Privacy Policy — Guido
Status: Draft — recommended legal review before publication.
Effective date: 1 April 2026
Document version: 1.0 (see section 11).
Controller: SmartCode Krzysztof Piotrak, Żebrówka, Poland.
Contact (including privacy requests): developers.smartcode@gmail.com
Data Protection Officer (DPO): We have not appointed a DPO. Under Polish and EU law, a DPO is required only in specific cases; if that changes or if we designate a contact person, we will update this Policy. For all privacy-related requests, use the email above.
1. Scope
This Privacy Policy explains how Guido (“we”, “us”) processes personal data when you use the Guido mobile application (the “App”) and related online services we operate (e.g. backend APIs, Firebase).
The App is offered first in the EU and is intended to be available worldwide where allowed. If you use the App outside the EU, this Policy still applies, together with local laws where they give you stronger rights.
2. Data we process
Depending on how you use the App, we may process:
| Category | Examples |
|---|---|
| Account and profile | Name, email, nickname, phone (if you provide it), user ID, authentication tokens, roles (listener/author). |
| User content | Text, images, audio, video, location tied to stories or segments, titles, descriptions, categories, age-related labels (e.g. suitability / AgeRestriction for discovery filters), moderation status. |
| Usage and device | App version, device model, OS version; network connectivity; diagnostics and logs if you contact support or opt in to attach logs. |
| Location | Approximate or precise location when you grant location permissions (e.g. discover nearby stories, playback along a route, author tools). |
| Media and files | Content from camera, microphone, gallery / media library when you choose to add media; metadata needed to upload and display content. |
| Local / device storage | The App may store content on your device (e.g. offline or cached data) as implemented; see your device settings to manage storage. |
| Transactions | Purchases of Scrolls via Google Play, unlock events, wallet balance, transaction history; payout-related data when authors use Stripe through our onboarding link. |
| Support | Messages you send via contact/support (including subject such as “Account deletion” or general enquiries), and optional log attachments. |
We do not “sell” personal information within the meaning of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (and we do not share personal information for cross-context behavioural advertising as described in those laws). For a description of disclosures to service providers, see sections 4 and 5.
2.1 Data categories and purposes (alignment with Google Play Data Safety)
The following maps categories of data we process to typical purposes declared in Google Play — Data safety. The Data safety form must match this Policy; any purpose selected in Play Console (e.g. App functionality, Fraud prevention, security, and compliance) should be reflected here.
| Data type (Play-style category) | Purposes (examples) |
|---|---|
| Location (including precise location when you grant it) | App functionality (maps, discover nearby, route/playback along a path, author tools); Fraud prevention, security, and compliance where needed. |
| Photos and videos | App functionality (author uploads, gallery/camera); display and storage as part of stories. |
| Audio files (recordings and uploads) | App functionality (segments, playback, recording where enabled). |
| User-generated content (text, media, story metadata, bookmarks, unlocks) | App functionality; Fraud prevention, security, and compliance (abuse, chargebacks); Account management. |
| Financial info (in-app purchases, Scrolls, payout-related data via Stripe/Google Play) | App functionality; Fraud prevention, security, and compliance; legal/tax obligations. |
| App activity (e.g. unlocks, bookmarks, in-app events as implemented) | App functionality; Fraud prevention, security, and compliance where relevant. |
| Diagnostics (app version, device model, optional log attachments) | App functionality (reliability); support; Fraud prevention, security, and compliance if needed for abuse investigations. |
If we add tools (e.g. analytics or crash reporting) that process personal data, we will declare the same categories and purposes in Play Console and update this section accordingly.
Responsibility for content: You are solely responsible for having the rights (including copyright and related rights) to any text, audio, images, video, and other material you upload or submit. We process such content only as described in this Policy and in our Terms of Service.
3. Purposes and legal bases (EEA/UK)
We process personal data to:
- Provide the App and your account (performance of a contract, Art. 6(1)(b) GDPR).
- Process payments and payouts (contract; legal obligations for tax/accounting where applicable).
- Keep the service secure, fix bugs, and improve reliability (legitimate interests, Art. 6(1)(f) GDPR), where not overridden by your rights.
- Comply with law (Art. 6(1)(c) GDPR).
- Send support responses and handle reports (legitimate interests / contract).
Where we rely on consent (e.g. certain optional permissions or marketing, if we add it), you may withdraw consent at any time without affecting prior processing that was lawful.
4. How data is processed technically
- Firebase (Google): Authentication, Firestore (e.g. user profile, wallet, bookmarks, transactions), Cloud Functions (e.g. unlock, purchases, registration hooks), and related Google Cloud processing. Hosting / default region for our functions and services is aligned with europe-west2 (London) in our current backend configuration; Google may process data in the EU and, for some services, in other countries under Google’s terms and safeguards.
- Google Play Billing for in-app purchases.
- Google Maps / Places (and related Google APIs) for maps and location features, subject to Google’s policies.
- Stripe for author payouts: when you onboard as an author, Stripe acts as a separate controller or processor according to Stripe’s terms; we receive limited payout-related information as needed to operate the App.
- Email delivery (e.g. Mailgun) for support messages sent from the App configuration.
- OpenStreetMap-style tiles or other map tiles as configured for offline or map display, subject to third-party tile use policies.
- Internet and network state are used to connect to our services and to handle connectivity appropriately.
A non-exhaustive list of subprocessors / providers includes: Google (Firebase, Play, Maps), Stripe, Mailgun (or successor), and hosting/API providers we use for Guido. We will update this Policy if we add material new categories of recipients.
5. Sharing
We share data with:
- Service providers listed above, strictly as needed to operate the App.
- Payment and payout providers (Google Play, Stripe).
- Authorities when required by law or lawful requests.
We do not sell personal data in the ordinary sense of a sale for monetary or other valuable consideration, and we do not engage in sharing of personal information for cross-context behavioural advertising within the meaning of CCPA/CPRA. We disclose personal data only to processors and service providers as necessary to operate the App, as described above.
We do not share personal data with third parties for cross-context behavioural advertising or for profiling-based advertising as standalone purposes.
Advertising: We do not currently display third-party advertising in the App in a way that processes your personal data for ad targeting. If we introduce advertising that involves personal data processing, we will update this Privacy Policy, describe the processing, and obtain consent where required by applicable law (including in-app consent for optional advertising or tracking, where applicable).
6. Retention
Retention depends on the data type and legal obligations. Indicative periods (subject to change and to legal holds):
- Account and profile: until you ask for deletion, then completion of deletion within the timeframe in section 7, plus a short technical buffer.
- Support messages: typically up to 24 months unless a longer period is needed for unresolved disputes or legal claims.
- Transaction and tax records: as long as required by accounting and tax law (often several years).
- Logs attached to support: processed only for troubleshooting and kept no longer than necessary for that purpose, unless a longer period is justified (e.g. abuse investigation).
If you need a detailed retention schedule, contact us.
7. Your rights and account deletion
Depending on your location, you may have rights to access, rectify, erase, restrict, object, data portability, and to lodge a complaint with a supervisory authority (in Poland: UODO, https://uodo.gov.pl).
Account deletion: You can request deletion of your account and associated personal data by opening Contact / support from your profile screen. Choose the subject Account deletion, or a general subject and clearly ask for account deletion. We aim to complete deletion within 30 days of verifying your request, unless we must keep certain data longer (e.g. invoices, fraud prevention, legal claims).
Legal acceptance (Terms/Privacy): Your acceptance of the current policy version may be stored locally on your device; if that data is missing (e.g. new device or reinstall), we may ask you to accept again before continuing.
8. Age, children, and account eligibility
Minimum age: You must be at least 13 years old to create an account and use the App, and you must meet any higher minimum age required by Google Play, your app store account rules, or applicable law in your country (including where the digital age of consent in the EEA/UK is 16, in which case users under 16 may need parental or guardian consent where the law requires it). If you are not old enough, do not use the App or ask a parent or guardian to help you comply with local rules.
Google Play age signals: Google Play may, in certain jurisdictions (for example selected U.S. states), require age verification or parental consent for users declared as minors. We respect those signals from the platform and adapt the in-app experience where technically feasible.
Not directed at children under 13: The App is not directed to children under 13 years of age (including in the sense of children-specific services). We do not knowingly collect personal data from such users without verifiable parental consent where required, including approaches similar to U.S. COPPA and comparable rules. If we learn that personal data of a child under 13 has been collected in breach of this Policy, we will delete it promptly upon notification; you may also contact us at any time if you believe this has occurred.
Story age labels: Authors may set age-related metadata (e.g. AgeRestriction) so listeners can filter stories (e.g. suitable for all ages, or oriented toward younger audiences). Such labels describe content only; they do not replace the account minimum age above or parental controls on the device.
EEA digital age of consent: Where local law sets a digital age of consent above 13 (often 16 in many EEA Member States), processing based on consent may require parental authority for users between 13 and that age — we rely on your accurate age, account eligibility, and store rules; see also section 3 on lawful bases.
9. Automated decision-making and profiling
Current practice: We do not use solely automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. In particular:
- Content moderation is not performed by an automated system that, without meaningful human review, decides whether content is published or removed; human review forms part of our publication workflow as described in our Terms of Service.
- We do not operate personalised story recommendations driven solely by profiling that would constitute automated decision-making within the meaning above.
If we introduce processing that falls under Article 22 GDPR or materially changes profiling, we will update this Policy and, where required, obtain a legal basis (e.g. consent or contract) and inform you in the App and, where appropriate, through this document.
10. International transfers
Personal data may be processed in the EEA and in third countries where our processors or subprocessors operate (including the United States).
Where data is transferred to countries that do not benefit from an adequacy decision under Article 45 GDPR, we implement appropriate safeguards in accordance with Chapter V GDPR, including in particular:
- EU–US Data Privacy Framework (DPF): Certain providers (including Google and Stripe, subject to their then-current certifications and policies) may rely on transfers to the United States under the EU–US Data Privacy Framework, as supplemented by the European Commission Implementing Decision on the adequate level of protection for such transfers. You may consult each provider’s privacy notice and DPF certification for details.
- Standard Contractual Clauses (SCCs): Where the DPF or another adequacy mechanism does not apply, or as a supplementary measure, we or our processors may use Commission-approved Standard Contractual Clauses (including the 2021 modules) together with any technical and organisational measures required by applicable law and regulatory guidance.
Further information on international transfers is set out in the privacy notices of Google, Stripe, and our other providers; their documentation describes the instruments they apply to specific products and regions.
11. Document versioning and changes to this Policy
Versioning: This document carries a document version identifier at the top of this Policy (e.g. 1.0). Material changes will be reflected in an updated text, a new effective date, and, where we adopt a stricter in-app tracking practice, alignment with the legal documents version shipped with the App (see below).
How you are informed: When we publish a material change, we will:
- Publish the updated Privacy Policy at the URL referenced in the App (and keep prior versions available to us for our records).
- Notify you in the App, for example through a dialogue, mandatory re-acceptance flow, or in-app notice, as required by applicable law and as implemented in the product. The App may record acceptance of the current legal documents version locally on your device (see also section 7); if you install the App on a new device or reinstall it, we may ask you to accept the current Terms and Privacy Policy again before continuing.
Continued use of the App after the effective date of an update may constitute acceptance of the revised Policy where permitted by law. If you do not agree, you should stop using the App and may request account deletion as described in section 7.