Privacy Policy
Privacy Policy
Last updated: 6 May 2026
This Privacy Policy describes how Strim Mobility, SAS ("we", "us", "Strim Mobility") collects, uses and protects your personal data when you use aline.guide ("Aline", "the Service"). It is written to comply with the European General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the French Data Protection Act ("Loi Informatique et Libertés").
1. Who we are
Data controller: Strim Mobility, SAS à associé unique — 3 Rue de Saint-Quentin, 67000 Strasbourg, France RCS Strasbourg 894 082 486 — Capital 5 100 € — VAT FR 75 894 082 486 Contact for privacy matters: tours@strim.mobi
We do not currently appoint a Data Protection Officer (DPO), as our processing does not meet the thresholds set out in Article 37 of the GDPR. If this changes, we will update this Policy.
2. The data we collect
We try to collect as little as possible. In practice, the data we may process falls into the following categories.
a) Site & app analytics — collected automatically when you use Aline
- Pages and screens visited, in-app events (tour started, stop completed, AI question asked, tour finished, tip screen shown, etc.)
- Approximate location derived from IP address (country and city level — never your precise GPS unless you explicitly enable it)
- Device type, browser, operating system, screen size, language preference
- A randomly generated anonymous identifier stored locally on your device
b) Tour-progress and AI assistant interactions — collected when you use the tour
- Which stops you have started or completed
- Questions you ask the AI assistant ("raise hand to ask"), in their text or voice form
- Anonymous identifier linking these events to a single tour session
We do not retain the raw audio of voice questions after they have been transcribed and answered, unless you explicitly opt in to a beta-feedback program.
c) Voluntary geolocation — opt-in only
- If you enable precise geolocation, your real-time GPS position is used in your browser to advance the tour. This data is not transmitted to our servers; it stays on your device.
d) Email — only if you give it to us
- If you sign up for language-availability notifications, we collect your email address and the language you selected.
e) Tip payment data — handled by our payment processor
- When you choose to leave a voluntary tip at the end of a tour, payment details (card number, billing details) are entered directly into our payment processor's interface (Stripe Payments Europe, Ltd., based in Dublin, Ireland) and are never seen or stored by us. We only receive a payment reference, the amount, the currency and the success/failure status.
f) Customer support correspondence
- If you write to us, we keep your message and our reply for as long as needed to handle your request and a reasonable period afterwards.
We do not knowingly collect information about racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data, or any other "special category" data within the meaning of Article 9 of the GDPR.
3. Why we process your data, and on what legal basis
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Operate the Service: serve the audio guide, advance you through stops, answer questions | tour-progress data, AI conversations | Performance of a contract — Art. 6(1)(b) |
| Improve content and product (which stops bore people, which questions the AI gets) | aggregated analytics events | Legitimate interest — Art. 6(1)(f) |
| Measure traffic and the effectiveness of partnerships (UTM tracking from QR codes) | analytics events | Consent for non-essential cookies — Art. 6(1)(a) |
| Process voluntary tips | payment reference returned by Stripe | Performance of a contract — Art. 6(1)(b) |
| Send you a notification when Aline becomes available in your language | email address | Consent — Art. 6(1)(a) |
| Comply with legal obligations (tax, accounting, requests from authorities) | minimum necessary | Legal obligation — Art. 6(1)(c) |
| Defend our rights in case of fraud, abuse, or litigation | minimum necessary | Legitimate interest — Art. 6(1)(f) |
You can withdraw consent at any time by clearing cookies, refusing them in the cookie banner, or unsubscribing from emails. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Cookies and similar technologies
When you first visit aline.guide, a banner asks for your preferences. There are two categories:
- Strictly necessary cookies — required to make the Service work (session, security, language preference, tour progress). They do not require consent.
- Analytics cookies — used by PostHog (see below) to understand how the Service is used. They are set only after you consent to them in the banner.
We do not set marketing or advertising cookies of any kind.
You can change your choice at any time via the "Cookie preferences" link in the footer. The full list of cookies we use, their providers, purposes, and durations is published in our Cookie Policy.
5. Who we share your data with
We do not sell your personal data. We share it only with carefully selected service providers, each acting either as a processor (under our instructions, bound by GDPR Art. 28 contracts) or as an independent controller for their own narrow purposes:
- Lovable AB — Stockholm, Sweden — application hosting and development platform. Acts as our processor.
- Cloudflare, Inc. — 101 Townsend Street, San Francisco, CA 94107, USA — content delivery and edge security layer. Acts as our processor under EU Standard Contractual Clauses.
- PostHog (EU Cloud) — product analytics, hosted in the European Union. Acts as our processor.
- Stripe Payments Europe, Ltd. — 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland — processes voluntary tip payments. Acts as an independent controller for payment data, under its own privacy policy at https://stripe.com/privacy.
- Resend — Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — for transactional and notification emails. Acts as our processor under EU Standard Contractual Clauses.
- Authorities — when required by law, court order, or to protect our rights.
We may publish anonymous, aggregated usage statistics (e.g. "85 % of testers finished the tour"). Aggregated statistics are not personal data.
6. International transfers
Our default infrastructure is hosted in the European Union (PostHog EU Cloud, EU-region hosting). When a service provider transfers data outside the European Economic Area (for example, technical sub-processors based in the United States), we rely on:
- the European Commission's adequacy decisions where they exist (e.g., the EU–US Data Privacy Framework); or
- Standard Contractual Clauses (Modules 2 / 3, Commission Implementing Decision (EU) 2021/914) supplemented by appropriate technical and organizational measures.
The list of sub-processors and the safeguards in place for each transfer is available on request.
7. How long we keep your data
| Data | Retention |
|---|---|
| Anonymous analytics events (PostHog) | 12 months from collection |
| AI assistant questions (anonymized) | 12 months from collection |
| Email for language-availability notifications | Until you unsubscribe, or 24 months of inactivity, whichever comes first |
| Tip payment reference and amount | 10 years (French commercial and tax law obligations) |
| Customer support correspondence | 3 years from the last contact |
| Site logs (technical) | 12 months |
8. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data ("right to be forgotten") in the cases listed in Art. 17
- Restrict processing in the cases listed in Art. 18
- Object to processing based on legitimate interest, including profiling (Art. 21)
- Receive your data in a structured, commonly used and machine-readable format and have it transmitted to another controller (Art. 20)
- Withdraw consent at any time (Art. 7(3))
- Not be subject to a decision based solely on automated processing producing legal effects (Art. 22) — we do not currently make any such decisions
- Lodge a complaint with a supervisory authority. In France, this is the CNIL — Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr.
To exercise any of these rights, write to tours@strim.mobi. We will reply within one month, as required by Art. 12(3) GDPR.
9. Security
We apply technical and organizational measures aiming to protect your data against unauthorized access, loss, alteration, or disclosure. These include encryption in transit (TLS), restricted access to backend systems, EU-region hosting, and regular review of our processors.
No system can be guaranteed 100 % secure. If a breach affects your personal data and creates a high risk to your rights and freedoms, we will notify you in accordance with GDPR Art. 34.
10. Children
Aline is a general-audience cultural product. We do not specifically target children. In France, the minimum age at which a person can give valid consent for the processing of personal data by an information society service is 15 (Art. 7-1 of the Loi Informatique et Libertés). Below this age, parental authorization is required. If we become aware that we are processing personal data of a child below this age without parental consent, we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of the Policy will reflect the date of the most recent change. If a change is material, we will inform users through the Service before it takes effect.
12. Contact
For any question about this Policy or about how we process your data, write to tours@strim.mobi.