Privacy Policy

Last updated: May 31, 2026

At Guilietta we understand that your personal data is especially sensitive. This policy explains clearly what information we collect, how we use it and how we protect it. Your privacy is not an option — it is part of the design of our service.

1. Who we are

Guilietta is a personal safety platform designed for women. We offer AI-powered conversation analysis, safe-travel mode with automatic alerts and emergency contact management. The data controller is Guilietta LLC, a company registered in the State of Florida, United States (hereinafter, "we" or "the platform").

2. Data we collect

  • Account data: full name, email address, password (stored encrypted), country and optional phone.
  • Google profile data: name and photo if you use Google sign-in (only with your explicit authorization).
  • Conversation fragments: when you analyze a text, we process the content ephemerally. We only store the first 500 characters as a reference excerpt, never the full text.
  • Location data: your physical address (optional) is used in anonymized form to show you relevant geolocated information. During safe travel mode, your real-time location is shared only with your designated emergency contacts.
  • Menstrual cycle data: if you activate the "Cycle and protection" consent, we record data about your menstrual cycle and contraceptive methods. This data is especially sensitive and is protected with additional security measures.
  • Emergency contacts: name, phone and email of people you register. We do not contact these people without your explicit instruction.
  • Audit logs: security actions (sign-in, analysis, alerts) with IP anonymized via SHA-256 hash.

3. How we use your data

  • Provide the conversation analysis and safe travel service.
  • Send SMS alerts to your emergency contacts when you trigger an alert or don't confirm your arrival.
  • Improve your account security through audit logs.
  • Communicate important service information (never marketing without consent).

3.1 SMS Communications

When you start a safe travel session or trigger a manual alert, Guilietta sends transactional SMS messages to your selected emergency contacts via Twilio. These messages are one-time, event-driven notifications — not recurring or marketing messages. Recipients may reply STOP to opt out of future messages at any time.

  • Your mobile phone number and the mobile phone numbers of your emergency contacts collected through Guilietta will not be shared with or sold to third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent records are used solely to deliver safety alerts within the Guilietta platform.
  • Message frequency varies based on user activity (typically 1-5 messages per travel session). Standard message and data rates may apply. For support, contact hey@guilietta.com or reply HELP to any Guilietta SMS.

4. Who we share your data with

  • Supabase (database and authentication infrastructure) — servers in the US, SOC 2 compliant.
  • Anthropic (AI processing for conversation analysis) — content is processed ephemerally. Anthropic does not use data submitted through its API to train models, per its commercial data-use policy.
  • OpenAI (AI processing as a fallback for analysis) — used as an alternative model when needed. Content is processed ephemerally. OpenAI does not use data submitted through its API to train models, per its commercial-use policy.
  • Twilio (SMS alerts to emergency contacts) — only when you trigger an alert.
  • Google (optional OAuth authentication) — only if you choose to sign in with Google.
  • SerpAPI (digital exposure search) — when you use the digital exposure module, we look up your name, email and phone in public search engines to assess your digital footprint. No data is stored on their servers.
  • HaveIBeenPwned (security breach check) — your email address is checked against public breach databases to alert you if your data has been compromised.
  • Google Maps Platform (address autocomplete and geolocation) — when you search for an address we use the Google Places API. Your address is not shared with Google for advertising purposes.
  • Stripe (payment processing) — payment data is handled directly by Stripe. Guilietta does not store credit card numbers. Stripe is PCI DSS Level 1 compliant.
  • We do not sell, rent or transfer your data to third parties for commercial purposes.

5. Data retention

We retain your data only for as long as necessary to fulfill the purposes described. Concrete retention periods:

  • Account data: while the account is active and 30 days after deletion (for recovery and legal obligations).
  • Conversation analysis history: 30 days on the Free plan; while the account is active on the paid plans (Premium and Premium+).
  • Safe-travel data (location, notified contacts): 90 days after the trip ends.
  • Menstrual cycle and contraception data: while consent is active. Upon revocation, deletion within a maximum of 7 days.
  • Audit logs: 1 year from the event.
  • Payment data: managed by Stripe per its retention policy.
  • You can request full deletion of your account and data at any time by writing to us.

6. Security

We implement technical and organizational measures to protect your data: in-transit encryption (HTTPS/TLS), secure authentication with Supabase, Row Level Security (RLS) in the database (each user only accesses her own data), rate limiting on all APIs, and IP anonymization in audit logs.

7. Your rights

  • Access: you can query all the data we have about you.
  • Rectification: you can correct your data from the profile section.
  • Erasure: you can request the deletion of your account and all your data.
  • Portability: you can request a copy of your data in a structured format.
  • Withdrawal of consent: you can deactivate the consents for analysis, safe travel, geographic location or cycle and protection from your profile at any time. When you withdraw a consent, we stop processing that data immediately.

8. Cookies and local storage

We use strictly necessary cookies to keep your session authenticated (managed by Supabase). We do not use tracking or third-party advertising cookies.

9. Minors

Guilietta is intended for individuals 18 years or older (16 in the European Union with verifiable parental consent). We do not knowingly collect data from minors.

  • We do not have an active age-verification mechanism: we rely on the user's declaration when accepting the Terms of Use.
  • If a parent or legal guardian detects that a minor has an account on Guilietta, they may contact us at hey@guilietta.com to request immediate deletion.
  • Deletion timeframe after verification: 48 hours maximum.
  • If we discover by our own means that an account belongs to a minor below the applicable minimum age, we will delete it.

10. Additional rights for California residents (CCPA / CPRA)

If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights over your personal information. Categories of personal information we collect under CCPA: identifiers (name, email, IP hash), commercial information (subscription plan), geolocation information (during safe-travel), internet activity (usage logs), and sensitive personal information (reproductive health data and precise location).

  • Right to know: you may request the categories and specific pieces of personal information we have collected, the sources, the purposes of processing and the parties with whom we share it.
  • Right to delete: you may request deletion of your personal information, subject to applicable legal exceptions.
  • Right to correct: you may request correction of inaccurate data.
  • Right to limit the use of sensitive personal information: you may request that we limit the use of your reproductive health information and precise location to strictly necessary purposes.
  • Right to opt-out of sale or sharing: we explicitly declare that we DO NOT sell or share your personal information as defined by CCPA/CPRA. We do not engage in cross-context behavioral advertising.
  • Right to non-discrimination: we will not penalize you in any way for exercising your CCPA/CPRA rights.
  • To exercise these rights, write to hey@guilietta.com. We will respond within 45 days (extendable by an additional 45 days for complex cases, with prior notice).
  • "Do Not Sell or Share My Personal Information" notice: because we do not sell or share data under CCPA/CPRA, no opt-out is necessary — however, you may confirm this status by writing to us.

11. Florida Digital Bill of Rights

For Florida residents (where Guilietta LLC is registered), under SB 262 (Florida Digital Bill of Rights): we declare that we do not process biometric data. Rights granted by this statute are exercised through the same channels described in Section 10 (CCPA/CPRA), since the scope of rights is equivalent for our operations.

12. Additional information for users in the European Union / EEA (GDPR)

If you are located in the European Union, the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) grants you specific rights. Legal bases for processing:

  • Account data (email, name, password): performance of a contract (Art. 6(1)(b) GDPR).
  • Conversation analysis: explicit consent (Art. 6(1)(a) GDPR).
  • Location in safe-travel mode: explicit consent (Art. 6(1)(a) GDPR).
  • Menstrual cycle and reproductive health data: explicit consent for processing of special category data (Art. 9(2)(a) GDPR).
  • Audit logs and account security: legitimate interest (Art. 6(1)(f) GDPR).
  • Session cookies: strictly necessary for the provision of the service (consent exemption under Art. 5(3) ePrivacy).
  • International transfers: your data is transferred to the United States, where Supabase, Anthropic, OpenAI, Twilio, Stripe and Google operate. The transfer basis is the Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
  • Your GDPR rights: access, rectification, erasure, restriction of processing, portability, objection and withdrawal of consent at any time.
  • Right to lodge a complaint with your national data protection authority (e.g., AEPD in Spain, CNIL in France, Garante in Italy, ICO in the UK).
  • Data Protection Officer (DPO): we have not appointed a DPO as we do not meet the thresholds in Art. 37 GDPR. The contact for any privacy matter is hey@guilietta.com.
  • Minimum age in the EU/EEA: 16 years with verifiable parental consent.

13. Information for users in Brazil (LGPD)

If you reside in Brazil, the Lei Geral de Proteção de Dados Pessoais (LGPD, Law 13.709/2018) applies to the processing of your data.

  • Primary legal basis: consent (Art. 7, I LGPD) and, for sensitive health data, specific and highlighted consent (Art. 11, I LGPD).
  • Data subject rights: confirmation of processing, access, correction, anonymization or deletion of unnecessary data, portability, deletion, information about data sharing, and withdrawal of consent.
  • Contact: hey@guilietta.com.

14. Information for users in Latin America

Guilietta complies with data protection laws in the main Latin American jurisdictions where we offer the service. In every case we honor the ARCO rights (Access, Rectification, Cancellation and Objection).

  • Mexico: we comply with the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP). Personal data is processed based on consent, as per the privacy notice.
  • Colombia: we comply with Law 1581 of 2012 and Decree 1377 of 2013. Sensitive data is processed only with prior, express and informed authorization.
  • Chile: we comply with Law 19.628 and, as it fully comes into force, with the new Personal Data Protection Law.
  • Costa Rica: we comply with Law 8968 on the Protection of Individuals against the Processing of their Personal Data.
  • Argentina, Peru, Uruguay and others: we apply the data protection principles recognized in their respective legislation.
  • To exercise your rights in any country in the region, write to hey@guilietta.com.

15. Changes to this policy

We may update this policy occasionally. We will notify you by email at least 15 days in advance of any material changes. The last-updated date appears at the top of this page.

16. Contact

To exercise your rights or resolve any privacy question, write to: hey@guilietta.com. Data controller: Guilietta LLC, Florida, United States.