FileBay Privacy Policy
Last updated: May 13, 2026
Welcome to FileBay (the "Service", the "App" or "our Service"). This Privacy Policy (the "Policy") explains how Xiaosheng APAC Technology Limited (the "Company", "we", "us" or "our") collects, uses, retains, discloses, transfers, protects and processes your personal data when you use the Service, and how you may exercise related rights.
FileBay is an AI + OCR scanning tool for scanning, importing, recognizing, organizing, translating, summarizing, exporting and managing documents. The Service is currently primarily intended for users in Hong Kong and other applicable regions. By registering, signing in to, accessing or using the Service, you confirm that you have read and understood this Policy.
Where certain data processing activities require your authorization or consent under law, platform requirements or feature design, we will provide separate notices and obtain your consent where applicable. If you do not agree with this Policy, please stop using the Service.
1. Data user identity and contact details
For the purposes of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong), Xiaosheng APAC Technology Limited is the data user responsible for determining the purposes and manner of collection and processing of personal data when you use the Service.
Company name: Xiaosheng APAC Technology Limited
Contact email: chris@dawnai.tech
If you contact us about personal data matters, please include "FileBay Data Privacy Inquiry" in the subject line.
2. Scope of this Policy
This Policy applies to personal data processing activities when you use:
- The FileBay App;
- Websites, campaign pages, listing pages or support pages related to the Service;
- Scanning, image or file import, OCR recognition, AI post-processing, translation, summaries, export and document management features;
- Account sign-in, membership, subscriptions, usage quotas, notifications, customer support, user feedback, complaints and after-sales service;
- Other services provided by us that expressly apply this Policy.
If you sign in, download, purchase, pay or share content through Apple App Store, Google Play, Apple, Google, Supabase or other third-party platforms, those third parties process your data under their own privacy policies. This Policy does not apply to data processing independently conducted by such third parties.
3. Purposes for which we collect and use your data
We may collect and use your personal data for the following purposes:
- Creating, verifying, signing in to and managing your account;
- Providing identity verification, security checks, risk control, rate limiting and abuse prevention;
- Providing camera scanning, image or file import, page organization, image processing, OCR recognition and result display;
- Saving and managing your documents, pages, titles, classifications, tags, folders, favorites, search indexes and export records;
- Providing text cleanup, structured extraction, summaries, translation, key point extraction, document Q&A and other AI post-processing based on scanned content or OCR text;
- Managing memberships, subscriptions, usage quotas, orders, transaction verification and entitlement restoration;
- Sending service notifications, system reminders, task completion reminders, account messages, transaction messages and notifications you have agreed to receive;
- Responding to inquiries, feedback, complaints, disputes and technical support requests;
- Conducting statistical analysis, product operations analysis, troubleshooting, service monitoring, security audits and feature improvements;
- Preventing fraud, bot abuse, unauthorized use, quota circumvention and other violations or unlawful acts;
- Fulfilling legal, regulatory, tax, accounting, audit, dispute handling, compliance and platform review obligations;
- Other purposes directly related to the above, with your consent where required or where permitted by law.
Unless we have notified you separately and obtained your consent where applicable, we will not use your personal data for new purposes that are not directly related to the above purposes.
4. Types of data we may collect
Depending on the features and interactions you actually use, we may collect the following data.
4.1 Account and basic data
This may include:
- User ID, account creation time, last sign-in time and account status;
- Email address;
- Nickname, display name, avatar or basic account data returned by third-party sign-in providers;
- App language, OCR language, translation target language, export preferences, notification preferences and other settings;
- Membership plan, subscription status, entitlement status, usage amount, quotas and relevant validity periods;
- The sign-in method you choose and related account identifiers.
4.2 Sign-in and verification data
Depending on your sign-in method, we may process:
- Email verification code sign-in: email address and records of code sending and verification;
- Apple sign-in: user identifier, email address or relay email provided by Apple;
- Google sign-in: account identifier, name, avatar, email address or other data you authorize Google to provide;
- Necessary identity credentials, sign-in status and session data returned by Supabase Auth or other identity services;
- Security verification data, including risk control results, device security check results, request records, error records and other necessary security data.
FileBay's email sign-in is based on verification codes and does not require you to create a password account.
4.3 Scanning, import and document content data
When you use scanning, photo import, file import, OCR or document management features, we may process:
- Images, scanned pages, PDFs or other files that you capture or import;
- Document titles, page counts, page order, rotation, cropping, enhancement settings, thumbnails, previews and exported files;
- OCR text, Markdown, structured blocks, tables, fields, confidence scores, recognition languages and necessary result data returned by providers;
- Document classifications, document types, tags, folders, favorites, archives, search text and update time;
- Content contained in medical, insurance, invoice, receipt, identity or other documents. Such content may include names, addresses, phone numbers, email addresses, member numbers, policy numbers, transaction data, medical or financial information and other sensitive or important data, depending on the documents you actively scan or import.
Please avoid scanning, uploading or sharing other people's personal data that is unrelated to the Service, that you are not authorized to process, or that you do not want us to process.
4.4 AI, OCR, translation and document Q&A data
If you use AI post-processing, translation, summaries, structured extraction, document Q&A or related intelligent features, we may process:
- OCR text, document summaries, structured results, document types, field content and necessary context that you choose to process;
- Questions, prompts, conversation content and replies generated by the Service during document Q&A;
- Translation target language, AI action type, processing status, error codes, error messages and generated results;
- Necessary content transmitted to OCR, AI, translation or cloud technology providers to complete the relevant features.
We will seek to process data under the principle of data minimization and avoid transmitting unnecessary direct identifiers to third-party technology providers. However, if the document content itself contains personal data, such data may be processed together with the OCR, AI or translation feature you choose.
Unless otherwise stated in this Policy, or unless we provide clear separate notice and obtain your consent where applicable, we will not use your private scanned documents, OCR text, document Q&A content or structured results to train our own public-facing general AI models.
4.5 Device, application and network data
This may include:
- Device model, operating system version, App version and build number;
- Installation instance ID, anonymous analytics ID, app session ID and push device ID;
- IP address, request ID, request time, network type, system language, region and time zone;
- Sign-in credentials, security verification data, error logs, security logs, performance logs and necessary technical logs.
4.6 System permissions and device feature data
You may decide whether to authorize the App to use certain system permissions, such as:
- Camera permission: used to photograph and scan documents, receipts, notes, book pages, identity documents or other content;
- Photo or media library read permission: used to let you select images from your photo library for OCR;
- Photo or media library add permission: used to save processed scans, images or export results back to your device;
- Notification permission: used to receive OCR completion, task status, account, subscription or service reminders;
- Local network permission: used in specific testing, development or local processing scenarios to connect to local OCR or relay services that you authorize; in official releases, this depends on the App's actual configuration and system prompts.
Unless you actively operate or expressly authorize, we will not automatically read existing content in your photo library. You may withdraw permissions in system settings at any time. After withdrawal, some features may not work properly, but other basic features are usually unaffected.
4.7 Notification and push data
If you enable notifications, we may process:
- Notification permission status;
- Push token;
- Installation instance ID, push device ID, App version, build number, language and time zone;
- Notification delivery, open, tap and related deep link events;
- Data necessary for binding, unbinding and troubleshooting notification services.
4.8 Product analytics and operations statistics
To understand service usage and improve the Service, we may collect:
- Behavioral data such as page views, button taps, scanning flows, OCR tasks, AI actions, export, subscription, notification and error events;
- Anonymous analytics ID, session ID, hashed user ID, App version, build number, platform, language, timestamp and event properties;
- Anonymized, aggregated or de-identified statistical data.
We do not sell product analytics data to third parties for their independent marketing purposes.
4.9 Payment, subscription and transaction data
If you purchase subscriptions or other paid features, we may collect:
- Product ID, plan type, purchase time, expiry time, original transaction ID, transaction ID, transaction platform, receipt or transaction verification result and payment status;
- Subscription status, entitlement status, restore purchase records, usage records and necessary reconciliation data;
- Necessary transaction data returned by Apple App Store, Google Play or other payment service providers.
We do not store your full credit card number, full bank account number or other full sensitive payment instrument information in the Service.
4.10 Customer support, complaints and feedback data
When you submit inquiries, complaints or feedback, we may collect:
- Feedback or complaint content;
- Your account email address or other contact details you voluntarily provide;
- Screenshots, images or other attachments you submit;
- App version, build number, iOS version, device model, App language and other troubleshooting data;
- Subsequent handling, contact and reply records between you and us.
5. Mandatory and voluntary data
Some data is necessary to provide core features. If you do not provide it, we may be unable to provide the corresponding features or services. Such data may include:
- Necessary identity data for the sign-in method you choose, such as email address or third-party sign-in credentials;
- Files, images, OCR text and necessary context required for scanning, import, OCR, AI post-processing or export;
- Necessary transaction verification data for paid features;
- Necessary technical data for security verification, risk control, rate limiting, fraud prevention or system operations.
Other data is generally voluntary, such as display name, avatar, language preferences, folders, tags, notification settings and feedback contact details. Not providing such data usually does not affect basic use of the Service, but may affect personalization, feature completeness or our ability to respond.
6. How we use your data
We use your data only within the scope that has been notified, is reasonably necessary, is directly related to the original collection purposes, or is permitted by law, including:
- Completing registration, sign-in, identity verification and account management;
- Providing scanning, import, OCR, document management, search, export and sharing;
- Providing OCR text cleanup, summaries, translation, key point extraction, structured extraction, document Q&A and other AI post-processing;
- Providing membership, subscription, quota, purchase verification, restore purchase and after-sales support;
- Sending service notifications, system reminders, transaction messages and account messages;
- Improving feature performance, recognition quality, stability and performance;
- Analyzing service usage, testing, operations, bug fixes and security monitoring;
- Preventing fraud, abuse, unauthorized use and other violations;
- Fulfilling legal, regulatory, platform and compliance obligations.
Unless we obtain your additional consent, or applicable law permits or requires otherwise, we will not use your personal data for new purposes unrelated to the above.
7. Special notice on AI, OCR and third-party technology
To provide OCR recognition, text reconstruction, structured extraction, summaries, translation, document Q&A or other intelligent features, we may use third-party AI, OCR, translation, cloud computing or machine learning technology providers, such as Supabase, Volcano Ark / Doubao Vision, DeepSeek, Google Cloud Translation, Cloudflare, Tencent Cloud email service or similar providers.
Where reasonably practicable, we apply the principle of data minimization and try to avoid transmitting unnecessary direct identifiers to third-party technology providers. However, to the extent necessary for relevant features, files, images, OCR text, structured results, translated text, document Q&A content or other necessary context that you capture or import may be processed by relevant entrusted service providers.
Unless otherwise stated in this Policy, or unless we provide clear separate notice and obtain your consent where applicable:
- We will not use your private scanned documents, OCR text, document Q&A content or structured results to train our own public-facing general AI models;
- We will not arrange human review, manual labeling or manual customer support inspection of your private scanned documents, OCR text or document Q&A content, except where required by law, necessary for complaints or dispute handling, payment or account troubleshooting, or platform security;
- Third-party AI, OCR, translation or cloud service providers' handling of data they receive is governed by their applicable terms, privacy policies and service arrangements with us.
8. Third-party disclosure, transfer and entrusted processing
We do not sell your personal data to third parties for their independent marketing purposes.
We may disclose, transfer or entrust third parties to process your data in the following circumstances, only to the extent necessary for the purposes described in this Policy:
- Cloud infrastructure, database, storage, content delivery, tunnel and system operations service providers;
- Sign-in, identity authentication, email verification and account service providers, such as Apple, Google, Supabase and email service providers;
- OCR, AI, translation and document processing technology providers, such as Volcano Ark / Doubao Vision, DeepSeek, Google Cloud Translation or similar providers;
- Notification, communication and push service providers, such as Apple Push Notification service or similar providers;
- Payment, subscription and transaction verification providers, such as Apple App Store, Google Play and other payment or subscription management providers;
- Product analytics, performance monitoring, error diagnostics, security risk control and anti-abuse service providers;
- Customer support, legal, accounting, audit, information security and professional advisers;
- Courts, regulators, law enforcement agencies, government authorities or bodies legally entitled to request data;
- Relevant transferees or transaction counterparties and their advisers in corporate restructuring, merger, investment, acquisition, asset sale or business transfer.
Where reasonably practicable, we require the above third parties to process your data only under our instructions, within the necessary scope, and with appropriate confidentiality and security measures.
9. Cross-border data transfer
Because the Service may be available to users outside Hong Kong and because we may use cloud, OCR, AI, translation, notification, analytics, payment or other technology providers located outside Hong Kong, your personal data may be transferred outside Hong Kong, or accessed, processed or stored outside Hong Kong.
When conducting cross-border transfers, we will take appropriate measures where reasonably practicable, such as:
- Transmitting only necessary data to service providers with a business need;
- Using contractual restrictions, confidentiality requirements and supplier management measures;
- Applying access controls, transmission encryption, permission restrictions and security monitoring;
- Using de-identification, data minimization or tiered management where practicable.
By using the Service, you understand that cross-border data processing may be involved in providing the Service.
10. Data retention period
We retain your data for a reasonable period necessary for the purposes described in this Policy and for applicable legal, tax, accounting, audit, dispute handling, security and compliance requirements. Different types of data may have different retention periods.
Generally:
- Account data: retained during the account lifecycle; after account cancellation, deleted or anonymized where reasonably practicable, unless legally required or needed for disputes or security audits;
- Scanned files, images, OCR text, structured results, AI post-processing results, folders, tags and search data: retained while you use relevant features and your account exists. After you delete documents, delete the account or we no longer need the data, we will delete, de-identify or anonymize it where reasonably practicable, unless legal, security, dispute, backup or audit reasons require retention;
- Exported files and download links: retained for the period necessary for export, download, security and cost control, and may be deleted or expired afterwards;
- Transaction, subscription and payment verification data: retained for legal, financial, reconciliation, tax and audit periods;
- Verification records, technical logs, security logs, risk control data and audit data: retained for operations, security, anti-abuse and compliance needs;
- Notification binding data and installation data: deleted or updated when you sign out, unbind, push token expires, delete the account or when we no longer need it;
- Customer support, complaint and feedback data: retained for ticket handling, dispute resolution and internal audit needs.
In some cases, we may retain anonymized, de-identified or aggregated statistical data that no longer directly identifies you.
11. Account deletion and data deletion
If you request account deletion or cancellation, we will handle it according to the system process available at that time.
Generally:
- After you submit a cancellation request, the account enters a 7-day grace period;
- During the grace period, you may withdraw the cancellation request if supported by the system;
- After the grace period expires, we will delete, de-identify or anonymize identifiable personal data directly related to that account.
However, we may still need to retain certain data:
- To comply with legal, tax, accounting, audit or regulatory requirements;
- To handle complaints, disputes, law enforcement requests or security incidents;
- To prevent fraud or abuse and protect platform and user security;
- To retain anonymized, de-identified or aggregated statistical data;
- Where backup, disaster recovery or technical limitations require retention for a reasonable period.
12. Your rights
Under applicable law, you may have the following rights:
- Ask whether we hold your personal data;
- Request access to a copy of your personal data;
- Request correction of inaccurate or incomplete personal data;
- Request account or related data deletion where applicable;
- Delete specific documents, scanned pages, export results or other content through features provided by the Service;
- Withdraw consent for processing based on consent;
- Manage system permissions such as camera, photos, notifications and local network;
- Make inquiries, appeals or complaints about data processing.
To exercise these rights, please contact us using the contact details in this Policy and provide the information necessary to verify your identity and locate the relevant account. We may require reasonable identity verification to prevent unauthorized access, change or deletion requests.
For data access requests, we may charge a reasonable administrative fee where permitted by law. We will handle your request as soon as reasonably practicable. Data access or correction requests under the Hong Kong Personal Data (Privacy) Ordinance will be handled according to applicable law.
13. Data security
We take reasonably practicable technical and organizational measures to protect your data, including:
- Authentication and access control;
- Transmission encryption;
- Access restrictions and least-privilege management;
- Security logs, risk monitoring and anomaly detection;
- System configuration, security updates and vulnerability fixes;
- Reasonable supplier management and security requirements;
- Data tiering, de-identification, hashing or anonymization where practicable.
However, no internet transmission or electronic storage method can be guaranteed to be absolutely secure. To the maximum extent permitted by law, we do not guarantee that data is 100% secure in all circumstances. If a data security incident may affect your rights, we will take appropriate measures according to applicable law and the actual circumstances.
14. Direct marketing
Currently, we do not use your personal data for direct marketing unrelated to the Service, and we do not provide your personal data to third parties for direct marketing unless we have complied with applicable legal requirements.
If in the future we intend to use your personal data for direct marketing, we will provide clear notice as required by applicable law, obtain your consent where needed, and provide a simple and free way for you to refuse or stop receiving such messages.
15. Minors
The Service is primarily intended for adults and persons with the required legal capacity.
If you are under 18, you should use the Service with the knowledge and consent of your parent or guardian, who should help you read and understand this Policy.
If we reasonably believe that we have collected a minor's personal data without appropriate consent, we will stop the relevant processing and take deletion or other appropriate measures where reasonably practicable.
16. Data we generally do not actively collect
Unless you actively provide it, expressly authorize it, or it is necessary for a relevant feature, we generally do not actively collect:
- Other images, videos or files in your photo library that you have not selected for import or saving;
- Contacts, calendar, precise location, Bluetooth data or health data;
- Full credit card numbers, full bank account details or payment passwords;
- Other sensitive data unrelated to scanning, OCR, document management, subscriptions, customer support or security.
However, if documents you actively scan, import, upload or share contain the above or other sensitive data, such data may be processed together with the document content. Please decide before use whether the relevant documents are suitable for submission.
17. Third-party websites, platforms and services
The Service may integrate, call, depend on or link to third-party platforms, sign-in services, payment platforms, app stores, cloud infrastructure, push services, OCR services, AI models, translation services or other technology providers. Such services are provided and controlled by the relevant third parties. We cannot fully control their content, availability, stability, security, data processing methods, policies or results.
When using third-party services, you may also be bound by the relevant third-party terms, policies and platform rules. If you do not agree to those third-party rules, some features may not be available.
18. Updates to this Policy
We may update this Policy from time to time for legal, regulatory, platform, technical, product, operational or security reasons. The updated version will be published through the App, website or another appropriate channel and will take effect upon publication or on the effective date stated.
If an update involves material changes to your important rights or personal data processing methods, we will notify you where reasonably practicable through in-app notices, pop-ups, announcements or other appropriate means. Unless applicable law requires otherwise, your continued use of the Service after the update means you understand the updated Policy. If you do not agree, you should stop using the Service.
19. Inquiries and complaints
If you have questions, inquiries, complaints or requests about this Policy, the Service's data processing methods, or your personal data rights, please contact us:
Company name: Xiaosheng APAC Technology Limited
Email: chris@dawnai.tech
Please include "FileBay Data Privacy Inquiry" in the email subject and provide the information necessary to verify your identity and locate the relevant account.