Hugo Data Protection Impact Assessment

1. Description of Processing

• Data categories: Name, email, password, voice recordings, transcripts, device identifiers, usage logs, crash reports, subscription status, location data.
• Purpose: Provide voice-based tour guide functionality, manage subscriptions, personalise experience, improve app, marketing.
• Data subjects: Hugo users (13+).
• Data flow:
  • Supabase: authentication and encrypted database storage.
  • ElevenLabs: voice input processing.
  • RevenueCat: subscription management.
  • Advertising and analytics partners: marketing and usage analysis.

2. Necessity and Proportionality

• Account data required to authenticate and manage subscriptions.
• Voice and location required to deliver core service (tour guidance).
• Logs and analytics necessary to improve stability and performance.
• Retention periods defined and minimised where possible.

3. Risks Identified

• Data breach risk (voice and location data are sensitive).
• Profiling and marketing risk (sharing with advertising partners).
• Retention creep (logs retained longer than necessary).
• Children risk (if under-13s bypass age gate).

4. Mitigations

• Supabase encryption at rest plus TLS in transit.
• Retention schedules:
  • Account: 3 years post-deletion.
  • Billing: 6 years.
  • Voice: 12 months (ElevenLabs up to 3 years).
  • Location logs: 12 months.
  • Analytics logs: 12 months.
  • Crash reports: 6-12 months.
• Age gate at signup (13+ only).
• Unsubscribe links plus in-app toggle for marketing.
• Data subject request procedure with 1-month turnaround.
• Signed data processing agreements with processors.
• Breach notification plan (72 hours under GDPR).

5. Outcome

With mitigations in place, processing is proportionate and compliant with GDPR, UK law, and CCPA/CPRA. No residual risks require prior consultation with regulators.