CleanSweep – Privacy Policy

Effective Date: 2025-07-01

1 Who We Are

SK Venture Ltd. ("CleanSweep", "we", "our" or "us") operates the CleanSweep mobile application (the "App"). For all data‑processing activities described in this Policy, SK Venture Ltd. is the data controller under the General Data Protection Regulation ("GDPR") and other applicable privacy laws.

Registered address: 19 Moonstream Court, Mississauga, Ontario L5N 2P8, Canada
Privacy contact: help@cleansweep.photos
EU/UK representative (if required): email help@cleansweep.photos and include "EU Privacy" in the subject line.

2 Scope of this Policy

This Privacy Policy explains how we collect, use, disclose and safeguard personal data when you use the App. It also details your choices and rights. By installing or using the App, you acknowledge that you have read and understood this Policy.

3 Why & How We Process Personal Data

Below we describe each purpose for which we process personal data, the corresponding categories of data, the location of processing, the legal basis (for GDPR‑covered users) and the typical retention period.

App functionality (photo/video similarity analysis & duplicate‑contact cleanup). Data involved: photos, videos, related metadata and contact records. Where processed: entirely on your device. Legal basis: our legitimate interest in delivering the requested feature. Retention: media and contacts are deleted when you delete them or uninstall the App.
Email cleanup (Gmail batch delete feature). Data involved: email subject lines, body content (HTML and plain text), sender/recipient addresses, timestamps, attachment information (filenames only), Gmail labels/categories, message IDs, thread IDs, read/unread status, and email snippets. Where processed: entirely on your device; all communication occurs directly between your device and Gmail's servers (gmail.googleapis.com). Legal basis: performance of our contract with you (i.e., providing the Gmail cleanup service you request). Retention: email data is held temporarily in device memory only while you are viewing or selecting emails for deletion. No email data is cached to disk or persisted after you close the feature or App.
Analytics & diagnostics. Data involved: pseudonymised usage events, device model, operating‑system version, truncated IP address, advertising identifiers. Where processed: Canada or the United States (via PostHog, Meta/Facebook, Google Ads and Apple Identifier services). Legal basis: our legitimate interests in understanding and improving the App; consent where local law requires tracking opt‑in (e.g., App Tracking Transparency or CPRA). Retention: up to 24 months, after which the data is aggregated or deleted.
Subscriptions & purchases. Data involved: Apple transaction identifiers, subscription status, region and limited device information. Where processed: Canada, the United States and Apple's own servers (via RevenueCat). Legal basis: contractual necessity (to deliver paid features) and legal obligation (financial record‑keeping). Retention: up to 7 years for audit and accounting purposes.
Marketing and remarketing audiences. Data involved: advertising identifiers and high‑level in‑app events such as "trial started". Where processed: Canada or the United States (via Meta/Facebook and Google). Legal basis: your consent (GDPR Art. 6(1)(a)); you may opt‑out under CPRA and similar laws. Retention: until consent is withdrawn or a maximum of 24 months.

Note on ads: CleanSweep does not display advertisements inside the App. The analytics events listed above are used only to build external advertising audiences on Facebook and Google.

4 Gmail Data Access, Usage and Protection

CleanSweep's Gmail cleanup feature helps you efficiently batch-delete unwanted emails directly from your device. This section provides detailed information about how we handle your Gmail data in compliance with the Google API Services User Data Policy and Limited Use Requirements.

4.1 Gmail Data We Access

When you sign in with your Google account and grant permission, CleanSweep accesses the following Gmail data using the https://mail.google.com/ API scope:

Email metadata: Subject lines, sender and recipient addresses (From/To headers), timestamps (Date header), message IDs, thread IDs, Gmail labels/categories (e.g., CATEGORY_PROMOTIONS, CATEGORY_SOCIAL), and read/unread status.
Email content: Full email body content in both HTML and plain-text formats, and email snippets (preview text).
Attachment information: Filenames of email attachments (attachment content is not accessed unless you explicitly open an attachment).

4.2 How We Use Gmail Data

Gmail data is used exclusively to provide the email cleanup functionality you request:

Authentication: You sign in via Google OAuth to grant CleanSweep permission to access your Gmail.
Categorization: The App displays your emails organized by Gmail's built-in categories (Promotions, Social, Updates, Forums, Spam). No AI or machine learning is used—we rely entirely on Gmail's existing CATEGORY_* labels.
Browsing: You can browse up to 500 emails per category to review what will be deleted.
Batch deletion: When you select individual emails or tap "Select All," the App uses Gmail's batchDelete API endpoint to permanently delete the selected emails (up to 500 at a time) from your Gmail account.

We do NOT:

Transfer Gmail data to any servers operated by CleanSweep.
Use Gmail data for advertising, marketing, analytics, or AI/ML training.
Share, sell, or disclose Gmail data to any third parties (including PostHog, Meta/Facebook, Google Ads, RevenueCat, or any other service providers).
Create derived data products from your Gmail content.

4.3 Where Gmail Data Is Processed

All Gmail data processing occurs entirely on your device:

The App communicates directly with gmail.googleapis.com (Google's Gmail API servers).
CleanSweep operates no backend servers and therefore cannot and does not route, store, or process Gmail data server-side.
Email data exists only in your device's memory while you are actively using the Gmail cleanup feature.

4.4 Gmail Data Storage and Security

OAuth tokens: Your Google account access tokens are securely stored in the iOS Keychain under the service identifier com.photocleaner.gmail. The iOS Keychain provides hardware-backed encryption on devices equipped with a Secure Enclave (iPhone 5s and later). These tokens are automatically deleted when you sign out or uninstall the App.
Email data: Email content is never written to disk. It is held temporarily in device memory (RAM) only while you are viewing or selecting emails. No email data is cached, saved to UserDefaults, CoreData, or any file storage.
iOS sandboxing: All local processing benefits from iOS's app sandboxing and the hardware-level security features you enable (such as passcode, Face ID, or Touch ID).

4.5 Gmail Data Retention and Deletion

Temporary in-memory storage: Email data is retained in memory only for the duration of your active session in the Gmail cleanup feature. When you navigate away from the feature or close the App, this data is immediately cleared from memory.
No persistent storage: CleanSweep does not retain any Gmail data after you finish using the feature.
Revoking access: You can revoke CleanSweep's access to your Gmail at any time by:
1. Signing out of your Google account within the CleanSweep App (tap "Sign Out" in the Gmail cleanup screen).
2. Visiting your Google Account Permissions page and removing CleanSweep from the list of apps with account access.
Uninstalling the App: When you uninstall CleanSweep, all OAuth tokens stored in the iOS Keychain are automatically deleted by iOS, and no Gmail data remains on your device.

4.6 Gmail Data Sharing

CleanSweep does not share any Gmail data with third parties. Specifically:

No Gmail-derived information (including email counts, metadata, or aggregated statistics) is sent to our analytics providers (PostHog), advertising partners (Meta/Facebook, Google Ads), or subscription management service (RevenueCat).
No pseudonymized or anonymized Gmail data is transmitted off-device.
Gmail data is used solely for the on-device email cleanup functionality you request.

4.7 Compliance with Google API Services User Data Policy

CleanSweep's use of information received from Gmail APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We:

Use Gmail data only to provide and improve user-facing features that are prominent in the App's user interface (the Gmail cleanup feature).
Do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets (and only after obtaining user consent where required).
Do not use Gmail data for serving advertisements.
Do not allow humans to read Gmail data unless we have your affirmative agreement, it is necessary for security purposes (e.g., investigating abuse), or it is required to comply with applicable law.

5 Data That Never Leaves Your Device

Photos, videos and contact cards processed for cleanup remain entirely on your iPhone; they are never uploaded to our servers.
Gmail data is processed entirely on-device as described in detail in Section 4 above.

6 iOS Permissions We Request

To deliver the App's functionality we ask for the following iOS permissions:

Photos Library – detect and remove similar images/videos, calculate space savings and delete unwanted files. Asked the first time you open Media Cleanup.
Contacts – identify and merge duplicate entries. Requested when you first open Contact Cleanup.
Notifications – remind you about cleanup progress or subscription status. Requested at the first moment a notification is required.
Tracking Transparency (IDFA) – enable analytics and remarketing attribution. Shown on first launch of a version that includes tracking.

You can revoke any permission at any time in Settings › Privacy & Security on your device.

7 Third‑Party Service Providers

We share limited data with service providers who act on our behalf under strict contractual safeguards:

PostHog (USA/EU) – receives pseudonymised usage events for product analytics.
Meta (Facebook) Analytics SDK (USA) – receives advertising identifiers and in‑app events for analytics and remarketing audience creation.
Google Ads & Google ID library (USA) – receives advertising identifiers and events for marketing attribution and audience management.
RevenueCat (USA) – receives Apple transaction receipts, subscription status and a device identifier for paywall logic and subscription validation.
Apple (global) – processes transaction data to complete In‑App Purchases.

We do not sell personal information and we do not share it for cross‑context behavioural advertising as defined by the California Privacy Rights Act (CPRA). You may opt‑out of analytics or remarketing via the App settings or your device‑level privacy controls.

Important: None of these service providers receive any Gmail data. Gmail data remains entirely on your device and is never shared with third parties.

8 International Data Transfers

Analytics and purchase data reside exclusively with the providers listed above. These processors may host their infrastructure in Canada, the United States, or other jurisdictions. When personal data originating from the EEA or UK leaves those regions, we rely on:

Canada's adequacy decision under GDPR Article 45 (for data routed to Canadian facilities); and
European Commission Standard Contractual Clauses (SCCs), supplemented by any necessary technical and organisational measures, for transfers to the United States or other non‑adequate countries.

CleanSweep itself operates no servers and therefore never hosts analytics or purchase data on its own infrastructure.

9 Security Measures

Because CleanSweep does not maintain its own backend, all analytics and purchase data is protected by our third‑party processors (Apple, PostHog, Meta/Facebook, Google and RevenueCat). These organisations apply industry‑standard safeguards such as TLS encryption in transit and encryption at rest, according to their published security policies. CleanSweep does not add additional layers beyond what these providers offer.

Media, contact and email data that we process locally never leave your device and remain protected by iOS sandboxing and the hardware‑level security features you enable (for example, Secure Enclave, passcode, Face ID or Touch ID).

10 Your Privacy Rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete data (most media and contacts can be removed directly in the App or by uninstalling).
Withdraw consent or opt‑out of analytics and remarketing at any time.
Receive a copy of certain data in a structured, machine‑readable format (data portability).
Lodge a complaint with your supervisory authority.

To exercise any of these rights, email help@cleansweep.photos. We will respond within 30 days or any shorter period required by applicable law.

11 Children's Privacy

The App is not directed to children under 13 and we do not knowingly collect personal data from them. If you believe a child has provided us data, please contact us so we can delete it.

12 Automated Decision‑Making

The App does not perform automated decision‑making that produces legal or similarly significant effects.

13 Changes to This Policy

We may update this Policy occasionally. Any material changes will be highlighted in the App's release notes and, where required, presented via an in‑app banner. The "Effective Date" at the top of this document will always show the latest revision date. Continued use of the App after changes means you accept the updated Policy.

14 Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: help@cleansweep.photos
Mail: Privacy Officer, SK Venture Ltd., 19 Moonstream Court, Mississauga, Ontario L5N 2P8, Canada