TopoLex Privacy Policy
This Privacy Policy (“Policy”) describes the practices of TopoLex (“we,” “us,” or “our”) regarding the collection, use, and disclosure of personal information through our mobile application (the “App”). This Policy is designed to comply with the California Consumer Privacy Act (CCPA) as amended by the CPRA, the EU General Data Protection Regulation (GDPR), the EU AI Act, and emerging U.S. state privacy statutes.
By utilizing TopoLex, you acknowledge that you have read and understood the data processing activities described herein. If you do not agree with these practices, you must cease use of the App immediately.
1. Information We Collect
Information You Provide
- Account Information. When you sign in using Sign in with Apple, we receive your Apple User ID (an opaque identifier unique to our app) and, if you choose to share it, your email address. If you use Apple’s private email relay, we receive only the relay address.
- Tour Content. When you create a tour, we collect the tour title, optional description, selected points of interest, and the walking route coordinates you compose on the map.
- Preferences. We collect your content preferences, including interest categories, narrative style, tour depth, and voice selection.
- Feedback. If you rate a narration (thumbs up/down) or provide optional free-text feedback (up to 500 characters), we collect that response.
Information Collected Automatically
- Purpose of Collection: All data is collected to facilitate the core “Walking Tour” experience and to personalize the generative AI audio narrations.
- Approximate Location (Bounding Box). When you search for nearby points of interest, the App derives a geographic bounding box from your current position and transmits it to our servers. Your precise GPS coordinates are not sent to our servers. For the purposes of this policy and applicable privacy law, we classify this as coarse/approximate location data. (See “Location Privacy” below.)
- Precise Location (On-Device Only). The App uses your device’s GPS to determine your position for geofence-based narration playback. Precise location data is processed entirely on your device and is never transmitted to our servers or any third party. (See “Location Privacy” below.)
- Audio Interaction and Preference Data: We collect records of your “thumbs up/down” feedback and completion rates to refine the AI-generated narrative logic.
- Inferred Characteristics: Our AI systems may infer your interest in specific historical eras (e.g., “Civil War History”) based on your tour selections. We do not use AI to infer protected characteristics such as race, religion, or health status.
- Background Location. With your permission, the App accesses your location in the background so narrations continue to play as you walk, even when the App is not in the foreground. This is necessary because the core use case — walking a tour route — requires narrations to trigger as you pass points of interest, regardless of whether the App is in the foreground.
- Server Logs. Our servers automatically log request metadata (HTTP method, URL path, response status, and latency). Logs do not contain IP addresses, device identifiers, or personally identifiable information.
- Usage Analytics. The App collects first-party usage events to help us understand how tours are experienced and where we can improve. These events include: app session starts (with app version, OS version, and device model), tour playback actions (start, stop reached, complete, abandon), and narration skips. Each event includes a timestamp, your opaque user ID, and behavioral properties such as tour identifier, stop index, elapsed time, and skip count. Usage analytics do not include your location, name, email address, device identifiers (IDFA/IDFV), or any other personally identifiable information. No third-party analytics SDKs are used; events are sent directly to our own infrastructure.
Location Privacy: “Coarse” vs. “Precise”
We prioritize “Privacy by Design” regarding your movement data. Your device provides two levels of location accuracy, both of which are managed under Apple’s 2026 Privacy Framework:
- Precise Location (Sensitive PI): When enabled, the App accesses your coordinates within a 10-meter radius to trigger audio exactly as you approach a landmark. This data remains in the “Protected Enclave” of your device and is never uploaded to TopoLex or third-party AI providers.
- Coarse Location (Approximate): If you disable “Precise Location” in your iOS settings, the App receives only neighborhood-level data (approx. 2–5 sq. km). In this mode, you must manually select landmarks on the map to hear narrations.
- Core Functionality Rule: Per Apple Guideline 5.1.1, we do not “gate” the app. You may still view maps and read historical text if you decline location sharing; only the automated “walk-and-trigger” feature will be disabled.
Information We Do NOT Collect
- Microphone audio or voice recordings
- Contacts, calendar, camera, or photo library data
- Advertising identifiers (IDFA) or vendor identifiers (IDFV)
- Cross-site or cross-app tracking data
- Crash reports or telemetry via third-party SDKs
2. How We Use Your Information
We use the information we collect to:
- Authenticate your account using Sign in with Apple.
- Generate personalized narrations by sending your content preferences and tour metadata (not your identity) to our AI content-generation providers.
- Generate calibrated narrations by providing our AI models with your preferences, tour metadata, and pre-vetted historical dossiers. Unlike standard retrieval systems, TopoLex utilizes an engineered research pipeline as a dedicated validation step. In this stage, TopoLex researchers and editors apply human judgment and editorial criteria to assign veracity scores that influence the narrative tone and level of certainty in the final audio.
- Synthesize audio narrations by sending validated narration text (historical prose containing no personal information) to our text-to-speech providers.
- Trigger location-based narrations using on-device geofencing as you walk your tour route.
- Calculate walking routes between tour stops using Apple MapKit.
- Improve content quality using your narration feedback.
- Understand tour engagement by analyzing playback events such as completion rates, drop-off points, and narration skip patterns, so we can improve tour quality and the walking experience.
- Maintain and improve the App’s functionality and performance.
We do not use your information for advertising, profiling, or sale to third parties.
Automated Decision-Making (ADMT) and Research Logic
TopoLex utilizes Automated Decision-Making Technology (ADMT) to curate your tour experience. Our proprietary architecture uses a multi-stage research pipeline to validate all historical data:
- The Validation Pipeline: Instead of a simple statistical search (RAG), TopoLex employs a “Researcher Agent” that reads and reasons about multiple historical sources for every landmark. This pipeline identifies contradictions and submits claims for human review.
- Human-Derived Veracity Scores: Veracity scores are not purely automated; they are human judgment calls made by TopoLex researchers and editors based on internal editorial criteria. These scores provide a qualitative measure of a claim’s historical reliability.
- Calibrated Narrations: These veracity scores dictate how the Narrator “hedges” its claims. Facts with lower scores—as determined by our editorial team—are still included in the tour but are automatically presented with qualifying language (e.g., “legend has it” or “some accounts suggest”) to maintain transparency regarding the strength of the evidence.
- Separation of Concerns: By splitting research and generation, we ensure the Narrator LLM is specifically prompted to reflect the level of certainty established during the human-led research stage, avoiding the “confidently wrong” assertions common in uncalibrated AI systems.
- Right to Opt-Out: You have the right to opt out of this automated profiling. If you opt out, the AI will deliver a “Standard Tour” that does not adapt to your specific interaction history or preferences.
Accuracy and Hallucination Disclaimer
While our engineered research pipeline acts as a validation step to identify inconsistencies and calibrate the certainty of the narration, users are advised that all AI-generated content carries an inherent risk of error.
- Human-Led Calibration: Our system is designed to disclose uncertainty by using “hedged” language for claims our editors have flagged with lower veracity scores. However, the application of human judgment does not guarantee the absolute accuracy of every historical claim.
- Verification Measures: The research pipeline flags disagreements between sources, which TopoLex researchers use to adjust narrative tone rather than to suppress content, ensuring you receive a comprehensive—if qualified—view of local history.
3. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We share information only with the following categories of service providers, and only to the extent necessary to operate the App:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Apple (Sign in with Apple) | Authentication | Identity token verification |
| Apple (MapKit) | Walking route calculation, location search | POI coordinates, search queries |
| AI Language Model Providers (currently via OpenRouter) | Narration script generation | Tour metadata, POI information, content preferences. No personal information is shared. |
| Text-to-Speech Providers (currently Inworld, with Google and Azure as fallbacks) | Audio narration synthesis | Narration text (historical prose). No personal information is shared. |
| Microsoft Azure | Cloud hosting and database | All stored data is hosted on Azure infrastructure in the United States |
| Microsoft Azure (Application Insights) | Usage analytics storage and analysis | First-party usage events (session, playback, and skip data) with opaque user ID only. No personally identifiable information is shared. |
We do not share user data with any third-party AI providers for the purpose of training their models. Data sent to AI providers is used solely to generate responses for you in real time.
We may also disclose your information if required to do so by law or in response to valid legal process.
4. Data Storage and Security
- Database. Your account information, tours, narrations, and preferences are stored in Azure Cosmos DB, hosted in the United States.
- Authentication tokens are stored on your device in the iOS Keychain, which is encrypted by the operating system.
- On-device storage. The App uses UserDefaults to persist playback state and cache metadata, and the device’s Caches directory for tour details and audio files. Cached data is automatically purged by iOS when storage is low. Audio files expire after 7 days; tour data expires after 1 hour; playback state expires after 24 hours.
- Encryption in Transit. All communication between the App and our servers uses HTTPS (TLS encryption).
- Access Control. API access requires authentication via bearer tokens. Service tokens used by internal systems are restricted to read-only access.
5. Your Rights and Choices
Your Privacy Rights (2026 Standards)
- Expanded Right to Know (The “Lookback” Rule): You may request, and in many jurisdictions you are entitled to, a report of all personal information we have collected about you dating back to January 1, 2022.
- Right to Correct: You may request that we correct inaccurate historical references or account data. We will propagate these corrections to our AI partners (e.g., OpenRouter) within 30 days. All requests must be accompanied by corroborating evidence from one or more of the following: primary sources, peer-reviewed secondary literature, government sources, accredited museums, public history displays or exhibits, and any other competent secondary source grounded in primary-source research.
- Account Deletion. You may delete your account and all associated data directly within the App, or by contacting us at legal@topolex.com. Upon deletion, we will remove your user record, tours, narrations, preferences, and feedback from our systems within 30 days. Usage analytics events associated with your opaque user ID will be purged according to our standard 90-day retention cycle.
- Right to Delete: You may request the permanent deletion of your account. We will also signal our service providers to delete any “Fine-Tuning” data associated with your opaque User ID. We honor all deletion requests under the California DELETE Act and the California DROP platform. We are not a “Data Broker.” Residents may submit a single deletion request via the CPPA, if applicable, to be processed by all registered entities, including TopoLex service providers.
- Universal Opt-Out (GPC): We automatically honor the Global Privacy Control (GPC) signal. If your browser or device sends this signal, we will treat it as a valid request to opt out of any “sharing” of data for cross-contextual advertising.
- Location Permission. You can revoke location access at any time through iOS Settings. Without location access, tour narrations will not trigger automatically, but you can still browse and read non-generated content that is freely available.
- Email. If you provided your email through Sign in with Apple and wish to remove it, you can manage this through your Apple ID settings. If you used Apple’s private email relay, we do not have access to your actual email address.
- Data Portability. You may request a copy of your data by contacting us at legal@topolex.com.
6. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, we process your personal data on the following legal bases:
- Contract performance. Processing necessary to provide the App’s services (authentication, tour generation, narration playback).
- Legitimate interests. Usage analytics to improve tour quality and the walking experience, where our interests do not override your rights.
- Consent. Location access (both foreground and background) is granted through iOS permission prompts, which you may revoke at any time.
You have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing based on legitimate interests. To exercise these rights, contact us at legal@topolex.com.
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know. You may request the categories and specific pieces of personal information we have collected about you.
- Right to Delete. You may request deletion of your personal information.
- Right to Opt-Out of Sale. We do not sell your personal information.
- Right to Non-Discrimination. We will not discriminate against you for exercising your rights.
To exercise these rights, contact us at legal@topolex.com. We will respond within 45 days.
8. Children’s Privacy
Age Assurance and Minor Protections
In compliance with relevant state statutes and regulations, such as the Texas SECURE Act and the Utah Social Media Regulation Act:
- Age Signals: We receive an “Age Category” signal from the Apple App Store at the time of download.
- Default Privacy for Minors: For users identified as being under 18, “Precise Location” and “ADMT Profiling” are disabled by default. Parental consent via the Apple “Family Sharing” link is required to enable these features.
- COPPA Compliance: We do not knowingly collect data from children under 13. If such data is identified, it is purged using “Secure Erase” protocols within 48 hours.
The App is not directed to children under the age of 13 (or 16 in jurisdictions where GDPR applies). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly.
9. Third-Party Services
The App integrates with third-party services as described in Section 3. These services have their own privacy policies, and we encourage you to review them:
- Apple Privacy Policy
- Microsoft Azure Privacy Statement
- OpenRouter Privacy Policy
- Inworld AI Privacy Policy
10. Data Retention
- Account data is retained as long as your account is active and is deleted within 30 days of an account deletion request.
- Tour and narration data is retained as long as your account is active or until you delete a tour.
- Feedback data is retained for content quality purposes and deleted upon account deletion.
- Server logs are retained for 30 days and then automatically purged.
- Usage analytics are retained for 90 days in Azure Application Insights and then automatically purged.
- On-device caches are managed automatically (audio: 7 days, tour data: 1 hour, playback state: 24 hours).
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy within the App and updating the “Last Updated” date. You are advised to review this Privacy Policy periodically for any changes.
12. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at:
TopoLex legal@topolex.com