Privacy Policy
DRAFT — pending legal review before publication1. Who we are
Camino GO ("the App", "we", "us") is operated by:
- Operator: [LEGAL ENTITY NAME]
- Registered address: [ADDRESS]
- Contact (privacy): support@caminogo.app
- Contact (general support): support@caminogo.app
EU Representative (Art. 27 GDPR): [TO BE APPOINTED BEFORE LAUNCH]
We act as the data controller for the personal data described in this policy.
2. Scope
This policy covers the Camino GO mobile application, related backend services, and the caminogo.app website. It does not cover third-party websites or services we link to (e.g., an accommodation's own booking page).
3. What data we collect
3.1 Account data
- Email address, display name, profile photo (optional)
- Authentication identifiers from your sign-in provider (Apple, Google, or email) via Firebase Authentication
- Account settings (language, preferences)
3.2 Location and activity data
- Precise location (GPS) — only while you actively use location features: live map position, route tracking, daily route briefing, weather for your position, and location context for AI questions. Collected with your operating-system-level permission, which you can revoke at any time.
- Walking records — daily distance, step counts, elevation gain, and recorded track points for trips you track. Step counts are read from your device's motion sensors (Core Motion on iOS, the step counter sensor on Android), with your operating-system permission. We do not access HealthKit or Google Fit.
- Track history is stored so you can review your journey; see §7 for retention and §8 for deletion.
3.3 Photos and AI inputs
- Photos and text you submit to AI features (menu reading, sign translation, "ask about what you see", AI chat), plus optional GPS context.
- Server-side retention of AI photos is temporary (default: 30 minutes) to allow follow-up questions in the same session, after which they are automatically deleted. They are not added to your profile and are not used to train AI models (§5).
3.4 User-generated content (UGC)
- Chat messages, announcements/forum posts, diary entries, photos you upload, accommodation/POI reports and community data edits.
- Diary entries are private — visible only to you; they are stored on our servers to sync across your devices but are never shown to other users.
3.5 Purchases
Purchase entitlements (Trip Pass, subscription status, point balance) and platform receipts. Payment is processed entirely by Apple App Store / Google Play; we never receive your card details.
3.6 Technical data
- Device model, OS version, app version, language
- Push notification token (if you enable notifications)
- Server logs (IP address, request metadata, error logs) for security and reliability
- Crash and diagnostic reporting: none at present. If we introduce a crash-reporting tool, we will list it here and in §6 before enabling it.
3.7 Website visitors (caminogo.app)
- Launch notification list — if you submit your email address on our website, we store the address together with the signup time and your browser's user-agent and language, solely to send you one launch announcement. You can withdraw at any time by emailing support@caminogo.app.
- Privacy-first analytics (no cookies) — the website uses Cloudflare Web Analytics, a cookieless tool that sets no cookies and does no cross-site tracking or fingerprinting. It records aggregate, non-identifying statistics (page views, referrers, country, device/browser type) via a lightweight beacon; no individual profile is created and we cannot identify you from it. Because it is cookieless, no cookie-consent banner is required.
- Search performance — we use Google Search Console, a Google webmaster tool that reports how our pages appear in Google Search results. It does not run code, set cookies, or track visitors on our website; the data comes from Google's own search infrastructure.
- Standard CDN server logs (Cloudflare) for security and abuse prevention.
4. Why we process it (purposes and legal bases)
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Provide the App (account, maps, planner, tracking) | 3.1, 3.2, 3.6 | Art. 6(1)(b) contract |
| AI features you invoke (photo analysis, chat, daily briefing) | 3.2, 3.3 | Art. 6(1)(b) contract |
| Weather for your route | Approximate location | Art. 6(1)(b) contract |
| Community features (chat, forum, community edits) | 3.4 | Art. 6(1)(b) contract |
| Content moderation of public content | 3.4 | Art. 6(1)(f) legitimate interest (keeping the community safe) |
| Purchases and entitlements | 3.5 | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (accounting) |
| Security, abuse prevention, rate limiting | 3.6 | Art. 6(1)(f) legitimate interest |
| Service announcements | 3.1 | Art. 6(1)(b) contract |
| Launch notification list (website) | 3.7 | Art. 6(1)(a) consent |
| Aggregate, cookieless website analytics | 3.7 | Art. 6(1)(f) legitimate interest (understanding site usage without tracking individuals) |
| Website hosting, security & CDN server logs | 3.7 | Art. 6(1)(f) legitimate interest |
| Marketing communications (if any) | 3.1 | Art. 6(1)(a) consent — opt-in only |
We do not sell personal data. We do not use personal data for third-party advertising.
5. AI processing — what you should know
- AI assistant features are powered by Google Gemini API. Your submitted photos, questions, and optional location context are sent to Google for processing. Under the paid API terms we use, Google does not use this data to train its models.
- Public content moderation uses OpenAI's moderation service (
omni-moderation-latest). Public posts and messages may be automatically screened before or shortly after publication. Content flagged as violating our rules may be automatically hidden or blocked. - Automated moderation decisions can be contested. If your content is blocked and you believe this is wrong, contact support@caminogo.app; a human will review the decision.
- AI outputs (translations, menu explanations, route advice) are generated content and may be inaccurate. They are informational only — see the safety disclaimers in the Terms of Service.
6. Processors and international transfers
| Processor | Purpose | Location / transfer safeguard |
|---|---|---|
| Hetzner Online GmbH | Application servers, database | EU (Germany/Finland) |
| Cloudflare, Inc. (R2, Workers, Pages, Workers KV, Web Analytics) | Image storage, map tile delivery, website hosting, launch-list storage, cookieless website analytics | EU jurisdiction setting; EU–US Data Privacy Framework (DPF) / SCCs where applicable |
| Google (Firebase Authentication, Cloud Messaging) | Sign-in, push notifications | US; DPF / SCCs |
| Google (Gemini API) | AI features | US; DPF / SCCs |
| OpenAI, L.L.C. | Automated moderation of public content | US; DPF / SCCs |
| WeatherAPI.com | Weather forecasts for approximate route locations (coordinates only; no account identifiers are sent) | Per their privacy policy; SCCs where applicable |
| Apple / Google | In-app purchases | Per their own privacy policies (independent controllers) |
Where data leaves the EEA, we rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
7. Retention
| Data | Retention |
|---|---|
| Account data | Until account deletion |
| Walking records / tracks / diaries | Until you delete them or your account |
| AI photos & session context | ~30 minutes (server session), then deleted |
| AI text questions in server logs | Up to 30 days, for reliability and abuse prevention |
| UGC (posts, chat, direct messages) | Until you delete it or your account (see §8 for what remains anonymized); moderation records of removed content kept up to 12 months for abuse prevention |
| Purchase records | As required by tax/accounting law |
| Server logs (including IP addresses) | Up to 90 days |
| Launch notification list (website) | Until the launch announcement is sent, then deleted within 90 days — or immediately upon your request |
| Backups | Rolling backups retained up to 35 days; deleted data ages out of backups within this window |
8. Your rights
Under the GDPR (and, where applicable, Taiwan's PDPA and other local laws) you have the right to: access, rectify, erase, port, restrict, and object to processing of your personal data, and to withdraw consent at any time where processing is based on consent.
- Account deletion is available directly in the App (Settings → Delete account) and by emailing support@caminogo.app. Deletion permanently removes your profile, avatar, diaries, trips, GPS tracks, direct messages, and friendships within 30 days, subject to §7 backup aging and legal retention duties.
- Public posts, comments, and bulletins remain after account deletion, anonymized as "Deleted pilgrim" — so community conversations stay intact. If a specific public post contains personal data you want removed, delete it in-app before deleting your account, or ask us at support@caminogo.app and we will remove it.
- You may lodge a complaint with your local supervisory authority. If you are in the EU, you may also contact our EU representative (§1).
9. Security
Data in transit is encrypted (TLS). Access to production systems is restricted and logged. AI photo sessions are short-lived by design. No system is perfectly secure; we will notify affected users and authorities of personal data breaches as required by Art. 33/34 GDPR.
10. Children
Camino GO is not directed at children. You must be at least 16 years old (or the digital consent age in your country, if higher) to create an account.
11. Offline data
Route data, maps, and your settings are cached on your device for offline use. Data stored only on your device is under your control and is removed when you uninstall the App.
12. Changes
We will notify you of material changes in-app before they take effect. Continued use after the effective date constitutes acceptance.
13. Contact
Privacy requests: support@caminogo.app
General support: support@caminogo.app
EU representative: [TO BE APPOINTED — see §1]