VueScan Review

The scanner software VueScan from Hamrick Software is likely familiar to some users, as it was first released in 1998 and has been continuously developed since then. The program is distributed as shareware.

What does the product do?

VueScan is one of those programs that annoys users with pop-ups and redirects them to the manufacturer’s website. In addition to this behavior, extensive data is collected that goes beyond the usual scope. Beyond the "regular" data collection, users are tracked with every action.

Who operates the product?

Hamrick Software

Which service providers are involved?

Everything remains with Hamrick. A server from BunnyCDN is responsible for version checking. Everything else runs under their own domain.

Hamrick Software - 16850 Collins Ave Suite 112-711, Sunny Isles Beach, FL 33160, USA
DigiCert, Inc. - 2801 N Thanksgiving Way, Suite 500, Lehi, Utah 84043, USA
BunnyWay d.o.o. - Dunajska cesta 165, 1000 Ljubljana, Slowenia

What data is collected?

Everything that is clickable and more

Installation time, version number, user ID, session ID, event time, platform (build, arch), number of CPUs, user language, WebView backend, registered yes/no, customer ID, curl, email, serial number, MAC addresses, scanner data (manufacturer, model name, driver), other connected devices such as streaming cameras are tracked

In addition, all user actions are tracked > which menu items are clicked, e.g., preview, processed document types, scan commands, resolution, color settings, number of scanned pages, scan viewed, filters used such as flip, mirror, and much more

For those who haven’t had enough, there are also the aforementioned pop-ups and redirects to enjoy.

Privacy policy and opt-in/opt-out

A minimal Privacy Policy   can be found on the website, which, however, violates several core provisions of the GDPR.

GDPR Violations and Risks

1. Incomplete or misleading privacy policy: Violation of Art. 5(1)(a) and Art. 13 GDPR
2. No explicit consent for telemetry, tracking, and device analytics: Violation of Art. 6(1)(a) and Art. 7 GDPR
3. Lack of purpose limitation and data minimization (collection of all usage and system data): Violation of Art. 5(1)(b) and (c) GDPR
4. Profiling through tracking of user behavior (menu clicks, filters, scanning activity): Art. 4(4) GDPR without valid consent
5. Collection of personal data (email, serial number, MAC address, customer ID): Violation of Art. 4(1) in conjunction with Art. 6 GDPR
6. No transparency regarding server locations and data transfers to third countries: Violation of Art. 13(1)(f), Art. 44 et seq. GDPR
7. No technical or organizational means to opt out: Violation of Art. 7, 12, and 25(2) GDPR
8. Disproportionate data collection (installation time, CPU count, hardware details, language): Violation of Art. 5(1)(c) GDPR
9. Lack of proof of adequate security and possible disclosure of sensitive device information: Violation of Art. 5(1)(f) and Art. 32 GDPR
10. Non-transparent use of personal data as consideration for software licensing: Violation of § 327(3) BGB in conjunction with Art. 6 GDPR
11. Misleading privacy statements – consumers are deceived about the extent and purpose of data processing: Violation of § 3a UWG (Unfair Competition Act)
12. No disclosure of automatic data transmission during startup and normal operation: Violation of Art. 5(1)(a) GDPR

Additional Violations:
VueScan is marketed as a local, offline-capable scanning application but continuously collects telemetry and usage data without disclosing the required internet connection. This is misleading and constitutes a violation of competition law (§ 5(1) UWG), as consumers are deceived about the actual functionality of the software.

Furthermore, the aggressive background data collection without any option for deactivation violates the GDPR requirement for privacy-friendly default settings under Art. 25(2) GDPR.

Can this behavior be blocked?

Yes, completely.

Summary

This software is not recommended for casual or uninformed users. Despite its extensive scanning capabilities, the lack of transparency in data processing and excessive collection of personal data pose a serious risk to privacy.