Privacy Policy
Last updated: March 20, 2026
This Privacy Policy describes how TortugaApps ("we," "us," or "our") collects, uses, discloses, and protects information when you use our mobile applications (collectively, the "Apps") and our website at tortugahub.app (the "Website"). By using any of our Apps or the Website, you agree to the collection and use of information in accordance with this policy.
If you do not agree with any part of this policy, you should discontinue use of the Apps and the Website immediately.
1. Data Controller
TortugaApps is the data controller responsible for your personal data. For questions or concerns regarding this policy or your data, contact us at privacy@tortugahub.app.
2. Information We Collect
2.1 Account Information
When you create an account, we collect information depending on the sign-in method you choose:
- Email/Password: Your email address and a cryptographically hashed password. We never store your password in plain text.
- Google Sign-In: Your Google account email, display name, and profile photo URL as provided by Google's OAuth service.
- Sign In with Apple: Your Apple ID email (which may be a private relay address) and display name (provided only on first sign-in).
2.2 User Content
When you use the scanning feature, we process and store:
- Photos: Images you submit for analysis. These are uploaded to our secure infrastructure for processing and stored under your personal account.
- Analysis Results: AI-generated identification results, including detected objects, characteristics, and categorization data.
- Organizational Data: Folders you create and the scans you assign to them.
2.3 Usage and Analytics Data
We automatically collect certain information when you use the Apps:
- App Events: Actions such as scans started, scans completed, features used, and screens viewed.
- Device Information: Device type, operating system version, app version, screen resolution, and language settings.
- Performance Data: Crash reports, ANR (Application Not Responding) data, and performance metrics used to improve app stability.
This data is collected through Firebase Analytics (Google Analytics for Firebase) and Firebase Crashlytics. It is used in aggregate to understand usage patterns and improve our Apps. Individual user-level analytics data is retained for 14 months; event-level data is retained for 2 months, in accordance with Firebase default retention policies.
2.4 Advertising Data
For users on the free tier, we display advertisements through Google AdMob. AdMob may collect:
- Device advertising identifiers (IDFA on iOS, subject to App Tracking Transparency consent)
- IP address (for approximate location-based ad targeting)
- Ad interaction data (impressions, clicks, view duration)
Premium subscribers do not see advertisements, and no advertising-specific data is collected for them. You can limit ad personalization through your device's privacy settings.
2.5 Purchase Information
When you subscribe to a premium plan, purchase transactions are processed entirely by the Apple App Store or Google Play Store. We receive only:
- Purchase confirmation tokens (for server-side receipt verification)
- Product identifiers and subscription status
- Platform information (iOS or Android)
We do not receive, process, or store your payment card details, billing address, banking information, or other financial data. All payment processing is handled exclusively by Apple or Google.
2.6 Local Data
Certain preferences are stored locally on your device using standard iOS/Android storage mechanisms and are never transmitted to our servers:
- Theme and language preferences
- Onboarding completion state
- Usage streak data
- Notification preferences
2.7 Information We Do Not Collect
We do not collect:
- Precise geolocation data (GPS coordinates)
- Contacts or address book information
- Biometric data (fingerprints, face scans for identification purposes)
- Health or fitness data
- Financial or banking information
- Phone call logs or SMS messages
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide the Apps and fulfill your account, including AI image analysis, result storage, and account management.
- Legitimate Interest (Article 6(1)(f)): Analytics and performance monitoring to improve app quality, security, and user experience. Our legitimate interest does not override your fundamental rights.
- Consent (Article 6(1)(a)): Personalized advertising (via AdMob), push notifications, and any tracking that requires your explicit consent under applicable law. You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Where we are required to retain or disclose data to comply with a legal obligation.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Process your photos through image analysis, store your scan history, and organize results into folders.
- AI Image Processing: Your uploaded images are sent to Google Vertex AI (Gemini) through our secure Cloud Functions for identification and analysis. Images are processed only to return results to you and are not used for model training.
- Account Management: Authenticate your identity, manage your subscription status, and maintain your account.
- Improve the Apps: Analyze aggregate usage patterns, identify and resolve bugs, optimize performance, and develop new features.
- Display Advertisements: Show ads to free-tier users through Google AdMob. Premium subscribers are exempt from advertising.
- Communications: Send push notifications (with your prior consent), such as usage reminders or important service updates.
- Security and Fraud Prevention: Detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity.
5. AI Image Processing Disclosure
When you scan an object, the following occurs:
- Your photo is encoded and transmitted over an encrypted connection (TLS 1.2+) to our Cloud Functions hosted on Google Cloud Platform.
- The image is forwarded to Google Vertex AI (Gemini) for analysis.
- The AI-generated identification results are saved to your personal Firestore document collection.
- The original image is stored in Firebase Storage under a user-scoped, access-controlled path.
Important disclosures regarding AI processing:
- Images are processed solely to provide you with identification results.
- We do not use your images or results to train, fine-tune, or improve AI models.
- Google Vertex AI processes data under Google Cloud's enterprise terms, which prohibit the use of customer data for model training. See Google Cloud's Data Processing Addendum.
- No personal data beyond the image content itself is shared with the AI service.
6. Third-Party Services
We use the following third-party services to operate the Apps:
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Firebase Authentication | User sign-in and identity management | Link | |
| Cloud Firestore | Storing scan results, folders, and user data | Link | |
| Firebase Storage | Storing user-uploaded photos | Link | |
| Firebase Analytics | App usage analytics and crash reporting | Link | |
| Google AdMob | Advertising (free-tier users only) | Link | |
| Vertex AI (Gemini) | Image analysis and identification | Link | |
| Cloud Functions | Server-side processing pipeline | Link | |
| In-App Purchase | Apple / Google | Subscription payment processing | Apple / Google |
We do not share your personal data with third parties for their own marketing or advertising purposes beyond what is described above.
7. Data Storage and Security
Your data is stored on Google Cloud Platform infrastructure with the following protections:
- Encryption in transit: All data transmitted between the Apps and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in Firebase (Firestore and Storage) is encrypted at rest using AES-256 by default.
- Access control: Firestore security rules enforce that authenticated users can only access their own data. Cross-user access is technically impossible.
- Storage isolation: Your images are stored in user-scoped paths that are inaccessible to other users.
- Infrastructure security: Google Cloud maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications.
While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.
8. Data Retention and Deletion
- Account Data: Retained for as long as your account is active.
- Scan Data and Images: Retained until you delete individual scans, folders, or your entire account.
- Analytics Data: User-level data is retained for 14 months. Event-level data is retained for 2 months.
- Advertising Data: Managed and retained by Google AdMob per their own retention policies.
Account Deletion
You can delete your account at any time through the App (Profile → Settings → Delete Account). When you delete your account:
- Your Firebase Authentication record is permanently deleted.
- Your scan history, folders, and uploaded images are queued for deletion.
- Local data and preferences are cleared from your device.
- Deletion is irreversible. Deleted data cannot be recovered.
If you require complete data erasure beyond self-service deletion, or need a confirmation of deletion, contact us at privacy@tortugahub.app. We will respond within 30 days.
9. Children's Privacy
Our Apps are not directed to children under the age of 13 (or 16 in jurisdictions where a higher minimum age applies under GDPR). We do not knowingly collect personal information from children below the applicable minimum age.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@tortugahub.app. We will take steps to delete such information within a reasonable timeframe.
10. Your Rights
10.1 All Users
Regardless of your location, you can:
- Access all your data within the App (scan history, folders, profile information).
- Delete individual scans, folders, or your entire account at any time.
- Export individual scan results by sharing them from the App.
- Manage notifications through your device's system settings.
- Limit ad personalization through your device's privacy settings.
10.2 European Economic Area, UK, and Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, you have the following additional rights:
- Right of Access (Article 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate personal data.
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing (Article 18): Request that we limit how we use your data.
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact privacy@tortugahub.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
10.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell (if applicable).
- Delete personal information we hold about you, subject to certain exceptions.
- Opt-out of the sale or sharing of your personal information.
- Non-discrimination: Exercise your privacy rights without receiving discriminatory treatment.
- Correct inaccurate personal information.
- Limit use of sensitive personal information to purposes necessary to provide the service.
We do not sell your personal information as defined under CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
To exercise your CCPA/CPRA rights, email privacy@tortugahub.app with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
11. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. These transfers are protected by:
- Google Cloud's Data Processing Addendum, which includes Standard Contractual Clauses (SCCs) approved by the European Commission.
- Google's compliance with applicable data protection frameworks.
By using the Apps, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your own.
12. Cookies and Tracking Technologies
Our Website (tortugahub.app) does not use cookies or tracking technologies. The Apps use standard analytics SDKs (Firebase Analytics) which may use device identifiers as described in this policy.
13. Do Not Track Signals
Our Apps and Website do not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard interpretation of DNT for mobile applications. You can control tracking through your device's privacy settings and App Tracking Transparency prompts on iOS.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- For significant changes, we may notify you through the App or by other reasonable means.
- Continued use of the Apps after the effective date of changes constitutes acceptance of the updated policy.
We encourage you to review this policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a complaint regarding data handling, please contact us:
- Email: privacy@tortugahub.app
- Website: tortugahub.app
- Entity: TortugaApps
We aim to respond to all inquiries within 30 days.