Privacy Policy
Vladimir Anisimov · Effective Date: 2026-05-29 · Last Updated: 2026-05-29
Privacy at a glance. Vladimir Anisimov ("we," "us," "our") respects your privacy. SortBox is designed so that your photos, videos, and library content stay on your device. We process the minimum data necessary to run the app, deliver subscriptions, prevent abuse, and improve the product.
Photos stay on device. SortBox does not upload, store, or transmit your photos or videos to our servers. All organisation, scanning, and grouping is performed locally on your iPhone or iPad.
No selling of personal data. We do not sell your personal information and we do not "share" it for cross-context behavioural advertising as defined by California's CCPA/CPRA.
Your controls. You can revoke Photo Library access in iOS Settings at any time, opt out of analytics in the app, request a copy or deletion of your data, and cancel subscriptions in your Apple ID settings.
Contents
- Scope of this Policy
- Who is the Data Controller
- Personal Data We Collect
- How & Why We Use Your Data
- Legal Bases (GDPR)
- Photo Library & On-Device Processing
- Third-Party Processors & SDKs
- Advertising & Tracking
- Cookies & Similar Technologies
- Data Retention
- How We Protect Your Data
- International Data Transfers
- Your Rights
- GDPR / EEA, UK, Switzerland
- California Residents (CCPA/CPRA)
- Other U.S. State Rights
- Brazil (LGPD)
- Children's Privacy
- Automated Decision-Making
- Changes to this Policy
- Contact & Data Protection Officer
1. Scope of this Policy
This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you use the SortBox mobile application and related websites and services (collectively, the "Service"). It applies to information processed by Vladimir Anisimov as a "data controller" (or equivalent) under applicable privacy laws.
By using the Service, you acknowledge that you have read this Policy. If you do not agree with our practices, please do not use the Service.
2. Who is the Data Controller
The data controller is:
- Vladimir Anisimov
- Email: dev.anisim101@gmail.com
If you reside in the European Economic Area or the United Kingdom and we are required to appoint a representative, you can contact our EU/UK Representative at [eu-rep@email] ([EU Representative Name and Address]).
3. Personal Data We Collect
We collect only what is reasonably necessary to operate, secure, and improve the Service. The categories below describe what may be collected when you use SortBox.
| Category | Examples | Source |
|---|---|---|
| Device & technical data | Device model, iOS version, language, region, app version, anonymous device identifier (e.g., installation UUID generated by the app or Apple's IDFV), crash logs and stack traces, performance metrics | Collected automatically from your device |
| Usage data | Events such as app launches, feature interactions (e.g., "swipe", "delete confirmed"), screen views, error counts; pseudonymous session identifiers | Collected automatically when you use the app |
| Subscription & purchase data | Subscription status, plan, renewal status, country, anonymous Apple transaction identifier, currency, receipt token (validated server-side) | Provided via Apple's StoreKit / your subscription provider |
| Support & communications | Email address, contents of support messages, attachments you choose to share, language | Provided by you when you contact us |
| Marketing preferences | Opt-in/opt-out status for push notifications, newsletters, or in-app promotional messages | Provided by you / your device settings |
| Photo metadata (on-device only) | Asset identifiers, file sizes, durations, capture dates, and perceptual hashes used for duplicate detection — processed locally on your device | Generated locally; not transmitted to us |
What we do NOT collect. We do not collect your contacts, location, microphone or camera input, browsing history outside the app, biometric data, government identifiers, or precise advertising identifiers (IDFA) unless you explicitly grant App Tracking Transparency permission for a feature that requires it.
4. How & Why We Use Your Data
We process personal data for the following purposes:
- Provide the Service. Run and maintain the app, deliver Premium Features, validate subscription receipts, restore purchases, and synchronise preferences across your devices via iCloud (managed by Apple).
- Improve and develop the Service. Understand which features are used, diagnose crashes and performance issues, A/B-test improvements, and prioritise product roadmap items.
- Security and fraud prevention. Detect and prevent abuse, fraudulent subscriptions, automated misuse, and security incidents.
- Customer support. Respond to your questions, troubleshoot issues, and follow up on feedback.
- Communicate with you. Send service announcements, security notices, and — where you have opted in — product news.
- Legal and compliance. Comply with legal obligations, enforce our Terms, and protect our rights and the rights of others.
5. Legal Bases (GDPR)
If you are in the EEA, UK, or Switzerland, we rely on the following lawful bases under the GDPR and equivalent laws:
- Performance of a contract (Art. 6(1)(b)) — to deliver the Service, manage subscriptions, and respond to support requests.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, improve features, and conduct limited product analytics. We balance these against your rights and offer opt-outs where appropriate.
- Consent (Art. 6(1)(a)) — for optional analytics, push notifications, marketing emails, and any processing that requires tracking permission. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with laws, court orders, and regulator requests.
6. Photo Library & On-Device Processing
SortBox needs access to your iOS Photo Library to do its job: scanning for duplicates, similar shots, screenshots, large videos, and other items you may want to clean up. This access is granted by you via the standard iOS permission prompt and can be revoked at any time in Settings → Privacy & Security → Photos → SortBox.
All photo and video analysis happens locally on your device , using Apple's PhotoKit, Vision, and Core ML frameworks where applicable. We do not upload or back up your library to our servers. Deletion actions you confirm in the app are performed via iOS and move items to your "Recently Deleted" album, where iOS keeps them for the system-defined period (typically 30 days) before permanently removing them.
Limited Library Access. If you select Limited Access, only the photos you chose remain visible to the app. We never see, list, or process other items.
7. Third-Party Processors & SDKs
We use a small number of carefully selected service providers to deliver and improve the Service. These providers act as our "processors" and are contractually bound to use personal data only on our instructions and to protect it appropriately.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Apple Inc. | App distribution, in-app purchases & subscriptions, push notifications, crash reporting (if opted in via iOS), iCloud sync | Apple ID-level identifiers, transaction data, device data, crash logs | United States, EU |
| Google Firebase (Google Ireland Ltd. / Google LLC) | Crashlytics (crash reporting), Analytics for Firebase, Remote Config, Firebase Cloud Messaging (push delivery) | Pseudonymous Firebase install IDs, device & usage data, crash stacks, event data | United States, EU |
| Google AdMob (Google Ireland Ltd. / Google LLC) | Display of in-app advertisements (where applicable) | Pseudonymous advertising identifiers (IDFA — only with your ATT consent), coarse geography, device data | United States, EU |
| RevenueCat, Inc. | Subscription management, receipt validation, entitlement sync, subscription analytics | Anonymous app user ID, Apple transaction ID, country, subscription status, plan, lifecycle events | United States |
| AppsFlyer Ltd. | Marketing attribution, install measurement, deferred deep linking | Pseudonymous device identifiers (IDFA only with your ATT consent), install / re-engagement events, campaign source | United States, Israel, EU |
| Amplitude, Inc. | Product analytics — understanding feature usage, retention, funnels, A/B outcomes | Pseudonymous device & user IDs, event data, session metadata, app version | United States, EU |
| [Customer support tool] | Handling support tickets, email correspondence | Email address, message contents, attachments you provide | [Region] |
We may update this list as our stack evolves. Material changes will be reflected in the "Last Updated" date and, where required, with prior notice.
8. Advertising & Tracking
Where SortBox displays advertisements, ads are served via Google AdMob. We do not sell your personal information and we do not engage in cross-app or cross-site behavioural advertising based on personal data collected outside the app without your explicit consent.
App Tracking Transparency (ATT). On iOS 14.5+, before any third-party SDK accesses the IDFA (Apple's identifier for advertisers) for cross-app tracking, the app presents Apple's ATT prompt. If you choose "Ask App Not to Track," our advertising (AdMob) and attribution (AppsFlyer) SDKs operate in a limited, non-personalised mode and will not receive your IDFA. Analytics SDKs (Firebase Analytics, Amplitude) continue to work using pseudonymous identifiers that are not tied to your IDFA.
You can review and change tracking permissions at any time in iOS Settings → Privacy & Security → Tracking. You can also opt out of personalised ads in iOS Settings → Privacy & Security → Apple Advertising and reset your advertising identifier there.
9. Cookies & Similar Technologies
The SortBox mobile app itself does not use cookies. Our marketing website may use a small number of cookies and similar technologies (e.g., for measuring page performance and remembering language preferences). Where required, our website will present a cookie banner that lets you accept, reject, or manage non-essential cookies.
10. Data Retention
We retain personal data only for as long as needed for the purposes described in this Policy, or as required by law. Typical retention periods are summarised below; actual periods may vary based on legal, accounting, or security requirements.
- Crash logs & analytics events: up to 14 months from collection.
- Subscription & purchase records: for the duration of the subscription and for as long as required to comply with tax and accounting obligations (typically up to 10 years).
- Support correspondence: up to 36 months after the ticket is closed.
- Marketing preferences (opt-outs): kept indefinitely to honour your choice.
- Logs used for security or fraud prevention: up to 24 months.
11. How We Protect Your Data
We implement appropriate technical and organisational measures designed to protect personal data, including:
- Encryption in transit (TLS 1.2+) for all network communications.
- Encryption at rest at our cloud providers using industry-standard mechanisms.
- Strict access controls, least-privilege role-based permissions, and multi-factor authentication for our team.
- Network segmentation, logging, and monitoring for our backend infrastructure.
- Regular review of dependencies and third-party SDKs for known vulnerabilities.
- Privacy-by-design: keeping photo and video data on the device wherever possible.
No method of transmission or storage is 100% secure. If we become aware of a personal-data breach that creates a high risk to your rights, we will notify you and the relevant supervisory authorities as required by applicable law.
12. International Data Transfers
Personal data we process may be transferred to and processed in countries other than the one in which you live, including the United States. When we transfer personal data outside the EEA, the UK, or Switzerland, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), supplementary technical and organisational measures, and adequacy decisions where available. You may request a copy of the relevant safeguards by contacting dev.anisim101@gmail.com.
13. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your personal data, subject to legal retention requirements.
- Restriction — ask us to limit the processing of your data in certain circumstances.
- Portability — receive a copy of your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests, including profiling.
- Withdraw consent — where processing is based on consent, at any time, without affecting the lawfulness of past processing.
- Lodge a complaint — with your local data-protection supervisory authority.
To exercise these rights, email dev.anisim101@gmail.com from the email address associated with your support correspondence, or use the in-app "Contact Us" option. We will respond within the time limits required by applicable law (generally within 30 days). We may need to verify your identity before responding, and we will not discriminate against you for exercising your rights.
14. GDPR / EEA, UK, Switzerland
If you are located in the EEA, the United Kingdom, or Switzerland, you have the rights set out in Section 13 above and you may also:
- Contact our Data Protection Officer at dev.anisim101@gmail.com for privacy-related questions.
- Lodge a complaint with the supervisory authority in your country of residence, work, or where the alleged infringement took place.
- Contact our EU / UK Representative at [eu-rep@email].
15. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the following rights:
- Right to know what categories of personal information we collect, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to access the specific pieces of personal information we have collected about you.
- Right to delete personal information we have collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share personal information as those terms are defined by the CCPA/CPRA.
- Right to limit the use of sensitive personal information; we do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising your rights.
You may submit requests to dev.anisim101@gmail.com. Authorised agents may submit requests on your behalf with appropriate proof of authorisation.
16. Other U.S. State Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have rights similar to those described above, including the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale, and certain forms of profiling. We honour applicable state-law rights and do not engage in targeted advertising or the sale of personal information.
17. Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights similar to those under the GDPR, including confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, and revocation of consent. You may contact the Brazilian National Data Protection Authority (ANPD) if you believe your rights have been infringed. To exercise your LGPD rights, contact dev.anisim101@gmail.com.
18. Children's Privacy
The Service is not directed to children under 13 years of age (or the minimum digital-consent age in your jurisdiction, such as 16 in some EEA member states). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information promptly. If you believe a child has provided personal information to us, please contact dev.anisim101@gmail.com.
19. Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you. The on-device grouping, ranking, and duplicate-detection performed by the app is informational only — final decisions about deleting or keeping items are always made by you.
20. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date and provide reasonable notice through the app or via email where appropriate. Your continued use of the Service after the effective date of an update means you accept the revised Policy.
21. Contact & Data Protection Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
- Vladimir Anisimov
- Privacy Team / Data Protection Officer
- Privacy email: dev.anisim101@gmail.com
- General support: dev.anisim101@gmail.com
© 2026 Vladimir Anisimov. All rights reserved.
See also our Terms of Use.