Privacy Policy — Artelio

1) Data we collect

We collect the minimum data needed to operate the app, keep it secure, and improve reliability. We do not use your data for advertising and we do not track you across other companies’ apps or websites.

We do not maintain user accounts and we do not collect contact details inside the app. Your contact email is only used if you write to us.

2) How we use data

• Provide core functionality: process your submitted photo and return recognition results.
• Security and reliability: prevent abuse, ensure availability, debug issues.
• Basic service analytics: non-profiling, first-party measurements (e.g., request counts, error rates).

We do not use third-party advertising SDKs and we do not sell personal information.

3) Sub-processors / service providers

• Model API provider: OpenAI — processes recognition-related requests/content to generate results.
• Infrastructure/logs: storage and operations for request logs limited to what’s described in this policy.

Providers act on our instructions and may only process data for the purposes listed here. We do not share data with third parties for their marketing.

4) Legal bases (GDPR/EEA & UK GDPR)

• Contract (Art. 6(1)(b)) — to provide the service you request: when you submit a photo for recognition, we process it and return results.
• Legitimate Interests (Art. 6(1)(f)) — to keep the service secure and reliable (e.g., prevent abuse, ensure availability, measure basic performance with non-profiling, first-party analytics). We balance these interests against your rights and minimize data.
• Consent (Art. 6(1)(a)) — for device-level permissions such as camera access. Consent is obtained via the iOS prompt and can be withdrawn at any time in Settings.

If future features require a different legal basis, we will update this section before enabling them.

5) Retention

• Photos / image content: retained only as long as needed to process the request and ensure service integrity; default ≤ 24 hours, then deleted.
• IP addresses & request logs: retained 30 days for security/abuse prevention and troubleshooting, then deleted or anonymized.
• Aggregated, non-personal statistics: retained up to 12 months.

6) Security & Incident Response

Security measures

• Encryption in transit (TLS) and at rest for stored logs.
• Least-privilege access controls and MFA for admin access.
• Audit logging and environment segregation.
• Vulnerability management and timely patching.
• Data minimization and deletion aligned to the retention schedule.

Incident Response & Breach Notification

We maintain an incident response program to detect, investigate, and remediate security events. If we become aware of a personal data breach likely to result in a risk to individuals, we will:

1. Assess & contain promptly; initiate remediation without undue delay.
2. Notify authorities where required by GDPR Art. 33 within 72 hours of becoming aware.
3. Notify affected users where required by Art. 34, without undue delay, via in-app notice and/or email, including details of the incident, likely consequences, remedial steps, and a contact point (<email>).
4. Document & improve: keep internal records and implement corrective measures to prevent recurrence.

7) International transfers

Primary storage is in the EU. If any service provider processes data outside the EEA/UK, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and require equivalent protections.

8) Your rights

Depending on your location, you may have the right to access, delete, correct, port, restrict, or object to certain processing.

Because we don’t maintain user accounts and store minimal logs, we may need details to locate relevant records (for example: approximate date/time and time zone of use, your public IP at that time, and device model/OS).

To exercise rights, contact <email>. We may ask for information to verify your request.

For California residents, we do not sell or share personal information as defined by CCPA/CPRA.

9) Children

The app is not directed to children under 13. If you are under the age of digital consent in your country (13–16 in the EU, depending on the member state), you must have parental permission to use the app. If we learn we collected data from a child without proper consent, we will delete it.

10) Your choices

• Camera permission: manage in iOS Settings → Privacy & Security → Camera.
• If you do not want your photos processed, do not submit them; recognition requires a photo.

11) In-app disclosures & where to find this policy

You can find this Privacy Policy in the app under More/Altro → Legal & Privacy → Privacy Policy and on our website at <website_url>.

12) App Store “App Privacy” summary (for transparency)

• Data collected:
  • User Content → Photos or Videos: Collected, Not Linked, Purpose: App Functionality.
  • Identifiers → IP Address: Collected, Linked, Purpose: App Functionality, Security, Analytics.
  • Usage Data → Product Interaction/Other Usage Data: Collected, Not Linked, Purpose: Analytics.
  • All other categories: Not Collected.
• Tracking: No (we do not track users across apps or websites).
• Third-party advertising: No.
• Developer’s advertising/marketing: No.

These selections should match what you declare in App Store Connect → App Privacy.

13) Changes to this policy

We may update this policy from time to time. We will post updates at <website_url> and update the Effective date above. For material changes, we will provide in-app notice in More/Altro → Legal & Privacy → Privacy Policy.

14) Contact

Controller: <developer name>, Italy
Privacy contact / DPO (if applicable): <name_or_remove_if_not_applicable>
Email: <email>
Website: <website_url>
Postal (optional): <postal_address_or_remove>