1. Introduction and Scope

MIMIR Travel Oy (“MIMIR,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals who use the MIMIR Travel mobile application and related services (collectively, the “Service”). This Privacy Policy details our practices concerning the collection, utilization, and disclosure of your Personal Data and outlines your choices regarding that data.

This Policy applies to all users of the Service, which leverages persistent geolocation services to deliver gamified travel experiences.

2. Data Controller and Contact Information

The data controller responsible for the processing of your Personal Data is:

MIMIR Travel — Established in Vantaa, Finland
Contact Email: support@mimir.fi

3. Data Processing Principles and Legal Basis

We collect and process your Personal Data only when we have a legitimate legal basis to do so, which primarily includes:

• Contractual Necessity: Processing data required to fulfill our contractual obligation to provide the Service to you (e.g., account management, game functionality).
• Consent: Processing data where you have provided explicit, informed consent (e.g., enabling precise location tracking).
• Legitimate Interests: Processing data necessary for our legitimate business interests, provided those interests do not override your rights and freedoms (e.g., improving security, internal analytics).
• Legal Obligation: Processing data necessary to comply with applicable laws and regulations (e.g., European Union General Data Protection Regulation — GDPR).

4. Categories of Data Collected

We collect the following categories of information:

4.1. Identity and Account Data (Personal Data)

• Identifiers: Email address (if provided for registration), username, and profile image (optional).
• Authentication: Encrypted passwords or device authentication tokens.

4.2. Device and Technical Data (Automatically Collected)

• Device Information: Device model, operating system, unique device identifiers (e.g., IDFA, Android ID), browser type, and time zone settings.
• Network Data: IP address, mobile carrier, and connectivity type.

4.3. Usage, Gamification, and Interactive Data

• Activity Metrics: Details regarding your interaction with the Service, including pages viewed, features accessed, session duration, date of last activity, and crash reports.
• Game Progress: Scores, achievements, challenge completion rates, inventory of in-app items/currency, and leaderboard placement.
• Statistical Data: Counts of countries and cities visited, and the number of stories listened for gamification and progress tracking.
• User-Generated Content (UGC) Metadata: Timestamps, device identifiers, and location of UGC creation.

4.4. Sensitive and Specific Permissions Data (Requires Explicit Consent)

Precise Geolocation Data: We collect your precise location data (GPS coordinates) to facilitate location-based challenges and real-time guidance.

• Foreground Use: When the app is actively open, location data is used to provide relevant, real-time content based on your surroundings.
• Background Use: With your separate and explicit consent, we may collect and use your precise location data when the app is closed or running in the background to trigger relevant, proximity-based notifications (e.g., motivational check-ins, nearby challenge alerts) and to update location-dependent progress.
• Retention Limit: Any precise location data collected is used only for the immediate purpose it serves and is not retained as a history or travel log. Precise location data is retained for a maximum of 24 hours as a temporary geofence coordinate to trigger a notification, after which it is promptly deleted or anonymized. Aggregated, anonymized location data may be retained for service analytics.

5. Purpose of Data Utilization

We utilize the collected data for the following essential business functions:

• Provision of Core Services: To operate, deliver, maintain, and enhance gamification and geolocation features of the Service, including showing your statistical progress. (Legal Basis: Contractual Necessity).
• Account Management: To verify your identity, maintain security, and manage your subscriptions and game progress. (Legal Basis: Contractual Necessity).
• Performance and Analytics: To monitor the usage and effectiveness of the Service, identify technical issues, and optimize resource allocation. (Legal Basis: Legitimate Interests).
• Communication: To send essential administrative messages, security alerts, and customer support responses. (Legal Basis: Contractual Necessity/Legitimate Interests).
• Compliance: To satisfy legal and regulatory obligations, and to prevent, detect, and investigate illegal activities. (Legal Basis: Legal Obligation).

6. Data Retention Policy

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.

• Account Data: Retained indefinitely while your account remains active, regardless of periods of inactivity, to preserve your game progress, achievements, and virtual items.
• User-Initiated Account Closure: Upon your formal request to close your account, we will delete or anonymize all Personal Data within 180 days, except where required to retain transactional records for legal or regulatory compliance (e.g., receipts, tax records).
• Geolocation Data: Precise, real-time geolocation is deleted immediately upon the conclusion of a session or after 24 hours of retention for background notification purposes. Aggregated usage data derived from location is retained for analytical purposes indefinitely.
• Usage/Gamification Data: Retained for the duration necessary for ongoing trend analysis and service improvement.

7. Third-Party Data Disclosure and Service Providers

We engage third-party processors and use third-party technologies to perform essential functions on our behalf. We only share the minimum necessary Personal Data with these service providers. Categories of recipients include:

• Cloud Hosting Providers: For secure data storage and operational backend services.
• Analytics & Mapping Providers: Including Google Firebase Analytics and the Google Maps SDK for crash reporting, usage monitoring, and delivering location-based services.
• Generative AI Providers: Including large language models (LLMs) used to generate dynamic content narratives and audio components within the Service.
• Legal and Regulatory Authorities: When required to do so by court order or applicable law.

8. International Data Transfers

MIMIR Travel Oy is based in the European Union (Finland). Your information, including Personal Data, may be processed both within the European Economic Area (EEA) and transferred to — and maintained on — computers located outside of your state, province, or country where the data protection laws may differ from those in your jurisdiction. By using the Service, you acknowledge and consent to this transfer, provided we take all reasonably necessary steps (such as utilizing Standard Contractual Clauses) to ensure your data is treated securely and in accordance with this Privacy Policy and the GDPR.

9. Your Data Protection Rights (GDPR/CCPA)

Depending on your jurisdiction, you may have the following rights concerning your Personal Data:

• Right of Access: The right to request copies of the Personal Data we hold about you.
• Right to Rectification: The right to request correction of inaccurate or incomplete data.
• Right to Erasure (‘Right to be Forgotten’): The right to request the deletion of your Personal Data, subject to our legal obligations.
• Right to Object/Opt-Out: The right to object to the processing of your data for certain purposes, such as direct marketing. (For CCPA users, the right to opt-out of the “sale” or “sharing” of personal information).
• Right to Restrict Processing: The right to request that we limit the way we use your data.
• Right to Data Portability: The right to receive your Personal Data in a structured, commonly used, machine-readable format.

To exercise any of these rights, please submit a request to the Contact Email address listed in Section 2.

10. Policy Amendments

MIMIR reserves the right to modify this Privacy Policy at any time. We will provide notice of significant material changes through the Service or via email, and by updating the “Effective Date” at the top of this document. Your continued use of the Service after any modification constitutes your acceptance of the updated Policy.