Privacy Policy

Last updated: October 17, 2025

Introduction

Welcome to Exera ("we", "us", "our"). Exera is a travel companion application that analyses photos you take in-app to provide contextual tips about your surroundings. We respect your privacy and handle personal data in accordance with the European Union General Data Protection Regulation (GDPR) and applicable privacy law.

Data Controller

The data controller for Exera is the Exera development team.
Contact:

• Email: [email protected]
• Address: Berlin, Germany

Overview — what we collect and why

We follow the principles of data minimisation and purpose limitation. Below is a short summary; full details are in the sections that follow.

• Photos (image data) — Temporarily processed to generate tips. Not stored after processing.
• Location (approximate) — Stored anonymously (city/region) and not linked to user accounts. Used to speed up region-specific results.
• Account data — Email and authentication data for registered users. Users can delete their account and have personal data anonymised.
• Technical & usage data — App version, device type, logs (for debugging and security).

Detailed description of processed data

1. Image data (photos taken in-app)

When you use Exera to take a picture, the image is processed to analyse the surroundings and produce helpful tips. Processing happens transiently — the image is used only for analysis and is not stored on our servers or on-device after processing finishes.

Technical note: depending on your device and configuration, the photo may be briefly held in memory or in a transient processing queue for the duration of analysis; we delete it immediately when processing completes.

2. Location data

Exera may access approximate location (city or region level) to produce geographically relevant insights. We may store this location data in our database, but it is stored in an anonymous form — it is not linked to a user identifier or account. We only store the minimum granularity required (typically city or postal region) so we can cache and serve faster local results.

3. User accounts and registration data

If you register for an account, we collect the information you provide (for example, email address and a hashed/encrypted password). We use account data to:

• Authenticate you when you sign in
• Provide account-specific settings and preferences
• Respond to support requests

4. Technical & usage information

We automatically collect limited technical data such as device model, operating system version, app version, crash logs, and basic usage metrics. This information helps us diagnose problems, improve the app, and maintain performance and security.

Legal bases for processing

Under the GDPR, our lawful bases for processing personal data include:

• Consent — For any optional features that require explicit consent (if introduced), we will ask you before processing.
• Contractual necessity — To provide the core functionality of the app (image analysis, account access).
• Legitimate interests — For app improvement, fraud detection, and security, balanced against your rights and freedoms.

Data retention

• Images: Immediately deleted after processing — not retained.
• Anonymous location data: Kept to improve caching and performance. Retention period: configurable — recommended default is 12 months; you should replace this with a policy that matches your operational needs.
• Account data: Retained while your account is active. If you delete your account, personal data will be anonymised or deleted as described below.
• Technical logs: Retained for a limited period for debugging and security (e.g., 30–90 days depending on severity). Configure to comply with data minimisation principles.

Account deletion & anonymisation

You can delete your account at any time using the app UI or by contacting support. After account deletion:

• We will remove or anonymise personal identifiers (email, profile data) within a reasonable timeframe (typically within 30 days).
• Aggregated or fully anonymised data (that cannot be traced back to an individual) may be kept for analytics and service improvement.

Data sharing & third parties

We do not sell or rent your personal data. We may share data only with:

• Service providers (e.g., hosting, analytics) who act as processors under GDPR — only under data processing agreements requiring appropriate safeguards.
• Legal authorities where required by law (court order, lawful request).

If you integrate other services (social login, cloud backup), those services will have their own privacy practices which you should review before connecting.

Transfers outside the EU / EEA

If we transfer personal data outside the EU/EEA, we will do so only where there are appropriate safeguards (e.g., adequacy decision, Standard Contractual Clauses, or other GDPR-compliant mechanisms). We will document and implement technical and contractual safeguards to protect your data.

Your rights under GDPR

As an EU data subject you have the right to:

• Request access to the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request deletion (erasure) of personal data — "right to be forgotten".
• Request restriction of processing.
• Object to processing where applicable.
• Request data portability for data you provided to us in a structured, commonly used format.
• Withdraw consent at any time (where processing is based on consent) without affecting prior processing.

To exercise any of these rights, contact us at the email address above. We will respond within one month, or within the legally required timeframe; complex requests may require an extension in which case we will notify you.

Security measures

We apply reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS) and access controls. We regularly review our security practices and perform security testing.

Children

Exera is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us so we can delete it.

Changes to this privacy policy

We may update this Privacy Policy occasionally. We will publish the updated policy in the app and include the "Last updated" date at the top. For material changes, we will notify users by email or in-app notification when required by law.

Complaints & supervisory authority

If you believe we have not complied with applicable data protection law, you may file a complaint with your local data protection authority. In Germany this is typically the Landesdatenschutzbeauftragte for the state where you live — or you may contact the European Data Protection Board for cross-border issues.

How to contact us

For privacy questions, access requests, deletion requests, or other inquiries, please contact:

• Email: [email protected]
• Postal address: Berlin, Germany