Privacy Policy
Company: InitHere ApS · Contact: contact-guidude@inithere.com
Effective date and last updated date will be added before publishing.
This Privacy Policy explains how InitHere ApS collects, uses, stores, and shares your personal data when you use the Guidude mobile application ("App"). It applies to all users of the App and is written in accordance with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018).
Please read this policy carefully before using the App. By creating an account, you confirm that you have read and understood this policy.
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
InitHere ApS
Løvetandsvej 22, 2. tv.
2700 Brønshøj
CVR: 46004043
Denmark
Privacy contact: contact-guidude@inithere.com
We have not appointed a formal Data Protection Officer (DPO). For any data protection enquiries, contact us at the email above. We will respond within 30 days.
2. Age Requirement
The App is intended for users 16 years of age and older. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has registered an account, please contact us at contact-guidude@inithere.com and we will delete it promptly.
Under the Danish Data Protection Act §6, the minimum age for consent to information society services is 13 years. Guidude's age requirement of 16 is higher and we do not make exceptions.
3. What Personal Data We Collect and Why
We collect only the data that is necessary to operate the App and deliver the features you use. For each category of data, we state the legal basis under GDPR Article 6.
3.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Create and manage your account; send account-related communications | Contract (Art. 6(1)(b)) |
| First and last name | Personalise your experience | Contract (Art. 6(1)(b)) |
| Password | Authenticate your account (stored as a secure cryptographic hash — never in plain text) | Contract (Art. 6(1)(b)) |
If you sign in with Google, we receive your email address and name from Google. We do not receive your Google password and we only request the minimum scopes necessary (email and profile).
3.2 Precise GPS Location Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Continuous GPS coordinates (latitude, longitude, timestamp) | Detect nearby points of interest and trigger audio narrations while an active tour session is running | Consent (Art. 6(1)(a)) |
| GPS breadcrumb trail | Generate your post-tour route map and session history replay | Consent (Art. 6(1)(a)) |
Important: Location data is collected only while you have an active tour session running. It is not collected when the App is closed or when no session is active.
You must grant location permission to use the tour narration feature. You may revoke location permission at any time in your device settings, though this will stop tour narration from functioning.
3.3 Voice and Audio Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Voice recordings of your spoken questions | Transcribe your question so the AI guide can respond | Contract (Art. 6(1)(b)) |
When you speak a question, your audio is temporarily uploaded to secure cloud storage for transcription. Audio recordings are used solely for the purpose of transcribing your question and are deleted within 30 days of the session ending.
Voice data is used for transcription only. We do not use your voice to identify you, create a voiceprint, or perform any speaker identification or biometric processing. Your voice recordings are therefore not treated as biometric data under GDPR Article 9.
3.4 Device Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Push notification token (FCM token) | Send you push notifications (e.g., post-tour prompt to rate your experience) | Consent (Art. 6(1)(a)) |
| Platform type (iOS or Android) | Format push notifications correctly for your device | Consent (Art. 6(1)(a)) |
Push notifications are entirely optional. You must grant notification permission explicitly. You can withdraw this consent at any time in your device settings or within the App — this will not affect your ability to use any other feature.
3.5 Tour and Session Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Tour session records (start time, end time, tour plan used) | Provide tour history and session management | Contract (Art. 6(1)(b)) |
| Points of interest narrated during a session | Prevent the AI from repeating narrations within the same session | Contract (Art. 6(1)(b)) |
| Tour ratings and written feedback | Improve the service; display aggregate quality metrics | Contract (Art. 6(1)(b)) |
| Tour plans you create and share publicly | Enable you to create and share custom routes | Contract (Art. 6(1)(b)) |
| Likes placed on tour plans | Enable social features of the App | Contract (Art. 6(1)(b)) |
3.6 Conversation Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Messages exchanged with the AI guide (text and transcribed voice) | Maintain conversation context so the AI can give coherent, continuous responses during a tour | Contract (Art. 6(1)(b)) |
| Conversation history linked to your account | Allow you to review past tour conversations | Contract (Art. 6(1)(b)) |
3.7 User Preferences
| Data | Purpose | Legal Basis |
|---|---|---|
| Preferred language | Deliver narrations and responses in your chosen language | Contract (Art. 6(1)(b)) |
| Preferred voice gender | Select the AWS Polly voice for audio narrations | Contract (Art. 6(1)(b)) |
| Preferred narration tone (casual, academic, storytelling) | Tailor the style of AI narrations to your preference | Contract (Art. 6(1)(b)) |
| Interest scores across 9 categories | Score and rank nearby points of interest to prioritise what is most relevant to you | Contract (Art. 6(1)(b)) |
| Walking speed estimate | Adjust geofence timing for POI detection | Contract (Art. 6(1)(b)) |
| Narration length preference | Control the depth of AI narrations | Contract (Art. 6(1)(b)) |
3.8 Automated Profiling Disclosure
Guidude uses an automated scoring system to rank and select which nearby points of interest to narrate to you. This system considers your GPS proximity to a POI, your interest scores across 9 categories, the POI's priority rating, and your current tour plan. This constitutes profiling under GDPR Article 4(4).
The profiling is used solely to personalise your in-app tour experience — to decide which point of interest to narrate next. It does not produce legal effects or significantly affect you outside the App. You may review and update your interest scores in the App at any time.
4. International Data Transfers
Some of our third-party service providers operate outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers as required by GDPR Article 46.
| Provider | Country | Transfer Mechanism |
|---|---|---|
| Amazon Web Services (AWS) | United States | EU–US Data Privacy Framework (DPF) + AWS Standard Contractual Clauses |
| Google LLC (Firebase, Gemini API, OAuth2) | United States | EU–US Data Privacy Framework (DPF) |
5. Third-Party Service Providers
We use the following processors to operate the App. Each acts as a data processor under GDPR Article 28, processing data only on our instructions and bound by appropriate data processing agreements.
| Processor | Purpose | Data Received |
|---|---|---|
| Amazon Web Services (S3) | Store voice audio files and POI images | Audio recordings, tour plan images |
| Amazon Web Services (Polly) | Convert AI narration text to speech | Narration text strings |
| Google Firebase (FCM) | Deliver push notifications | FCM device tokens |
| Google LLC (OAuth2) | Sign in with Google (optional) | Email address, name |
| Google LLC (Gemini API) | Generate AI tour narrations, transcribe voice, and power the AI chat assistant | Conversation text, narration context |
We use the paid API tier of the Google Gemini API. Under Google's paid terms, your data is not used to train Google's AI models and is retained only for a limited period for safety and abuse detection purposes.
We do not sell, rent, or share your personal data with any third party for advertising or marketing purposes.
6. Data Sharing
We share personal data only in the following circumstances:
- With service providers named in Section 5, strictly to operate and deliver App features
- Legal obligations — if we receive a valid, legally enforceable request from a competent authority (e.g., a court order, law enforcement request)
- Business transfer — if InitHere ApS is sold, merged, or acquired, your data may transfer to the new entity, which will be contractually bound to honour this policy. We will notify you in advance of any such transfer.
We do not sell, rent, or trade personal data.
7. Data Retention
We retain personal data only for as long as necessary for the stated purpose, in line with the GDPR storage limitation principle (Article 5(1)(e)).
| Data Category | Retention Period |
|---|---|
| Account data (email, name, password hash) | Duration of account + 30 days after deletion |
| GPS location / tour route data | Duration of account + 30 days after deletion |
| Voice audio recordings | Deleted within 30 days after the session ends |
| Conversation history (chat messages) | Duration of account + 30 days after deletion |
| Push notification tokens (FCM) | Until you revoke notification permission or delete your account |
| Tour session data (ratings, POI logs, plans, likes) | Duration of account + 30 days after deletion |
| User preferences | Duration of account + 30 days after deletion |
When you delete your account, all personal data listed above is permanently and irreversibly deleted within 30 days. Backups that contain your data are purged within the same window. We do not retain personal data in back-end systems after account deletion, except where we are subject to a legal obligation to retain specific records (for example, Danish bookkeeping law requires retention of financial transaction records for 5 years — this applies only to records of any financial transactions, not to your personal profile data).
8. Your Rights Under GDPR
As a user in the European Economic Area, you have the following rights under GDPR Articles 15–22:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17) — Request deletion of your personal data. You can also delete your account directly within the App.
- Right to restriction of processing (Art. 18) — Request that we pause processing of your data in certain circumstances
- Right to data portability (Art. 20) — Receive your personal data (account details, preferences, tour history, conversation history) in a structured, machine-readable format (JSON or CSV). This right applies where processing is based on contract or consent and carried out by automated means.
- Right to object (Art. 21) — Object to processing based on legitimate interest or for profiling purposes
- Right not to be subject to solely automated decision-making (Art. 22) — The POI scoring system (Section 3.8) constitutes profiling, but it does not produce decisions that legally or significantly affect you outside the App
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent (location tracking, push notifications), you may withdraw consent at any time via your device settings or within the App, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at contact-guidude@inithere.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or where the alleged infringement occurred.
For users in Denmark, the competent authority is:
Datatilsynet — Danish Data Protection Agency
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
Users in other EU/EEA countries may also contact the supervisory authority in their own country of residence.
We encourage you to contact us directly first at contact-guidude@inithere.com — we will do our best to resolve any concern without the need for a formal complaint.
10. Consent and How to Withdraw It
The following features require your explicit consent. You may withdraw consent at any time without affecting your ability to use other features.
| Feature | How to Withdraw Consent |
|---|---|
| Location tracking (tour narration) | Revoke location permission in your device settings, or end/not start a tour session |
| Push notifications | Revoke notification permission in your device settings, or turn off notifications in App Settings |
Withdrawing location consent stops the tour narration feature from functioning. Withdrawing notification consent means you will not receive post-tour prompts or welcome messages.
11. Security
We implement the following measures to protect your personal data:
- All data in transit is encrypted using TLS/HTTPS
- Passwords are stored as secure cryptographic hashes — never in plain text
- Authentication uses short-lived JWT access tokens (30-minute expiry) with rotating refresh tokens and token blacklisting on logout
- Voice audio files and POI images are stored in AWS S3 with restricted access controls
- AI-generated audio narrations are stored privately and delivered via time-limited presigned URLs
- Application servers and databases are hosted on secured, private infrastructure
No system is completely secure. If you believe your account or data has been compromised, contact us immediately at contact-guidude@inithere.com.
12. Account Deletion
You can delete your account at any time from within the App (Settings → Account → Delete Account). Deleting your account permanently removes all personal data associated with your account as described in Section 7. This action is irreversible.
13. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this document
- Notify you via an in-app notice or push notification before the changes take effect
Continued use of the App after the updated policy takes effect constitutes your acceptance of the new terms. If you do not agree with any changes, you should stop using the App and delete your account.
14. Contact
For privacy-related questions, data requests, or concerns:
InitHere ApS
Løvetandsvej 22, 2. tv., 2700 Brønshøj, Denmark
CVR: 46004043
Email: contact-guidude@inithere.com
We aim to respond to all requests within 30 days.
This policy is subject to Danish law and the General Data Protection Regulation (EU) 2016/679.