within 30 days. If a request is complex, we may extend this by a further two months and will notify you.
You also have the right to lodge a complaint with your national data protection authority (for EU users) or the Information Commissioner's Office (for UK users: ico.org.uk).
7.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected from you (subject to certain exceptions).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information, so there is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.
Sensitive Personal Information under CCPA: Photos of your belongings and warranty receipts may qualify as sensitive personal information under CCPA. We use photos only to provide the AI detection feature and inventory storage you request. We do not use them for inferring characteristics or targeted advertising.
To submit a CCPA request, email support@keeperofthings.app with the subject line "California Privacy Request". We will respond within 45 days.
7.3 Rights for Australian Users (Privacy Act / APPs)
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs):
How we comply with the APPs:
- APP 1 (Transparency): This Privacy Policy is publicly available and clearly describes our data practices.
- APP 3 (Collection): We collect only personal information that is reasonably necessary to provide the Service. See Section 2.
- APP 5 (Notification of collection): We notify you of what we collect, why we collect it, and who we disclose it to via this Policy, presented before or at the time of collection.
- APP 6 (Use and disclosure): We use your information only for the purposes described in Section 3 and do not disclose it to third parties except as described in Section 4.
- APP 8 (Cross-border disclosure): We transfer your data to overseas recipients (Google and RevenueCat in the USA) and take reasonable steps to ensure they protect it to an equivalent standard. See Section 5.
- APP 11 (Security): We take reasonable technical and organisational measures to protect your information from misuse, interference, loss, and unauthorised access. See Section 10.
Your rights under the APPs:
- You have the right to access personal information we hold about you (APP 12).
- You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
- You have the right to complain to us about a breach of the APPs. We will respond within 30 days.
- If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise your rights, contact support@keeperofthings.app.
8. Account Deletion
In-App Deletion
You can delete your account directly within the app:
- Open the app's account/profile menu and choose Delete Account.
- Confirm the deletion.
- We immediately initiate deletion of your account, all inventory data, stored photos, and associated usage records.
Deletion via Support
If you are unable to delete your account in-app, email support@keeperofthings.app with the subject line "Account Deletion Request". We will process your request within 7 business days.
What Happens After Deletion
- Your authentication record, inventory data, photos, and usage data are deleted.
- Household membership: you are removed from any shared household. Items you contributed to a household may persist for remaining members if they are considered shared resources under the household configuration.
- Feedback you submitted to us is retained unless you separately request its deletion.
- System and audit logs may retain anonymised references for up to 30 days per our service provider's defaults.
9. Children's Privacy
Keeper of Things is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.
For users in the European Union, the minimum age for consent to digital services under GDPR Article 8 is 16 years (or lower in member states that have lowered the threshold). If you are under 16 and in the EU, you should not use KOT without verifiable parental or guardian consent.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe we may have collected information from a child under 13, contact us at support@keeperofthings.app.
10. Data Security
We take reasonable technical and organisational measures to protect your personal information:
| Measure | Detail |
|---|---|
| Encryption in transit | All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher |
| Encryption at rest | Your data is encrypted at rest by our cloud storage provider using industry-standard AES-256 encryption |
| Access controls | Each user's data is protected by server-side access controls that restrict read and write access strictly to the authenticated account holder |
| Server-side integrity | Sensitive fields — subscription status, plan data, AI credit balances — are managed exclusively by our server infrastructure and cannot be modified by the app directly |
| Credential security | API credentials are stored in a dedicated secure secrets management service and are never embedded in the app |
| Time-limited access links | Exported files are accessible only via short-lived (7-day) access links, not permanent public URLs |
| Minimal data principles | We do not send personally identifying information to AI providers. Photo metadata (EXIF) is not intentionally extracted or stored by KOT. |
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and notify affected users without undue delay where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last Updated" date at the top of this document.
- For material changes (new data types collected, new third-party sharing, new purposes, or reduced rights), notify you via an in-app notice or email before the change takes effect.
- For minor, non-substantive changes (clarifications, formatting, corrections), update the policy without separate notification.
A "material change" is any change that meaningfully affects your privacy rights, the categories of data we collect, or the parties with whom we share your data.
Continued use of the app after the effective date of a material change constitutes acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the app and delete your account.
12. Contact Us
For any privacy questions, requests, or complaints:
Keeper of Things
Email: support@keeperofthings.app
Privacy: privacy@keeperofthings.app
Please include "Privacy Request" in the subject line so we can route your enquiry promptly.
Data Protection Complaints — EU/UK
If you are in the EU or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:
- EU users: Contact your national data protection authority (a full list is available at edpb.europa.eu)
- UK users: Contact the Information Commissioner's Office at ico.org.uk/make-a-complaint
Australian Privacy Complaints
If you are in Australia and not satisfied with our response to a privacy complaint, you may contact:
Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au
Phone: 1300 363 992
Version History
| Version | Effective Date | Status |
|---|---|---|
| v0.1 | 22 April 2026 | Current |