Privacy Policy — Guido
Status: Draft — recommended legal review before publication.
Effective date: 1 April 2026
Document version: 1.0 (see section 11).
Controller: SmartCode Krzysztof Piotrak, Żebrówka, Poland.
Contact (including privacy requests): [email protected]
Data Protection Officer (DPO): We have not appointed a DPO. Under Polish and EU law, a DPO is required only in specific cases; if that changes or if we designate a contact person, we will update this Policy. For all privacy-related requests, use the email above.
1. Scope
This Privacy Policy explains how Guido (“we”, “us”) processes personal data when you use the Guido mobile application (the “App”) and related online services we operate (e.g. backend APIs, Firebase).
The App is offered first in the EU and is intended to be available worldwide where allowed. If you use the App outside the EU, this Policy still applies, together with local laws where they give you stronger rights.
2. Data we process
Depending on how you use the App, we may process:
| Category | Examples |
|---|---|
| Account and profile | Name, email, nickname, phone (if you provide it), user ID, authentication tokens, roles (listener/author). |
| User content | Text, images, audio, video, location tied to stories or segments, titles, descriptions, categories, age-related labels (e.g. suitability / AgeRestriction for discovery filters), moderation status. |
| Usage and device | App version, device model, OS version; network connectivity; diagnostics and logs if you contact support or opt in to attach logs. |
| Location | Approximate or precise location when you grant location permissions (e.g. discover nearby stories, playback along a route, author tools). |
| Media and files | Content from camera, microphone, gallery / media library when you choose to add media; metadata needed to upload and display content. |
| Local / device storage | The App may store content on your device (e.g. offline or cached data) as implemented; see your device settings to manage storage. |
| Transactions | Purchases of Scrolls via Google Play, unlock events, wallet balance, transaction history; payout-related data when authors use Stripe through our onboarding link. |
| Support | Messages you send via contact/support (including subject such as “Account deletion” or general enquiries), and optional log attachments. |
We do not “sell” personal information within the meaning of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (and we do not share personal information for cross-context behavioural advertising as described in those laws). For a description of disclosures to service providers, see sections 4 and 5.
2.1 Data categories and purposes (alignment with Google Play Data Safety)
The following maps categories of data we process to typical purposes declared in Google Play — Data safety. The Data safety form must match this Policy; any purpose selected in Play Console (e.g. App functionality, Fraud prevention, security, and compliance) should be reflected here.
| Data type (Play-style category) | Purposes (examples) |
|---|---|
| Location (including precise location when you grant it) | App functionality (maps, discover nearby, route/playback along a path, author tools); Fraud prevention, security, and compliance where needed. |
| Photos and videos | App functionality (author uploads, gallery/camera); display and storage as part of stories. |
| Audio files (recordings and uploads) | App functionality (segments, playback, recording where enabled). |
| User-generated content (text, media, story metadata, bookmarks, unlocks) | App functionality; Fraud prevention, security, and compliance (abuse, chargebacks); Account management. |
| Financial info (in-app purchases, Scrolls, payout-related data via Stripe/Google Play) | App functionality; Fraud prevention, security, and compliance; legal/tax obligations. |
| App activity (e.g. unlocks, bookmarks, in-app events as implemented) | App functionality; Fraud prevention, security, and compliance where relevant. |
| Diagnostics (app version, device model, optional log attachments) | App functionality (reliability); support; Fraud prevention, security, and compliance if needed for abuse investigations. |
If we add tools (e.g. analytics or crash reporting) that process personal data, we will declare the same categories and purposes in Play Console and update this section accordingly.
Responsibility for content: You are solely responsible for having the rights (including copyright and related rights) to any text, audio, images, video, and other material you upload or submit. We process such content only as described in this Policy and in our Terms of Service.
2.2 Sensitive information and U.S. state privacy laws
In some U.S. states, categories such as precise geolocation may be treated as sensitive or subject to additional rules. We use such data only for the purposes described in this Policy (primarily App functionality and, where applicable, security and compliance), and we do not sell personal information or use it for cross-context behavioural advertising as described in CCPA/CPRA. If we begin processing categories that qualify as “sensitive” under a specific state law in a new way, we will update this Policy and obtain opt-in consent where that law requires it.
3. Purposes and legal bases (EEA, UK, and Switzerland)
The purposes below describe our processing in line with the GDPR (EEA), UK GDPR (where applicable), and broadly comparable principles under Swiss data protection law where users in Switzerland are concerned.
We process personal data to:
- Provide the App and your account (performance of a contract, Art. 6(1)(b) GDPR).
- Process payments and payouts (contract; legal obligations for tax/accounting where applicable).
- Keep the service secure, fix bugs, and improve reliability (legitimate interests, Art. 6(1)(f) GDPR), where not overridden by your rights.
- Comply with law (Art. 6(1)(c) GDPR).
- Send support responses and handle reports (legitimate interests / contract).
Where we rely on consent (e.g. certain optional permissions or marketing, if we add it), you may withdraw consent at any time without affecting prior processing that was lawful.
4. How data is processed technically
- Firebase (Google): Authentication, Firestore (e.g. user profile, wallet, bookmarks, transactions), Cloud Functions (e.g. unlock, purchases, registration hooks), and related Google Cloud processing. Hosting / default region for our functions and services is aligned with europe-west2 (London) in our current backend configuration; Google may process data in the EU and, for some services, in other countries under Google’s terms and safeguards.
- Google Play Billing for in-app purchases.
- Google Maps / Places (and related Google APIs) for maps and location features, subject to Google’s policies.
- Stripe for author payouts: when you onboard as an author, Stripe acts as a separate controller or processor according to Stripe’s terms; we receive limited payout-related information as needed to operate the App.
- Email delivery (e.g. Mailgun) for support messages sent from the App configuration.
- OpenStreetMap-style tiles or other map tiles as configured for offline or map display, subject to third-party tile use policies.
- Internet and network state are used to connect to our services and to handle connectivity appropriately.
A non-exhaustive list of subprocessors / providers includes: Google (Firebase, Play, Maps), Stripe, Mailgun (or successor), and hosting/API providers we use for Guido. We will update this Policy if we add material new categories of recipients.
5. Sharing
We share data with:
- Service providers listed above, strictly as needed to operate the App.
- Payment and payout providers (Google Play, Stripe).
- Authorities when required by law or lawful requests.
We do not sell personal data in the ordinary sense of a sale for monetary or other valuable consideration, and we do not engage in sharing of personal information for cross-context behavioural advertising within the meaning of CCPA/CPRA. We disclose personal data only to processors and service providers as necessary to operate the App, as described above.
We do not share personal data with third parties for cross-context behavioural advertising or for profiling-based advertising as standalone purposes.
Advertising: We do not currently display third-party advertising in the App in a way that processes your personal data for ad targeting. If we introduce advertising that involves personal data processing, we will update this Privacy Policy, describe the processing, and obtain consent where required by applicable law (including in-app consent for optional advertising or tracking, where applicable).
Communications (email and push): We use your contact details to send service-related messages (for example support replies, security, or account notices) as needed to operate the App. We do not send marketing or promotional emails or push notifications unless we introduce that feature, tell you clearly in this Policy, and rely on a lawful basis (such as consent or soft opt-in where the law allows). Push notifications depend on your device and OS settings and any in-app choices we provide.
6. Retention
Retention depends on the data type and legal obligations. Indicative periods (subject to change and to legal holds):
- Account and profile: until you ask for deletion, then completion of deletion within the timeframe in section 7, plus a short technical buffer.
- Support messages: typically up to 24 months unless a longer period is needed for unresolved disputes or legal claims.
- Transaction and tax records: as long as required by accounting and tax law (often several years).
- Logs attached to support: processed only for troubleshooting and kept no longer than necessary for that purpose, unless a longer period is justified (e.g. abuse investigation).
If you need a detailed retention schedule, contact us.
7. Your rights and account deletion
Depending on your location, you may have rights to access, rectify, erase, restrict, object, data portability, and to lodge a complaint with a supervisory authority (in Poland: UODO, https://uodo.gov.pl).
If you are in the United Kingdom, similar rights apply under UK GDPR and the Data Protection Act 2018. The UK supervisory authority is the ICO (https://ico.org.uk).
Account deletion: You can request deletion of your account and associated personal data by opening Contact / support from your profile screen. Choose the subject Account deletion, or a general subject and clearly ask for account deletion. We aim to complete deletion within 30 days of verifying your request, unless we must keep certain data longer (e.g. invoices, fraud prevention, legal claims).
Legal acceptance (Terms/Privacy): Your acceptance of the current policy version may be stored locally on your device; if that data is missing (e.g. new device or reinstall), we may ask you to accept again before continuing.
8. Age, children, account eligibility, and adult content
Minimum age: You must be at least 13 years old to create an account and use the App, and you must meet any higher minimum age required by Google Play, your app store account rules, or applicable law in your country (including where the digital age of consent in the EEA/UK is 16, in which case users under 16 may need parental or guardian consent where the law requires it). If you are not old enough, do not use the App or ask a parent or guardian to help you comply with local rules.
Google Play age signals: Google Play may, in certain jurisdictions (for example selected U.S. states), require age verification or parental consent for users declared as minors. We respect those signals from the platform and adapt the in-app experience where technically feasible.
Not directed at children under 13: The App is not directed to children under 13 years of age (including in the sense of children-specific services). We do not knowingly collect personal data from such users without verifiable parental consent where required, including approaches similar to U.S. COPPA and comparable rules. If we learn that personal data of a child under 13 has been collected in breach of this Policy, we will delete it promptly upon notification; you may also contact us at any time if you believe this has occurred.
Adult content (18+): The App permits authors to publish content intended for adults aged 18 and over, provided the content is correctly labelled with an adult age restriction (AgeRestriction) before submission for review. We do not expose adult-labelled content to users who have not confirmed they are 18 or older, to the extent technically implemented in the App. The App is rated Mature on Google Play; access is subject to Google Play's age-gating controls.
Story age labels: Authors must set the appropriate age restriction (AgeRestriction) on stories containing adult themes, nudity, strong language, or other mature material. Listeners can use filters to discover content within their chosen age band. Such labels describe content suitability and are one layer of access control; they do not replace the account minimum age above, Google Play's platform controls, or parental controls on the device.
EEA digital age of consent: Where local law sets a digital age of consent above 13 (often 16 in many EEA Member States), processing based on consent may require parental authority for users between 13 and that age — we rely on your accurate age, account eligibility, and store rules; see also section 3 on lawful bases.
9. Automated decision-making and profiling
Current practice: We do not use solely automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. In particular:
- Story moderation is not performed by an automated system that, without meaningful human review, decides whether content is published or removed; human review forms part of our publication workflow as described in our Terms of Service.
- Listener review scanning: We use AI-assisted tools to automatically scan the text of listener reviews after publication to detect potential policy violations (e.g. inappropriate language, hate speech, spam). This scanning flags reviews for human assessment — it does not automatically remove reviews without a human making the final decision. The legal basis for this processing is our legitimate interest in keeping the platform safe and compliant with our Terms of Service (Art. 6(1)(f) GDPR), balanced against users' interests in fair moderation.
- We do not operate personalised story recommendations driven solely by profiling that would constitute automated decision-making within the meaning above.
If we introduce processing that falls under Article 22 GDPR or materially changes profiling, we will update this Policy and, where required, obtain a legal basis (e.g. consent or contract) and inform you in the App and, where appropriate, through this document.
9.1 AI, machine learning, and use of your content
We do not use your personal data or user-generated content to train machine-learning or generative-AI models for ourselves or to license such use to third parties. Technical processing needed to run the App (such as transcoding, storage, delivery, virus scanning, or format conversion) is not model training. If we ever introduce processing that uses your content or personal data to train or improve automated systems in a way that goes beyond providing the App, we will update this Policy and obtain consent or another lawful basis where required.
10. International transfers
Personal data may be processed in the EEA, the United Kingdom, Switzerland, and in third countries where our processors or subprocessors operate (including the United States).
Where data is transferred from the EEA to countries that do not benefit from an adequacy decision under Article 45 GDPR, we implement appropriate safeguards in accordance with Chapter V GDPR, including in particular:
- EU–US Data Privacy Framework (DPF): Certain providers (including Google and Stripe, subject to their then-current certifications and policies) may rely on transfers to the United States under the EU–US Data Privacy Framework, as supplemented by the European Commission Implementing Decision on the adequate level of protection for such transfers. You may consult each provider’s privacy notice and DPF certification for details.
- Standard Contractual Clauses (SCCs): Where the DPF or another adequacy mechanism does not apply, or as a supplementary measure, we or our processors may use Commission-approved Standard Contractual Clauses (including the 2021 modules) together with any technical and organisational measures required by applicable law and regulatory guidance.
Transfers from the UK are subject to UK GDPR and UK adequacy regulations, International Data Transfer Agreements / Addendum, or other mechanisms required by UK law, as implemented by our providers and by us when we act as controller.
Further information on international transfers is set out in the privacy notices of Google, Stripe, and our other providers; their documentation describes the instruments they apply to specific products and regions.
11. Document versioning and changes to this Policy
Versioning: This document carries a document version identifier at the top of this Policy (e.g. 1.0). Material changes will be reflected in an updated text, a new effective date, and, where we adopt a stricter in-app tracking practice, alignment with the legal documents version shipped with the App (see below).
How you are informed: When we publish a material change, we will:
- Publish the updated Privacy Policy at the URL referenced in the App (and keep prior versions available to us for our records).
- Notify you in the App, for example through a dialogue, mandatory re-acceptance flow, or in-app notice, as required by applicable law and as implemented in the product. The App may record acceptance of the current legal documents version locally on your device (see also section 7); if you install the App on a new device or reinstall it, we may ask you to accept the current Terms and Privacy Policy again before continuing.
Continued use of the App after the effective date of an update may constitute acceptance of the revised Policy where permitted by law. If you do not agree, you should stop using the App and may request account deletion as described in section 7.