1. Executive summary (TL;DR)
| Aspect | Status |
|---|---|
| Cloud storage of case files | β NO β exclusively on User's device |
| Transmission of case file content to third parties | β NO |
| Telemetry / Analytics of content | β NO |
| Tracking / Profiling | β NO |
| Cookies | β NO (mobile application) |
| User account | β οΈ MINIMAL β email address only for Pro subscription management |
| Third-party payment processors | β οΈ YES β Google Play Billing / Apple App Store + RevenueCat (subscription status management) |
| Local encryption of case files | β YES β AES |
| Biometric lock | β YES β optional |
| GDPR compliance | β YES |
| Offline processing of case files | β YES β fully local PDF/DOCX generation |
In summary: The content of case files (personal data, vehicles, narratives, generated documents) remains exclusively local on the device β no text, image or content from your case files leaves the phone. The only data that goes out is the User's email address and subscription status, strictly for payment processing and Pro subscription management (see Section 7).
2. Who we are and what the Application does
CaseClosed is a mobile application that assists with the drafting of procedural documents specific to the reporting of traffic events. The Application runs entirely on the User's device, without communication with external servers.
Important: The Application does not represent a public authority, governmental institution or official body. It is a private, independent product. For details, please consult the Terms and Conditions, section 2.1.
3. Roles under GDPR
3.1. The User = data CONTROLLER
Since the User decides which data to enter, for what purpose and on what device, the User is, within the meaning of Article 4 point 7 of GDPR, a controller of personal data. This status entails:
Obligations (under GDPR):
- Ensuring a lawful basis for data processing (e.g., legal obligation, consent, legitimate interest)
- Compliance with data protection principles (lawfulness, fairness, minimisation, accuracy, integrity)
- Implementation of appropriate technical and organisational measures
- Responding to requests from data subjects (access, rectification, erasure, portability)
- Notifying the competent authorities in the event of a security incident (ANSPDCP, in accordance with Article 33 GDPR)
Rights:
- Exclusive control over his/her data
- Free decision regarding the use, export or deletion of data
3.2. The Application's author β data processor
The Application's author does NOT process the User's data in any form whatsoever. The Application operates entirely locally β the author has no technical or legal access to the content of the User's case files.
Consequently, the author is not a controller, processor or joint controller within the meaning of GDPR with regard to the data entered by the User.
4. What data is collected
The Application processes the following categories of data β entered manually or scanned optically by the User:
4.1. Personal identification data (sensitive)
- Surname, given name
- Personal Identification Number (CNP)
- Date of birth, place of birth
- Full residential address
- Sex
- Identity card details (series, number, issuer, date of issue)
- Telephone number
- Data about parents (father's/mother's name)
4.2. Vehicle data
- Make, model, registration number
- Chassis number (VIN)
- Owner's name
- Compulsory motor liability insurance (RCA), technical inspection (ITP)
4.3. Event-specific data
- Location, date, time of occurrence
- Medical details (diagnosis, injuries, hospital of transport β sensitive data under GDPR)
- Alcohol/drug testing results (sensitive data)
- Driving licence status
- Statements, descriptions, observations
4.4. Procedural operator data
- Professional rank / title
- Surname and given name
- Institutional affiliation (entered manually by the User)
- Digital signature (optional)
4.5. Images
- Camera captures of identity cards (processed offline)
- Camera captures of vehicle registration certificates
- Auxiliary photographed documents
- Signatures captured on screen
4.6. Special categories under GDPR (Article 9)
Certain entered data may fall within the special categories under GDPR which require enhanced protection:
- Data concerning health (diagnosis, injuries)
- Data concerning criminal convictions and offences (Article 10 GDPR)
The User has the special obligation to ensure that:
- There is a sufficient lawful basis for processing such data
- Proportionate protection measures are applied
5. How data is stored
5.1. Physical location
All data is stored exclusively on the User's mobile device, in its internal memory (the Application's private storage). There are no:
- Cloud servers (the Application has no cloud)
- Automatic backups to external services
- Synchronisation between devices
- Distributed replication
5.2. Local encryption
Sensitive data is encrypted with the AES algorithm (industry standard) prior to storage in AsyncStorage (the system's storage mechanism). The encryption key is derived locally on the device.
5.3. Biometric access
The Application provides additional protection through biometric lock (Face ID, Touch ID, fingerprint). After 5 minutes of inactivity, the Application automatically locks and requires biometric authentication to continue.
5.4. Permissions requested
| Permission | Purpose |
|---|---|
| Camera | Scanning identity card + vehicle registration certificate |
| Gallery / Photo Library | Selecting pre-existing images for scanning |
| Biometric (Face ID / fingerprint) | Locking/unlocking the Application |
| File saving | Exporting generated documents as PDF/DOCX |
The Application does NOT request permissions for: location, contacts, messages, microphone, calendar, external push notifications, advertising identifier.
6. How data is NOT used
The content of case files (personal data, vehicles, narratives, generated documents) is NOT:
- Transmitted to external servers (own or third-party)
- Processed via analytics services (Google Analytics, Firebase Analytics, Mixpanel, Amplitude, etc.)
- Used by tracking or profiling SDKs
- Included in automated error reports (crash reports) sent to servers
- Processed via cloud-based artificial intelligence (all OCR and narrative processing runs offline)
- Shared with advertising networks
- Sold, leased or shared with third parties
- Used for direct marketing
- Used to create behavioural profiles of the User
The only data that leaves the device is described in Section 7 β strictly for Pro subscription management.
7. Data collected for Pro subscription management
CaseClosed is a subscription-based application (monthly / 3 months / 6 months / annual). For subscription management, the following minimal data is required:
7.1. Data collected
| Category | Content | Purpose | Storage |
|---|---|---|---|
| User email | Email address entered when activating subscription | Pro account identification + technical support | Local + RevenueCat (customer attribute) |
| Subscription status | Active / Trial / Expired / Cancelled | Validation of access to Pro features | RevenueCat |
| Plan type | Monthly / 3 months / 6 months / Annual | Billing + automatic renewal | Google Play / Apple + RevenueCat |
| Payment data | Bank card, amount, currency | Payment processing | Google Play / Apple β never CaseClosed |
7.2. Third-party processors (GDPR Sub-processors)
CaseClosed uses the following sub-processors, each with its own privacy policy and GDPR compliance:
Google Play Billing (Google Ireland Limited)
- Role: payment processor for Android Users
- Data received: Google account email, amount, frequency, bank card
- Data NOT received: case file content, personal data subjects, generated documents
- Policy: policies.google.com/privacy
Apple App Store Billing (Apple Distribution International Limited)
- Role: payment processor for iOS Users
- Data received: Apple ID email, amount, frequency, bank card
- Data NOT received: case file content, personal data subjects, generated documents
- Policy: apple.com/legal/privacy
RevenueCat, Inc. (San Francisco, California, US)
- Role: technical intermediary for synchronizing subscription status between the application and app stores
- Data received: User email (as customer attribute), App User ID identifier (anonymous auto-generated or reviewer/ambassador-type code), subscription status, plan type, anonymous device identifier
- Data NOT received: case file content, personal data subjects, generated documents, bank card
- Policy: revenuecat.com/privacy
- Extra-EU transfer: RevenueCat is a US-based processor. The transfer of data (email + subscription status) to the US is conducted on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission and the RevenueCat Data Processing Addendum (DPA).
7.3. No case file content transferred to sub-processors
Neither Google, Apple, nor RevenueCat receive the content of the User's case files. All data introduced about data subjects, vehicles and events remain entirely on the User's device, encrypted with AES.
7.4. Subscription data retention period
| Data | Duration |
|---|---|
| Email + subscription status in RevenueCat | For the duration of the subscription + 24 months for tax audit |
| Payment data Google/Apple | According to Google/Apple policies (~7 years audit) |
| Email locally on device | Until application uninstallation or manual deletion |
7.5. Request for deletion of subscription data
The User may request the deletion of email and subscription history from RevenueCat by sending an email to legal@caseclosed.ro. The request will be processed within a maximum of 30 days, in accordance with Art. 17 GDPR (right to erasure).
Limitation: payment data stored by Google/Apple for tax audit CANNOT be deleted until the expiration of the legal period (~7 years), in accordance with applicable tax regulations.
8. Offline image processing (OCR)
The Application uses Google ML Kit Text Recognition for extracting text from images (ID and certificate scanning). This processing is performed entirely on the device (on-device):
- The ML models run locally
- Images are NOT uploaded to Google servers or any other services
- The extracted text remains on the device
ML Kit is a Google SDK that operates offline for text recognition. Google's official documentation confirms on-device processing for this model. No image or OCR data leaves the device.
9. User rights as a data subject
The User has all the rights conferred by GDPR with regard to his/her own data:
9.1. Right of access (Article 15 GDPR)
All data is directly accessible through the Application's interface. The User views the saved case files in full.
9.2. Right of rectification (Article 16 GDPR)
Any data may be freely edited through the Application's interface.
9.3. Right to erasure (βright to be forgotten" β Article 17 GDPR)
- Individual case files may be deleted from the interface (case file list β swipe β delete)
- All data may be deleted by uninstalling the Application
- Resetting the application from system settings deletes all data
9.4. Right to data portability (Article 20 GDPR)
The Application provides export of documents in PDF and DOCX formats. Structured data may be exported as standard files, transferable to other systems.
9.5. Right to object (Article 21 GDPR)
The User may discontinue use of the Application at any time by uninstalling it.
9.6. Rights of data subjects represented by the User
For data entered concerning third parties (persons involved in case files), the data subjects (third parties) may exercise their GDPR rights directly with the User, who is their data controller in accordance with section 3.1. The author of the Application cannot give effect to such requests, as it has no access to the data.
10. Data security
9.1. Technical measures implemented
- AES encryption of sensitive data in storage
- Biometric lock after 5 minutes of inactivity
- Storage strictly within the Application's sandbox (isolated from other applications by the operating system)
- Local key generation β no key leaves the device
9.2. Measures recommended to the User
The User is responsible for implementing the following additional measures:
- Enabling PIN / Face ID / Touch ID at system level
- Regular updating of the device's operating system
- Avoiding the installation of untrusted applications which may compromise the sandbox
- Periodic manual backup (PDF/DOCX export) of important documents
- Securely uninstalling the Application before transferring or disposing of the device
- Using a professionally secured device for official activity
9.3. Limitations
No technical measure guarantees absolute security. In the event of loss, theft or compromise of the device, local data may be exposed. The User has the obligation to notify the competent authorities (ANSPDCP) within a maximum of 72 hours in the event of a security incident, in accordance with Article 33 GDPR.
11. International data transfers
11.1. Case file content β no transfer
The content of the User's case files (personal data, vehicles, narratives, documents) is NOT transferred outside the device. All this data remains within the User's physical jurisdiction.
11.2. Subscription data β regulated transfer to the US (RevenueCat)
The User's email and subscription status are processed by RevenueCat, Inc. (San Francisco, California, US β see Section 7.2). The transfer of this data from the EU to the US is conducted under:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914)
- Data Processing Addendum (DPA) signed between the Controller and RevenueCat
- Additional safeguards provided by RevenueCat for data protection (SOC 2 Type II certification)
11.3. Payment data β regulated transfer (Google / Apple)
Payment data is transferred to Google Ireland Limited (EU) or Apple Distribution International Limited (EU) for Android and iOS users respectively. These entities may subsequently transfer the data to their US headquarters, under the EU-US Data Privacy Framework protection regime.
12. Data retention period
The Application does not impose a retention period. Data remains on the device until the User:
- Manually deletes it
- Uninstalls the Application
- Resets the device
The User has the obligation to establish an appropriate retention period for the categories of data processed, in accordance with the GDPR minimisation principle (Article 5(1)(e)).
13. Minors' data
The Application is not intended for use by minors. To the extent that data concerning minors (e.g., minor pedestrian involved in an accident) appears within the User's case files, the User has the obligation to apply the special protection provided by GDPR (Article 8) and applicable national legislation.
14. Cookies and similar technologies
The Application does not use cookies. It is a native mobile application (React Native + Expo), without web components that could store cookies.
The Application does not use:
- Advertising identifiers (IDFA, GAID)
- Device fingerprinting
- Local Storage for tracking
- Tracking pixels
15. Amendments to the Privacy Policy
This Policy may be updated from time to time. Amendments shall take effect from the date of publication of the new version. Earlier versions may be retained for consultation in the βAbout" section of the Application.
In the event of substantial amendments affecting the manner of data processing, the User shall be notified upon first opening the Application after the update.
16. Supervisory authority
In Romania, the competent authority for personal data protection is:
The National Supervisory Authority for Personal Data Processing (ANSPDCP)
- Address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, Bucharest
- Web: dataprotection.ro
The User has the right to lodge a complaint with this authority if he/she considers that his/her GDPR rights have been infringed.
17. Contact
For questions regarding this Policy, please contact the author through the channels indicated in the βAbout" section of the Application or directly at the following addresses:
- legal@caseclosed.ro β GDPR requests (access, erasure, portability, objection), questions about data processing
- support@caseclosed.ro β technical issues with the Application, account, subscription
- contact@caseclosed.ro β general inquiries, commercial, partnerships
To exercise GDPR rights (Art. 15β22 of Regulation 2016/679), use legal@caseclosed.ro. Requests are processed within a maximum of 30 days.
18. Final declaration
By installing and using the CaseClosed Application, you confirm that:
- You have read and understood this Privacy Policy
- You accept the role of data controller for the data you enter
- You understand that the Application's author has no access to your data
- You are responsible for the security of the device and of the data stored locally
- You shall carry out your data processing activity in accordance with GDPR and applicable national legislation
This Policy has been drafted in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018 implementing GDPR in Romania, and best practices in the field of personal data protection.