Privacy Policy
Last updated: 5 June 2026 · Effective: 5 June 2026
This Privacy Policy describes how Bracino OÜ ("we", "us", "our") collects, uses, and protects your personal data when you use TellRide ("the Service") at tellride.xyz and its app at tellride.xyz/app. We are an Estonian company and a data controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Data controller
| Company | Bracino OÜ |
|---|---|
| Registry code | 12452492 |
| Jurisdiction | Republic of Estonia |
| Contact email | info@tellride.xyz |
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Your email address.
- A password hash, stored and verified by Amazon Cognito. We never see or store your password in plain text.
- If you sign in with Google: your Google account identifier (the "sub" claim) and the email Google releases to us. We do not request access to your Google contacts, calendar, drive, or any other Google data.
- A Cognito-issued user identifier (the "sub" claim), which is the internal key we use to link your data together.
2.2 Location data
While the app is open and you have tapped Start, your browser sends us your current latitude and longitude so we can find points of interest near you. This is the only time we receive your location. We do not run in the background, we do not maintain a continuous track of your route, and we do not infer your home or workplace.
Each story we deliver is recorded with the approximate coordinates at which it was triggered, so that we don't play you the same story twice. We do not assemble these points into a continuous trace, and they expire automatically (see Section 6).
2.3 Listening history
For each story narrated to you, we record: the story identifier, its title, its source ("wikipedia" or "custom"), the trigger coordinates, and the timestamp. This is what lets us avoid repeating stories you've already heard.
2.4 Service usage and technical data
Standard server logs are written by our infrastructure (Amazon ECS, AWS Application Load Balancer, AWS Lambda, Amazon API Gateway) and include your IP address, the request path, the response status, the user-agent string, and the request timestamp. These logs are used to operate and secure the Service.
2.5 Waitlist data
If you join the Pro waitlist, we collect the email you submit, the tier you indicated interest in, and the timestamp. We use this only to notify you when Pro launches.
2.6 Analytics
We use Google Analytics 4 (measurement ID G-9JY6TWZQK9) to understand how the Service is used in aggregate. Google Analytics collects standard web telemetry: page views, referrers, screen size, and a randomized client identifier stored in a first-party cookie. IP addresses are anonymized by Google before storage.
2.7 Payment data
The Service is currently free and we collect no payment data. If and when paid tiers launch, payments will be handled by Paddle.com Market Limited as Merchant of Record. Paddle will collect the data necessary to process the transaction (name, billing address, card or other payment method details, tax identifiers where applicable). We do not receive or store full card numbers.
3. Legal bases for processing (GDPR Article 6)
| Data | Legal basis |
|---|---|
| Account data | Performance of a contract (Art. 6(1)(b)) — we need this to give you the Service. |
| Location data | Your consent (Art. 6(1)(a)) — your browser asks you to allow location access, and you can revoke at any time. |
| Listening history | Legitimate interest (Art. 6(1)(f)) — keeping the Service useful by avoiding duplicate stories. |
| Server logs and security | Legitimate interest (Art. 6(1)(f)) — operating and securing the Service. |
| Waitlist | Your consent (Art. 6(1)(a)) — given by submitting the form. |
| Analytics | Legitimate interest (Art. 6(1)(f)) for anonymous aggregate analytics. If a future deployment requires consent for analytics under your local rules, we will obtain it. |
| Payment data (future) | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and accounting. |
4. How we use your data
- To deliver narrated stories based on your current location.
- To remember which stories you've already heard, across drives, so we don't repeat them.
- To operate, secure, and improve the Service.
- To respond to your requests, including support and rights requests under GDPR.
- To notify you about your account or material changes to the Service.
- To notify you about Pro launch, if you joined the waitlist.
We do not sell your personal data. We do not use your data to build advertising profiles. We do not share your location with third parties for marketing.
5. Who processes your data on our behalf
We use the following processors. Each is engaged under appropriate data-processing terms.
| Processor | Purpose | Region |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting (ECS, Lambda), storage (DynamoDB), authentication (Cognito), CDN (CloudFront), email (SES, if used) | eu-west-1 (Ireland) |
| Anthropic, PBC | Generating narration text from Wikipedia source material. We send only the article extract plus your approximate area (city / coordinates rounded), never your account identifier. | United States |
| Wikimedia Foundation | Source content (Wikipedia GeoSearch and Extracts APIs). We send only coordinates, never your identity. | United States |
| Google LLC | (a) Google Analytics 4 for usage metrics. (b) Optional Google sign-in via OAuth, if you choose it. | European Union / United States |
| Paddle.com Market Limited (future) | Payment processing as Merchant of Record, if and when paid tiers launch. | United Kingdom |
6. International data transfers
Some of our processors are located outside the European Economic Area, principally in the United States. Transfers to the United States rely on the EU-US Data Privacy Framework where the processor is certified (AWS, Anthropic, Google) and on Standard Contractual Clauses where applicable. You can request a copy of the applicable safeguard at info@tellride.xyz.
7. Retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account. On deletion, removed from Cognito and our databases within 30 days. |
| Listening history | 90 days from the time the story was played, after which DynamoDB removes the row automatically via Time-To-Live. Earlier removal on request. |
| Waitlist | Until you ask us to remove your email, or until Pro launches and you either sign up or unsubscribe. |
| Server logs | Up to 90 days, then deleted automatically. |
| Payment records (future) | 7 years for tax and accounting purposes (Estonian Accounting Act). |
8. Cookies and local storage
- Authentication tokens — Amazon Cognito stores your ID, access, and refresh tokens in your browser's
localStoragewhile you are signed in. They are required to use the Service. - UI preferences — your search-radius preference is stored in
localStorageso it survives reloads. - Google Analytics cookies —
_gaand related cookies (first-party, 2-year maximum). You can block them by enabling Do Not Track or by using a browser extension. - Google sign-in — if you use Google sign-in, Google may set its own cookies on its domain. That is governed by Google's privacy policy.
9. Your rights under GDPR
If you are in the EU, EEA, or United Kingdom, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — limit what we do with your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g. location, waitlist).
- Complain — lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority.
To exercise any of these rights, email info@tellride.xyz. We aim to respond within 30 days.
10. Security
All traffic to TellRide is served over TLS. Account passwords are hashed by Amazon Cognito. Data at rest in DynamoDB is encrypted with AWS-managed keys. Access to operational systems is restricted to authorized personnel and audited via AWS CloudTrail.
11. Children
TellRide is not directed to children. You must be at least 16 years old (or the equivalent minimum age in your jurisdiction) to use the Service. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this Privacy Policy as the Service evolves. The "Last updated" date at the top reflects the most recent revision. If we make material changes (for example, introducing payment processing or a new data category), we will notify registered users by email at least 14 days before the change takes effect.
13. Contact
For any privacy question, request, or complaint:
Bracino OÜ
Email: info@tellride.xyz