Privacy Policy

Last updated: 14 May 2026

This Privacy Policy describes how m24media ("we", "us", or "our") collects, uses and shares personal information when you use the Pedro AI mobile application and related services (collectively, the "Service").

Pedro AI is an AI assistant for fragrance enthusiasts and perfumers. It lets you have conversations with an AI model, scan perfume bottles using your camera, save formulas and notes, and synchronise your data across your devices.

1. Who is the data controller?

The data controller for personal information processed through the Service is:

• m24media
• Email: [email protected]

If you are in the EEA, the UK or Switzerland and would like to exercise your data protection rights, please contact us at the address above.

2. Information we collect

2.1 Information you provide

• Account — email address, display name, password (hashed by Firebase Authentication), and, where you choose, a profile photo.
• Sign-in identifiers — if you sign in with Apple or Google, the unique identifier and email returned by the provider. If you use Sign in with Apple with the "Hide My Email" option, we receive a private relay email.
• Profile preferences — experience level (e.g. hobbyist, pro), appearance mode, haptic and timestamp preferences, timezone.
• User content — conversations and messages you send to the AI, formulas and notes you save, "memories" you ask Pedro to remember, projects, and any photos you upload (for example, a picture of a perfume bottle). All chat messages are logged automatically for security monitoring and AI training purposes.
• Support & reports — the contents of any support ticket, content report or other communication you send us.

2.2 Information collected automatically

• Usage data — daily question counts, feature interactions, screens viewed, session metadata.
• Device & diagnostics — device model, operating system version, language, time zone, app version, crash reports and performance metrics (e.g. start-up time, network latency).
• Push notification tokens — an anonymous token issued by Apple Push Notification service / Firebase Cloud Messaging so we can send you notifications you have enabled.
• Subscription & purchase — subscription status, product identifier, purchase and renewal events received from RevenueCat / the App Store. We do not see your payment card details.

Pedro AI does not use third-party advertising trackers and does not engage in cross-app tracking under the Apple App Tracking Transparency framework.

2.3 Camera and photo library

If you use the perfume scanner, the app needs access to your camera or photo library to let you select or capture an image. The image is sent to our AI provider (see Section 4) for analysis. We do not retain raw scanned images on our servers beyond what is necessary to return a response and store it in your conversation history.

3. How we use your information

We use personal information to:

• Create and maintain your account and authenticate you across devices.
• Operate core features — chat, formula generation, perfume scanning, saved memories, projects and conversation sharing.
• Process subscriptions, manage entitlements, and provide receipts and renewal information.
• Provide customer support and respond to tickets, content reports and other inquiries.
• Send transactional and (if you enable them) optional notifications.
• Detect, investigate and prevent fraud, abuse, content policy violations and security incidents.
• Log and review chat conversations for security monitoring, content moderation, and to enforce our Terms of Service.
• Train and improve the AI models and features that power the Service using conversation data.
• Take enforcement action — including issuing warnings, suspending features, or permanently banning accounts — where a user engages in inappropriate, abusive, or policy-violating behaviour.
• Measure and improve performance, fix crashes, and develop new features.
• Comply with applicable law and enforce our Terms of Service.

4. AI processing

When you send a prompt, image or other content to Pedro, that content is transmitted to Google's Gemini models via the Firebase AI Logic SDK so that a response can be generated. The provider processes your input as a data processor on our behalf under Google's terms.

Important things to know:

• Do not include information you do not want processed by an AI model. Avoid sending highly sensitive data (for example, government identifiers, health records or other special-category data).
• AI outputs may be inaccurate, incomplete or unsuitable for safety-critical decisions. Do not rely on Pedro for medical, legal, regulatory (e.g. IFRA) or other professional advice.
• Conversations are stored in your account so that you can revisit them. You can delete individual conversations or all of your data at any time (see Section 9).
• All chats are logged. Logs are retained for security monitoring, abuse investigation, and to train and improve our AI models. Even if you delete a conversation from your account view, server-side logs may be retained for a limited period as described in Section 8.
• Administrators of m24media may access stored conversation content and logs to investigate abuse reports, security issues, or to provide support you have requested. All admin access is logged. Where a review reveals a violation of our Terms of Service or community standards — including harassment, hate speech, illegal content, or other inappropriate behaviour — administrators may issue warnings, restrict features, suspend, or permanently ban the account in question.

5. Legal bases for processing (EEA / UK)

If the GDPR or UK GDPR applies to you, we rely on the following legal bases:

• Performance of a contract — to provide the Service you request, including AI responses, sync and subscriptions.
• Legitimate interests — to keep the Service secure, prevent abuse, debug crashes, and improve product quality. You may object to this processing at any time.
• Consent — for camera and photo library access, push notifications, and any optional analytics that require consent in your jurisdiction. You may withdraw consent in your device settings at any time.
• Legal obligation — to comply with applicable laws and respond to lawful requests.

6. Sharing of information

We do not sell your personal information. We share data only with the following categories of recipients:

• Google LLC (Firebase: Authentication, Firestore, Storage, Cloud Functions, Cloud Messaging, Analytics, Performance Monitoring, Remote Config; Firebase AI Logic / Gemini) — hosting our backend, authenticating users, storing your account and content, sending notifications, generating AI responses. United States and other regions where Google operates.
• Apple Inc. — app distribution, Sign in with Apple, Push Notifications, in-app purchases. Worldwide.
• RevenueCat, Inc. — managing subscription state and entitlements. United States.
• Companion apps you choose to link (e.g. Perfumer's Vault 2, AromaLab) — only when you initiate a deep link from Pedro to one of these apps; data passed is limited to what is needed for the requested action.
• Professional advisers, auditors, regulators and law-enforcement authorities — where reasonably necessary to comply with the law, enforce our Terms, or protect our rights, users or the public.
• A successor entity — in connection with a merger, acquisition, financing or sale of assets, subject to appropriate confidentiality protections.

7. International transfers

Our service providers operate globally, including in the United States. Where we transfer personal data out of the EEA, UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK Addendum, the Swiss Addendum or other recognised transfer mechanisms.

8. Data retention

We retain personal information for as long as your account is active and for as long as we need it to provide the Service or to comply with legal obligations. In particular:

• Account & content: kept until you delete the data or your account.
• Support tickets and content reports: kept for up to 24 months after closure for audit and abuse-prevention purposes.
• Crash, performance and aggregated analytics: retained on rolling windows configured in our analytics tools, typically up to 14 months.
• Subscription records: retained as long as required by tax, accounting and consumer-law obligations.

When you delete your account, we delete or irreversibly anonymise your personal data within 30 days, except where retention is required by law or for the establishment, exercise or defence of legal claims.

9. Your rights and choices

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your personal information ("right to be forgotten").
• Restrict or object to certain processing.
• Receive your data in a portable, machine-readable format.
• Withdraw consent at any time, without affecting prior processing.
• Lodge a complaint with your local data protection authority. In the UK, this is the ICO (ico.org.uk).

You can exercise the most important of these rights directly inside the app:

• Settings › Privacy › Export My Data — downloads a JSON archive of your profile, preferences and conversations.
• Settings › Privacy › Delete Account — permanently deletes your profile, conversations, projects, memories, profile image and authentication record.

You can also email [email protected] at any time. We may need to verify your identity before fulfilling a request.

California residents

If you are a California resident, the CCPA / CPRA gives you additional rights, including the right to know what categories of personal information we collect, the right to request deletion or correction, and the right to opt-out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.

10. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for our Firebase data stores, access controls, authentication, audit logging, and the principle of least privilege for administrators. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. In jurisdictions where the minimum age for digital consent is higher (for example, 16 in parts of the EEA), the Service is not intended for users below that age. If you believe a child has provided us with personal information, please contact us so that we can delete it.

12. Push notifications

If you allow notifications, we may send you transactional messages (for example, replies to a support ticket) and, if enabled, optional notifications such as feature updates. You can disable notifications at any time in your device settings.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where the changes are material, we will provide additional notice (for example, an in-app banner). Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.

14. Contact us

If you have any questions or concerns about this Privacy Policy or our processing of your data, please contact:

m24media — [email protected]