Studio Hedera ("we," "us," or "our") operates the PAVO mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you consent to the data practices described in this policy.
Key Points:
- We collect precise location data to provide location-based AI content
- We use third-party AI services (Google Gemini) that process your location data
- We do not sell your personal data
- You have the right to access, delete, and control your data
- This Service is not directed to children under 13
1. Information We Collect
1.1 Location Data (Automatic Collection)
We collect precise GPS location data when you use the Service.
| Data Type | Purpose | Retention Period |
|---|---|---|
| GPS coordinates (latitude/longitude) | Generate location-based AI content and recommendations | Temporary (processed in real-time, not stored long-term) |
| Location history | Display previously visited locations in-app | Stored locally on device; deleted when app is uninstalled |
| Movement patterns | Detect when you've moved to a new area (distance calculation) | Not stored; calculated in real-time |
1.2 Usage Data
We collect information about how you interact with the Service:
- AI Generation Requests: Number of stories generated, timestamps, categories selected
- Credit Usage: Purchase history, remaining credits, transaction IDs
- Device Information: Device model, operating system version, app version, unique device identifiers
- Error Logs: Crash reports, API errors, performance metrics
1.3 Information You Provide
- Interest Tags: Categories and preferences you select (e.g., "History," "Gourmet," "Nature")
- Language Preference: Your selected language for AI-generated content
- Account Information: Email address (optional, if you create an account)
1.4 Information We Do NOT Collect
- We do not collect names, phone numbers, or postal addresses (unless you voluntarily provide them)
- We do not access your contacts, photos, or other media files
- We do not track location when the app is closed (except background service, if enabled)
2. How We Use Your Information
We use the collected data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Generate AI-powered location-based content | Performance of contract / Legitimate interest |
| Process credit purchases and manage subscriptions | Performance of contract |
| Improve and personalize the Service | Legitimate interest |
| Provide customer support and respond to inquiries | Performance of contract / Legitimate interest |
| Detect and prevent fraud and abuse | Legitimate interest / Legal obligation |
| Comply with legal obligations | Legal obligation |
| Analyze usage patterns and app performance | Legitimate interest |
3. Third-Party Services and Data Sharing
3.1 Third-Party Service Providers
We share your data with the following third-party service providers to operate the Service:
| Service Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google (Gemini AI) | AI content generation | GPS coordinates, interest tags, language preference | Google Privacy Policy |
| Amazon (Polly TTS) | Text-to-speech synthesis | Generated text content (no personal data) | AWS Privacy Notice |
| Mapbox | Maps and geocoding | GPS coordinates | Mapbox Privacy Policy |
| Firebase (Google) | Backend infrastructure, authentication | Device ID, usage data, crash logs | Firebase Privacy |
| App Store / Google Play | Payment processing | Purchase information (handled by platform) | Apple / Google payment policies |
3.2 Data Not Sold
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
3.3 Legal Disclosures
We may disclose your information if required by law or in response to:
- Valid legal requests (subpoenas, court orders)
- Law enforcement investigations
- Protection of our rights, property, or safety
- Enforcement of our Terms of Service
4. Data Retention
| Data Type | Retention Period |
|---|---|
| GPS location (real-time processing) | Not stored (processed and discarded immediately) |
| Location history (local device) | Until app is uninstalled or data is manually cleared |
| Account information | Until account deletion request |
| Transaction records | 7 years (legal requirement for financial records) |
| Usage analytics | 26 months (aggregate data) |
5. Your Rights (GDPR & CCPA)
5.1 European Union (GDPR)
If you are located in the EU/EEA, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data
- Right to Restriction: Limit how we process your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time (e.g., disable location services)
To exercise these rights, contact us at: privacy@studio-hedera.com
5.2 California (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how we use it
- Request deletion of your personal information
- Opt-out of the "sale" of personal information (we do not sell data)
- Non-discrimination for exercising your privacy rights
5.3 How to Exercise Your Rights
To make a data request:
- Email us at privacy@studio-hedera.com with the subject "Data Request"
- Provide your device ID or email address (for verification)
- Specify your request (access, deletion, correction, etc.)
- We will respond within 30 days (GDPR) or 45 days (CCPA)
6. Data Security
We implement reasonable security measures to protect your data:
- Encryption: Data transmitted over HTTPS/TLS
- API Security: API keys stored securely in Firebase Secrets Manager
- Access Control: Limited access to production systems
- Regular Audits: Periodic security reviews of third-party services
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.
7. International Data Transfers
Your data may be processed in countries outside your country of residence, including:
- United States: Google (Gemini, Firebase), Amazon (Polly)
- Japan: Studio Hedera servers
These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Privacy Shield successor frameworks (where applicable)
- Third-party service providers' own data protection commitments
8. Children's Privacy
The Service is not directed to individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children.
If you believe we have collected data from a child, please contact us immediately at privacy@studio-hedera.com, and we will delete it.
9. Cookies and Tracking Technologies
The mobile app uses the following tracking technologies:
- Local Storage: Store preferences and cache data on your device
- Firebase Analytics: Collect usage statistics (can be disabled in device settings)
- Crash Reporting: Collect error logs to improve app stability
We do not use advertising trackers or third-party cookies.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be notified by:
- Posting the updated policy on our website
- Displaying an in-app notification
- Sending an email (if you have provided one)
Material changes will take effect 30 days after notification (or immediately, if required by law).
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Company Name: Studio Hedera
Representative: Ivy Comilang Venenoso
Data Protection Officer: pavo@studio-hedera.com
Address: 5081-1 Toyoda, Iiyama-shi, Nagano 389-2411, Japan
Website: https://pavo.studio-hedera.com
EU Representative (GDPR Article 27)
If you are in the EU and wish to contact our EU representative:
Email: eu-representative@studio-hedera.com
(To be appointed if required by law)
12. Supervisory Authority
If you are in the EU/EEA and believe we have not addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority: