Privacy Policy

1. Introduction

Naruho is an iOS app that helps you discover and learn about the places around you through short, AI-generated stories. This policy explains what data Naruho collects, how it is used, and your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the UK GDPR.

Naruho is developed and operated by Hugo Hodinka, based in Barcelona, Spain.

2. Data Controller

The data controller for Naruho is:

3. What Data We Collect

Naruho is designed to collect only what is necessary for the app to function. Most of your activity stays on your device. The following data is transmitted off-device to third-party services so Naruho can work.

Precise Location

When you grant location permission, Naruho sends your current latitude and longitude to the OpenStreetMap Overpass API and the Wikipedia Geosearch API to find nearby landmarks. Location context is also included in requests to the Anthropic Claude API to generate stories about those places. Naruho Pro's ambient walking mode requires Always-On location while a session is active so it can detect when you walk past a point of interest with the screen locked. Location data stays on your device beyond what is sent to those APIs to look up nearby places.

Plan prompts (Other User Content)

When you use the Plan feature to generate an itinerary, the text you type (for example, "museums in London") is sent to Anthropic Claude for processing.

Microphone and on-device speech recognition (Ask the guide, Naruho Pro)

When you use the Ask the guide feature inside an ambient walking session, Naruho records what you say and transcribes it using Apple's on-device speech recognition. The audio is processed entirely on your phone and is never transmitted, stored, or shared. Naruho only accesses the microphone while you are actively recording a question; the indicator in the iOS status bar shows you when this is happening.

Spoken question text (Other User Content)

Once your question has been transcribed on-device, the resulting text is sent to a Naruho-operated proxy that forwards it to the Anthropic Claude API to generate the answer. A short topic classifier rejects anything that is not about the place you are walking past, so even the text reaching the backend is constrained. The audio is never sent; only the transcribed text. No account or device identifier is attached.

Proximity story notifications (local-only)

When you opt in to proximity story notifications, Naruho schedules region triggers on your phone for nearby points of interest. When you walk within range, your phone fires a local notification. There is no remote push server. The triggers, the daily cap, and the delivery all happen on-device. We do not receive any data about which notifications were scheduled, delivered, or tapped beyond the aggregated, anonymous analytics described below.

Camera images (Snap to Discover)

When you use the Snap to Discover feature to point your camera at a building, monument, or sculpture, the captured image is sent to a Naruho-operated proxy that forwards it to the Anthropic Claude API for landmark recognition. Your current location may be included alongside the image to help disambiguate similar landmarks. The proxy adds the API key and forwards the request without storing or logging the image, and the request carries no user account, device identifier, or other persistent ID that could link the image back to you. Naruho only accesses the camera while you are actively using the Snap feature, and never accesses your photo library.

Narration scripts (Naruho Pro audio only)

When you play the studio-quality audio guide on a Pro subscription, the AI-generated narration text is sent to OpenAI through a Naruho-operated proxy to be converted into speech. The proxy adds the API key and forwards your request without storing the script. Generated audio is cached on your device so the same place does not re-trigger a request.

In-app analytics (Naruho iOS app)

The Naruho iOS app uses PostHog (EU Cloud, Frankfurt) for product analytics. Captured events are aggregated and intentionally narrow: app launches, paywall views, story playback, ambient session start and stop, time-to-first-audio latency, and a handful of diagnostic counters. After purchase, events are linked to your anonymous RevenueCat subscriber identifier (a User ID) so subscription state can be reconciled. We do not capture session replays, screen recordings, your typed prompts, the contents of stories you read, or your precise location. You can opt out at any time in Settings under "Share anonymous usage data".

Crash and diagnostic data

PostHog's SDK includes a bundled crash reporter that captures a stack trace and basic device metadata if the app crashes, so regressions can be spotted before users report them. The same SDK collects short diagnostic strings such as "premium_audio_failed: http_502" or "ambient_geofence_failed: monitoring/…" when the app falls back from a feature for technical reasons. Both flow through the same in-app analytics opt-out toggle described above.

Website analytics (naruho.app only)

Visitors to the Naruho website may be measured with PostHog, a first-party product analytics service hosted in the EU (Frankfurt). PostHog only loads if you accept the cookie banner. When enabled, it captures aggregated events like which pages you viewed, which buttons you clicked, and whether the App Store CTA was tapped. Requests are routed through naruho.app/ingest so no third-party domain is contacted from your browser. We do not enable session replay or autocapture, and we do not track you across other websites or apps.

Subscription and entitlement data

When you subscribe to Naruho Pro, RevenueCat handles subscription management. This involves an anonymous user identifier, purchase events, subscription state, and product interaction events (such as which paywall you saw and which package you tapped).

Technical diagnostics

RevenueCat's SDK collects minimal technical telemetry (API call errors, retries) to monitor SDK health.

We do not collect:

• Your name, email address, or phone number
• Your device advertising identifier (IDFA)
• Your contacts, your photo library, health data, or calendar
• Your payment card or bank details (handled entirely by Apple)
• The itineraries, plans, or notes you create in the app. These remain on your device only.

4. How We Use Your Data

We use the collected data only for the following purposes:

• App Functionality: finding nearby places, generating stories and itineraries, managing your subscription, and keeping the app working.
• Analytics: aggregated subscription metrics and conversion data provided by RevenueCat, plus first-party product analytics (PostHog, EU-hosted) for the iOS app and the website. Used to understand which parts of the product help users, which do not, and how Naruho is performing as a business.
• Product Personalisation (location only): tailoring the suggestions shown in the Discover row to your current city.

We do not use your data for advertising, marketing, or tracking across other apps or websites. Naruho does not include any advertising SDKs, does not share data with data brokers, and does not link your activity across third-party apps.

5. Third-Party Services

Naruho uses the following third-party services. Each has its own privacy policy governing how they handle data.

Anthropic (Claude API)

Used for: generating stories about places, creating AI-powered itineraries from your prompts, recognising landmarks from camera images you capture using Snap to Discover, and answering spoken questions sent through the Ask the guide feature.

Data sent: user prompts, location context, place names, camera images (Snap to Discover only), and transcribed question text (Ask the guide only — the audio itself stays on your device).

Retention:Anthropic retains API inputs for up to 30 days for safety and abuse monitoring, then deletes them. API inputs are not used to train Anthropic's models.

Privacy policy: https://www.anthropic.com/privacy

OpenStreetMap Overpass API

Used for: primary discovery source for the artefacts, buildings, and points of interest displayed around you.

Data sent: your current latitude and longitude, plus a search radius, as standard HTTPS query parameters. No identifiers are attached.

Privacy policy: https://wiki.openstreetmap.org/wiki/Privacy_Policy

Wikipedia and Wikimedia Commons (Wikimedia Foundation)

Used for: supplementary historical and cultural context for named landmarks, and image lookups via the Commons GeoSearch API.

Data sent: your current latitude and longitude, plus place names and Wikidata identifiers, as standard HTTPS query parameters.

Privacy policy: https://foundation.wikimedia.org/wiki/Policy:Privacy_policy

OpenAI (premium audio narration, Naruho Pro)

Used for:generating studio-quality voice narration from the AI-written story when you tap "Play audio guide" on a Pro subscription.

Data sent: the narration text (a short, AI-written paragraph about a place). No location, account, or device identifiers are attached. Requests are routed through a Naruho-operated proxy that adds the API key and does not log scripts.

Retention:OpenAI may retain API inputs for up to 30 days for abuse monitoring before deletion. API inputs are not used to train OpenAI's models when sent through the API.

Privacy policy: https://openai.com/policies/privacy-policy

PostHog (website analytics, EU Cloud)

Used for: measuring which parts of the Naruho website are useful, only after you accept the cookie banner.

Data sent: page URL, anonymous visitor identifier, event name (e.g. App Store button clicked), country derived from IP at the edge. IP address itself is discarded by PostHog on EU projects. We do not record sessions or autocapture form contents.

Region: EU Cloud (Frankfurt). Data does not leave the EEA.

Privacy policy: https://posthog.com/privacy

RevenueCat

Used for: managing Naruho Pro subscriptions, verifying entitlements, and providing subscription analytics.

Data sent: anonymous user identifier, purchase events, device and region metadata.

Privacy policy: https://www.revenuecat.com/privacy

6. Data Retention

Data transmitted to Anthropic and OpenAI is retained for up to 30 days for safety and abuse monitoring, then deleted. Data held by RevenueCat is retained for as long as you have an active subscription or for legitimate business purposes such as supporting restore purchases and handling refunds. Wikipedia and OpenStreetMap requests follow each foundation's standard anonymous logging practices.

The Naruho proxy that forwards OpenAI requests does not log the narration scripts it relays. Beyond that, we do not operate our own servers and do not store your data outside what is held on your device and by the third parties listed above.

7. Your Rights Under GDPR and UK GDPR

If you are in the European Union, the United Kingdom, or another region with similar data protection laws, you have the following rights:

• Right of access: ask what data we or our third-party partners hold about you.
• Right to rectification: ask us to correct inaccurate data.
• Right to erasure: ask us to delete your data.
• Right to restrict processing: ask us to limit how we use your data.
• Right to data portability: ask for your data in a machine-readable format.
• Right to object: object to us processing your data.
• Right to lodge a complaint with a supervisory authority. In the EU, this is the data protection authority in your country. In the UK, it is the Information Commissioner's Office (ICO).

To exercise any of these rights, email hello@naruho.app. We aim to respond within 30 days.

Because Naruho stores most user data locally on your device, you can also exercise some of these rights directly by deleting the app (which removes local data) or by managing your subscription through App Store settings.

8. Children

Naruho is not directed at children under 13, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it.

9. International Data Transfers

Naruho uses third-party services based in the United States (Anthropic, OpenAI, RevenueCat) and globally distributed infrastructure (Wikimedia, OpenStreetMap). Some data may therefore be transferred outside the European Economic Area. These transfers occur under the safeguards described in each third party's privacy policy.

10. Security

All communication between Naruho and the services above uses HTTPS with standard TLS encryption. No system is 100% secure. If we become aware of a security incident affecting user data, we will notify affected users through the app and, where required by law, report it to the relevant supervisory authority.

11. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated through the app. The "Last updated" date at the top of the page always reflects the current version.