Privacy Policy
Effective: 2026-05-12 Last updated: 2026-07-07 Version: 1.2.0
1. Who we are
ScoreDesk is developed by Marcos Navarro, an individual developer based in Spain, who is the data controller for this policy. For any privacy-related question, write to support@scoredesk.app. We read every email and reply; correspondence is processed under legitimate interest (answering your question) and retained indefinitely unless you ask us to delete it.
2. Scope
This policy applies to the ScoreDesk Android application on Google Play and to the public website at https://scoredesk.app, whose only data processing is the cookieless, aggregated visit measurement described in §3.7. It does not cover your separate relationship with Google, Microsoft, or Dropbox once you have connected those services to ScoreDesk via OAuth. Those relationships are governed by each provider’s own privacy policy, linked in §6.
3. What data ScoreDesk processes
3.1 Data that stays on your device
The following items are stored only on your device (in app-private SQLite databases and the app’s private file directory) and are never transmitted anywhere by ScoreDesk:
- PDF files you import (scores, sheet music).
- Score metadata you enter (title, artist, genre, tags, key, BPM, time signature).
- Bookmarks and their metadata.
- Setlists.
- Annotations you draw or type onto your scores (strokes, text, stamps).
- Snippet images you create.
- Audio backing tracks you import.
- App settings (theme, swipe-to-turn, pedal configuration, touch zones).
- Your consent decision (the toggles you set in the consent dialog or in Settings → Privacy).
These items are deleted when you uninstall the app, when you delete an individual score/bookmark/setlist/track from inside the app, or when you use the in-app “Erase all my data” action (planned for a future release).
If you export a backup .zip to a location you choose via the system file
picker, the contents of that file are under your control — ScoreDesk does
not upload it anywhere automatically.
3.2 Data transmitted to Google (Firebase + Drive + Play Billing)
The following items are transmitted to Google only in release builds and, for telemetry items, only after you have given consent (or have not opted out, depending on your region — see §3.6).
- Crash reports. When the app crashes or reports a non-fatal exception internally, the stack trace and Firebase-collected device metadata (device model, OS version, locale, Firebase installation ID) are sent to Firebase Crashlytics. We also attach a short trail of recent breadcrumbs (severity, tag, message) and the name of the screen that was active.
- Analytics events. A fixed catalog of bucketed events (approximately 130 event types) is sent to Firebase Analytics — for example, “score opened”, “annotation drawn”, “paywall shown”. The values attached to each event are always pre-bucketed (e.g. file-size buckets, duration buckets) so that no free-text or user-generated content reaches Google.
- User properties. A small set of state flags is attached to your Analytics profile: device form factor, current theme palette, current theme mode, the app version of your first install, and whether you have connected Google Drive / created setlists / created annotations / imported audio tracks.
- Purchase data. When you buy ScoreDesk Pro, the purchase token and product ID flow through Google Play Billing so we can confirm and acknowledge the purchase.
- Google Drive imports. If you connect Google Drive and use the in-app
Picker to choose a file, the file IDs you select and the download requests
for those files are sent to the Google Drive API on your behalf. ScoreDesk
has no permission to list the rest of your Drive contents — the OAuth
scope is
drive.file, and the browser is rendered by Google outside our process.
ScoreDesk does not transmit the contents of your scores, annotations, setlists, bookmarks, or audio tracks to Google. Those remain entirely on your device.
3.3 Data transmitted to Microsoft (OneDrive)
If you connect OneDrive, ScoreDesk reads your files via Microsoft Graph with
the read-only scope Files.Read.All. Requests are only issued when you
actively browse or import from inside the app.
3.4 Data transmitted to Dropbox
If you connect Dropbox, ScoreDesk reads your files via Dropbox’s API with
the read-only scopes files.metadata.read and files.content.read.
Requests are only issued when you actively browse or import from inside
the app.
3.5 Android permissions requested
ScoreDesk’s release build carries the following permissions:
- INTERNET — required for Firebase telemetry, cloud imports, and Google Play Billing.
- WAKE_LOCK — keeps the screen on while you are reading or playing a score.
- ACCESS_NETWORK_STATE — network-reachability checks performed internally by the sign-in (MSAL) and Play Services libraries; ScoreDesk itself does not read this data.
- com.android.vending.BILLING — enables Google Play in-app purchases (ScoreDesk Pro).
- app.scoredesk.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION — an internal Android safety mechanism, automatically added by the AndroidX library, that prevents other apps from sending signals to ScoreDesk’s internal broadcast receivers. It is not a data-access permission and does not expose any of your data.
No storage, location, microphone, camera, contacts, or other sensitive permissions are requested.
3.6 Regional default
In the EU/EEA/UK, telemetry is off by default and requires explicit consent on first launch. Elsewhere, telemetry is on by default; you can opt out at any time in Settings → Privacy.
3.7 Website analytics (scoredesk.app)
The scoredesk.app website uses Umami (Umami Software, Inc.), a privacy-focused analytics service, to measure visits in aggregate. Umami does not use cookies or any other storage on your device, does not store IP addresses, and does not create persistent identifiers — visitors cannot be identified or tracked across sites. The data collected is aggregate only: pages viewed, referrer, country, browser, operating system and device type, plus clicks on the Google Play download links and the language switcher. Because no identifier is stored, this data cannot be linked back to you and there is no per-visitor record to access or delete. https://umami.is/privacy.
4. How we use the data we do process
- App functionality — purchase token and product ID (to confirm your Pro entitlement); OAuth tokens (to fulfil cloud imports you initiated); state flags (e.g. whether you’ve created setlists or annotations) so you don’t lose Pro feature access on reinstall.
- Diagnostics — crash stacks, non-fatal exceptions, breadcrumbs, and active-screen markers (Crashlytics).
- Analytics — bucketed event catalog + user-property state flags (Firebase Analytics), used to understand which features are used and which flows underperform.
We do not combine telemetry across user identities and we do not enrich it with third-party data.
5. Legal bases (GDPR Article 6)
- Consent (Art. 6(1)(a)) — covers all Crashlytics and Analytics collection from EU/EEA/UK users. The consent dialog is bottom-sheet, non-dismissable, and grants you separate toggles for crash reporting and analytics.
- Legitimate interest (Art. 6(1)(f)) — covers Crashlytics and Analytics collection from users in regions where consent is not legally required (the default-on regions). Our interest is in detecting crashes and understanding feature usage so we can fix and improve the app; the data is pre-bucketed and never includes content you authored. You can opt out at any time in Settings → Privacy. This basis also covers the cookieless, aggregated website analytics described in §3.7 — our interest is understanding whether the website works and where its visitors come from; the data contains no identifiers and cannot single anyone out.
- Contract performance (Art. 6(1)(b)) — covers Play Billing data flow when you purchase Pro.
6. Subprocessors
ScoreDesk uses six subprocessors. Their roles and links to their own GDPR documentation:
- Google LLC — Firebase Crashlytics, Firebase Analytics, Google Play Billing, and Google Drive API. https://policies.google.com/privacy and Firebase data-processing terms at https://firebase.google.com/support/privacy.
- Microsoft Corporation — Microsoft Graph (for OneDrive imports, only if you connect OneDrive). https://privacy.microsoft.com/privacystatement.
- Dropbox, Inc. — Dropbox API (for Dropbox imports, only if you connect Dropbox). https://www.dropbox.com/privacy.
- Cloudflare, Inc. — DNS resolution for the scoredesk.app domain, inbound email routing for support@scoredesk.app, and static site hosting for this privacy policy. https://www.cloudflare.com/privacypolicy/.
- Brevo (Sendinblue SA) — outbound SMTP delivery for replies sent from support@scoredesk.app. https://www.brevo.com/legal/privacypolicy/.
- Umami Software, Inc. — cookieless, aggregated website analytics for scoredesk.app (§3.7). https://umami.is/privacy.
7. Data retention
| Category | Where | Retention |
|---|---|---|
| On-device data (§3.1) | Your device | Until deleted or uninstalled |
| Crash reports | Firebase Crashlytics | 90 days |
| Analytics events | Firebase Analytics | 14 months |
| OAuth access tokens | Your device | Until revoked or disconnected |
| Purchase data | Google Play | Per Google’s policy |
| Website analytics (aggregated, §3.7) | Umami Cloud | 6 months |
8. Your rights under GDPR
You have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. You can exercise these rights at any time:
- Telemetry processed by ScoreDesk via Firebase: open Settings → Privacy inside the app to stop future events. Existing Firebase-side data is retained per §7 unless you request deletion. To request erasure of telemetry already collected, open Settings → Privacy → Diagnostics info inside the app, copy your installation ID, and include it in an email to support@scoredesk.app. We will use that ID to locate and delete data linked to your install via Google’s Firebase user-deletion tools.
- On-device data: delete items individually in-app, uninstall the app, or use “Erase all my data” (when available).
- OAuth tokens: revoke at the provider end — https://myaccount.google.com/permissions (Google), https://account.live.com/consent/Manage (Microsoft), https://www.dropbox.com/account/connected_apps (Dropbox) — or disconnect the provider from inside ScoreDesk.
For any other request — including access to support-email correspondence, clarifications, or complaints — write to support@scoredesk.app. You also have the right to lodge a complaint with your local data protection authority.
9. International transfers
Google, Microsoft, Dropbox, and Cloudflare process data on infrastructure that may be located outside the European Economic Area (typically in the United States or other regions). Transfers are covered by the Standard Contractual Clauses (SCCs) included in each provider’s data-processing terms (linked in §6). Umami Software, Inc. (website analytics, §3.7) is also US-based; the data it processes for us is aggregated and contains no personal identifiers.
10. Security
All network traffic uses TLS. On-device data and OAuth tokens are protected by the standard Android per-app sandbox; device-level encryption applies on modern devices.
11. Children’s privacy
ScoreDesk is not directed to children under 13 (United States COPPA) or under 16 (EU member states applying the GDPR national-law option). This matches the target-audience declaration in our Play Store listing. We do not knowingly collect data from children.