Privacy Policy of the Gugu App
Effective Date: March 2026
Controller: theconcept technologies FlexKapG, Lödersdorf I 96 Haus B, Tür 7, 8334 Riegersburg, Austria
Contact: support@gugu-app.com
1. Overview
Gugu is an app for personalized children's stories. Protecting the data of families and especially children is our top priority.
This Privacy Policy informs you about what data we collect, how we use it, and what rights you have.
2. Controller
theconcept technologies FlexKapG
Lödersdorf I 96 Haus B, Tür 7
8334 Riegersburg
Austria
Email: support@gugu-app.com
3. What Data We Collect
3.1 Account Data (from Adults)
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Contract performance (Art. 6 (1) b GDPR) |
| Password (encrypted) | Authentication | Contract performance |
| Name (optional) | Personalization | Consent |
3.2 Family and Character Data
| Data | Purpose | Legal Basis |
|---|---|---|
| First names of family members | Personalization of stories | Contract performance |
| Age group of the child (e.g., "6 years") | Age-appropriate language | Contract performance |
| Relationships (e.g., "Dad of Emma") | Story context | Contract performance |
| Character descriptions (hair color, hobbies) | Avatar generation | Contract performance |
Important: We do not collect full birth dates, last names, addresses, or school information of children.
3.3 Generated Content and Sharing
| Data | Purpose | Storage Location |
|---|---|---|
| Stories (Text) | Repeated reading | Gugu Server (EU) |
| Audio files | Offline playback | Gugu Server (EU) + local cache |
| Images/Avatars | Story illustration | Gugu Server (EU) |
Sharing content: If you use the "Share" function in the app, a public or familial link is generated through which third parties can access the story (including the first names of the characters and voice output). You can deactivate or delete shared links at any time in the app.
3.4 Payment Data
We do not process credit card data directly. Payments are handled by the following providers:
- Stripe (for Web payments)
- Apple In-App Purchase (for iOS)
We only store a reference ID (Stripe Customer ID) to manage your subscription.
3.5 Technical Data
| Data | Purpose | Storage Duration |
|---|---|---|
| IP address | Security, fraud prevention | 7 days |
| Device type, OS version | App compatibility | Anonymized |
| Web Usage Data (Website only) | Marketing & Site Optimization (Google Analytics) | According to cookie preferences |
| Crash reports & Logs | Bug fixing, Performance (Datadog, Sentry) | 30 days |
| Authentication Tokens | Login Management (Firebase Auth) | Until logout/expiry |
| Device Tokens (App only) | Push Notifications (expo-notifications) | Until revoked |
| Billing Data | Processing of single purchases | Stripe / Gugu Server |
3.6 Improvement of Internal AI Models
For the improvement of our in-house AI models, we strictly distinguish between biometric data and other generated content:
A) Voice Data (Gugu-Voice - Opt-In): If you voluntarily opt-in through the app, we use your uploaded voice recordings and the transcribed texts to improve our own speech synthesis models ("Gugu-Voice"). This is a strictly regulated, privacy-compliant process:
- Pseudonymization Phase (90 Days): Your audio recordings are initially stored pseudonymized in a secure pool. Within 90 days of the recording, you can revoke your consent at any time via the app settings. Upon revocation, the data is irrevocably deleted.
- Anonymization Phase: After the 90 days have expired, the data is automatically processed by the system and completely and irreversibly anonymized (assignment of a random ID, separation from the user account). From this point on, it is technically impossible to trace the data back to your person.
B) Texts and Images (Opt-Out): Other content entered or generated by you (texts, stories, generated images) may be used by us in a completely anonymized form for the further development of our AI models. Since these are not biometric data, we base this on our legitimate interest (Art. 6(1)(f) GDPR). You can object to this use at any time in the app settings (Opt-Out).
4. Special Categories of Data
4.1 Voice Data (Voice Cloning)
If you use the optional "Own Voice" feature, you upload an audio sample of your voice.
⚠️ Note: Voice data are biometric data under the GDPR (Art. 9).
| Aspect | Details |
|---|---|
| Purpose | Creation of a personal voice profile for reading aloud |
| Recipient | ElevenLabs Inc. (USA) |
| Consent | Explicitly requested before the upload |
| Revocation | Possible at any time in the app settings |
| Deletion | All voice profiles are deleted upon revocation or account deletion |
You can use Gugu completely without voice cloning. Standard voices are available.
4.2 Photos (optional)
If you upload a photo as a reference for an avatar, this is transmitted to our image generators.
| Aspect | Details |
|---|---|
| Purpose | Avatar creation based on visual reference image |
| Recipient | Google (Gemini) or OpenAI (DALL-E) |
| Alternative | Avatars can also be created purely text-based |
| Recommendation | We recommend using children's drawings instead of photos |
5. Data Transfer to Third Parties
5.1 AI Service Providers
For the generation of stories, audio, and images, we work with the following providers:
| Provider | Purpose | Location | Data |
|---|---|---|---|
| Anthropic (Claude) | Text Generation | USA | First names, relationships, story prompts |
| OpenAI | Text Generation (Fallback) | USA | Same as above |
| Google (Gemini / Gemini TTS) | Text, Image & Audio/Speech Generation | EU / USA | Same as above + image references, story text |
| ElevenLabs | Speech Synthesis, Voice Cloning | USA | Story text, voice samples |
| Resemble AI | Speech Synthesis | USA | Story text |
Important:
- All requests run through our backend (proxy architecture)
- We do not transmit email addresses, passwords, or payment data to AI providers
- The mentioned providers do not use API data to train their models in accordance with the concluded Data Processing Agreements (DPA).
5.2 Data Transfer to Third Countries (USA)
The data processing by our AI and infrastructure service providers (e.g., Google, OpenAI, Anthropic, ElevenLabs, Resemble AI) takes place partly in the USA.
The USA is legally considered a third country. We base the data transfer to the USA on the EU-US Data Privacy Framework (DPF), provided the respective provider is certified under it. For providers or processing not covered by the DPF, we conclude the Standard Contractual Clauses (SCCs) approved by the EU Commission to ensure an adequate level of data protection comparable to the GDPR.
5.3 Payment Providers
| Provider | Purpose | Privacy |
|---|---|---|
| Stripe | Subscription Management | stripe.com/privacy |
| Apple | In-App Purchases | apple.com/privacy |
5.4 Infrastructure
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Server Hosting | Frankfurt, Germany (EU) |
| Sentry & Datadog | Error Monitoring, Performance | EU / USA |
| Google (Firebase) | Authentication | EU / USA |
| Google Analytics | Web Analytics (gugu-app.com only) | USA (with Standard Contractual Clauses) |
6. Data Security
| Measure | Details |
|---|---|
| Encryption | TLS 1.3 for all transmissions, AES-256 for stored data |
| Passwords | Bcrypt hashing (stored unreadably) |
| Backups | Daily encrypted backups, 14-day rotation |
| Access | Strictly limited to authorized developers |
7. Storage Duration
| Data Type | Storage Duration |
|---|---|
| Account Data | Until deleted by you |
| Stories & Audio (Gugu Server) | Until deleted by you |
| Voice Profiles | Until revoked or account deletion |
| API Data at AI Providers | Max. 30 days (exclusively for security/abuse monitoring, automatic deletion thereafter) |
| Crash Reports | 30 days |
| Backups | Max. 14 days after deletion |
8. Your Rights
Under the GDPR, you have the following rights:
| Right | Description | How-to |
|---|---|---|
| Access (Art. 15) | Know what data we have about you | Email support@gugu-app.com |
| Rectification (Art. 16) | Correct inaccurate data | In the app or via email |
| Erasure (Art. 17) | Delete all your data | "Delete Account" in settings |
| Restriction (Art. 18) | Restrict processing | Email support@gugu-app.com |
| Portability (Art. 20) | Export your data | Email support@gugu-app.com |
| Objection (Art. 21) | Object to processing | Email support@gugu-app.com |
| Revocation | Revoke consents | In the app or via email |
Account Deletion
You can completely delete your account in the app settings. All associated data will be irrevocably removed:
- Account data
- Family and character profiles
- All stories, audio files, and images
- Voice profiles
- Stripe references
Within 14 days at the latest, the data will also be removed from our backups.
9. Child Privacy (COPPA & GDPR)
Gugu is an app for families with children. We take the protection of children's data extremely seriously:
| Measure | Details |
|---|---|
| No Child Accounts | Only adults can create accounts |
| No PII from Children | We do not collect emails, addresses, or full names of children |
| Parental Gate | Sensitive settings are PIN-protected |
| Child Lock | Optional child-lock mode restricts functionality |
| Abstract Age info | Only age group (e.g., "6"), no birth date |
10. Cookies & Tracking
The Gugu App (iOS/Android) uses no advertising trackers or marketing cookies. We exclusively use in the app:
- Session tokens for authentication
- Local cache for offline functionality
On our Website (gugu-app.com) we use Google Analytics 4 to analyze visitor behavior, provided you have consented in the cookie banner. This helps us improve the website and our offerings (such as gift cards). You can revoke this consent at any time in the cookie settings of the website.
11. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. In the event of material changes, we will notify you by email or in-app notification.
12. Contact & Complaints
Privacy Inquiries & Support:
support@gugu-app.com
Complaints:
You have the right to lodge a complaint with a data protection supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
This Privacy Policy was last updated in March 2026.
