AutoVlog Privacy Policy
Effective 12 May 2026 · version 1 · Previous versions
Initial release.
AutoVlog Privacy Policy
Effective date: 12 May 2026 Version: 1
This Privacy Policy explains how we collect, use, share and protect your personal data when you use the AutoVlog mobile application and the website at www.autovlog-app.com (together, the "Service").
We follow the European General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Slovenian Personal Data Protection Act (ZVOP-2), the Slovenian Electronic Communications Act (ZEKom-2) and the Slovenian Consumer Protection Act (ZVPot-1).
1. Who we are
The data controller responsible for your personal data is:
Računalniške storitve REK, Mihael Rek s.p. Ulica heroja Jevtiča 5, 2000 Maribor, Slovenia Matična številka: 7412037000 Davčna številka: 89184882 Privacy contact: support@autovlog-app.com Postal contact: the address above
We act as the controller under GDPR Article 4(7) for personal data processed through the Service. We have not appointed a Data Protection Officer; under GDPR Article 37 a DPO is not required for our scale and processing activities. You can reach our privacy contact directly at the email or postal address above.
2. What we collect
We collect only the personal data we need to deliver the Service, comply with our legal obligations, and protect the Service against abuse. We never sell your personal data and we never share it for third-party advertising.
2.1 Identity and account data
When you create an account or sign in, we collect:
- Your email address
- A user-chosen handle (username) and optional display name
- An identifier from your chosen sign-in provider — the opaque Apple user identifier (Sign in with Apple), or your Google account ID and the email/name claims you choose to share (Google Sign-In)
- Passkey credentials (WebAuthn public key, credential ID) for two-factor authentication, if you enroll one
- An optional avatar image that you upload
2.2 Device data
When the app connects to our backend, we collect:
- A device identifier generated locally on first launch
- The Apple Push Notification Service token that allows us to deliver push notifications you have asked for
- Your device's platform (iOS), app version, build number and locale (e.g.,
sl_SI) - The IP address of API requests and a short User-Agent string (kept in session records to detect token theft and to revoke compromised sessions)
2.3 Content and media data
AutoVlog generates short vertical vlogs from media you choose. To do this we process, on your device:
- Photos and videos you select from your camera roll
- The technical metadata of those assets — creation timestamp, duration, resolution, frame rate, video codec, perceptual hashes (for deduplication), aesthetic scores (computed locally with Apple's Vision framework), and any EXIF location the camera embedded
- GPS waypoints (latitude, longitude, altitude, speed) sampled from location-tagged assets and used to compose the vlog's route
- Reverse-geocoded city and country names derived from those coordinates
When you save a vlog to the cloud (subscribers only), the following data is uploaded to our backend:
- The rendered vlog video file (MP4) and thumbnail image
- A composition snapshot in JSON form — the title, mood, music selection, captions, asset references, GPS waypoints, peak altitude and reverse-geocoded city/country
- The size of the file and our internal storage key
If you do not save a vlog to the cloud, none of this is uploaded — it stays on your device.
2.4 Usage and behaviour data
To improve the auto-selection algorithm and protect against abuse we record, server-side:
- Auto-select telemetry events — anonymised at the algorithmic level (per-asset decisions, asset actions, composition completions and abandonments). Stored in monthly partitions and deleted after 30 days; aggregated rollups are retained for up to 2 years.
- Abuse signals — rate-limit breaches, schema rejections, deduplication storms, oversize batches. Used to detect and block automated abuse.
- AI quota ledger — a per-month count of AI editorial requests you have made, with a request identifier (no content).
- AI call log — for each AI editorial request: model used, token counts, cost, latency, error code (if any). The request body itself is not retained.
If you turn on telemetry opt-out in Settings, we no longer record auto-select telemetry for you. Abuse signals and AI call logs are kept under our legitimate interest in operating the Service safely.
2.5 Diagnostics
We use Firebase Crashlytics and Apple's MetricKit to collect crash logs and performance diagnostics. These include:
- Crash stack traces and the application state at the moment of the crash
- Performance metrics (launch time, hangs, energy, disk space)
- Your user identifier (so we can correlate crashes with the affected account and reach you if there is an account-level problem)
2.6 Billing data
We use RevenueCat (and, for App Store purchases, Apple) to manage subscriptions and one-time in-app purchases. We receive, depending on the product:
- Your subscription status (active / trial / grace / expired / canceled / refunded), the plan you are on, the billing period and the anniversary day — for auto-renewing subscriptions (Traveler / Daily Vlogger)
- A record of one-time purchases — product ID, purchase date and the AI-vlog quota credited to your account — for consumable AI vlog packs (10 / 20 / 100)
- A non-financial purchase or subscription identifier issued by RevenueCat or Apple
Apple is the merchant of record for App Store purchases. We never see your payment card or bank account details.
2.7 What we do NOT collect
To be specific: we do not collect health or fitness data, browsing history outside our app, search history, contacts, sensitive personal data within the meaning of GDPR Article 9, or financial information beyond purchase history. We do not use your data for tracking across apps or websites.
3. Why we process your data and on what legal basis
| Purpose | Data categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and manage your account | Identity, Device | Art. 6(1)(b) — contract performance |
| Generate vlogs (on-device + cloud render) | Content, GPS, Identity | Art. 6(1)(b) — contract performance |
| AI-assisted editorial suggestions | Limited Content metadata, GPS timeline | Art. 6(1)(b) — contract performance |
| Music suggestions (music catalogue lookup) | Mood / activity / location keywords | Art. 6(1)(b) — contract performance |
| Billing and entitlements (subscriptions + one-time purchases) | Billing, Identity | Art. 6(1)(b) — contract performance |
| Security, abuse prevention and audit logging | Device, IP, Abuse signals | Art. 6(1)(f) — legitimate interests |
| Crash diagnostics and performance monitoring | Diagnostics | Art. 6(1)(f) — legitimate interests |
| Auto-select algorithm improvement | Auto-select telemetry | Art. 6(1)(f) — legitimate interests (with opt-out) |
| Use of precise location | GPS, EXIF location | Art. 6(1)(a) — your consent (revocable in iOS Settings → Privacy) |
| Sending push notifications you asked for | Device token, content | Art. 6(1)(a) — your consent (revocable in iOS Settings → Notifications) |
| Compliance with legal obligations | All categories as required | Art. 6(1)(c) — legal obligation |
Where we rely on legitimate interests, we have weighed them against your fundamental rights and freedoms. You can object to that processing at any time (see Section 8).
4. Automated decision-making
AutoVlog uses artificial intelligence (Anthropic's Claude model, via our backend) to suggest an editorial composition for your vlog — which clips to feature, in what order, and with what tone. These suggestions are not solely automated decisions within the meaning of GDPR Article 22(1): you can always preview, edit, override or discard them before exporting your vlog. They produce no legal or similarly significant effect on you. We do not profile you for credit, employment or other consequential purposes.
In line with EU AI Act Article 50 (transparency obligation for AI systems generating content), this Privacy Policy is the place where we tell you that AI is used to suggest editorial choices.
5. Who we share your data with
We share personal data only with the processors listed below, each acting under a Data Processing Agreement that complies with GDPR Article 28. We never sell your data.
| Recipient | Role | Data shared | Location |
|---|---|---|---|
| Anthropic, PBC | AI editorial suggestions (Claude API) | A summary of your trip — asset count, drone ratio, reverse-geocoded place names, GPS timeline (lat/lon/altitude/speed), drone clip summaries. No photos or videos. No email, no user ID. | United States |
| RevenueCat, Inc. | Subscription and one-time purchase state management | A pseudonymous user ID, your plan and status (for subscriptions), purchase records (for one-time AI vlog packs), and relevant timestamps | United States |
| Cloudflare, Inc. (R2) | Object storage of cloud-saved vlogs and avatars | The vlog video, the thumbnail, your avatar | EU + United States |
| Google LLC (Firebase Crashlytics) | Crash reporting and performance diagnostics | Crash stack traces, MetricKit payloads, user ID | United States |
| Apple Inc. | App distribution, Sign in with Apple, App Store payments, push notifications | What Apple needs to deliver each function | United States and EU |
| Google LLC (Sign-In) | OAuth authentication if you choose Google | OAuth ID token, your email and name claims | United States |
| Jamendo SA | Music catalog search | Anonymous mood / activity / location keywords. No PII. | Luxembourg (EU) |
We may also disclose personal data (a) to comply with a legally binding request from a competent authority, (b) to protect our or others' rights, property or safety, (c) in connection with a corporate transaction (merger, acquisition or sale of assets), in which case the recipient will be bound by privacy commitments at least as protective as these.
6. International transfers
Some of our processors are based outside the European Economic Area, primarily in the United States. When we send personal data there we rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) under GDPR Chapter V, supplemented by additional safeguards where appropriate. You can ask us for a copy of these clauses by writing to support@autovlog-app.com.
For the United States specifically, we additionally rely on the EU–US Data Privacy Framework where the recipient is certified.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account, profile, billing | For the life of your account, then 30 days soft-delete grace, then permanent erasure |
| Cloud-saved vlogs and avatars | Until you delete them, or until your account is permanently erased |
| Sessions and refresh tokens | 30 days, or until revoked |
| Auto-select telemetry events | 30 days (monthly partitions are dropped) |
| Auto-select aggregate rollups | Up to 2 years (no per-user data) |
| AI call logs | 12 months for cost and abuse analysis, then aggregated |
| Abuse signals | 24 months |
| Crash diagnostics (Firebase) | Per Firebase's retention — typically 90 days for crashes, 30 days for performance |
| Acceptance records (legal documents) | For the lifetime of your account, plus 6 years after deletion (Slovenian limitation period for civil claims) |
| Backups | Encrypted off-site backups, rotated within 30 days |
When you delete your account we erase or anonymise your personal data within 30 days unless we are legally required to keep it longer (for example, billing records under Slovenian tax law).
8. Your rights
Under the GDPR you have the rights to:
- Access the personal data we hold about you (Art. 15) — in-app at Settings → Account → Export my data, or by emailing
support@autovlog-app.com - Rectify inaccurate or incomplete data (Art. 16) — most fields are editable in Settings → Account; for the rest, email us
- Erase your data, the "right to be forgotten" (Art. 17) — in-app at Settings → Account → Delete my account, or by email
- Restrict processing while a dispute is being resolved (Art. 18)
- Receive a portable copy in a structured, machine-readable format (Art. 20) — same export as above
- Object to processing based on legitimate interests, including profiling (Art. 21)
- Withdraw consent at any time, where processing is based on your consent (Art. 7(3)) — without affecting lawfulness of processing before withdrawal
- Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22) — see Section 4
- Lodge a complaint with a supervisory authority (Art. 77)
To exercise any right, write to support@autovlog-app.com. We will respond within one month of receiving your request (extendable by two further months for complex requests, in which case we will tell you why). Most requests are free; we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests as permitted by GDPR Article 12(5).
If you believe we have not handled your data correctly, you can complain to the Slovenian supervisory authority:
Informacijski pooblaščenec RS Dunajska cesta 22, 1000 Ljubljana, Slovenia Phone: +386 (0)1 230 9730 Web: https://www.ip-rs.si
You may also contact the supervisory authority of your EU country of residence.
9. How to delete your account
You can delete your account at any time:
- In the app: Settings → Account → Delete my account. We will ask you to confirm.
- By email: write to
support@autovlog-app.comfrom the address on your account.
After confirmation, your account enters a 30-day grace period during which you can sign back in to recover it. After 30 days we permanently erase or anonymise your personal data. Some data may be retained beyond that window when we are legally required to keep it (for example, billing records under Slovenian tax law) — those records are kept only for the legally required period and only for the legally required purpose.
10. Children
AutoVlog is not directed at users under 15 years of age, which is the digital-consent age in Slovenia under ZVOP-2 (implementing GDPR Art. 8). We do not knowingly collect personal data from anyone under 15. If you believe a child under 15 has provided us with personal data, please contact us at support@autovlog-app.com and we will delete it.
For users under the age of 18 (the age of majority in Slovenia), parental authorisation may also be required for in-app purchases under the Slovenian Civil Code (OZ).
11. Security
We protect your personal data using:
- Encryption in transit — HTTPS / TLS 1.2 or higher for all client–server traffic
- Encryption at rest — Postgres data encryption and Cloudflare R2 object encryption
- Authentication — Sign in with Apple, Google Sign-In, or passkey-based two-factor authentication for high-risk actions
- Access control — admin access requires passkeys, an IP allow-list, and full audit logging
- Operational hardening — least-privilege roles, dependency scanning, and regular review of our security posture
No system is perfectly secure. We continually work to improve our defences and to detect, contain and notify in the event of an incident.
12. Data breach notification
If we become aware of a personal data breach within the meaning of GDPR Article 4(12), we will:
- Notify the Slovenian Information Commissioner (Informacijski pooblaščenec RS) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to your rights and freedoms (GDPR Art. 33).
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), describing the nature of the breach, the likely consequences and the measures taken or proposed.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we publish the new version on www.autovlog-app.com/privacy together with the new effective date and an archive of all previous versions.
For material changes — for example, a new processor receiving sensitive data, a new processing purpose, or a change to your rights — we will ask you to review and accept the updated Policy in the app before you can continue using AutoVlog. For non-material changes (typo fixes, clarifications) we publish the new version without asking for re-acceptance, but you can always read the current text and the change log on the website.
We keep a permanent record of which version of this Policy you accepted and when, so we can demonstrate compliance.
14. Contact
For any privacy question or to exercise any of your rights:
- Email:
support@autovlog-app.com - Post: Računalniške storitve REK, Mihael Rek s.p., Ulica heroja Jevtiča 5, 2000 Maribor, Slovenia
For complaints you cannot resolve with us, please contact the Informacijski pooblaščenec RS as described in Section 8.
This Privacy Policy is also available in Slovenian at https://www.autovlog-app.com/privacy?locale=sl. In case of any discrepancy between the English and Slovenian versions, the Slovenian version prevails for users domiciled in Slovenia.