Privacy Policy

Last updated: March 21, 2026

1. Introduction and Data Controller

YallAmigo is a mobile application operated by a self-employed individual (trabajador autónomo) based in Spain ("we," "our," or "us"). This Privacy Policy is provided in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Spain's Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales ("LOPDGDD"), and Ley 34/2002 de Servicios de la Sociedad de la Información y de Comercio Electrónico ("LSSI-CE").

The Data Controller (Responsable del Tratamiento) for the personal data processed through the App is:

YallAmigo

Operated by a self-employed individual (autónomo) registered in Spain

Contact email: admin@yallamigo.com

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the YallAmigo mobile application (the "App"). By downloading, installing, or using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the App.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you register, we collect your email address, username, display name, and password (stored securely using industry-standard hashing).
  • Profile Information: Your preferred language for message translation, app display language, and optional avatar image.
  • Messages and Content: Text messages, voice messages (audio recordings), images, and files you send through the App.
  • Guest Information: If you join a conversation as a guest (without creating an account), we collect the display name and preferred language you provide.

2.2 Information Collected Automatically

  • Device Information: Device type, operating system version, and unique device identifiers for push notifications.
  • Usage Data: Features used, conversation participation, message timestamps, and audio usage statistics (duration of voice messages sent per day).
  • IP Address: Collected during authentication, guest session creation, and content policy acceptance for security and abuse prevention purposes.
  • User Agent: Browser or app client information collected during session creation.
  • Online/Offline Status: Your last seen timestamp is recorded when you connect to or disconnect from the App.

2.3 Information from Third-Party Services

  • Push Notification Tokens: We receive device tokens from Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM) to deliver push notifications.
  • In-App Purchase Data: If you subscribe to a paid plan, we receive purchase verification data from Apple App Store or Google Play Store. We do not receive or store your payment card details.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide Core Services: To facilitate real-time messaging, translate messages between languages using AI, transcribe voice messages, and manage conversations.
  • AI Translation: Your message content is sent to third-party AI translation services (OpenRouter/OpenAI) to provide real-time translation. Messages are processed for translation purposes only and are not used to train AI models.
  • Audio Transcription: Voice messages are sent to third-party transcription services (OpenAI Whisper) to convert speech to text and enable translation.
  • Account Management: To create and manage your account, authenticate your identity, reset passwords, and process subscription purchases.
  • Notifications: To send push notifications about new messages, friend requests, guest join requests, and other relevant activity.
  • Content Moderation: To detect and prevent policy violations, harmful content, and abuse. Moderation logs may include IP address and content hash information.
  • Security: To prevent fraud, abuse, and unauthorized access, including rate limiting and IP-based security measures.
  • Service Improvement: To understand usage patterns, diagnose technical issues, and improve the App's functionality.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • With Other Users: Your display name, username, avatar, online status, and messages are visible to other participants in your conversations. Your email address is visible on your profile to facilitate friend requests.
  • AI Translation Providers: Message content is transmitted to OpenRouter and OpenAI for translation and transcription. These providers process data according to their own privacy policies and data processing agreements.
  • Cloud Storage: Files, images, and audio recordings you share are stored on Linode Object Storage (Akamai) with industry-standard security.
  • Email Services: Your email address is shared with Mailgun for transactional emails such as password reset requests.
  • Push Notification Services: Device tokens are shared with Apple (APNs) and Google (FCM) to deliver push notifications.
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Safety: We may disclose information to protect the safety of our users, the public, or our services.

5. Data Storage and Security

  • Storage Location: Your data is stored on secure servers. Database services are hosted using PostgreSQL with encrypted connections.
  • Password Security: Passwords are hashed using industry-standard cryptographic algorithms (bcrypt) and are never stored in plain text.
  • Authentication Tokens: We use JSON Web Tokens (JWT) for session management with short-lived access tokens (15 minutes) and longer-lived refresh tokens (7 days).
  • Sensitive Data on Device: Authentication tokens are stored in your device's secure storage (iOS Keychain / Android Keystore) and not in plain text.
  • File Storage: Uploaded files and media are stored with unique cryptographic keys and served via time-limited presigned URLs.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

6. Guest Users

YallAmigo allows unregistered users ("guests") to join conversations via invite links without creating an account. If you use the App as a guest:

  • We collect only the display name and preferred language you provide, along with your IP address and user agent for security purposes.
  • Guest sessions have limited durations: pending sessions expire after 7 days, and approved sessions expire after 24 hours.
  • The conversation host can end or revoke your guest session at any time.
  • Messages sent as a guest are stored in the conversation and are visible to all conversation participants.
  • Guest sessions do not require an email address or password.

7. Children's Privacy

The App is not intended for children under the age of 14. In accordance with Article 7 of Spain's LOPDGDD, the minimum age for providing consent for data processing in Spain is 14 years. In other jurisdictions, the applicable minimum age of digital consent applies (e.g., 13 in the United States under COPPA, 16 in some EU member states).

We do not knowingly collect personal information from children under the applicable minimum age. If we become aware that we have collected personal information from a child below the required age, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at admin@yallamigo.com.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You can view your profile information, messages, and conversation history within the App at any time.
  • Correction: You can update your display name, username, and language preferences through the App's Profile settings.
  • Deletion: You can delete your account and all associated data through the App's settings (Profile > Delete My Data). This action is permanent and removes your account, messages, files, and all personal data from our servers in compliance with GDPR and applicable data protection regulations.
  • Data Portability: You may request a copy of your personal data by contacting us.
  • Notification Preferences: You can enable or disable push notifications through your device settings or within the App.
  • Language Preferences: You can change your preferred translation language and app display language at any time.

Legal Basis for Processing (RGPD Art. 6)

Under the GDPR (RGPD) and LOPDGDD, we process your data on the following legal bases:

Processing Activity | Legal Basis (Art. 6 RGPD)
Account registration and management | Contract performance (Art. 6.1.b)
Messaging, translation, and transcription | Contract performance (Art. 6.1.b)
Subscription and payment verification | Contract performance (Art. 6.1.b)
Push notifications | Consent (Art. 6.1.a)
Security, fraud prevention, rate limiting | Legitimate interest (Art. 6.1.f)
Content moderation | Legitimate interest (Art. 6.1.f) and legal obligation (Art. 6.1.c)
Service improvement and diagnostics | Legitimate interest (Art. 6.1.f)
Guest session (unregistered users) | Consent (Art. 6.1.a) - provided at time of joining

Your Rights under RGPD / LOPDGDD

Under the GDPR and LOPDGDD, you have the following rights, which you may exercise by contacting admin@yallamigo.com:

  • Right of access (Art. 15 RGPD) - obtain confirmation of whether your data is being processed and access to it.
  • Right to rectification (Art. 16 RGPD) - correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17 RGPD) - request deletion of your personal data ("right to be forgotten"). Available in-app via Profile > Delete My Data.
  • Right to restriction of processing (Art. 18 RGPD) - request limitation of processing in certain circumstances.
  • Right to data portability (Art. 20 RGPD) - receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 RGPD) - object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7.3 RGPD) - withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint - with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es, or with your local supervisory authority.

We will respond to your request within one month, as required by the RGPD. This period may be extended by two further months for complex requests.

For California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information.

9. Data Retention

  • Account Data: Retained for as long as your account is active. When you delete your account, all personal data is permanently removed.
  • Messages: Retained for the duration of the conversation's existence. Conversation owners can permanently delete conversations, which removes all associated messages and files.
  • Guest Sessions: Guest session data is retained for the duration of the session (maximum 24 hours after approval, 7 days if pending). Expired sessions are automatically cleaned up.
  • Audio Files: Voice messages are retained as part of the conversation. Daily audio usage statistics are tracked for subscription limit enforcement.
  • Security Logs: IP addresses, moderation logs, and security-related data may be retained for up to 90 days for abuse prevention.
  • Translation Cache: Translated message content may be cached temporarily to improve performance and reduce redundant API calls.

10. Third-Party Services

The App integrates with the following third-party services, each governed by their own privacy policies:

Service | Purpose | Data Shared
OpenRouter | AI text translation | Message text content
OpenAI | Audio transcription (Whisper), content moderation | Audio recordings, message content
Google Firebase (FCM) | Push notifications (Android) | Device tokens, notification content
Apple Push Notification Service | Push notifications (iOS) | Device tokens, notification content
Linode / Akamai | File and media storage | Uploaded files, images, audio
Mailgun | Transactional emails | Email address
Apple App Store / Google Play | In-app purchase verification | Purchase receipts (no payment card data)

11. Content Moderation

To maintain a safe environment, the App may use automated content moderation to detect harmful or policy-violating content. This includes:

  • Automated scanning of message content using AI-based moderation tools.
  • Content hashing to detect repeated policy violations.
  • Logging of moderation events, including IP address and user agent, for audit and appeals purposes.
  • Account restrictions (temporary or permanent freezing) for severe or repeated violations.

You will be notified if your content is flagged or if action is taken on your account. You may contact us to appeal any moderation decision.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction. When we transfer data internationally, we implement appropriate safeguards to protect your information, including standard contractual clauses where applicable.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy within the App or on our website with an updated "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the App after any modification to this Privacy Policy constitutes your acceptance of the modified policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

YallAmigo

Operated by a self-employed individual (autónomo) based in Spain

Email: admin@yallamigo.com

Website: https://yallamigo.com

For EEA residents, you may also lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD) at www.aepd.es if you believe your data protection rights have been violated.