01The on-device promise
Cleanroom scans your photo library entirely on your iPhone. All detection — screenshots, documents, receipts, duplicates, the Sensitive category, video analysis — runs on your device's own chip.
Your photos, videos, and documents are never uploaded, transmitted, or shared by Cleanroom. There is no account to create, and we operate no server. We could not see a photo of yours even if we wanted to — there is nowhere for it to go.
Photos you place in the Keep are stored encrypted on your device only (see Security). We never receive them, and we cannot recover them.
Being precise matters more to us than sounding perfect, so this policy also discloses the small amount of data that is involved when you use the free, ad-supported version: advertising data handled by Google, and purchase processing handled by Apple. None of it includes your photos. The sections below explain each part.
02Who we are
Cleanroom is developed by [Developer legal name], [registered address] (the "developer", "we"). For the limited processing described in this policy that we are responsible for, we are the data controller under the GDPR and UK GDPR. You can reach us at support@cleanroomapp.net.
For advertising data, Google is a separate party that processes data under its own policies, as described in section 04.
03What we don't collect
Cleanroom has no developer-operated backend, no analytics SDK, and no crash-reporting SDK. The app itself sends us nothing. Specifically, we do not collect, receive, or store:
- Your photos, videos, or documents — or any thumbnails, crops, or derived versions of them.
- The results of any scan: what categories were found, what was flagged as Sensitive, what you deleted, compressed, or moved to the Keep.
- Your name, email address, contacts, or location. There is no account or sign-up.
- Usage analytics or crash reports sent to us.
The only network activity the app itself initiates related to your library is iOS downloading your own iCloud Photos originals to your device during a scan, if you use iCloud Photos (see section 07). That is a download to your phone, not an upload from it.
04Advertising — Google AdMob
The free version of Cleanroom shows ads using Google AdMob (the Google Mobile Ads SDK). This is the one part of the app where a third party collects data from your device, and we want to describe it accurately rather than pretend it away.
To deliver and measure ads, the AdMob SDK may collect and send to Google:
- The device advertising identifier (IDFA) — only if you allow tracking in the App Tracking Transparency prompt (see section 05).
- Device and app information — such as device model, operating system version, language, general (coarse) location inferred from IP address, and app identifier.
- Ad interaction data — such as which ads were served and whether they were viewed or tapped, plus diagnostic and fraud-prevention signals.
Ad data never includes your photos, videos, documents, or any scan results. The ad SDK has no access to your photo library or the Keep.
Google processes this data under its own terms. To understand Google's practices, see:
- Google Privacy Policy
- How Google uses information from sites or apps that use its services
- Google — Advertising technologies
Buying the one-time supporter unlock removes ads, and with them the ad SDK's data collection during use.
05Tracking & consent (ATT and the EU/UK consent form)
App Tracking Transparency (everyone)
Before Cleanroom can allow the ad SDK to access your device's advertising identifier (IDFA) for tracking, iOS shows Apple's App Tracking Transparency prompt. If you choose Ask App Not to Track, the IDFA is not available to Google and you will see non-personalized (contextual) ads instead. The app works identically either way.
You can change this choice at any time in iOS Settings → Privacy & Security → Tracking.
Consent in the EU, EEA, and UK
If you are in the European Economic Area or the United Kingdom, Cleanroom shows Google's consent form (the User Messaging Platform, "UMP") before any ads are served. You can choose whether to consent to personalized ads; if you decline, ads are non-personalized. You can review or change your choice later from the app's settings.
Personalized ads happen only with your consent. Declining costs you nothing — the app is fully functional with non-personalized ads, or with no ads at all after the one-time unlock.
06Purchases — Apple
The optional supporter unlock ($1.99 one-time, or $2.49 one-time for Family Sharing with up to six people) is processed entirely by Apple through the App Store's in-app purchase system.
- We never see or receive your payment card details, billing address, or Apple ID credentials. Apple processes the payment under its own terms and privacy policy.
- The app only learns whether the unlock is active, so it can remove ads. That entitlement check happens through Apple's on-device StoreKit framework.
- Refunds are requested from and decided by Apple, not by us.
See the Apple Privacy Policy for how Apple handles purchase data.
07iCloud Photos — a note on Apple's system behavior
If you use iCloud Photos, some of your originals may live in iCloud rather than on your phone. When Cleanroom scans your library, iOS itself may download your own originals to your device so they can be analyzed on-device. This is Apple's standard PhotoKit behavior between your own devices and your own iCloud account.
To be exact: this is a download of your own photos to your own phone, performed by iOS. It is not an upload, and Cleanroom never sends your photos anywhere.
08Security
Photos and videos you move into the Keep are protected on your device:
- AES-GCM encryption — an authenticated encryption standard — protects every item in the Keep, stored only in the app's local storage on your iPhone.
- Face ID (or your device passcode) is required to unlock the Keep. The encryption key is held in the iOS Keychain, restricted to this device, and requires your presence to use.
- The Keep's contents are excluded from device backups and never synced anywhere.
Because there is no server, there is also no cloud recovery. If your device is lost or erased and you have no local copy, the Keep's contents cannot be recovered by us — by design, we never had them.
No security measure is absolute, but on-device encryption with hardware-backed keys is the strongest posture we can offer without ever taking possession of your data.
09Data retention
- By us: nothing. We hold no personal data about you or your library, so there is nothing for us to retain or delete. If you email us for support, we keep the correspondence only as long as needed to help you.
- On your device: scan results, settings, and the Keep live only in the app's local storage. Deleting the app deletes them (deleting the app also permanently deletes the Keep's contents — export first if you want them).
- By Google: advertising data collected by the AdMob SDK is retained by Google under Google's retention policies.
10For users in the EU, EEA, and UK — GDPR
Legal bases
- Personalized advertising: your consent (Art. 6(1)(a) GDPR), collected via the consent form described in section 05. You can withdraw it at any time with effect for the future.
- Non-personalized advertising and app delivery: legitimate interests (Art. 6(1)(f)) in funding a free app with contextual ads that involve minimal data.
- The in-app purchase: performance of a contract (Art. 6(1)(b)) — processed by Apple.
- Your photo library: processed only on your device at your direction. It never reaches us, so we perform no processing of it as a controller.
Your rights
You have the rights of access, rectification, erasure, restriction, data portability, and objection, the right to withdraw consent at any time, and the right to lodge a complaint with a supervisory authority in your country of residence.
Two practical notes, offered honestly:
- We hold no personal data about you or your photos, so an access or erasure request to us will normally come back empty — everything lives on your device, under your control. Deleting the app is the most complete erasure that exists for Cleanroom data.
- For advertising data, Google is the party that holds it. Exercise those rights through Google's tools — Google's My Ad Center and the controls in the Google Privacy Policy — and through the consent and tracking controls in section 05.
11For California residents — CCPA/CPRA
We do not collect personal information about you ourselves. However, when ads are shown, the AdMob SDK may collect on Google's behalf the categories California law calls identifiers (the advertising identifier), device information, and internet or network activity (ad interactions). We do not collect sensitive personal information, and your photos are never involved.
"Sale" or "sharing": under the CPRA's broad definitions, allowing an advertising SDK to use your identifier for cross-context behavioral (personalized) advertising may qualify as "sharing" or a "sale" of personal information. We do not sell or share personal information in any other sense, and we receive no money for data.
Do Not Sell or Share My Personal Information
You can opt out of any such sharing at any time, and the app fully respects it:
- Choose Ask App Not to Track in the App Tracking Transparency prompt, or turn tracking off later in iOS Settings → Privacy & Security → Tracking. Without the identifier, ads are non-personalized.
- Where the consent form is shown, decline personalized ads.
- Or purchase the one-time unlock, which removes ads entirely.
California residents also have rights to know, delete, and correct, and the right not to be discriminated against for exercising them. Because we hold no personal information, requests to us will normally return nothing; for ad data, direct requests to Google via the links in section 10. We will never treat you differently for opting out.
12International transfers
We transfer nothing internationally, because we hold nothing. Advertising data collected by the AdMob SDK is processed by Google LLC and its affiliates, which may process data on servers around the world, including in the United States. Google states that it relies on appropriate safeguards such as standard contractual clauses and participates in applicable data-transfer frameworks; see Google's data transfer frameworks.
13Children
Cleanroom is a utility for managing your own photo library and is not directed to children. Its App Store age rating (4+) reflects the absence of objectionable content in the app itself, not an intent to attract children.
We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your country). Because the app shows ads, we configure ad serving to comply with applicable children's-privacy rules, including relying on non-personalized ads where required. If you believe a child has used the app and that an advertising identifier was collected as a result, use the controls in section 05 and contact us at support@cleanroomapp.net so we can help.
14Changes to this policy
If the app's data practices ever change — for example, a different ad provider, or the removal of ads — we will update this policy and change the "Last updated" date at the top. For material changes, we will also make the change prominent in the app or its App Store release notes. The current version always lives at this page.
15Contact
Questions, rights requests, or concerns about privacy:
Postal address: [Developer legal name], [registered address].