Privacy Policy

Last Updated: February 22, 2026

Application Name: Aimdal

Legal Entity Name: Aimdal

Contact Email: info@aimdal.com

Effective Date: March 1, 2026

This Privacy Policy applies to the mobile application (the "App") and any associated backend services operated by Aimdal ("we", "us", or "our"). It covers users located in the European Union / European Economic Area (EU/EEA), the United States (US), and Canada.

If there is a conflict between local law and this Policy, the more protective standard applies to users in that jurisdiction.


1. WHO WE ARE AND HOW TO CONTACT US

Data Controller (EU/EEA users):
info@aimdal.com

EU Representative (if applicable):
info@aimdal.com

Data Protection Officer (DPO) (if applicable):
info@aimdal.com

Canadian Privacy Officer:
info@aimdal.com

US Privacy Contact:
info@aimdal.com

For any privacy-related inquiries, requests, or complaints, please contact us at: info@aimdal.com

2. SCOPE OF THIS POLICY

This Policy describes:

  • What personal data we collect from you.
  • How and why we collect it.
  • How we store, process, and protect it.
  • With whom we share it.
  • How long we retain it.
  • Your rights and how to exercise them.
  • Jurisdiction-specific disclosures (EU/EEA, US, Canada).

This Policy does NOT apply to third-party websites or services linked from the App. We encourage you to review their privacy policies independently.

3. WHAT DATA WE COLLECT AND WHY

3.1 ACCOUNT AND IDENTITY DATA

  • Email address (when signing up with email/password).
  • Display name / username (optional, set by the user).
  • Google account name and profile picture (if using Google Sign-In).
  • Firebase User UID (unique identifier assigned automatically).

Purpose: To create and manage your account, authenticate you, and personalise your experience.

Legal Basis (EU): Art. 6(1)(b) GDPR – performance of a contract.

3.2 USER PREFERENCES AND QUESTIONNAIRE DATA

  • Interests selected during the onboarding questionnaire (e.g., Museums, Parks, Restaurants, Art, etc.).
  • Questionnaire completion timestamp.

Purpose: To personalise AI-generated recommendations and map content.

Legal Basis (EU): Art. 6(1)(b) GDPR – performance of a contract; Art. 6(1)(a) GDPR – consent (where obtained explicitly).

3.3 PRECISE LOCATION DATA

  • GPS latitude and longitude, updated in real time during active sessions.
  • Location timestamps sent to the server every ~10 seconds while the Live AI audio feature is active.

Purpose: To provide location-aware AI responses, display relevant map markers, plan trips, and surface nearby points of interest.

Legal Basis (EU): Art. 6(1)(a) GDPR – explicit consent via OS permission prompt. Users may revoke this permission at any time in device settings.

US Note: Location data is considered sensitive under several state laws (see Section 10). We do not sell precise location data.

Canada Note: Location data is collected only with meaningful consent and is not used for profiling beyond the stated purpose.

3.4 AUDIO DATA (MICROPHONE)

  • Real-time audio captured from the device microphone during active Live AI sessions.
  • Audio is streamed via encrypted WebSocket to our server for processing.
  • Raw audio is NOT retained by our server after processing. Audio bytes streamed through the WebSocket endpoints are forwarded in real time to the speech-to-text provider (AssemblyAI) and immediately discarded. We do not store, archive, or use raw audio for model training.

Purpose: To enable real-time, voice-activated AI assistance and to return contextualised spoken responses.

Legal Basis (EU): Art. 6(1)(a) GDPR – explicit consent via OS permission prompt. Audio capture only starts when the user actively initiates a session.

Important: We request microphone permission only when the Live AI feature is first used. The microphone is deactivated as soon as the session ends.

3.5 DEVICE AND TECHNICAL DATA

  • Device operating system and version (iOS / Android).
  • Anonymous device identifiers used by Firebase and RevenueCat.
  • App version and build number.
  • Crash logs and performance diagnostics (Firebase Crashlytics / RevenueCat).
  • IP address (collected by our servers and third-party services on each request).

Purpose: To maintain app stability, debug issues, and improve performance.

Legal Basis (EU): Art. 6(1)(f) GDPR – legitimate interests.

3.6 SUBSCRIPTION AND PAYMENT DATA

  • Subscription status (free / pro).
  • Purchase history and entitlement records managed by RevenueCat.

Note: Payment card details are NOT collected or stored by us. All payment processing is handled exclusively by Apple App Store / Google Play. We only receive anonymised transaction references and entitlement status.

Purpose: To gate premium features and manage subscriptions.

Legal Basis (EU): Art. 6(1)(b) GDPR – performance of a contract.

3.7 USAGE AND INTERACTION DATA

  • Chat messages sent to the AI (text prompts, voice transcripts).
  • Points of interest browsed and interactions with map markers.
  • Trip planning queries and saved trips.

Server-side conversation state: During an active WebSocket session the server maintains an in-memory conversation history (up to the last 10 turns) to provide context to the AI model. This in-memory history is destroyed when the session ends and is never written to disk or any database on our side. We do NOT use conversation content to train or fine-tune AI models. Daily per-user AI cost is accumulated in Firestore (field: usage.cost_usd) solely for quota enforcement and is not linked to message content.

Purpose: To deliver AI responses, maintain conversation continuity, and improve the service.

Legal Basis (EU): Art. 6(1)(b) GDPR – performance of a contract; Art. 6(1)(a) GDPR – consent where required.

3.8 SOCIAL SHARING DATA

When using the "Share to Instagram Stories" feature, a generated image is created on-device and shared through the Instagram app. No content is transmitted to us in this process.

4. HOW WE COLLECT DATA

  • Directly from you: account registration, questionnaire, in-app inputs, voice sessions.
  • Automatically: location services, device sensors, app analytics.
  • From third parties: Google Sign-In (Google LLC), Firebase (Google LLC), RevenueCat Inc., Apple and Google Play billing systems.

5. THIRD-PARTY SERVICE PROVIDERS (SUB-PROCESSORS)

We share data with the following trusted third parties to operate the App. Where required by GDPR, we have Data Processing Agreements (DPAs) in place.

Provider | Purpose | Data Shared | Location
Google Firebase (Google LLC) | Authentication, database (Firestore), crash reporting (Crashlytics), analytics | Email, UID, preferences, device info, crash logs | USA (+ EU SCC)
Google Sign-In (Google LLC) | Social login | Google account info (name, profile picture) | USA (+ EU SCC)
RevenueCat Inc. | Subscription / payment management, entitlement tracking | Firebase UID, purchase info, subscription status | USA (+ EU SCC)
Apple / Google | App distribution and billing | Payment transaction data | Various
Google Gemini (Google LLC) | LLM text & audio inference | Text prompts, location context | USA (+ EU SCC)
AssemblyAI Inc. | Real-time speech-to-text transcription | Raw voice audio (in-transit only, not retained) | USA (+ EU SCC)
ElevenLabs Inc. | Text-to-speech synthesis (voices) | Text strings only | USA (+ EU SCC)
DeepInfra Inc. | Alternative TTS via Kokoro-82M model | Text strings only | USA (+ EU SCC)
Google Text-to-Speech (gTTS) | Fallback TTS synthesis | Text strings only | USA (+ EU SCC)
Google Maps Platform (Google) | Place search, geocoding, directions, elevation | Location coordinates, IP address | USA (+ EU SCC)
OpenWeatherMap (QCRI) | Weather data queries | Location coordinates | EU
ESRI ArcGIS (Esri) | Map tile and geospatial services | IP address, map coordinates | USA (+ EU SCC)
Google Cloud Run (Google) | Backend API hosting and container orchestration | All data in transit, access logs | USA / EU

EU/EEA transfers: Where providers are located outside the EU/EEA (e.g., USA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other adequacy mechanisms, as the legal transfer mechanism.

6. INTERNATIONAL DATA TRANSFERS

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where data protection laws may differ from those in your country.

For EU/EEA users: Transfers are protected under the EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). Where applicable, we rely on adequacy decisions (e.g., EU-US Data Privacy Framework) or Binding Corporate Rules.

For Canadian users (PIPEDA / Quebec Law 25): We execute Privacy Impact Assessments (PIAs) when required and rely on contractual protections before transferring data outside Canada.

For US users: We comply with applicable state law requirements regarding cross-border data transfers.

7. DATA RETENTION

Data Category | Retention Period
Account data | Until account deletion + 30 days
Questionnaire answers | Until account deletion
Location data (in-session) | Held in server memory for session duration only; purged on disconnect. Not written to any database.
Audio data | Processed in real time and immediately discarded. Not stored server-side.
Chat/conversation history | Held in server memory (last 10 turns) for session duration only; purged on disconnect. Not persisted.
Subscription records | 7 years (legal/financial compliance)
Crash / diagnostic logs | 90 days
Deleted account data | Purged within 30 days of deletion request

We will not retain personal data longer than necessary for the stated purpose or as required by applicable law.

8. SECURITY

We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Audio streams use encrypted WebSocket connections (WSS).
  • Firebase Firestore data is protected by Firebase Security Rules.
  • API access is authenticated using a shared API key (x-api-key header) and per-user Firebase UID verification (x-user-uuid header) on every request.
  • Per-user daily spending quotas are enforced server-side (HTTP 429) to limit abuse and control AI inference costs.
  • Access to production systems (Google Cloud Run, Firestore) is restricted to authorised personnel via Google Cloud IAM.
  • Data at rest in Google Cloud Firestore and Cloud Run infrastructure is encrypted by default using AES-256 managed by Google.
  • Secret keys (API keys, service credentials) are managed via environment variables injected at deployment time through Google Cloud Run secrets.

No method of electronic transmission or storage is 100% secure. If you believe your data has been compromised, contact us immediately at: info@aimdal.com

In the event of a personal data breach, we will notify affected users and, where required, supervisory authorities within:

  • EU/EEA: 72 hours of becoming aware (Art. 33 GDPR).
  • Canada: "as soon as feasible" after determining a real risk of significant harm (PIPEDA).
  • US: According to applicable state breach notification laws.

9. COOKIES AND TRACKING TECHNOLOGIES

The App is a native mobile application and does not use browser cookies. However, we and our third-party partners may use:

  • Firebase Analytics SDKs: To collect aggregate usage statistics.
  • RevenueCat SDKs: To track subscription events.

You may opt out of analytics tracking via your device's privacy settings (e.g., "Limit Ad Tracking" on iOS, "Opt out of Ads Personalisation" on Android).

10. YOUR RIGHTS

10.1 EU / EEA — GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention obligations.
  • Restriction of Processing: Ask us to limit how we use your data.
  • Data Portability: Receive your data in a machine-readable format (where processing is based on consent or contract and carried out automatically).
  • Object: Object to processing based on legitimate interests or direct marketing.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a Complaint: File a complaint with your national data protection supervisory authority. A list of EU/EEA authorities is available at: EDPB Members

Response time: We will respond to verified requests within 30 days. Where complex, we may extend by up to 60 additional days with notice.

10.2 United States — State Privacy Rights

Depending on your state of residence, you may have additional rights:

California (CCPA / CPRA):

  • Right to Know: Categories and specific pieces of personal information collected about you.
  • Right to Delete: Request deletion of personal information we collected.
  • Right to Correct: Correct inaccurate personal information we hold.
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We limit use of sensitive PI (location, audio) to what is necessary for the stated purpose.
  • Non-Discrimination: We will not discriminate against you for exercising your rights.

Other States (VCDPA, CPA, CTDPA, TDPSA, etc.): Rights to access, correct, delete, and obtain a portable copy of your data; right to opt out of targeted advertising; right to appeal our decisions.

For California users specifically under "Shine the Light" Law (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for direct marketing purposes.

To submit a US privacy request: info@aimdal.com

Response time: 45 days; extendable by 45 additional days with notice.

10.3 Canada — PIPEDA and Quebec Law 25

Under Canada's PIPEDA and Quebec's Law 25, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate, incomplete, or outdated information.
  • Withdraw consent to the collection, use, or disclosure of your personal information.
  • File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Commission d'accès à l'information (CAI).

Quebec-specific (Law 25): Right to data portability; right to be forgotten / de-indexation; right to object to automated decision-making. Privacy Impact Assessments are conducted before any new processing involving personal information acquired outside Quebec.

Response time: 30 days from receipt of a verifiable request.

To exercise any of the above rights, contact us at: info@aimdal.com
Subject line: "Privacy Rights Request – [Jurisdiction]"

11. CONSENT AND PERMISSIONS

The App requests the following device permissions:

Permission | When Requested | Purpose
Location | On first use of map / AI feature | Display nearby places, send to AI
Microphone | On first use of Live AI feature | Capture voice for real-time AI session
Notifications | On first use of Live AI feature | Background session status notification

You can revoke any permission at any time via your device's system settings. Revoking a permission will disable the corresponding feature.

For EU/EEA users: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

12. AUTOMATED DECISION-MAKING AND AI PROCESSING

The App uses AI and machine learning to generate personalised recommendations, audio responses, and trip suggestions. These are not decisions based solely on automated processing that produce legal or similarly significant effects within the meaning of GDPR Art. 22: they serve as informational assistance only and require your active engagement.

Server-side AI processing: The backend uses Google Gemini models (gemini-2.5-flash and gemini-2.5-flash-lite) to generate responses for the "Goomby" (navigation & general assistant) and "Trip Planner" features. AI outputs serve solely as informational suggestions; the user always retains full control over their actions. Per-user daily cost tracking is used exclusively to enforce usage quotas and does not constitute profiling.

13. CHILDREN'S PRIVACY

The App is not directed to children under:

  • 13 years of age (United States – COPPA).
  • 16 years of age (EU/EEA – GDPR default, or lower national age where applicable).
  • 13 years of age (Canada – PIPEDA).

We do not knowingly collect personal information from children below these ages. If we become aware that we have inadvertently collected such data, we will promptly delete it. Parents or guardians who believe their child has provided us data should contact us at info@aimdal.com.

14. DATA MINIMISATION AND PURPOSE LIMITATION

We collect only the minimum personal data necessary for each stated purpose and do not use data for purposes incompatible with those stated at the time of collection. If we wish to use your data for a new purpose, we will inform you and, where required, obtain fresh consent.

15. USER-GENERATED CONTENT AND SHARING

If you use the trip-saving or social sharing features, content you choose to share (e.g., trip summaries, AI-generated images) leaves our platform and is governed by the privacy policy of the destination platform (e.g., Instagram). We have no control over data once shared externally.

16. LINKS TO THIRD-PARTY SERVICES

The App may surface links to external websites or map providers. These are governed by their own privacy policies. We are not responsible for their data practices.

Map tile data: Provided by OpenStreetMap contributors, MapTiler, or Mapbox under their respective terms.

17. BACKEND SERVER PROCESSING

17.1 HOSTING AND INFRASTRUCTURE

The backend API is a containerised Python / FastAPI application deployed on Google Cloud Run. Cloud Run automatically provisions managed infrastructure; the physical data-centre region is configurable and is set to the region closest to our primary user base (EU/US). All network traffic between the App and the server is encrypted with TLS 1.2 or higher, including WebSocket connections (WSS).

17.2 API ENDPOINTS AND DATA HANDLING

The server exposes the following endpoints. Each endpoint requires two authentication headers on every request:

  • x-api-key: validated against a server-side secret.
  • x-user-uuid: validated against an existing Firebase Firestore user record. The UUID is used only for quota enforcement (see 17.4).

GET /export/
Returns points of interest from a read-only internal SQLite database (cities.db). No personal data is collected or stored. Accepts an optional city_id query parameter to filter results.

POST /query/
Accepts a JSON payload containing conversation history (text messages), user GPS coordinates, and an assistant name ("goomby" or "trip-planner"). The message history and location are forwarded to Google Gemini for inference. AI cost is calculated and added to the user's daily spending record in Firestore (cost_usd only — no message content is persisted). No conversation messages are stored server-side after the request completes.

POST /plan/
Accepts a trip-planning request (destination, dates, interests, special needs). The parameters are forwarded to Google Gemini to generate a day-by-day itinerary. No personal data beyond the request parameters is retained after the response is returned.

POST /comment/
Accepts user feedback (sender identifier, comment text, timestamp). Forwards the comment to an internal Slack channel for review. Comment content is transmitted to Slack (a Salesforce Inc. service) and is subject to Slack's privacy policy. We do not store comment content in our own databases.

17.3 WEBSOCKET ENDPOINTS AND AUDIO PROCESSING

The server operates three WebSocket endpoints for real-time voice sessions:

/stream (Gemini Native Audio)

  • Raw PCM audio (16 kHz, 16-bit mono) is received from the App and forwarded directly to the Google Gemini Live API, which performs speech recognition, AI inference, and audio synthesis natively.
  • GPS coordinates sent as JSON text frames are held in server memory for the session duration to contextualise AI responses and support walking navigation (start_route, get_route_info, get_next_steps).
  • No audio data is written to disk or any database.
  • Route milestone notifications are generated and injected into the Gemini session as system events; no personal data is stored.

/mystream (AssemblyAI STT + Gemini LLM + ElevenLabs/gTTS TTS)

  • Raw PCM audio is streamed in real time to AssemblyAI for speech-to-text transcription. AssemblyAI processes audio under its own privacy policy and, by agreement, does not retain audio beyond the transcription session.
  • The resulting transcript text is forwarded to Google Gemini for LLM inference. The AI response text is then converted to speech via ElevenLabs, Kokoro-82M (via DeepInfra), or gTTS, and the resulting PCM audio is streamed back to the App.
  • An in-memory conversation history (last 10 turns of text) is maintained for the duration of the session to provide context. It is destroyed on disconnect and is never written to disk or a database.
  • GPS coordinate updates are held in server memory for navigation context only and discarded on session end.

/easystream (Gemini LLM via REST + gTTS/ElevenLabs/Kokoro TTS)

  • An energy-based Voice Activity Detector (VAD) running on the server determines utterance boundaries. Detected utterances are converted to WAV and sent to Google Gemini's REST generate_content API for inference.
  • TTS follows the same pipeline as /mystream.
  • An in-memory rolling history (last 10 turns) is held for session context only. GPS location updates are handled as in /mystream.

17.4 USAGE QUOTA AND FIRESTORE DATA

For every authenticated request that incurs an AI inference cost, the server writes or updates a single usage field on the user's Firestore document:

users/{user_uuid}.usage = {
  "date": "YYYY-MM-DD",   // calendar date in the Europe/Madrid timezone
  "cost_usd": <float>
}

  • Only the cumulative daily cost figure and the date are stored.
  • No message content, audio, or location history is written to Firestore.
  • The cost figure is reset to zero at the start of each new calendar day (Spain time).
  • If the daily quota (configurable per deployment) is reached, subsequent requests from that user return HTTP 429 until the quota resets.

17.5 LOG RETENTION

  • Google Cloud Run captures stdout/stderr from the server process. These logs may contain the x-user-uuid header value (for debugging), error stack traces, and AI usage cost summaries. They do NOT contain raw audio data or full conversation transcripts.
  • Cloud Run log retention: 30 days (Google Cloud Logging default).
  • Access logs (HTTP request metadata including IP address and endpoint path) are retained by Google Cloud for 30 days.

17.6 ABUSE PREVENTION AND RATE LIMITING

  • Per-user daily spending quotas are enforced at the application layer (HTTP 429 response when quota is exceeded).
  • All requests require a valid API key and a registered user UUID; unauthenticated requests are rejected immediately (HTTP 401).
  • Infrastructure-level DDoS protection is provided by Google Cloud Run's managed networking layer.

17.7 PERSONAL DATA USE FOR AI TRAINING

We do NOT use any personal data processed through our server (including voice audio, conversation transcripts, or location history) to train, fine-tune, or evaluate any AI model. Data forwarded to third-party AI providers (Google Gemini, AssemblyAI, ElevenLabs, DeepInfra) is governed by those providers' data-use and training policies. We recommend reviewing the privacy policies of those providers for details.

17.8 BACKUP AND DISASTER RECOVERY

  • Firestore data (user account records and usage quota fields) benefits from Google Cloud's built-in multi-region replication and automated daily backups with a 7-day retention window (default GCP settings).
  • The cities.db SQLite database is read-only content bundled with the container image. It does not contain personal data.
  • No additional backup mechanism is operated by us for session-scoped data, as none of it is persisted beyond the session.

18. CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this document.
  • Notify you via an in-app notification or email (for significant changes).
  • Where required by law (e.g., GDPR consent refresh, Quebec Law 25), seek fresh consent before processing data under new terms.

Continued use of the App after the effective date of any updated Policy constitutes your acceptance of the changes, to the extent permitted by law.

19. GOVERNING LAW AND DISPUTE RESOLUTION

This Policy and any disputes related to it are governed by the laws of Girona, Spain, without regard to conflict-of-law principles.

Notwithstanding the above:

  • EU/EEA residents retain the right to bring claims before their local supervisory authority or court, regardless of governing law.
  • Canadian residents may bring complaints before the OPC or CAI.
  • US residents may have rights under their state's law irrespective of this clause.

20. CONTACT US

For any privacy-related questions, requests, or complaints:

Email: info@aimdal.com

Website: https://aimdal.com/privacy

EU Representative: info@aimdal.com

Canadian Privacy Officer: info@aimdal.com

We aim to acknowledge all requests within 3 business days and resolve them within the statutory timeframes specified in Section 10.