1. Introduction
This Privacy Policy explains how [LEGAL ENTITY NAME] ("we," "our," "us," or the "Company") collects, uses, discloses, and protects your information when you use the trippinguide mobile application (the "App").
This Policy is incorporated into our Terms and Conditions by reference. Capitalized terms not defined here have the meaning given in the Terms.
2. Who We Are and How to Contact Us
Controller: [LEGAL ENTITY NAME], a company established in Germany
Address: [POSTAL ADDRESS, GERMANY]
Email: [SUPPORT EMAIL]
Lead supervisory authority: [GERMAN STATE DPA]
We are not required to appoint a Data Protection Officer under German law. If this changes, this Policy will be updated.
3. Scope
This Policy applies to information collected through the App and any related backend services. It does not apply to third-party services that the App connects to (such as the Apple App Store, Google Play, or AI Providers), which are governed by their own privacy policies.
4. Information We Collect
4.1 Information You Provide
Account information (registered users only): email address and password (stored only as a hashed value using Argon2). Optionally, a display name.
Subscription information: the type of pass purchased and Store-issued purchase receipts. We do not collect or store payment card numbers; payments are processed by Apple or Google.
User-submitted photos (registered users only): photos you upload of attractions. Photos may contain embedded metadata (EXIF), including GPS coordinates, capture time, and device information. We re-encode uploaded photos to strip EXIF metadata before storage. We retain the uploader's account ID, IP address, and upload timestamp alongside the photo record for security and abuse-traceability purposes.
Support correspondence: if you contact us, we keep the messages and your contact details to respond and improve the service.
4.2 Information Collected Automatically
Precise location (GPS): collected only with your explicit OS-level permission. Used to identify nearby points of interest within approximately 10 km of your position.
Device and technical data: device type, model, operating system and version, language, time zone, app version, and unique device identifiers used for guest usage limits and abuse prevention.
IP address: logged when you connect to our backend.
Usage and analytics events: which screens you view, which attractions you select, feature interactions, performance metrics, and aggregated usage trends.
Crash and diagnostic logs: technical information when the App fails or behaves unexpectedly.
4.3 Information Generated by the Service
AI-generated guides (text and audio) for attractions you select. The guides themselves describe public landmarks and are not personal data. The record linking your account or session to specific requests is personal data and is governed by §8.
Audit and security records: authentication events, in-app purchase verification, and device attestation results used to prevent fraud and abuse.
4.4 What We Do Not Collect
We do not knowingly collect: payment card numbers, government IDs, biometric data, health data, contact lists, photos other than user-initiated attraction submissions, microphone input, or content from other apps.
5. How We Use Your Information and Legal Bases (GDPR)
| Purpose | Categories used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide nearby-attraction discovery | Precise location, device data | Performance of contract; consent (for precise location) |
| Generate AI text and audio guides | Selected attraction metadata, language preference | Performance of contract |
| Authenticate users and manage subscriptions | Account info, IAP receipts, device identifiers | Performance of contract |
| Enforce free-tier limits, prevent fraud and abuse | Device identifiers, IP address, attestation results, audit logs | Legitimate interests (protecting the service) |
| Diagnose crashes, monitor performance | Crash logs, device data | Legitimate interests (operating a reliable service) |
| Analyze usage and improve the App | Aggregated usage events, device data | Legitimate interests; consent where required by §25 TTDSG/TDDDG |
| Display user-submitted photos as illustrative content for attractions | User-submitted photos (after EXIF stripping) | Performance of contract; consent (granted on upload); legitimate interests (illustrating the catalog) |
| Moderate user-submitted photos before publication | User-submitted photos | Legitimate interests (safety, legal compliance); legal obligation (DSA, NetzDG, KUG) |
| Respond to support requests | Contact details, correspondence | Legitimate interests; performance of contract |
| Comply with legal obligations | Any of the above as required | Legal obligation |
| Send service announcements (e.g., outages, T&Cs changes) | Email address | Legitimate interests; legal obligation |
We do not sell your personal information. We do not use your information for automated decision-making that produces legal or similarly significant effects.
6. AI Providers and How Your Data Is Used to Generate Content
When you select an attraction, our backend constructs a prompt and sends it to a third-party AI Provider, currently OpenAI and Google (for both LLMs and text-to-speech). You do not type or control prompts; you select from a fixed list of attractions curated by us.
What we send to AI Providers:
- The name and metadata of the attraction you selected (including its static coordinates and category)
- Your language preference
- Limited session metadata required to deliver the response
What we do not send to AI Providers:
- Your account email, password, or persistent user identifier
- Your live GPS coordinates
- Your IP address (requests originate from our backend, so the AI Provider sees only our server's connection, not yours)
- Payment information
Inference risk. Even though we do not transmit your live coordinates, an attraction's identity may indirectly imply your general area (e.g., a request about the Eiffel Tower implies interest in Paris). We disclose this so you can make an informed choice.
Training. We use AI Provider APIs configured so that inputs and outputs are not used to train their models. Because we do not transmit user-identifying information to AI Providers in any case, training settings have negligible impact on your privacy.
Photo moderation. User-submitted photos are reviewed before publication through a moderation workflow that combines automated image-classification services (such as Google Cloud Vision or OpenAI moderation) with manual review by Company personnel through an internal admin dashboard. Moderation results, the moderator's decision, and any annotations are stored alongside the photo record. Automated moderation services do not receive account-identifying information. Photos that are rejected are not published and are deleted in accordance with §8.
7. How We Share Your Information
We share information only with the categories of recipients listed below, and only to the extent needed for the purpose described.
| Recipient | Role | What we share |
|---|---|---|
| Apple Inc. / Google LLC (Stores) | Payment, app distribution, device attestation | Receipt data; Store-issued identifiers; attestation tokens |
| OpenAI, Google (AI Providers) | Generate text and audio | Selected attraction metadata, language, session metadata |
| Image moderation providers | Detect prohibited content in user-submitted photos | The photo itself (EXIF stripped); no account-identifying information |
| Authorized Company personnel (moderators) | Pre-publication review of user-submitted photos via an internal admin dashboard | The photo (EXIF stripped), uploader's account ID, IP address, timestamp, and prior submission history |
| Map / Places providers (e.g., Google Maps Platform) | Resolve nearby points of interest | Approximate location bounding box |
| Cloud hosting and database providers | Run our backend | All categories above, as required, on our instructions only |
| Crash reporting and analytics providers | Diagnose crashes, measure usage | Diagnostic and event data |
| Email delivery providers | Send transactional emails | Email address, message content |
| General audiences via the App, our website, newsletters, social media, and advertising | Display approved User Photos as illustrative content | The photo only (EXIF stripped); no uploader identity |
| Professional advisors (lawyers, auditors) | Legal and compliance | As needed |
| Authorities | Comply with legally binding requests | As required |
| Successors | Merger, acquisition, or asset sale | All categories, subject to this Policy |
We require service providers to handle your data only on our instructions and to apply appropriate safeguards. A current list of named sub-processors is available on request at [SUPPORT EMAIL].
8. Data Retention
We retain personal data only as long as needed for the purposes described in this Policy or as required by law.
| Data | Retention |
|---|---|
| Account information | While your account is active, then deleted within 30 days of deletion request (subject to legal holds) |
| Subscription and IAP receipts | Up to 10 years after the transaction, as required under §147 of the German Fiscal Code (Abgabenordnung) |
| Precise location coordinates | Transient. Used to compute nearby attractions and not stored as a movement history; coordinate values are discarded after the request is served |
| IP addresses | 90 days, for fraud detection and abuse prevention. After 90 days, IP addresses are deleted or irreversibly truncated |
| Device identifiers (guest usage) | Up to 30 days after last use, to enforce free-tier limits |
| AI-generated guide content (about attractions) | Retained without time limit, as it concerns public landmarks and is not personal data |
| Record linking your account/session to specific guide requests | While your account is active; deleted within 30 days of account deletion |
| User-submitted photos (pending review) | Held in authenticated, non-public storage until reviewed. Review timing is not guaranteed |
| User-submitted photos (rejected) | Up to 90 days after rejection, for moderation history and abuse-pattern detection, then deleted |
| User-submitted photos (approved) | Retained for as long as we choose to display or use them, unless removed for policy violation or by your withdrawal request |
| Upload and moderation metadata (uploader account, IP, timestamp, moderation decisions, moderator ID, annotations) | Up to 24 months |
| User-submitted photos (after your withdrawal request) | Removed from active systems within 30 days; backup copies expire within 35 days; copies already published in newsletters, social media, or advertising may persist outside our control |
| Crash and diagnostic logs | Up to 90 days |
| Analytics events (linked to user/device) | Up to 24 months, then aggregated or deleted |
| Audit and security logs | Up to 12 months |
| Support correspondence | Up to 24 months after the issue is closed |
| Backups | Up to 35 days; deletion requests are honored on live systems immediately and propagate to backups in the ordinary backup-rotation cycle |
9. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area, including the United States, where some of our service providers and AI Providers operate. These countries may have different data-protection laws.
For such transfers, we rely on appropriate safeguards under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs), the EU–U.S. Data Privacy Framework where applicable, and supplementary measures where appropriate. You may request a copy of the safeguards by contacting us at [SUPPORT EMAIL].
10. Your Rights
10.1 Rights Under the GDPR
If you are in the EU/EEA, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
- Lodge a complaint with the supervisory authority listed in §2 or with the data protection authority of your habitual residence
10.2 How to Exercise Your Rights
Email [SUPPORT EMAIL] or use in-app account settings. We will verify your identity before responding and will reply within one month, as required by Art. 12(3) GDPR (extendable by two further months for complex requests).
10.3 Revoking Location Permission
You can revoke location permission at any time in your device settings. The nearby-attractions feature will not function without it; you may still access other features.
10.4 User-Submitted Photos
You may request removal of photos you uploaded by contacting [SUPPORT EMAIL]. Removal is subject to §9.9 of the Terms. The license you granted at upload survives for copies lawfully distributed before your removal request.
11. Children's Privacy
The minimum age to use the App is 16, and 18 to make purchases (or the age of majority in your jurisdiction), as set out in our Terms and Conditions. We do not knowingly collect personal information from children under 16.
Our photo submission rules do not permit photos depicting any identifiable person, including children. If you believe a published photo nonetheless contains a child or other person, contact [SUPPORT EMAIL] and we will promptly investigate and remove it.
12. Data Security
We use administrative, technical, and physical safeguards to protect your data, including:
- Encryption in transit (TLS) and at rest where supported
- Hashed passwords (Argon2)
- Access controls and least-privilege principles for our personnel
- Device attestation (Apple App Attest / Google Play Integrity) to detect tampered clients
- Audit logging and monitoring
- EXIF metadata stripping on user-submitted photos before storage
User-submitted photos are stored in authenticated, non-public storage until they are approved through our internal moderation process. Unapproved photos are not accessible to other users or to third parties.
No system is perfectly secure. If we become aware of a personal-data breach, we will notify the supervisory authority and affected users as required under Art. 33 and 34 GDPR.
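Added illustration (not part of this Policy and not the App's own code): the two data-minimization controls this Policy commits to, metadata stripping on uploaded photos (§4.1, §12) and irreversible IP truncation after the retention period (§8), written as a small Python module so the checks can be reproduced. The Policy says photos are re-encoded; the example instead walks the JPEG segment structure directly, which is the verification a reviewer would run on the re-encoded output to confirm that no Exif, XMP, IPTC or comment segment survived (some image libraries copy such segments through a re-encode). The sample JPEG is constructed inline and is a structural skeleton, not a decodable image; the /24 and /48 truncation prefixes are assumptions, since the Policy does not state them.

```python
"""Metadata-stripping and IP-truncation checks (added example; not the App's code)."""
import ipaddress
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Segments that can carry user-identifying metadata. Assumption: every APP1
# (Exif / XMP), APP13 (Photoshop IPTC) and COM (free-text comment) segment is
# dropped; APP0 (JFIF) and APP2 (ICC colour profile) are kept.
METADATA_MARKERS = {0xFFE1: "APP1", 0xFFED: "APP13", 0xFFFE: "COM"}


def iter_segments(data: bytes):
    """Yield (marker, raw_bytes) for each JPEG segment up to SOS. Everything
    from SOS to EOI is yielded as one final item, since metadata segments
    cannot appear inside the entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield SOS, data[pos:]  # SOS header + scan data + EOI
            return
        if marker == EOI:
            yield EOI, data[pos:pos + 2]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS or EOI marker found")


def label(marker: int, seg: bytes) -> str:
    """Name the kind of metadata in a segment from its payload signature."""
    payload = seg[4:]  # skip marker and length
    if payload.startswith(b"Exif\x00\x00"):
        return "Exif"
    if payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    if payload.startswith(b"Photoshop 3.0\x00"):
        return "IPTC"
    return METADATA_MARKERS[marker]


def find_metadata(data: bytes) -> list[str]:
    """List metadata segments present; an empty list means the check passes."""
    return [label(m, seg) for m, seg in iter_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the file without metadata segments; image data is untouched."""
    return b"".join(seg for m, seg in iter_segments(data) if m not in METADATA_MARKERS)


def truncate_ip(ip: str) -> str:
    """Irreversibly truncate an address to its /24 (IPv4) or /48 (IPv6) prefix.
    Assumption: the prefix lengths; the Policy only says addresses are
    deleted or irreversibly truncated after 90 days."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton, not a decodable image.
# The Exif payload is fake; real Exif is a TIFF structure containing a GPS IFD.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<fake GPS IFD 48.8584N 2.2945E>")
    + _segment(0xFFE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _segment(0xFFFE, b"Shot on a test device")
    + _segment(0xFFDB, b"\x00" + bytes(64))          # DQT placeholder
    + _segment(0xFFDA, b"\x01\x01\x00\x00\x3f\x00")   # SOS header
    + b"\x12\x34\x56"                                 # fake scan data (no 0xFF bytes)
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", find_metadata(cleaned), len(SAMPLE_JPEG), "->", len(cleaned), "bytes")
    print(truncate_ip("203.0.113.77"), truncate_ip("2001:db8:abcd:1234::5"))
```

The check treats every APP1, APP13 and COM segment as metadata, keeps the JFIF and ICC segments, and never touches the scan data, so it cannot alter the image itself. PNG and HEIC uploads carry metadata in different containers (PNG tEXt/iTXt/eXIf chunks, the HEIF "Exif" item) and need their own equivalent check before storage.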
13. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects. Fraud-prevention checks (e.g., flagging anomalous IP or device signals) are reviewed by humans before any account action with significant impact is taken.
14. Marketing Communications
We send transactional emails (purchase confirmations, security alerts, T&Cs updates) as part of providing the service. Marketing emails, if any, are sent only with your prior consent and you can unsubscribe at any time.
15. SDKs and On-Device Storage
The App uses third-party SDKs for purposes described in this Policy (analytics, crash reporting, attestation, in-app purchases). Where required under §25 TTDSG/TDDDG and the GDPR, we will request your consent before non-essential SDKs are activated. Strictly necessary SDKs (such as those used for authentication, fraud prevention, and core delivery of the service you requested) operate without consent under §25(2) TTDSG/TDDDG.
16. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date reflects the latest revision. For material changes, we will provide prominent notice (in-app banner or email) before the change takes effect, and obtain consent where required by law.
17. Contact
[LEGAL ENTITY NAME]
[POSTAL ADDRESS, GERMANY]
Email: [SUPPORT EMAIL]