Privacy Policy

Last Updated: January 16, 2025

Studio Hedera ("we," "us," or "our") operates the PAVO mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this policy.

Key Points:

We collect precise location data to provide location-based AI content
We use third-party AI services (Google Gemini) that process your location data
We do not sell your personal data
You have the right to access, delete, and control your data
This Service is not directed to children under 13

1. Information We Collect

1.1 Location Data (Automatic Collection)

We collect precise GPS location data when you use the Service.

Data Type	Purpose	Retention Period
GPS coordinates (latitude/longitude)	Generate location-based AI content and recommendations	Temporary (processed in real-time, not stored long-term)
Location history	Display previously visited locations in-app	Stored locally on device; deleted when app is uninstalled
Movement patterns	Detect when you've moved to a new area (distance calculation)	Not stored; calculated in real-time

1.2 Usage Data

We collect information about how you interact with the Service:

AI Generation Requests: Number of stories generated, timestamps, categories selected
Credit Usage: Purchase history, remaining credits, transaction IDs
Device Information: Device model, operating system version, app version, unique device identifiers
Error Logs: Crash reports, API errors, performance metrics

1.3 Information You Provide

Interest Tags: Categories and preferences you select (e.g., "History," "Gourmet," "Nature")
Language Preference: Your selected language for AI-generated content
Account Information: Email address (optional, if you create an account)

1.4 Information We Do NOT Collect

We do not collect names, phone numbers, or postal addresses (unless you voluntarily provide them)
We do not access your contacts, photos, or other media files
We do not track location when the app is closed (except background service, if enabled)

2. How We Use Your Information

We use the collected data for the following purposes:

Purpose	Legal Basis (GDPR)
Generate AI-powered location-based content	Performance of contract / Legitimate interest
Process credit purchases and manage subscriptions	Performance of contract
Improve and personalize the Service	Legitimate interest
Provide customer support and respond to inquiries	Performance of contract / Legitimate interest
Detect and prevent fraud and abuse	Legitimate interest / Legal obligation
Comply with legal obligations	Legal obligation
Analyze usage patterns and app performance	Legitimate interest

3. Third-Party Services and Data Sharing

3.1 Third-Party Service Providers

We share your data with the following third-party service providers to operate the Service:

Service Provider	Purpose	Data Shared	Privacy Policy
Google (Gemini AI)	AI content generation	GPS coordinates, interest tags, language preference	Google Privacy Policy
Amazon (Polly TTS)	Text-to-speech synthesis	Generated text content (no personal data)	AWS Privacy Notice
Mapbox	Maps and geocoding	GPS coordinates	Mapbox Privacy Policy
Firebase (Google)	Backend infrastructure, authentication	Device ID, usage data, crash logs	Firebase Privacy
App Store / Google Play	Payment processing	Purchase information (handled by platform)	Apple / Google payment policies

3.2 Data Not Sold

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

3.3 Legal Disclosures

We may disclose your information if required by law or in response to:

Valid legal requests (subpoenas, court orders)
Law enforcement investigations
Protection of our rights, property, or safety
Enforcement of our Terms of Service

4. Data Retention

Data Type	Retention Period
GPS location (real-time processing)	Not stored (processed and discarded immediately)
Location history (local device)	Until app is uninstalled or data is manually cleared
Account information	Until account deletion request
Transaction records	7 years (legal requirement for financial records)
Usage analytics	26 months (aggregate data)

5. Your Rights (GDPR & CCPA)

5.1 European Union (GDPR)

If you are located in the EU/EEA, you have the following rights:

Right to Access: Request a copy of your personal data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion of your data
Right to Restriction: Limit how we process your data
Right to Data Portability: Receive your data in a machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time (e.g., disable location services)

To exercise these rights, contact us at: privacy@studio-hedera.com

5.2 California (CCPA)

If you are a California resident, you have the right to:

Know what personal information we collect and how we use it
Request deletion of your personal information
Opt-out of the "sale" of personal information (we do not sell data)
Non-discrimination for exercising your privacy rights

5.3 How to Exercise Your Rights

To make a data request:

Email us at privacy@studio-hedera.com with the subject "Data Request"
Provide your device ID or email address (for verification)
Specify your request (access, deletion, correction, etc.)
We will respond within 30 days (GDPR) or 45 days (CCPA)

6. Data Security

We implement reasonable security measures to protect your data:

Encryption: Data transmitted over HTTPS/TLS
API Security: API keys stored securely in Firebase Secrets Manager
Access Control: Limited access to production systems
Regular Audits: Periodic security reviews of third-party services

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

7. International Data Transfers

Your data may be processed in countries outside your country of residence, including:

United States: Google (Gemini, Firebase), Amazon (Polly)
Japan: Studio Hedera servers

These transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission
Privacy Shield successor frameworks (where applicable)
Third-party service providers' own data protection commitments

8. Children's Privacy

The Service is not directed to individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children.

If you believe we have collected data from a child, please contact us immediately at privacy@studio-hedera.com, and we will delete it.

9. Cookies and Tracking Technologies

The mobile app uses the following tracking technologies:

Local Storage: Store preferences and cache data on your device
Firebase Analytics: Collect usage statistics (can be disabled in device settings)
Crash Reporting: Collect error logs to improve app stability

We do not use advertising trackers or third-party cookies.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be notified by:

Posting the updated policy on our website
Displaying an in-app notification
Sending an email (if you have provided one)

Material changes will take effect 30 days after notification (or immediately, if required by law).

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Company Name: Studio Hedera
Representative: Ivy Comilang Venenoso
Data Protection Officer: pavo@studio-hedera.com
Address: 5081-1 Toyoda, Iiyama-shi, Nagano 389-2411, Japan
Website: https://pavo.studio-hedera.com

EU Representative (GDPR Article 27)

If you are in the EU and wish to contact our EU representative:

Email: eu-representative@studio-hedera.com
(To be appointed if required by law)

12. Supervisory Authority

If you are in the EU/EEA and believe we have not addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

EU Data Protection Authorities