Effective: 2026-05-12 Last updated: 2026-07-07 Version: 1.2.0

1. Who we are

ScoreDesk is developed by Marcos Navarro, an individual developer based in Spain, who is the data controller for this policy. For any privacy-related question, write to support@scoredesk.app. We read every email and reply; correspondence is processed under legitimate interest (answering your question) and retained indefinitely unless you ask us to delete it.

2. Scope

This policy applies to the ScoreDesk Android application on Google Play and to the public website at https://scoredesk.app, whose only data processing is the cookieless, aggregated visit measurement described in §3.7. It does not cover your separate relationship with Google, Microsoft, or Dropbox once you have connected those services to ScoreDesk via OAuth. Those relationships are governed by each provider’s own privacy policy, linked in §6.

3. What data ScoreDesk processes

3.1 Data that stays on your device

The following items are stored only on your device (in app-private SQLite databases and the app’s private file directory) and are never transmitted anywhere by ScoreDesk:

  • PDF files you import (scores, sheet music).
  • Score metadata you enter (title, artist, genre, tags, key, BPM, time signature).
  • Bookmarks and their metadata.
  • Setlists.
  • Annotations you draw or type onto your scores (strokes, text, stamps).
  • Snippet images you create.
  • Audio backing tracks you import.
  • App settings (theme, swipe-to-turn, pedal configuration, touch zones).
  • Your consent decision (the toggles you set in the consent dialog or in Settings → Privacy).

These items are deleted when you uninstall the app, when you delete an individual score/bookmark/setlist/track from inside the app, or when you use the in-app “Erase all my data” action (planned for a future release).

If you export a backup .zip to a location you choose via the system file picker, the contents of that file are under your control — ScoreDesk does not upload it anywhere automatically.

3.2 Data transmitted to Google (Firebase + Drive + Play Billing)

The following items are transmitted to Google only in release builds and, for telemetry items, only after you have given consent (or have not opted out, depending on your region — see §3.6).

  • Crash reports. When the app crashes or reports a non-fatal exception internally, the stack trace and Firebase-collected device metadata (device model, OS version, locale, Firebase installation ID) are sent to Firebase Crashlytics. We also attach a short trail of recent breadcrumbs (severity, tag, message) and the name of the screen that was active.
  • Analytics events. A fixed catalog of bucketed events (approximately 130 event types) is sent to Firebase Analytics — for example, “score opened”, “annotation drawn”, “paywall shown”. The values attached to each event are always pre-bucketed (e.g. file-size buckets, duration buckets) so that no free-text or user-generated content reaches Google.
  • User properties. A small set of state flags is attached to your Analytics profile: device form factor, current theme palette, current theme mode, the app version of your first install, and whether you have connected Google Drive / created setlists / created annotations / imported audio tracks.
  • Purchase data. When you buy ScoreDesk Pro, the purchase token and product ID flow through Google Play Billing so we can confirm and acknowledge the purchase.
  • Google Drive imports. If you connect Google Drive and use the in-app Picker to choose a file, the file IDs you select and the download requests for those files are sent to the Google Drive API on your behalf. ScoreDesk has no permission to list the rest of your Drive contents — the OAuth scope is drive.file, and the browser is rendered by Google outside our process.

ScoreDesk does not transmit the contents of your scores, annotations, setlists, bookmarks, or audio tracks to Google. Those remain entirely on your device.

3.3 Data transmitted to Microsoft (OneDrive)

If you connect OneDrive, ScoreDesk reads your files via Microsoft Graph with the read-only scope Files.Read.All. Requests are only issued when you actively browse or import from inside the app.

3.4 Data transmitted to Dropbox

If you connect Dropbox, ScoreDesk reads your files via Dropbox’s API with the read-only scopes files.metadata.read and files.content.read. Requests are only issued when you actively browse or import from inside the app.

3.5 Android permissions requested

ScoreDesk’s release build carries the following permissions:

  • INTERNET — required for Firebase telemetry, cloud imports, and Google Play Billing.
  • WAKE_LOCK — keeps the screen on while you are reading or playing a score.
  • ACCESS_NETWORK_STATE — network-reachability checks performed internally by the sign-in (MSAL) and Play Services libraries; ScoreDesk itself does not read this data.
  • com.android.vending.BILLING — enables Google Play in-app purchases (ScoreDesk Pro).
  • app.scoredesk.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION — an internal Android safety mechanism, automatically added by the AndroidX library, that prevents other apps from sending signals to ScoreDesk’s internal broadcast receivers. It is not a data-access permission and does not expose any of your data.

No storage, location, microphone, camera, contacts, or other sensitive permissions are requested.

3.6 Regional default

In the EU/EEA/UK, telemetry is off by default and requires explicit consent on first launch. Elsewhere, telemetry is on by default; you can opt out at any time in Settings → Privacy.

3.7 Website analytics (scoredesk.app)

The scoredesk.app website uses Umami (Umami Software, Inc.), a privacy-focused analytics service, to measure visits in aggregate. Umami does not use cookies or any other storage on your device, does not store IP addresses, and does not create persistent identifiers — visitors cannot be identified or tracked across sites. The data collected is aggregate only: pages viewed, referrer, country, browser, operating system and device type, plus clicks on the Google Play download links and the language switcher. Because no identifier is stored, this data cannot be linked back to you and there is no per-visitor record to access or delete. https://umami.is/privacy.

4. How we use the data we do process

  • App functionality — purchase token and product ID (to confirm your Pro entitlement); OAuth tokens (to fulfil cloud imports you initiated); state flags (e.g. whether you’ve created setlists or annotations) so you don’t lose Pro feature access on reinstall.
  • Diagnostics — crash stacks, non-fatal exceptions, breadcrumbs, and active-screen markers (Crashlytics).
  • Analytics — bucketed event catalog + user-property state flags (Firebase Analytics), used to understand which features are used and which flows underperform.

We do not combine telemetry across user identities and we do not enrich it with third-party data.

5. Legal bases (GDPR Article 6)

  • Consent (Art. 6(1)(a)) — covers all Crashlytics and Analytics collection from EU/EEA/UK users. The consent dialog is bottom-sheet, non-dismissable, and grants you separate toggles for crash reporting and analytics.
  • Legitimate interest (Art. 6(1)(f)) — covers Crashlytics and Analytics collection from users in regions where consent is not legally required (the default-on regions). Our interest is in detecting crashes and understanding feature usage so we can fix and improve the app; the data is pre-bucketed and never includes content you authored. You can opt out at any time in Settings → Privacy. This basis also covers the cookieless, aggregated website analytics described in §3.7 — our interest is understanding whether the website works and where its visitors come from; the data contains no identifiers and cannot single anyone out.
  • Contract performance (Art. 6(1)(b)) — covers Play Billing data flow when you purchase Pro.

6. Subprocessors

ScoreDesk uses six subprocessors. Their roles and links to their own GDPR documentation:

7. Data retention

Category Where Retention
On-device data (§3.1) Your device Until deleted or uninstalled
Crash reports Firebase Crashlytics 90 days
Analytics events Firebase Analytics 14 months
OAuth access tokens Your device Until revoked or disconnected
Purchase data Google Play Per Google’s policy
Website analytics (aggregated, §3.7) Umami Cloud 6 months

8. Your rights under GDPR

You have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. You can exercise these rights at any time:

  • Telemetry processed by ScoreDesk via Firebase: open Settings → Privacy inside the app to stop future events. Existing Firebase-side data is retained per §7 unless you request deletion. To request erasure of telemetry already collected, open Settings → Privacy → Diagnostics info inside the app, copy your installation ID, and include it in an email to support@scoredesk.app. We will use that ID to locate and delete data linked to your install via Google’s Firebase user-deletion tools.
  • On-device data: delete items individually in-app, uninstall the app, or use “Erase all my data” (when available).
  • OAuth tokens: revoke at the provider end — https://myaccount.google.com/permissions (Google), https://account.live.com/consent/Manage (Microsoft), https://www.dropbox.com/account/connected_apps (Dropbox) — or disconnect the provider from inside ScoreDesk.

For any other request — including access to support-email correspondence, clarifications, or complaints — write to support@scoredesk.app. You also have the right to lodge a complaint with your local data protection authority.

9. International transfers

Google, Microsoft, Dropbox, and Cloudflare process data on infrastructure that may be located outside the European Economic Area (typically in the United States or other regions). Transfers are covered by the Standard Contractual Clauses (SCCs) included in each provider’s data-processing terms (linked in §6). Umami Software, Inc. (website analytics, §3.7) is also US-based; the data it processes for us is aggregated and contains no personal identifiers.

10. Security

All network traffic uses TLS. On-device data and OAuth tokens are protected by the standard Android per-app sandbox; device-level encryption applies on modern devices.

11. Children’s privacy

ScoreDesk is not directed to children under 13 (United States COPPA) or under 16 (EU member states applying the GDPR national-law option). This matches the target-audience declaration in our Play Store listing. We do not knowingly collect data from children.