Privacy Policy
Effective as of: 2026-06-10
This privacy policy applies to the Duksia app for mobile devices and web browsers, together with any related services (collectively, the “Application”). Duksia is the publisher and data controller (the “Service Provider”). This policy explains what personal data is collected, why, and what your rights are.
Data controller
The data controller is Duksia, the app's publisher.
For any question about your personal data: contact@duksia.com.
Data we collect
When you use the Application, we may collect:
- Account data: the email address and name you provide at sign-up, or the identifier passed by “Sign in with Apple” / Google if you use those options.
- Location: your approximate or precise position, only when you allow it, to show nearby points of interest and compute itineraries.
- Photos and camera: the images you choose to attach to a point of interest. We do not access your photo library without your action.
- Content you create: reviews, ratings, points of interest you add and, for guides, audio descriptions.
- Automatically collected data: your device's IP address, the pages of the Application you visit, the date and time of your visit, the time spent, and the operating system you use.
Cookies and tracking technologies
The Application or its third-party SDKs may use cookies, SDKs, pixels, and similar technologies to support functionality, analytics, or service delivery. Where required by applicable law, the Service Provider will obtain consent before using non-essential tracking technologies.
Purposes and legal bases
We process your data for the following purposes:
- Providing the service (account, itineraries, content) — performance of the contract.
- Showing nearby places via location — your consent, withdrawable at any time in your device settings.
- Analytics and product improvement — your consent (analytics) and our legitimate interest in fixing issues (diagnostics).
- Sending you important information and required notices, and, where permitted by law, marketing communications.
- Complying with our legal obligations where applicable.
Location information
The Application collects your device's location to provide location-based features, improve the Application, and support related services.
- Geolocation features: location data may be used to provide location-based features or content.
- Analytics and improvements: aggregated location data may help understand usage patterns and improve performance.
- Third-party services: location data may be shared with third-party services that support the Application's functionality, subject to this policy and applicable law.
Hosting and processors
Your data is hosted in the European Union (Supabase, Frankfurt region, Germany).
We use processors acting on our instructions. Each has its own privacy policy:
- Supabase — hosting and database (https://supabase.com/privacy)
- Sentry — crash reports and diagnostics (https://sentry.io/privacy/)
- PostHog — analytics, EU hosting (https://posthog.com/privacy)
- Apple and Google — authentication and app-store distribution (https://www.google.com/policies/privacy/)
Third-party disclosure
We do not sell your personal data. We may disclose it:
- to our trusted processors who work on our behalf, do not use the data independently, and have agreed to adhere to this policy;
- as required by law, such as to comply with a subpoena or similar legal process;
- when we believe in good faith that disclosure is necessary to protect our rights, your safety or that of others, investigate fraud, or respond to a government request.
International data transfers
The Service Provider or its processors may transfer personal data to countries outside your country of residence, including outside the European Economic Area (EEA). Where applicable law requires safeguards, the following mechanisms are used:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- an adequacy decision or another legally recognized transfer mechanism;
- your consent, where required and legally permitted.
Data retention
We retain personal data based on its necessity for the stated purposes:
- User-provided data: retained for the duration of your use of the Application plus 12 months, unless longer retention is required by law.
- Automatically collected data: retained for up to 24 months from collection, unless longer retention is required by law.
- Aggregated and anonymized data: retained indefinitely as it no longer identifies you.
- Data required for legal compliance: retained as long as required by applicable law.
Your rights
Under the GDPR, you have the rights of access, rectification, erasure, restriction, objection and portability, and the right to withdraw consent at any time.
To exercise these rights, contact us at contact@duksia.com. You may also lodge a complaint with the French data-protection authority, the CNIL (www.cnil.fr).
Your California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information is collected, the right to delete it, the right to opt out of its sale or sharing, and the right to non-discrimination for exercising these rights.
To exercise your CCPA/CPRA rights, contact the Service Provider at contact@duksia.com.
Account deletion and opt-out
You can delete your account and associated data directly in the app, from the account settings.
You can stop further collection by uninstalling the Application. Uninstalling stops collection from your device but does not automatically delete data already transmitted.
To request deletion of your data, withdraw consent, or exercise any of your rights, contact us at contact@duksia.com.
Security
The Service Provider is concerned about safeguarding the confidentiality of your information. It provides physical, electronic, and procedural safeguards to protect the information it processes and maintains.
Data breach notification
If a data breach occurs that affects your personal data, the Service Provider will notify you in accordance with applicable legal requirements. Where required, the notification will describe the nature of the breach and the steps being taken to address it.
Children
The Application is not intended for children under 15 years of age (or the applicable age of digital consent in your country). The Service Provider does not knowingly collect data from children or market the Application to them.
If we discover that a child has provided personal information, we will delete it from our servers immediately. If you are a parent or guardian and become aware that your child has provided us with personal data, contact us at contact@duksia.com.
Changes
The Service Provider may update this policy from time to time. Material changes will be signalled by posting the updated policy with an effective date. Where required by law, your consent will be sought before they take effect. Previous versions are kept and available on request.
Your consent
Where processing is based on consent, you provide it by affirmatively opting in to the relevant feature or action. You may withdraw consent at any time without affecting processing carried out before withdrawal. Processing based on other lawful bases is carried out as described above.
Contact us
If you have any questions about privacy or our practices while using the Application, contact the Service Provider by email at contact@duksia.com.