Last updated: April 27, 2026
ScopeProof ("the App") is designed to respect your privacy and operate transparently.
This Privacy Policy explains what information the App handles, where it is stored, and how it is used.
1. No Account Required
ScopeProof does not require you to create an account or sign in. You can use the App fully without
providing any personal information about yourself. (See Section 4 for a limited exception when
using the optional remote-signing feature.)
2. Data Stored on Your Device
All data you create in ScopeProof is stored locally on your device, including:
- Change orders, line items, and totals
- Customer contact details you enter (name, email address, phone number)
- Photos you attach as job evidence
- Customer signatures (captured in person or returned from remote signing)
- Company information, logo, brand color, and contractor signature
- Line item templates, projects, and change order history
- GPS coordinates and timestamps recorded at the time of signing (if Location is enabled)
By default, none of this data is transmitted to any server — including the customer
contact details listed above. The customer's email address and phone number are only transmitted off-device,
and only in encrypted form, when you explicitly initiate remote signing (see Section 4). The customer's
name is transmitted in plaintext as part of that same flow so that push notifications about the signing
request can identify which customer the notification refers to; it is not used for any other purpose.
3. No Tracking or Analytics
ScopeProof does not use analytics tools, tracking SDKs, advertising frameworks, or
behavioral-data collectors. We do not collect usage analytics, device identifiers for tracking,
or behavioral data.
4. Remote Signing (Pro Feature, Optional)
Remote signing is an optional Pro feature that lets your customer sign a change order from their own
device by opening a secure web link. It is strictly opt-in — if you never use it, no change-order
data, customer information, or metadata leaves your device beyond standard App Store purchase validation.
When you initiate remote signing, ScopeProof uses Google Firebase to deliver the change order to your
customer's web browser and to receive the signed document back. Specifically, the App uses the following
Firebase services:
- Firebase Authentication (anonymous sign-in): The App signs in anonymously so that Firebase security rules can gate read/write access. No email, name, account, or personal identifier about you is sent to Firebase for authentication — Firebase issues a random, ephemeral anonymous user ID.
- Cloud Firestore: Stores one document per signing request, containing the encrypted change-order payload, the customer's name in plaintext (used solely to personalize the push notification you receive when the customer interacts with the request), a hash of the update secret, status (sent / viewed / signed / expired / rejected), creation and expiry timestamps, and your device's push notification token. Apart from the customer name field, Firestore sees only ciphertext — it never has access to the decryption key.
- Cloud Functions: One server-side function validates an update secret and writes the customer's signature back to the Firestore document once they sign; a second function can extend the 7-day expiry. Cloud Functions do not have access to the decryption key and cannot read the plaintext change order.
- Firebase Cloud Messaging (FCM): Delivers push notifications to your device when the customer views, signs, rejects, or lets the request expire. Your device's FCM token is stored inside the signing-request document only while the request is active (a maximum of 7 days, until the request expires or is signed) so that only the relevant notifications are routed to you.
- Firebase App Check (App Attest): The App uses App Check, backed by Apple's App Attest, to prevent abuse of our Cloud Functions. App Check generates an anonymous attestation token that proves the call is coming from a legitimate copy of ScopeProof on a real Apple device. The token contains no personal data about you and cannot be used to identify or track you across apps.
What is transmitted and how it is protected:
- The change-order payload — including customer email, phone number, line items, totals, attached photos, your GPS coordinates at creation (if enabled), and company info — is encrypted on your device with AES-256-GCM using a freshly generated key before upload. Only the ciphertext is stored in Firestore.
- The customer's name is the one field stored in plaintext alongside the encrypted payload, for the sole purpose of letting our push-notification Cloud Function include the customer's name in the alert you receive (e.g., “Jane Doe signed your change order”). It is not used for any other purpose and is not shared with third parties.
- The AES decryption key and an update-secret authorization token are never uploaded to Firebase. They live only in the URL fragment (#key=...&auth=...) of the signing link that you deliver to the customer. Web browsers do not transmit URL fragments to servers, so the key stays between you and the customer.
- When the customer signs on the web, the signing page records the customer's drawn signature (PNG image), typed name, signing timestamp, IP address, browser user-agent string, and consent acknowledgment. These are written back to the Firestore document by the Cloud Function as part of the dispute-proof signature record, then downloaded to your device and stored locally as a signed, immutable record.
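The flow in the list above, sketched as an added example (illustrative code, not ScopeProof's own). The function names, document field names, payload layout (nonce, ciphertext, tag), the use of SHA-256 for the update-secret hash, and the sign.example URL are assumptions; only AES-256-GCM and the #key=...&auth=... fragment come from this policy.

```javascript
const crypto = require('node:crypto');

// App side: encrypt the change order and build the link. Field names are assumed.
function createSigningRequest(changeOrder, pageUrl) {
  const key = crypto.randomBytes(32);     // fresh AES-256 key for this request
  const secret = crypto.randomBytes(32);  // update secret ("auth" in the fragment)
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(changeOrder), 'utf8'), c.final()]);
  const serverDoc = {                     // everything the backend stores
    payload: Buffer.concat([iv, ct, c.getAuthTag()]).toString('base64'),
    secretHash: crypto.createHash('sha256').update(secret).digest('hex'),
    status: 'sent',
  };
  const link = `${pageUrl}#key=${key.toString('base64url')}&auth=${secret.toString('base64url')}`;
  return { serverDoc, link };
}

// What a browser sends to the server for this link: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Customer side: read the key from the fragment and decrypt locally.
function decryptFromLink(link, serverDoc) {
  const frag = new URLSearchParams(new URL(link).hash.slice(1));
  const key = Buffer.from(frag.get('key'), 'base64url');
  const raw = Buffer.from(serverDoc.payload, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(raw.length - 16));
  const pt = Buffer.concat([d.update(raw.subarray(12, raw.length - 16)), d.final()]);
  return JSON.parse(pt.toString('utf8')); // d.final() throws if the payload was altered
}

// Server side: authorize a write-back by hashing the presented secret.
function authorizeUpdate(serverDoc, presentedSecret) {
  const got = crypto.createHash('sha256').update(Buffer.from(presentedSecret, 'base64url')).digest();
  const want = Buffer.from(serverDoc.secretHash, 'hex');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}
```

Because the key exists only in the fragment, anyone who obtains the full link (forwarded message, shared screenshot, browser history) can decrypt the payload until the request expires.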
Data retention. Signing requests automatically expire 7 days after creation.
Once expired, the encrypted payload is no longer retrievable through the signing link, and the record is
marked for cleanup. You can also contact us (see Section 17) at any time to request earlier deletion of
a specific signing document before its expiry. Once your device has downloaded the returned signature, the
signed change order is preserved locally on your device regardless of the remote document's status.
Firebase is a Google service. Google's handling of technical metadata such as IP addresses and server
request logs is governed by
Google's Firebase privacy practices.
5. Push Notifications
ScopeProof requests permission to send push notifications only when you first use remote signing.
Notifications are used exclusively to alert you when a customer views, signs, or lets a signing request
expire. You can revoke notification permission at any time in your device settings.
6. Location Data
If enabled, ScopeProof may access your device location to:
- Auto-fill a job name from the street address of the job site
- Tag change orders with GPS coordinates for job-site verification
- Attach GPS metadata to photos you capture as evidence
Location data is used only on your device (and, if you use remote signing, it is included inside the
encrypted payload described in Section 4). You can disable location access at any time in your
device settings.
7. Photos and Camera Access
ScopeProof requests access to your camera and photo library to attach evidence photos to change orders,
upload a company logo, and save generated PDFs. All images remain on your device unless you choose to
share them (via email, Messages, AirDrop, remote signing, etc.).
8. Cryptographic Proof Features (Dispute-Proof, Pro)
Dispute-Proof mode is an optional Pro feature that protects the integrity of signed change orders:
- Line items, attached photo bytes, the customer signature, GPS, and timestamp are hashed using SHA-256 at the moment of signing.
- An HMAC-SHA256 signature is generated using a device-local key stored in the iOS Keychain (which is hardware-backed by the Secure Enclave on supported devices).
- All verification data is stored locally on your device. The HMAC key never leaves your device, is never backed up to iCloud, and is never transmitted to any external service.
If the App is deleted, the HMAC key in the Keychain is removed and previously sealed orders can no
longer be re-verified on that device (though the hashes themselves remain publicly verifiable via
exported evidence packages).
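How the two layers described above differ, as an added example (illustrative code, not ScopeProof's own). The record field names, the sorted-key JSON serialization, and the manifest layout are assumptions; the policy specifies only SHA-256 hashing of the listed components and an HMAC-SHA256 under a device-local key.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Deterministic JSON: object keys sorted so equal records hash equally.
function canonical(v) {
  if (Array.isArray(v)) return `[${v.map(canonical).join(',')}]`;
  if (v && typeof v === 'object') {
    return `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(',')}}`;
  }
  return JSON.stringify(v);
}

// Hash each sealed component at signing time (field names are assumed).
function buildManifest(rec) {
  return {
    lineItems: sha256(canonical(rec.lineItems)),
    photos: rec.photos.map((bytes) => sha256(bytes)),
    signature: sha256(rec.signaturePng),
    gps: sha256(canonical(rec.gps)),
    signedAt: sha256(rec.signedAt),
  };
}

// Seal the manifest with the device-local HMAC key.
function seal(rec, deviceKey) {
  const manifest = buildManifest(rec);
  const mac = crypto.createHmac('sha256', deviceKey).update(canonical(manifest)).digest('hex');
  return { manifest, mac };
}

// Keyless check: anyone holding the exported record can recompute the hashes.
function hashesMatch(rec, sealed) {
  return canonical(buildManifest(rec)) === canonical(sealed.manifest);
}

// Keyed check: only the device holding the HMAC key can confirm the seal is its own.
function macValid(sealed, deviceKey) {
  const want = crypto.createHmac('sha256', deviceKey).update(canonical(sealed.manifest)).digest();
  const got = Buffer.from(sealed.mac, 'hex');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}
```

The hash check alone catches edits to a record but not a manifest that was recomputed after the edit; that case is caught only by the keyed check, which stops being possible once the Keychain key is removed.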
9. In-App Purchases
ScopeProof offers a single one-time purchase to unlock Pro features. Payments are processed securely by
Apple via the App Store. ScopeProof does not have access to your payment information.
10. Data Sharing and Sub-Processors
ScopeProof does not sell, share, or transmit your data to third parties for advertising or analytics.
Data leaves your device only when you take an explicit action:
- When you export or send files (PDF, CSV, QuickBooks, JSON, evidence ZIP) via email, Messages, AirDrop, or other apps you choose.
- When you initiate remote signing. In that case Google Firebase (Google LLC) acts as our sole data sub-processor under GDPR Art. 28, providing the storage, push delivery, and abuse-prevention services described in Section 4. Apart from Firebase, ScopeProof has no third-party data processors.
11. Data Deletion
You can delete your data at any time by:
- Deleting individual change orders or projects within the App
- Removing the App from your device (this clears all locally stored data, including cryptographic keys in the Keychain)
- Letting remote signing requests expire after 7 days, or contacting us to request earlier deletion of a specific signing document
12. Legal Basis for Processing (GDPR)
To the extent any data processing occurs, our legal bases are:
- Consent: You grant device permissions (camera, location, photo library, push notifications) voluntarily and can revoke them at any time in your device settings. Remote signing is triggered only by your explicit action.
- Legitimate interest: Providing core App functionality such as local data storage, cryptographic verification, PDF generation, and delivering remote-signing documents you choose to send.
- Contract: Processing the one-time Pro purchase via Apple's App Store.
13. Your Rights (EU/EEA Users)
Under the General Data Protection Regulation (GDPR), you have the right to access, rectify, erase,
restrict processing of, and request portability of your personal data.
Because ScopeProof stores all data locally by default, you exercise most of these rights directly:
- Access and portability: Use the App's export features (PDF, CSV, JSON, evidence ZIP) to retrieve your data at any time.
- Erasure: Delete individual change orders in the App, or delete the App entirely to remove all local data.
- Restriction and rectification: Edit drafts directly in the App. Signed change orders are intentionally immutable; create a revision or duplicate-as-draft to issue a correction.
- Remote signing records: Contact us at forthemcreation@gmail.com to request deletion of a specific encrypted signing document before its 7-day expiry.
14. Children's Privacy
ScopeProof is a professional tool for contractors and trade businesses. It is not directed toward
children, and we do not knowingly collect personal information from anyone under the age of 17.
15. Changes to This Policy
This Privacy Policy may be updated from time to time to reflect changes in the App or legal requirements.
Any changes will be posted on this page with an updated date.
16. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Province of Quebec,
Canada, without regard to its conflict of law provisions.
17. Contact
ScopeProof is developed and maintained by ForThemCreation. If you have any questions about this Privacy
Policy, or wish to exercise any of the rights described above, you can contact us at:
forthemcreation@gmail.com.
18. Website Hosting
This privacy policy page is hosted on GitHub Pages. When you visit this page, GitHub may process
technical information such as IP address, browser details, and server request data as part of providing
web hosting infrastructure.