Privacy Policy

Last updated: 21/10/2025

This Privacy Policy explains how our mobile application ("Hereditas") collects, uses, and protects personal data when you use our art and monument recognition service. By using the App, you agree to this Policy.

1. Information We Collect

Personal Identifiers

When you create an account, we collect your email address and authentication credentials. You can register with email/password or via third-party providers (Google or Apple). If you use Google or Apple login, we receive basic account information (name, verified email) to authenticate you. We do not collect passwords from those services, and we do not collect government IDs or phone numbers.

User Photos and Discoveries

The core function of the App is to recognize artworks, monuments, and cultural sites from photos. When you take or upload a photo, the App collects and uploads the image for analysis.

Each photo (a "discovery") is stored securely in your user profile together with the exact location where the photo was taken, which helps improve recognition accuracy and allows you to revisit your discoveries later.

The location is collected via your device's location services at the time of capture (with your consent). If you disable location access, the App can still work but recognition and record accuracy may be reduced. We do not derive or store location data from metadata in other photos without your permission.

Photos and their associated recognition data (description, date, and location) are stored permanently in your profile until you choose to delete them.

Automatic Device and Log Data

We collect limited technical information for security and operations, including:

  • IP address
  • Device type and operating system
  • App version and timestamps
  • Error or crash logs

This information helps ensure service reliability and detect abuse. It is not used for advertising or behavioral profiling.

2. How We Use Your Information

We use collected information to operate, maintain, and improve the App:

  • Recognition and Explanations: Your photo and its exact location are processed through AI recognition to identify the artwork, monument, or site and to generate an explanation.
  • Audio Narration: The textual explanation may be converted into speech using a third-party text-to-speech engine.
  • Profile History: We store each discovery - including its photo, explanation, and exact location - in your private user profile.
  • Authentication and Account Management: Your identifiers (email, Google/Apple ID) are used to authenticate your account, send password resets, and ensure security.
  • Support and Operations: Device and log data are used to monitor performance, troubleshoot issues, and prevent abuse.
  • Improvement: We may analyze aggregated, anonymized data to understand usage trends (e.g., most recognized monuments).
  • Advertising: We use Meta to track anonymized interactions and conversions for advertising purposes.

3. Third-Party Services

We integrate a few essential third-party providers to power the App's features:

  • OpenAI (ChatGPT API): We send your photo and its exact location to OpenAI's API for AI recognition and explanation. OpenAI also provides text-to-speech services to convert explanations into audio narration. OpenAI does not use API data for training and retains data for up to 30 days solely for abuse monitoring.
  • Supabase (Backend): We use Supabase for secure database and file storage. Supabase stores user profiles, discoveries, and location data on encrypted cloud infrastructure (AWS or GCP). Data is encrypted in transit and at rest. Supabase acts as our data processor and cannot access or use your data for any independent purpose.
  • Google and Apple (Authentication): When using Google or Apple sign-in, these providers verify your identity and share basic info (name and email). We do not access your passwords or any unrelated personal data. You remain subject to their respective privacy policies during sign-in.
  • Meta: We use Meta to track anonymized interactions and conversions for advertising purposes. Data is processed according to Meta's privacy policy.

We do not sell or share user data with data brokers. We may share anonymized or aggregated data with advertising platforms (such as Meta) for marketing and analytics purposes.

4. Data Sharing and Disclosure

We only disclose personal data in limited situations:

  • Legal Requirements: If required by law, subpoena, or court order, we may disclose information after verifying the request's validity.
  • Security and Fraud Prevention: We may disclose data to prevent fraud, abuse, or threats to safety.
  • Business Transfers: In case of a merger, acquisition, or sale of assets, user data may be transferred to the successor organization, provided they maintain equivalent privacy standards.
  • Third-Party Links: This Policy does not apply to third-party websites or services that may be linked through the App. We recommend reviewing their privacy policies separately.

We do not share your photos, exact locations, or profile information with other users. Your discoveries are private by default.

5. Data Retention and Security

Retention

  • Discoveries: Stored indefinitely in your profile (photo, explanation, exact location) until deleted by you or when your account is removed.
  • Chat Content: Processed transiently and not retained.
  • Logs: Retained briefly for operations and then deleted or anonymized.

If you delete your account, all discoveries and related data (including exact locations) are erased from our main systems within a reasonable time. Backups are securely purged in regular cycles.

Security

  • Encryption at rest and in transit (HTTPS/TLS)
  • Strong password hashing (bcrypt or equivalent)
  • Strict access controls and database isolation
  • Secure Supabase infrastructure (SOC 2– and GDPR-compliant)
  • Continuous monitoring and routine vulnerability updates

While no system is 100% secure, we apply best practices to prevent unauthorized access. Users should keep login credentials confidential and report any suspected breaches.

6. Legal Bases for Processing (GDPR)

Under the EU General Data Protection Regulation (GDPR), we process your personal data on the following legal grounds:

  • Contractual necessity: To deliver the core functions (recognition, profile storage, narration).
  • Consent: For using your device's camera and location services.
  • Legitimate interest: For ensuring security, preventing abuse, and improving functionality.

You can withdraw consent (for location or camera access) anytime through your device settings, though certain features may be limited.

7. International Data Transfers

Because our servers and providers (e.g., Supabase, OpenAI) may operate globally, your data may be stored or processed in countries outside your residence.

We implement safeguards such as EU Standard Contractual Clauses (SCCs) to ensure your data receives an equivalent level of protection wherever it is processed.

8. Your Rights

Depending on your jurisdiction (e.g., EU/UK GDPR, California CCPA/CPRA, Virginia CDPA), you have the right to:

  • Access and obtain a copy of your data
  • Correct inaccuracies
  • Delete your account and associated data
  • Withdraw consent (e.g., for location use)
  • Object or restrict certain processing
  • Request data portability

You can delete discoveries or your full account in-app or by contacting us at info@hereditas.dev. Because chat content is not stored, there is no chat history to export or erase.

We will respond to verified requests within the time required by law (typically within 30 days).

9. Cookies and Analytics

We use Meta for analytics and advertising. This technology tracks anonymized app events and conversions. Data is processed according to Meta's privacy policy.

If we introduce cookies, additional analytics, or advertising tools in the future, we will update this Policy and request any required user consent.

10. Newsletter and Push Notifications

If you opt in, we may use your email to send newsletters, product updates, and occasional offers. You may unsubscribe at any time using the link in the email.

The App may also send push notifications (e.g., feature updates or reminders). These can be disabled at any time through your device settings.

11. Children's Privacy

The App is not intended for children under 13 years old. We do not knowingly collect personal information from minors.

If you are under 13, do not use the App or provide personal data. If we discover that a child has provided personal data without parental consent, we will delete it promptly.

Parents who believe their child has an account should contact us at hereditas.dev@gmail.com.

12. Changes to This Policy

We may update this Policy periodically. Updates will be posted in the App and marked with a new "Last Updated" date.

For significant changes, we will notify users via email or in-app notice. Continued use of the App after updates means acceptance of the revised terms.

13. Contact Us

If you have questions or privacy-related requests, contact us at:
Email: info@hereditas.dev