PRIVACY POLICY — InstantSpot (Global Policy)

1. Information We Collect

1.1 Personal Information

When you sign up or log in using Google Authentication, we collect:

• Email Address
• Display Name
• Profile Picture (if provided by Google)

1.2 Device & Technical Data

Collected automatically through Vercel and Google Analytics (GA4):

• IP Address (used for rate limiting/security)
• Browser type and version
• Operating System
• Device identifiers
• Session logs and interactions

1.3 Usage Data

Through Google Analytics (GA4), we collect:

• Button clicks
• Page views
• Tourist spot selections
• Time spent in the app
• Frequency of feature usage (e.g., Spot Guide)

1.4 Location Data

To provide nearby tourist spots, we access:

• Precise GPS location (Latitude & Longitude)

This data is:

• Accessed only with user permission
• Used in real time
• Not permanently stored

1.5 Cookies & Local Storage

We use:

• Firebase Auth cookies (essential for login sessions)
• Google Analytics cookies (_ga)
• Local storage for app preferences

1.6 No Payment or Upload Data

We do not collect:

• Payment details (app is free)
• Uploaded images, files, documents

2. How We Use Your Information

We use collected data to:

2.1 Provide Core Functionality

• Access location to show nearby attractions
• Authenticate and manage accounts
• Display maps, weather, and AI-generated guides

2.2 Security & Abuse Prevention

• Rate limiting (via IP and auth ID)
• Detect suspicious activity
• Prevent bot activity

2.3 Analytics & Improvement

• Understand feature usage
• Improve app performance
• Fix bugs and user experience issues

2.4 AI Processing

Our "Spot Guide" feature uses Google Gemini.

We only send:

• Place Name
• Address or coordinates relevant to the place

We never send personal data (email, profile picture, IP, etc.) to AI systems.

2.5 No AI Training

User data is not used to train any AI models.

3. Third-Party Services

Your data may be processed by:

3.1 Google Firebase

• Authentication (Email/Google Sign-in)
• Hosting
• Receives: Email, display name, profile picture

3.2 Google Analytics (GA4)

• Usage analytics
• Receives: anonymized usage data, device info, IP (truncated/processed by Google)

3.3 Google Gemini API

• Generates travel guides
• Receives: place names only

3.4 Geoapify

• Map tiles, Places API
• Receives: location coordinates (proxied, not tied to identity)

3.5 Open-Meteo

• Weather data
• Receives: location coordinates

3.6 Vercel

• Hosting, serverless backend
• Processes IP for security/rate limiting

We ensure all vendors maintain industry-standard security and privacy practices.

4. Data Storage & Security

4.1 Storage Locations

• Google Firebase (US-central / Global CDN)
• Vercel infrastructure (AWS-based global network)

4.2 Retention

• Account data: retained until user deletes their account
• Analytics data: subject to GA4 retention (2–14 months)

4.3 Security Measures

• HTTPS/TLS encryption
• Firebase Security Rules
• Backend proxying for API key safety
• Rate-limiting & DDOS protection

5. User Rights

Depending on your location (e.g., EU, UK, US, India), you have the right to:

• ✔ Access your data
• ✔ Delete your account and personal information
• ✔ Request data export (via email request)
• ✔ Withdraw consent for location access
• ✔ Opt-out of analytics cookies (via browser settings)

Account deletion is available directly inside the app.

6. Children's Privacy

InstantSpot is intended for users 13+.

We do not knowingly collect personal data from children under 13.

7. International Transfers

Data may be stored or processed in the United States, Europe, or other regions through Google Cloud and Vercel.

We use lawful methods such as Standard Contractual Clauses for cross-border data transfers.

8. Changes to This Policy

We may update this Privacy Policy to reflect changes in technology, regulation, or features.

Updates will be posted with a revised "Last Updated" date.

9. Contact Information

InstantSpot Tech
Support Email: instantspot.tech@gmail.com