InkStrip Privacy Policy
Plain-English Summary
InkStrip is built around a simple promise: your comics stay yours.
- We never upload your comic files. They stay on your device, or on a cloud folder you connect (iCloud Drive, Google Drive, Dropbox) that you already control.
- We do collect a small amount of account, subscription, and usage data needed to run the service — described in detail below.
- We do not sell your data, run ads, use advertising identifiers, or share data with third-party advertisers.
- You can request a copy of your data, or delete it permanently, at any time by emailing privacy@themattlabs.com.
If anything in this policy is unclear, email us and we’ll explain.
Contents
- Who We Are
- Scope
- App Store Privacy Label Summary
- What We Collect and Why
- Third Parties Who Process Your Data
- International Data Transfers
- How Long We Keep Your Data
- Your Rights
- Children
- Security
- Beta Testing (TestFlight)
- Cookies and Similar Technologies
- Automated Decisions and Profiling
- Changes to This Policy
- Contact
1. Who We Are
InkStrip is operated by TheMattLabs Ltd (“TheMattLabs”, “we”, “us”), registered at 2C Tudor Road, Kingston Upon Thames, KT2 6AW, United Kingdom.
For privacy questions or to exercise your rights, contact: privacy@themattlabs.com.
For users in the EU/UK, TheMattLabs is the data controller for personal data processed by InkStrip.
2. Scope
This policy covers the InkStrip iOS application, including beta builds distributed through Apple’s TestFlight program. It does not cover:
- Other TheMattLabs products (e.g., UpMark — see themattlabs.com/privacy)
- Third-party services you reach from within InkStrip (e.g., your Google Drive account, your Dropbox account)
- Comic content you legally obtain elsewhere
3. App Store Privacy Label Summary
| Category | Collected? | Linked to you? | Used for tracking? |
|---|---|---|---|
| Contact Info (email, name) | Yes — if you create an account | Yes | No |
| User Content (reading progress, preferences, library metadata) | Yes — local; synced if Pro | Yes | No |
| Identifiers (Firebase UID, IDFV) | Yes | Yes | No |
| Usage Data (app interactions, sessions, screen views) | Yes | Yes | No |
| Diagnostics (crash logs, performance data) | Yes | Yes | No |
| Purchases (subscription status) | Yes | Yes | No |
| Comic files / page images | No — never uploaded | — | — |
| Advertising identifiers (IDFA) | No | — | — |
| Location, Contacts, Photos library, Health, Browsing history | No | — | — |
| Sensitive Info (race, religion, sexual orientation, political views) | No | — | — |
4. What We Collect and Why
4.1 Account Data
When you create an account or sign in:
- Sign in with Apple: Apple-provided email (or relay email), name (if you share it), and an Apple user identifier
- Sign in with Google: Email address, display name, profile picture URL, and a Google user identifier
- Email and password: Email address and a securely hashed password (managed by Firebase Authentication)
- Firebase user ID (UID): A unique identifier issued by Firebase that lets us recognise you across sessions and devices
Purpose: to create your account, authenticate you, sync your data across your devices, and contact you about service issues if needed.
Legal basis (EU/UK): performance of the contract you enter into when you sign up.
4.2 Subscription Data
When you subscribe to InkStrip Pro:
- Subscription status, plan, renewal date, trial state — managed by RevenueCat on our behalf
- Apple App Store transaction identifier — used to verify your subscription is valid
- Anonymous device identifier (if you are not signed in) — to associate the subscription with your device
We do not receive or store your payment card details, billing address, or Apple ID password. Those are handled entirely by Apple.
Legal basis: performance of the contract.
4.3 Reading Data (Synced for Pro Users)
If you have an active InkStrip Pro subscription and have signed in, the following data may be synced to your account so you can pick up where you left off on another device:
- Reading progress — which page of which issue you are on, last-read timestamps, completion status
- Reading preferences — reading direction (LTR/RTL/vertical), brightness, page-turn animation, per-series overrides
- Library manifest — your list of series and issues (titles, page counts, file sizes, your custom tags and collections)
- Reading sessions — start time, end time, pages read, for the reading-stats feature
- Deletion tombstones — small markers indicating items you deleted, so the deletion propagates across your devices
What is NOT synced: the comic files themselves, page images, your file paths, or any other content from your device’s storage.
Purpose: to provide the cross-device sync feature advertised for Pro users.
Legal basis: performance of the contract.
Hosting: Sync data is stored on InkStrip’s backend infrastructure hosted by Railway (running on Google Cloud Platform) in the Netherlands (europe-west4). It is transmitted over TLS 1.2 or higher and encrypted at rest. Railway maintains SOC 2 Type II, SOC 3, HIPAA, and GDPR compliance and offers a Data Processing Agreement.
4.4 Local Library Data (Stored Only on Your Device)
The following data is stored locally on your device using Apple’s SwiftData framework and is not transmitted to us unless you have Pro and sync is enabled (see 4.3):
- File paths and security-scoped bookmarks for comic files you have imported or connected
- Locally generated cover thumbnails and reading-progress markers
- Free-tier reading history, preferences, and collections
If you delete the InkStrip app, all locally stored data is removed by iOS along with the app.
4.5 Cloud Library Sources (User-Connected Folders)
If you connect a cloud folder (iCloud Drive, Google Drive, or Dropbox) as a library source, InkStrip uses iOS security-scoped bookmarks to access the folder on your behalf. We store the folder reference and metadata about its contents (file names, sizes, modification dates, scan timestamps).
We do not upload your comic files to InkStrip servers, and we do not read file contents beyond what is needed to detect that a file is a comic archive (CBZ/CBR/PDF) and generate a thumbnail. The files remain in your cloud account under your control.
When you sign in to Google Drive or Dropbox through InkStrip, the OAuth tokens are stored in the iOS Keychain on your device. We do not have access to those tokens.
4.6 Analytics
InkStrip uses Firebase Analytics (Google) to understand which features are used, which screens cause friction, and how to improve the app. By default, Firebase Analytics collects:
- Anonymous events such as session start, app open, screen view, and in-app purchase
- The Identifier for Vendors (IDFV) — an Apple-provided identifier that is the same across all apps from TheMattLabs on a single device but is reset when you delete all our apps
- Approximate region (country-level) derived from IP address; we do not store precise location
- Device model, iOS version, app version, locale, time zone
We do not use the Identifier for Advertisers (IDFA) and we do not prompt for App Tracking Transparency, because we do not track you across other companies’ apps or websites.
Purpose: product improvement and aggregated usage statistics.
Legal basis: legitimate interests (improving the service).
How to opt out: During the beta, the only way to opt out of analytics is to delete the InkStrip app from your device. Once the app is removed, no further analytics events are collected. We plan to add an in-app analytics toggle in a future release.
4.7 Crash and Performance Diagnostics
InkStrip uses Firebase Crashlytics to receive automatic reports when the app crashes or hits a non-fatal error. Crash reports include:
- Stack trace and exception type
- App version, build, iOS version, device model
- A non-resettable Firebase installation identifier
- Anonymous breadcrumbs of the last few in-app actions (e.g., “opened reader”, “imported file”)
Crash reports do not include the content of your comics, your file paths, your email address, or any personal account data.
Purpose: to detect and fix bugs.
Legal basis: legitimate interests in maintaining a stable product.
4.8 User-Initiated Diagnostic Export
InkStrip includes a Settings → Export Diagnostics feature. When you tap it, the app creates a ZIP file on your device containing your local error log, a count of items in your library (no titles), and basic app/device version information.
This ZIP is not uploaded anywhere. It is shared only to wherever you choose via the iOS share sheet (e.g., Mail, Messages, AirDrop, Files). If you send it to us for support, you are choosing to do so, and we will only retain it as long as needed to resolve your support request (typically under 30 days).
5. Third Parties Who Process Your Data on Our Behalf
These are our “data processors” (or “subprocessors”). They handle your data under contract on our behalf:
| Service | Provider | What it does | Where data is processed |
|---|---|---|---|
| Firebase Authentication | Google LLC | User sign-in, password management | United States |
| Firebase Analytics | Google LLC | App usage analytics | United States |
| Firebase Crashlytics | Google LLC | Crash reporting | United States |
| RevenueCat | RevenueCat, Inc. | Subscription state management | United States |
| Apple Sign In | Apple Inc. | Apple ID sign-in flow | Per Apple’s policy |
| Google Sign-In | Google LLC | Google account sign-in flow | United States |
| Apple App Store / StoreKit | Apple Inc. | Subscription billing | Per Apple’s policy |
| InkStrip Sync Backend | TheMattLabs, hosted on Railway (GCP) | Cross-device sync of reading data (Pro) | Netherlands (europe-west4) |
Third Parties You Connect Yourself (Independent Controllers)
When you connect a cloud library source, those providers act as independent data controllers for the data they hold:
| Provider | Why it’s connected | Their privacy policy |
|---|---|---|
| Apple iCloud Drive | Comic file source | apple.com/legal/privacy |
| Google Drive | Comic file source | policies.google.com/privacy |
| Dropbox | Comic file source | dropbox.com/privacy |
We have no visibility into what you store with those providers beyond the specific folder you grant InkStrip access to.
6. International Data Transfers
If you are in the EU/UK and we transfer your data to the United States (e.g., Firebase, RevenueCat), the transfer is covered by Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner’s Office, and by each provider’s adherence to the EU-US Data Privacy Framework where applicable.
You can request a copy of the safeguards in place by emailing privacy@themattlabs.com.
7. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Account data (email, Firebase UID) | Until you request deletion, then removed within 30 days |
| Sync data (reading progress, preferences, library manifest) | Until you request deletion, then removed within 30 days |
| Deletion markers (tombstones) | Up to 90 days, then automatically purged |
| Subscription records | Retained as required for tax and accounting (typically 7 years), anonymised after account deletion |
| Crash reports (Firebase Crashlytics) | 90 days (Firebase default) |
| Analytics events (Firebase Analytics) | 14 months (Firebase default for app event data) |
| Diagnostic ZIPs you send us by email | Up to 30 days after your support ticket is resolved |
Local data on your device persists until you delete the app.
During the beta program, account deletion is processed manually on request. Email privacy@themattlabs.com and we will permanently delete your account and synced data within 30 days. A self-serve in-app account-deletion flow will be available before the public App Store launch.
8. Your Rights
Regardless of where you live, you can:
- Access the personal data we hold about you
- Correct inaccurate data (most fields are editable in-app via Settings)
- Delete your account and all associated data — during the beta, email privacy@themattlabs.com; a self-serve in-app deletion flow is in development for the public release
- Export a machine-readable copy of your data
- Withdraw consent for analytics by deleting the InkStrip app from your device (a future release will add an in-app toggle)
- Object to processing based on legitimate interests
- Lodge a complaint with your local data protection authority
Subscription expiry never deletes your data. If your InkStrip Pro subscription ends, your local comics, reading progress, and preferences remain intact. Cross-device sync stops, and synced data on our servers is retained for 90 days in case you renew, then deleted.
To exercise any right, email privacy@themattlabs.com. We will respond within 30 days.
9. Children
InkStrip is intended for users aged 13 and over (16 and over in the EU, 18 and over in the UK where required by the Age Appropriate Design Code).
We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, contact privacy@themattlabs.com and we will delete it.
We do not direct InkStrip at children, do not include child-targeted features, and have not been designed under Apple’s Kids Category.
10. Security
We protect your data with:
- TLS 1.2 or higher for all network connections (enforced by Apple’s App Transport Security; we use no exemptions)
- Encryption at rest for synced data — our backend runs on Railway (on Google Cloud Platform), where database and disk storage are encrypted at rest by default. Railway is SOC 2 Type II and SOC 3 certified, and HIPAA- and GDPR-aligned.
- iOS Keychain storage for authentication credentials and OAuth tokens — Firebase Authentication, Apple Sign In, and Google Sign-In each use the device Keychain to store their tokens
- Security-scoped bookmarks so that cloud-folder access (iCloud Drive, Google Drive, Dropbox) is sandboxed to the specific folder you select and revocable at any time from iOS Settings
- Archive extraction limits that protect against malicious or malformed comic files. We enforce a 100 MB per-file cap, a 4 GB total archive cap, a 5,000-entry cap, path-traversal protection, symlink rejection, and an image-type allow-list
No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you and the relevant regulators as required by law (typically within 72 hours for GDPR/UK GDPR).
11. Beta Testing (TestFlight)
If you participate in the InkStrip beta program via Apple TestFlight:
- Apple shares your TestFlight tester email and basic install/crash information with us so we can manage the beta and respond to feedback
- Crash reports and feedback you submit via TestFlight are governed by Apple’s TestFlight terms and Apple’s privacy policy
- Beta builds may include additional logging that is removed before App Store release
- Your TestFlight participation can be ended at any time by removing the app or leaving the test group in TestFlight
Once a build is released on the App Store, the beta data collected by TestFlight is retained by Apple per Apple’s policy, not by us.
12. Cookies and Similar Technologies
InkStrip is a native iOS app and does not use browser cookies. It uses:
- iOS UserDefaults for non-sensitive preferences
- iOS Keychain for credentials and tokens
- SwiftData local database for your library
- Firebase Installation ID for analytics and crash attribution
These are not transmitted to third parties beyond the processors listed in Section 5.
13. Automated Decisions and Profiling
We do not use your data to make automated decisions that produce legal or similarly significant effects about you. We do not profile you for advertising or scoring.
14. Changes to This Policy
We may update this policy as the product evolves. When we make material changes:
- We will update the Last Updated date at the top
- For significant changes, we will notify you via the app on next launch and, where required by law, by email
- The previous version will be archived and available on request
Continued use of InkStrip after a change indicates acceptance of the updated policy. If you do not agree, you can delete your account.
15. Contact
Privacy questions, requests, and complaints: privacy@themattlabs.com
Postal address: TheMattLabs Ltd, 2C Tudor Road, Kingston Upon Thames, KT2 6AW, United Kingdom