Privacy Policy

Effective date: 23 May 2026 · Last updated: 21 June 2026

This privacy policy describes how the ShotFinder Android application (the “App”) handles your information. The App is published by Optygate (“we”, “us”). The application package name is com.optygate.screenshotsearch.

This version of the policy covers ShotFinder including its online features: optional account sign-in, customization sync, AI Enhance, and opt-in crash reports. Each of those features is described below, including exactly what data it sends and where it goes.

Summary

ShotFinder works fully on your device. Search, tags, categories, smart actions, and cleanup run on-device and make no network calls.
Five things can touch the internet, and you control each one. None of them turn on automatically; they only fire when you sign in, buy something, tap AI Enhance, opt into crash reports, or explicitly enable customization sync.
Your screenshots and the text extracted from them leave your device only when you tap AI Enhance on a single screenshot. Never automatically, never in bulk.
Customization sync is off by default, and when on it syncs metadata only (your tags, categories, archive flags, and collections), never your screenshots or their text.
The App contains no product-analytics SDK and no advertising SDK. The only telemetry is optional, opt-in crash reporting to our own self-hosted service.

The five network surfaces

ShotFinder reaches the network in exactly five ways. Each is listed in the app under Settings → Privacy → “Network surfaces,” and each is described here.

Google sign-in: optional. Sign in if you want to attach your Pro purchase and AI credits to your account, sync your customizations, or use AI Enhance. The App works fully without an account. Sign-in uses Google services (Android’s Credential Manager and Google identity) to Google-controlled endpoints; our server only verifies the resulting Google ID token.
Customization sync: off by default after sign-in. You turn it on yourself in Settings → Account, after a consent screen that names what crosses the wire. When on, it syncs across your signed-in devices: your custom tags, custom categories, archive flags, collections, and any category or tag edits you made by hand. No screenshots. No OCR text. No app preferences. Talks to ShotFinder’s own server at api.shotfinder.optygate.com only.
Billing & credits: when you purchase Pro, restore a purchase, top up AI credits, or when the App verifies your purchase or credit balance before a paid action, the App talks to Google Play and to our server (api.shotfinder.optygate.com) to verify the purchase and grant credits.
AI Enhance: only when you tap the AI Enhance button on a single screenshot. One tap, one screenshot. Never automatic, never batch. That screenshot and the text we already extracted from it (the currentOcrText field) are sent to ShotFinder’s API at api.shotfinder.optygate.com, which forwards them to Google’s Gemini API, the third-party AI provider that powers AI Enhance, on a paid tier whose terms do not use your content to train Google’s models. Your screenshot and its input text are not stored on our server after the call returns. The improved result the AI returns (better text, refined category, tags, entities, and an optional summary) is cached on our server for up to 7 days so that a retry returns the same result without charging you again, then it is deleted.
Anonymous crash reports: off by default. If you turn them on, anonymous error reports are sent to our own self-hosted crash-reporting service at glitchtip.shotfinder.optygate.com. They never contain your screenshots, their text, file paths, or anything you typed.

Adding a sixth network surface would require updating this policy, the in-app “Network surfaces” screen, and the Google Play Data Safety form together.

What information the App accesses

To do its job, indexing and organizing your screenshots, the App needs to read images on your device. Depending on your Android version, this may use one or more of the following permissions:

READ_MEDIA_IMAGES (Android 13 and newer): to read images for indexing.
READ_MEDIA_VISUAL_USER_SELECTED (Android 14 and newer): if you grant access only to selected images.
READ_EXTERNAL_STORAGE (Android 12 and older): the older equivalent permission.
POST_NOTIFICATIONS: to show indexing progress and helpful banners.
FOREGROUND_SERVICE and FOREGROUND_SERVICE_DATA_SYNC: so initial indexing can finish reliably.
com.android.vending.BILLING: to support in-app purchases through Google Play.
INTERNET and ACCESS_NETWORK_STATE: for the five network surfaces above. The App does not use the network for indexing, search, tags, categories, smart actions, or cleanup; those run on your device.

Image content is read locally and leaves your device only on a user-initiated AI Enhance tap, as described above.

What the App stores on your device

The App stores the following inside its private application storage:

References to your screenshot images (as Android MediaStore identifiers, not copies of the images).
Text extracted from your screenshots by on-device OCR (Google ML Kit Text Recognition, which covers English and 20+ other Latin-script languages).
Tags, categories, detected entities, and any edits you make.
Your collections and app preferences.
If you make a purchase, your Google Play purchase token, so the App can recognize that you have a paid plan.
If you sign in, your account session and a local mirror of your AI credit balance.

This on-device data is never transmitted to us or to any third party except through the five network surfaces described above.

What we store on our server

If you sign in and use the online features, our server (at api.shotfinder.optygate.com) stores only what those features require:

Account: your Google Account ID, a SHA-256 hash of your email (for support lookup and account de-duplication, never your email in readable form), and your display name.
Customization sync (only if you turn sync on): your custom tags, custom categories, archive flags, collections, and hand edits, plus a stable identity for each screenshot (a content hash and basic file attributes, never the image itself). No screenshots. No OCR text.
Credits & billing: your purchase tokens, plan state, and AI credit balance.
AI Enhance: a record of each request (account, request id, time, credits used, and success/refund state) kept for accounting. The input screenshot bytes are never stored; the input text is dropped after the call; the AI’s output is cached for up to 7 days, then deleted.

Opt-in crash reports are stored separately on our self-hosted crash-reporting service at glitchtip.shotfinder.optygate.com, and only if you opt in.

On-device OCR

The App reads the text in your screenshots on your device. It uses Google ML Kit Text Recognition, covering English and 20+ other Latin-script languages. It runs entirely on your device and requires no internet connection; the model ships inside the App, so nothing is downloaded from a network at runtime. AI Enhance is a separate, opt-in feature that can send a single screenshot to a cloud AI provider when you tap it (see above).

Google Sign-In and Google user data

Sign-in is optional and is only prompted when you choose to buy Pro, enable sync, or use AI Enhance, never on first launch, and the App works fully without an account. Sign-in uses Android’s Credential Manager with Google Sign-In, requesting the standard openid, email, and profile scopes. When you sign in, the App receives a Google ID token, which our server verifies before issuing a ShotFinder session.

Google user data we access. Through Google Sign-In we access only the basic identity contained in your Google ID token:

Your Google Account ID: the stable unique identifier (the OpenID sub) for your Google account.
Your email address, and whether Google has verified it.
Your name (display name) from your basic Google profile.

How we use this data.

Google Account ID: identifies your ShotFinder account across sign-ins and across your devices; it is what your Pro purchase, AI credits, and (if you turn on sync) your synced customizations attach to.
Email address: shown in the App so you can see which account you are signed in as. On our server we keep it only as a SHA-256 hash (for support lookup and account de-duplication); we do not store your email in readable form. The verified flag is used to reject sign-ins from unverified email addresses.
Name: shown in the App (your signed-in name and avatar initials) and stored on our server as your display name.

Where it is stored and for how long. On your device, your name, email, account id, and session token live in the App’s private storage so it can show who is signed in and call our API; they are cleared when you sign out. On our server (api.shotfinder.optygate.com) we store your ShotFinder account id, your Google Account ID, a SHA-256 hash of your email, and your display name. To delete this and all other server-side data, open Settings → Account → Delete account in the App, which removes it right away. You can also email us at dev@optygate.com from the address you signed in with, and we delete it within 30 days.

What we do not access. We request no other Google data. ShotFinder does not access your Google Contacts, Gmail, Drive, Calendar, Google Photos, or any other Google service, only the basic sign-in identity listed above. We do not sell your Google user data, do not share it with third parties, and do not use it for advertising.

ShotFinder’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google’s own handling of your sign-in is governed by Google’s privacy policy. You can sign out at any time from Settings → Account.

Google Play Billing & credits

In-app purchases are processed by Google Play Billing, a Google service that is part of your device’s Google Play Services. When you make a purchase, your payment interaction is between you and Google; the App receives a purchase token, and our server verifies that token with Google to unlock paid features and grant any bundled AI credits. We do not see your name, payment method, or billing address. Google’s handling of your purchase is governed by Google’s privacy policy.

Crash reporting

Crash reporting is off by default. You can turn it on in Settings → Privacy; the first time you do, the App explains what is collected. When on, anonymous error reports (stack traces, device model, OS version, app version) are sent to our own self-hosted crash-reporting service at glitchtip.shotfinder.optygate.com. Reports are scrubbed on your device before sending and never contain your screenshots, their text, file paths, or anything you typed.

What the App does not do

The App does not upload your screenshots or their text to any server except on a screenshot-by-screenshot AI Enhance tap that you initiate.
The App does not sync your screenshots or the text extracted from them. Sync carries metadata only.
The App does not include Firebase Analytics, Google Analytics, Mixpanel, Amplitude, PostHog, or any other product-analytics SDK, permanently.
The App does not include any advertising or ad-attribution SDK.
The App does not require an account. Sign-in is optional and only requested when you use an online feature.

Children’s privacy

The App is not directed to children under 13. We do not knowingly collect any personal information from children.

Your control over your data

You stay in control of your data:

Revoke the App’s access to your media in Android Settings at any time.
Reset the local index from Settings → Privacy → “Reset local index” (clears the on-device text, tags, and categories; the App rebuilds them from your screenshots on its next pass).
Turn customization sync off at any time from Settings → Account, which keeps your data on the device and stops syncing.
Delete your account and all server-side data from Settings → Account → Delete account in the App (or by emailing dev@optygate.com from the address you signed in with). This removes your synced customizations, AI Enhance history, and AI credits; your on-device index stays on your phone, and your Google Play purchase remains valid.
Turn crash reporting off at any time from Settings → Privacy.
Clear the App’s storage from Android Settings, or uninstall the App to remove all of its local data.

Data sharing

We do not sell or rent your data. The only third parties involved are Google (for sign-in, Play Billing, and abuse-prevention checks) and Google’s Gemini API, which powers AI Enhance, and only for the specific, user-initiated purposes described above. We use Gemini on a paid tier whose terms do not use your content to train Google’s models.

Security

On-device data lives in the application-private area of your device’s storage, sandboxed by Android from other apps, and protected by your device’s screen lock and disk encryption. Network traffic to our server uses TLS (HTTPS). Server-side data is access-controlled and stored only as long as the relevant feature requires.

Changes to this policy

If we change this policy (for example, if a future version adds a new feature or changes the AI Enhance provider), we will update this page and clearly mark what changed. The current version of the policy is always available at this URL.

Contact

If you have questions about this policy or about the App, email dev@optygate.com.