Privacy Policy

Effective date: 1 May 2026 · Last updated: 2 May 2026

RevailLab (“RevailLab”, “we”, “our”) is a mobile app that helps you check whether a song is AI-generated. This policy explains what we collect, why, who we share it with, and the rights you have. We tried to write it in plain English — if anything is unclear, email msquaregiza@gmail.com.

Short version. We analyse the audio and text you submit and delete it immediately — neither is ever written to disk on our servers. Photos you take or pick for OCR are processed entirely on your device and never uploaded; only the recognised text is sent for classification, and only after you review it. Your scan history lives only on your phone. We don’t collect your name, email, location, contacts, or your photo library as a whole. We ask for App Tracking Transparency (iOS) and Google UMP (Android) consent before any analytics or advertising SDK touches your device — and you can decline both with no loss of functionality.

1. Who we are

RevailLab is published by MsquareTravel. The data controller under GDPR / UK-GDPR is Michal Giza, reachable at msquaregiza@gmail.com.

2. What the app does with your audio

When you paste a link or scan audio through the microphone, the app sends the audio to our processing backend (hosted on Hugging Face Spaces) where it is analysed in memory. The backend never writes the audio to disk, never logs the audio, and discards it as soon as the response is returned — typically within a few seconds. We do not build profiles from audio you send.

For URLs from known AI-only platforms (Suno, Udio, ElevenLabs, AIVA, Soundraw, Mubert, Boomy, Loudly, Beatoven), the app short-circuits and returns a “verified AI” verdict without sending anything to the backend. Those platforms only host AI-generated music, so no analysis is needed.

2a. What the app does with text and images (added in v1.1)

v1.1 adds an AI-text detector that classifies typed, pasted, or OCR’d text. Three input flows exist:

Paste / type. The text you put into the editor is sent to our text-classification backend (a separate Hugging Face Space, hardened the same way as the audio one). Same retention policy: analysed in memory, never written to disk, discarded immediately.
Camera. When you tap the Camera button on the “Scan text” screen, the app opens the device camera and captures a single still image. The image is processed locally on your device by Apple Vision (iPhone) or Google ML Kit (Android) — both run completely offline — to extract the recognised text. The photo itself is never uploaded to our servers. Only the recognised text — and only after you review and edit it in the in-app editor — is transmitted to the text-classification backend.
Photo library. When you tap the Gallery button, the system file picker lets you choose one image. Same handling as the Camera flow above: OCR runs on-device, the image stays on your phone, only the OCR’d text leaves the device after you review it.

The editable text field between OCR and classification is intentional — handwriting recognition is not 100% accurate, and you should be able to correct mis-recognised words before any text is transmitted. Tapping “Analyze Text” is the explicit consent step for the upload.

Camera and photo-library access are requested at the moment you tap the corresponding button, never on app launch. If you decline, the rest of the app — paste, type, mic, URL paste — keeps working normally.

3. Data we collect

Stored only on your phone (never uploaded)

Scan history — each scan’s result (verdict, confidence, title, date, and for text scans the analyzed text itself) is written to a local SQLite database. Uninstalling the app deletes it all.
Onboarding & freemium counters — a small key-value store remembering whether you finished onboarding and how many scans you have performed today.
Photographs you take or pick — when you use the camera or gallery flow on the Scan text screen, the captured image is processed locally for OCR and is not retained by the app beyond the duration of the scan. The image never leaves the device.

Sent off-device (only for the specific purposes below)

Data	Where it goes	Purpose	Retention
Audio you submit (file or URL contents)	Hugging Face Spaces (our audio backend)	Real-time AI / human classification	Analysed in memory, never stored
Text you submit (typed, pasted, or OCR’d)	Hugging Face Spaces (our text backend, separate Space)	Real-time AI / human text classification	Analysed in memory, never stored. Sent only after you tap “Analyze Text” — never automatically.
Crash logs + performance diagnostics	Firebase Crashlytics (Google)	Fixing bugs	Retained per Google’s Firebase data-processing terms
Anonymous usage events (e.g. screen views, feature taps)	Firebase Analytics (Google)	Understanding feature use	Retained per Google’s terms; only collected after you consent
AdMob Advertising Identifier (IDFA on iOS / GAID on Android)	Google AdMob	Ad attribution & personalization	Only collected after App Tracking Transparency (iOS) or UMP (Android) consent

Data we do NOT collect

Your name, email address, phone number, or other contact details.
Your location or address.
Your contacts, calendar, call history, SMS, or browser history.
Photos, videos, or any other files beyond the single image you explicitly pick for an OCR scan — and even that image is processed only on your device and never transmitted to us. We have no access to your photo library as a whole.
Any account credentials — we don’t have accounts.

4. How consent works in RevailLab

Apple requires apps to request App Tracking Transparency (ATT) before any tracking SDK initialises. Google requires equivalent UMP / IAB-TCF consent in the EU/UK. RevailLab treats both seriously:

Firebase Analytics and Firebase Crashlytics are disabled at the native SDK level (via Info.plist / AndroidManifest.xml flags) at app launch, before any Firebase code executes.
During onboarding the app presents ATT first (iOS only), then the Google UMP consent form, on separate screens.
Only after both have been answered does the app enable analytics, crashlytics and AdMob — and the four Firebase consent-v2 signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) mirror your ATT answer.
You can change your mind at any time in your device Settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads). RevailLab respects the new answer on the next app launch.

5. Sub-processors

Third-party services that process data on our behalf:

Hugging Face, Inc. — hosts our audio classification backend AND (since v1.1) our separate text classification backend, both as Hugging Face Spaces. Audio and text submitted for classification flow through Hugging Face’s infrastructure. Privacy policy.
Google LLC (Firebase + AdMob + ML Kit) — analytics, crash reporting, advertising, and (Android only) on-device OCR for the Scan-text feature. ML Kit text recognition runs entirely on the device; no image data is transmitted to Google through the OCR path. Privacy policy.
Apple Inc. — App Store distribution, iTunes Search API (for looking up Apple Music previews), and (iOS only) on-device OCR via the Vision framework for the Scan-text feature. Apple Vision runs entirely on the device; no image data is transmitted to Apple through the OCR path. Privacy policy.

6. Your rights

Depending on where you live, you have the following rights:

Europe (GDPR) and the UK (UK-GDPR)

Right of access — we’ll tell you what we hold about you.
Right to rectification.
Right to erasure — there’s nothing personal to erase server-side; scan history is local and you can delete it from the History screen or by uninstalling the app.
Right to restrict or object to processing.
Right to data portability.
Right to withdraw consent — revoke ATT / UMP at any time; we stop tracking on the next app launch.
Right to lodge a complaint with your local supervisory authority (for example, the ICO in the UK or your national DPA in the EU).

California (CCPA / CPRA)

Right to know what personal information is collected.
Right to delete personal information.
Right to opt out of “sale” or “sharing”. We do not sell personal information. We do share identifiers with AdMob for ad attribution only after ATT consent — declining ATT prevents this sharing.
Right to non-discrimination when you exercise these rights.

To exercise any right, email msquaregiza@gmail.com from the address you’d like us to respond to. We’ll reply within 30 days.

7. Children

RevailLab is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we’ll delete it.

8. Security

All network traffic between the app and our backend is encrypted with TLS (HTTPS). Audio is processed in memory and never written to disk server-side. Local data on your phone is stored in the app’s sandbox — other apps cannot read it.

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly to msquaregiza@gmail.com.

9. International data transfers

Our processors (Google, Hugging Face, Apple) operate globally. When data leaves the EEA / UK, transfers happen under appropriate safeguards — typically Standard Contractual Clauses — as documented by each sub-processor.

10. Changes to this policy

When we materially change this policy we update the “Last updated” date at the top and, for significant changes, surface a notice inside the app. Your continued use after an update means you accept the revised policy.

11. Contact

Michal Giza / MsquareTravel
Email: msquaregiza@gmail.com