Privacy Policy

Last updated: 22/10/2025

Welcome to Hereditas. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and what rights you have.

1. Information We Collect

Personal Identifiers

When you create an account, we collect your email address and authentication credentials. You can register with email/password or via third-party providers (Google or Apple). If you use Google or Apple login, we receive basic account information (name, verified email) to authenticate you. We do not collect passwords from those services, and we do not collect government IDs or phone numbers.

User Photos and Discoveries

The core function of the App is to recognize artworks, monuments, and cultural sites from photos. When you take or upload a photo, the App collects and uploads the image for analysis. Each photo (a “discovery”) is stored securely in your user profile together with the exact location where the photo was taken, which helps improve recognition accuracy and allows you to revisit your discoveries later.

The location is collected via your device’s location services at the time of capture (with your consent). If you disable location access, the App can still work but recognition and record accuracy may be reduced. We do not derive or store location data from metadata in other photos without your permission.

Photos and their associated recognition data (description, date, and location) are stored permanently in your profile until you choose to delete them.

Follow-Up Questions (Chat Content)

After a discovery, you can ask follow-up questions through a chatbot. Your question text is processed only transiently to generate an answer and is not stored in our database or user profile after the response is delivered. We do not retain or reuse chat content, nor do we use it for profiling or analytics.

Automatic Device and Log Data

We collect limited technical information for security and operations, including:

  • IP address
  • Device type and operating system
  • App version and timestamps
  • Error or crash logs

This information helps ensure service reliability and detect abuse. It is not used for advertising or behavioral profiling.

2. How We Use Your Information

  • Recognition and Explanations: Your photo and its exact location are processed through AI recognition to identify the artwork, monument, or site and to generate an explanation.
  • Audio Narration: The textual explanation may be converted into speech using a third-party text-to-speech engine.
  • Profile History: We store each discovery — including its photo, explanation, and exact location — in your private user profile.
  • Authentication and Account Management: Your identifiers (email, Google/Apple ID) are used to authenticate your account, send password resets, and ensure security.
  • Support and Operations: Device and log data are used to monitor performance, troubleshoot issues, and prevent abuse.
  • Improvement: We may analyze aggregated, anonymized data to understand usage trends. We never use your identifiable data for marketing or behavioral analytics.

3. Third-Party Services

  • OpenAI (ChatGPT API): We send your photo and its exact location to OpenAI’s API for AI recognition and explanation. For chat interactions, we send your question text transiently to OpenAI for a response. OpenAI does not use API data for training and retains data for up to 30 days solely for abuse monitoring.
  • ElevenLabs (Text-to-Speech): We send explanatory text to ElevenLabs to generate audio narration. ElevenLabs processes the text and returns an audio file. No personal or location data are shared for this feature.
  • Supabase (Backend): We use Supabase for secure database and file storage. Supabase stores user profiles, discoveries, and location data on encrypted cloud infrastructure (AWS or GCP). Data is encrypted in transit and at rest.
  • Google and Apple (Authentication): When using Google or Apple sign-in, these providers verify your identity and share basic info (name and email). We do not access your passwords or unrelated personal data.

We do not use analytics, tracking, or advertising SDKs. We do not sell or share user data with advertisers, data brokers, or social media networks.

4. Data Sharing and Disclosure

  • Legal Requirements: If required by law, subpoena, or court order, we may disclose information after verifying the request’s validity.
  • Security and Fraud Prevention: We may disclose data to prevent fraud, abuse, or threats to safety.
  • Business Transfers: In case of a merger, acquisition, or sale of assets, user data may be transferred to the successor organization, provided they maintain equivalent privacy standards.
  • Third-Party Links: This Policy does not apply to third-party websites or services linked through the App. Review their privacy policies separately.

We do not share your photos, exact locations, or profile information with other users. Your discoveries are private by default.

5. Data Retention and Security

Retention

  • Discoveries: Stored indefinitely in your profile until deleted by you or when your account is removed.
  • Chat Content: Processed transiently and not retained.
  • Logs: Retained briefly for operations and then deleted or anonymized.

If you delete your account, all discoveries and related data are erased within a reasonable time. Backups are securely purged in regular cycles.

Security

  • Encryption at rest and in transit (HTTPS/TLS)
  • Strong password hashing (bcrypt or equivalent)
  • Strict access controls and database isolation
  • Secure Supabase infrastructure (SOC 2– and GDPR-compliant)
  • Continuous monitoring and routine vulnerability updates

While no system is 100% secure, we apply best practices to prevent unauthorized access. Users should keep login credentials confidential and report any suspected breaches.

6. Legal Bases for Processing (GDPR)

Under the EU GDPR, we process personal data on the following legal grounds:

  • Contractual necessity: To deliver core functions.
  • Consent: For using your device’s camera and location services.
  • Legitimate interest: For ensuring security, preventing abuse, and improving functionality.

7. International Data Transfers

Because our servers and providers (e.g., Supabase, OpenAI) may operate globally, your data may be processed in countries outside your residence. We implement safeguards such as EU Standard Contractual Clauses (SCCs) to ensure your data receives an equivalent level of protection.

8. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access and obtain a copy of your data
  • Correct inaccuracies
  • Delete your account and associated data
  • Withdraw consent (e.g., for location use)
  • Object or restrict certain processing
  • Request data portability

You can delete discoveries or your account in-app or by contacting us at hereditas.dev@gmail.com.

9. Cookies and Future Analytics

We currently do not use cookies or analytics technologies. If we introduce them in the future, we will update this Policy and request any required user consent.

10. Children’s Privacy

The App is not intended for children under 13 years old. We do not knowingly collect personal information from minors. If we discover that a child has provided personal data without parental consent, we will delete it promptly. Parents who believe their child has an account should contact us at hereditas.dev@gmail.com.

11. Changes to This Policy

We may update this Policy periodically. Updates will be posted in the App and marked with a new “Last Updated” date. For significant changes, we will notify users via email or in-app notice.

12. Contact Us

If you have questions or privacy-related requests, contact us at:
Email: hereditas.dev@gmail.com