Privacy & Cookie Policy.
This document is a translation of the Polish Privacy & Cookie Policy (Polityka Prywatności i Cookies). In the event of any discrepancy between the Polish and English versions, the Polish version shall prevail.
This document describes the rules governing the processing of personal data and the use of cookies and similar technologies on the website available at https://ai.in-thecity.com (the "Service"), in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.
1. Data Controller
The controller of your personal data is EAST WEST CONSULTING sp. z o.o., Aleja Grunwaldzka 472, 80-309 Gdańsk, Poland. KRS 0000602766, NIP 8371818070, REGON 363760385. E-mail: support@in-thecity.com.
The Controller has not appointed a Data Protection Officer (DPO), as it is not required to do so under Art. 37 GDPR. Any questions regarding data processing may be directed to support@in-thecity.com.
2. Scope of Personal Data Processed
2.1 Data Provided Directly by the User
- e-mail address — required to create an account and recover a password,
- password — stored exclusively as a cryptographic hash (bcrypt) by our authentication service provider (Supabase Auth); we do not have access to passwords in plain text.
We do not collect first name, last name, profile picture, phone number, or any other identifying data beyond the e-mail address.
2.2 Data from External Login (OAuth)
If the User logs in via their Google account, we receive their e-mail address from Google. We do not receive or store any other Google account information (name, profile picture, contacts, etc.).
2.3 Technical Data (Collected Automatically)
- IP address — processed only briefly by our anti-spam service provider (Upstash Redis) to limit registrations from a single IP. The IP address is automatically deleted after 60 seconds and is not stored in our database,
- authentication cookies — described in detail in Section 6,
- technical server logs — endpoint URL, HTTP response code, execution time. Logs do not contain e-mail addresses or IP addresses. Stored for 90 days on a rolling basis by the hosting provider (Railway).
2.4 Data Generated by the User
- YouTube video URLs submitted by the User to generate a Guide,
- selected preferences (e.g. culinary, cultural interests) — passed to the AI model to personalise results,
- generated Guides — the AI analysis output, stored in our database so it can be retrieved by the User,
- selected interface language.
2.5 Payment Data
When purchasing a credit package: payment card details are not processed by us — all payment handling is performed by Stripe Payments Europe Limited (Ireland). We receive from Stripe only the Stripe customer ID, payment event ID, session ID, transaction amount and currency, and type of package purchased; plus the User's credit balance history. This data is retained for the purpose of contract performance and compliance with statutory accounting obligations (7 years under the Polish Accounting Act).
2.6 No Special Category Data
We do not process special categories of data within the meaning of Art. 9 GDPR (health, ethnic origin, political opinions, etc.).
3. Purposes and Legal Bases for Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and maintaining an account | Art. 6(1)(b) — performance of a contract |
| Generating Guides (service delivery) | Art. 6(1)(b) — performance of a contract |
| Payment processing and accounting | Art. 6(1)(b) and (c) — contract and legal obligation |
| Communication with the User (e.g. confirmations, errors) | Art. 6(1)(b) — performance of a contract |
| Service security (rate-limiting, anti-spam) | Art. 6(1)(f) — legitimate interest |
| Compliance with accounting obligations (7 years) | Art. 6(1)(c) — legal obligation |
| Defence against claims | Art. 6(1)(f) — legitimate interest |
4. Artificial Intelligence (AI) and Automated Processing
4.1 AI Models Used
The Service uses generative AI models (LLMs and multimodal models). We currently use Google Gemini models (Google LLC, USA) as our primary AI provider. These models are used to analyse publicly available video content from platforms such as YouTube, generate structured travel guides, and translate content into the interface languages. We have entered into a Data Processing Agreement (DPA) with Google LLC in accordance with Art. 28 GDPR, along with Standard Contractual Clauses (SCCs) for data transfers outside the EEA.
4.2 No Training on User Data
User data (URLs, preferences, generated Guides) is not used to train AI models — neither by Google LLC nor by the Operator. We use Google's services in production mode under a "no data retention for training" policy pursuant to the applicable DPA.
4.3 AI Hallucinations — Technology Limitations
Generative AI language models may produce inaccurate, incomplete, or false information (known as "hallucinations"). This is a common limitation of AI technology, not a Service error. Users are required to independently verify all information (addresses, prices, opening hours, current status of places) before using it for travel planning.
4.4 Automated Decisions
Guide generation is an automated process, but it does not produce legal effects on the User and does not significantly affect their situation within the meaning of Art. 22 GDPR.
4.5 Data Transferred to Google LLC (Gemini API)
We transfer the public YouTube video URL (the video itself is not downloaded — analysis is performed by Google through its internal integration), User-selected preferences, interface language, and technically necessary query parameters. What is NOT transferred to Google LLC (Gemini API): the User's e-mail address; account ID; stripe_customer_id or any payment data; history of other User queries; data from other sessions or accounts. Data is transferred to Google LLC solely to generate a specific Guide and is not linked to the User's profile on Google's side.
5. Recipients of Data (Sub-processors)
| Sub-processor | Location | Purpose | Legal mechanism |
|---|---|---|---|
| Supabase Inc. | Ireland (EEA) | Database hosting, authentication, storage | DPA + EEA |
| Stripe Payments Europe Ltd. | Ireland (EEA) | Payment processing | DPA + EEA |
| Google LLC (Gemini API) | USA | Content generation (video analysis, guide generation) | DPA + SCC |
| Google LLC (YouTube Data API, Maps) | USA | Video metadata, place verification, map visualisation | DPA + SCC |
| Resend Inc. | USA | Sending transactional e-mails | DPA + SCC |
| Railway Corp. | Netherlands (Amsterdam, EEA) | Application hosting | DPA + EEA |
| Upstash Inc. | Ireland (EEA) | Anti-spam (rate-limiting) | DPA + EEA |
We have never sold and will never sell your personal data to third parties for marketing purposes.
5.1 Use of YouTube API Services
The Service uses YouTube API (YouTube Data API v3) to retrieve public video metadata (title, description, duration, channel author). By using the Service's video analysis feature, Users are also bound by YouTube Terms of Service and Google Privacy Policy. The Operator does not download, store, or modify YouTube video files — only public metadata and audio transcriptions provided by the API are processed.
6. Cookies and Tracking Technologies
6.1 What Are Cookies
Cookies are small text files stored by the web browser on the User's device when using the Service. They contain information that enables session authentication (maintaining login) and remembering user preferences. They are divided into first-party cookies (set by the Service itself, ai.in-thecity.com) and third-party cookies (set by external service providers, e.g. Stripe during checkout). Local Storage and Session Storage are similar mechanisms in which the browser stores data locally — they are not sent to the server in HTTP headers.
6.2 Cookie Categories
The Service currently uses only necessary cookies (Strictly Necessary) — essential for the Service to function and not requiring the User's consent (under Art. 173(3) of the Polish Telecommunications Law and Art. 6(1)(f) GDPR — legitimate interest). Without these cookies, it is not possible to log in to an account, purchase a package, or use the Service securely. The Service does not currently use analytical or marketing cookies. If these are introduced in the future, this Policy will be updated and Users will be informed with appropriate advance notice.
6.3 Cookie List — Necessary Cookies
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
| sb-access-token | ai.in-thecity.com (Supabase Auth) | Access token for the logged-in user | 1 hour |
| sb-refresh-token | ai.in-thecity.com (Supabase Auth) | Session refresh token | 365 days |
| ref_code | ai.in-thecity.com | Referral programme attribution (referrer's code) | 7 days |
| cookie_consent | ai.in-thecity.com | Saving the User's cookie information choice | 365 days |
All cookies are of type httpOnly, Secure, SameSite=Lax, meaning: they are not accessible to JavaScript (XSS protection), they are transmitted only over HTTPS, and they are not sent with cross-origin requests (CSRF protection).
6.4 Third-Party Cookies During Checkout
During package purchase, the User is redirected to Stripe Checkout (checkout.stripe.com). Stripe sets its own cookies for payment processing and fraud detection. The Operator does not have access to these cookies. Stripe's full policy: https://stripe.com/privacy
6.5 What We Do NOT Use
In the interest of User privacy, we deliberately do not use Google Analytics, Google Ads, Google Tag Manager or any other behavioural tracking tools; heatmap tools (Hotjar, SmartLook, MouseFlow, etc.); advertising pixels (Facebook, TikTok, LinkedIn, and other platforms); cross-site tracking; behavioural profiling for sales purposes; or loyalty programmes based on tracking.
6.6 Local Storage and Session Storage
The Service uses Local Storage to temporarily cache generation results (for re-display without re-querying the server), remember UI preferences (selected language, light/dark mode), and remember cookie information status. Local Storage is stored exclusively locally on the User's device, is not sent to the server in any HTTP requests, and can be cleared at any time in browser settings.
6.7 Cookie Notice
Upon first visiting the Service, we display a cookie notice informing Users about the cookies in use. Since the Service uses only necessary cookies, this notice is informational — no separate consent for these cookies is required. A link to this Privacy & Cookie Policy is available in the Service footer.
6.8 How to Manage Cookies
Every browser allows Users to view, delete, and block cookies (Chrome: Settings → Privacy and security → Cookies; Firefox: Preferences → Privacy & Security → Cookies; Safari: Preferences → Privacy → Manage Website Data; Edge: Settings → Privacy → Cookies). Note: Blocking necessary cookies prevents login and use of the Service.
7. International Data Transfers
Data may be transferred outside the European Economic Area (EEA) only to the USA (Google LLC, Resend) on the basis of European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (EU–US Data Privacy Framework) and Standard Contractual Clauses approved by the European Commission (Decision 2021/914). Data is protected in accordance with Art. 44–49 GDPR. The primary infrastructure (database, application hosting, authentication) is located within the EEA (Ireland, Netherlands).
8. Data Retention Periods
| Data category | Retention period |
|---|---|
| User account (e-mail, password) | Until account deletion by the User |
| Generated Guides | Until deleted by the User or account deletion |
| Cache of generated content | Anonymised, no PII — retained indefinitely |
| IP address (rate-limiting) | 60 seconds (Upstash Redis) |
| Server logs | 90 days (Railway) |
| Payment events (purchase_events) | 7 years — statutory accounting obligation |
| Credit balance and history | Until account deletion + 7 years for payment-related data |
| Session cookies (auth) | 1 hour (access) / 365 days (refresh) |
8.1 Account Deletion Procedure
A User may request account deletion via the "Delete account" function in the account panel — the request is processed by the administrator within 30 days; or by e-mail to support@in-thecity.com — response within 30 days. Upon account deletion, the following are automatically erased: authentication data, User profile, generated Guides, generation jobs, referral codes, and referral commissions. Not deleted (statutory obligation): payment events (purchase_events) — retained for 7 years pursuant to the Polish Accounting Act.
9. Your Rights (Art. 15–22 GDPR)
In connection with the processing of your personal data, you have the following rights:
- Right of access (Art. 15) — to obtain a copy of your data
- Right to rectification (Art. 16) — to request correction of inaccurate data
- Right to erasure (Art. 17) — "right to be forgotten"
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — data export in a structured format
- Right to object (Art. 21) — to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — at any time where processing is based on consent
- Right to lodge a complaint with a supervisory authority (Art. 77)
9.1 How to Exercise Your Rights
Send a request to support@in-thecity.com. We respond within 30 days (exceptionally up to 90 days for complex matters — with appropriate notification).
9.2 Complaint to the President of UODO
If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.
10. Data Security
We apply appropriate technical and organisational measures to protect data: connection encryption (HTTPS/TLS 1.3); password hashing (bcrypt via Supabase Auth); cookies (httpOnly, Secure, SameSite=Lax); payments fully delegated to Stripe (PCI-DSS Level 1); hosting on SOC 2-certified providers (Supabase, Railway); access control via Row-Level Security (RLS) authorisation in the database; backup — regular backups by the database provider. Despite the measures applied, no method of transmission or storage on the internet is 100% secure.
11. Children's Data
The Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If a parent/guardian becomes aware that their child has provided us with personal data, please contact support@in-thecity.com — we will delete such data immediately. The credit package purchase feature requires the User to be at least 18 years old, as required by the payment processor (Stripe).
12. Voluntary Nature of Data Provision
Providing personal data is voluntary, but necessary to use the Service: without an e-mail address, an account cannot be created; without accepting necessary cookies, login is not possible; without payment data (provided to Stripe), a package cannot be purchased.
13. Changes to This Policy
13.1 Good Faith and Early Stage of Development
The Service is in an early stage of development — inaccuracies or areas requiring clarification may arise. The Operator commits to promptly correcting any errors upon their detection or notification. If you notice an error or area for improvement, please contact support@in-thecity.com.
13.2 Right to Amend
We reserve the right to update this Policy in the event of changes in personal data processing (new purposes, new sub-processors), introduction of new analytical or advertising tools, or changes in legislation (e.g. ePrivacy Regulation, EU AI Act). We will notify you of material changes by e-mail to the address provided at registration (for changes affecting User rights), by a prominent notice in the Service, and by updating the date and version number at the beginning of this document. The current version of the Policy is always available at /privacy.
14. Contact and Complaints
For matters relating to privacy, data protection, and cookies: support@in-thecity.com. In the event of a breach of rights related to privacy or cookies, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.
This Privacy Policy & Cookie Policy has been in force since 28 April 2026. Version 2.1 (EN) from 3 May 2026.