Data Processing Assessment LarasDesk Apps
Transparency document of the controller. Effective 2026-05-18.
Purpose of this document
Art. 28 GDPR requires a controller to conclude a written Data Processing Agreement (DPA) with each processor. A processor relationship exists when a third party processes personal data on behalf of, and on the documented instructions of, the controller. It does not exist when the third party processes data as its own controller for its own purposes, or when no personal data is transferred to the third party at all.
App 1: LarasScan
External services integrated
| Service | Provider | Function |
|---|---|---|
| Google ML Kit Document Scanner | Google LLC | document detection, on-device |
| Google ML Kit Text Recognition v2 | Google LLC | OCR, on-device |
| Google Play Services | Google LLC | module delivery, SDK diagnostics |
Data flow
- Receipt images, OCR text, extracted fields, hashes: remain fully on the device.
- ML Kit SDK diagnostics to Google: device information, app package name/version, API configuration, performance metrics, event types (see ML Kit Android Data Disclosure). No receipt images, no OCR text.
DPA assessment
A DPA with Google for ML Kit is not required.
- No processing of user content as a processor: Google does not process personal content data of app users.
- SDK diagnostics are independent processing by Google: the transmitted diagnostic data is technical in nature. According to Google's own disclosure it is used for diagnostics, abuse prevention and SDK improvement — i.e. for Google's own purposes. Google is therefore not acting on instructions but as its own controller.
- Google does not offer a DPA for ML Kit: unlike Firebase, no Data Processing Agreement is available for the ML Kit SDK.
Residual obligations without a DPA
- Transparency in the privacy policy: satisfied (see LarasScan privacy policy, section 5).
- Legal basis: Art. 6 (1) (f) GDPR with a balancing test.
- Third-country transfer: USA, secured via the EU-US Data Privacy Framework (DPF, Decision (EU) 2023/1795). Google LLC is DPF-certified (participant 5780).
Residual risk
If a supervisory authority later qualifies ML Kit SDK diagnostics as joint controllership, a joint-controller agreement under Art. 26 GDPR would be required, which Google does not provide for ML Kit. This risk applies equally to all app providers that integrate ML Kit.
App 2: LarasMemo
External services integrated
None. The app does not initiate any network connections on its own.
Not in scope: Capacitor (local framework), MediaRecorder (browser API, local), IndexedDB (browser database, local), Android share sheet (system function).
DPA assessment
No DPA required. There is no processor.
Re-evaluation trigger
As soon as a future version adds external data processing (e.g. Whisper model download via Google CDN, crash reporting, cloud backup, analytics), this memo must be re-evaluated.
App 3: LarasCalendar
External services integrated
None. The app does not initiate any network connections on its own.
Not in scope: Capacitor, ICS parser, Android share sheet.
DPA assessment
No DPA required. There is no processor.
Re-evaluation trigger
As soon as an integration with an external calendar provider (Google Calendar, Outlook, iCloud, CalDAV server) or cloud sync is implemented, this memo must be re-evaluated.
Related arrangements outside the app data processing
Closed beta test via Google Group / Google Forms
For closed testing phases, tester email addresses are collected via a Google Form and managed in a Google Group.
- Role: Google operates as the provider of an online service. For the platform-level processing of Google account data, Google is its own controller.
- DPA: for Google Workspace, an official Data Processing Addendum exists (Google Cloud Data Processing Addendum) that applies to paid Workspace accounts. For free private accounts the situation is less clear.
- Pragmatic assessment: use via a private owner identity without a Workspace plan. Legal basis: consent (Art. 6 (1) (a) GDPR) by the testers. Third-country transfer to the USA is secured via the DPF.
Website hosting
- Hosting provider: IONOS SE (Germany, EU).
- Role: processor for the hosting.
- DPA: IONOS provides a standard DPA (IONOS Data Processing Agreement).
- Third-country transfer: not applicable, servers in the EU.
Summary
| App | DPA required? | Reasoning |
|---|---|---|
| LarasScan | no | Google ML Kit = no processing of user content; SDK diagnostics = Google as own controller; DPF + SCC secure third-country transfer |
| LarasMemo | no | no external processors; fully local |
| LarasCalendar | no | no external processors; fully local |
| (Website hosting IONOS) | yes | IONOS standard DPA in place |
| (Beta test Google Group) | unclear — pragmatically no for a private account | transparency in the respective privacy policy |
Disclaimer
This memo is the controller's own assessment and not legal advice. For legally contested questions (in particular the joint-controller question for Google ML Kit), seeking legal counsel is recommended.