Privacy / Notturno
Your data, your terms
We hold a few things for you.
We look after the things you upload like a maître d' looks after a coat. Quietly, carefully, and only used to make your trips feel known. Below is the long form of what that looks like in practice — what sits on our side, where it lives, who sees it, and how to take it back.
01
What we hold for you
Your photo
The avatar you set on your profile. Shared with the partners on your bookings — the maître d', the driver, the chef — so they recognise you on arrival. Nobody else sees it.
Travel documents
Your passport, national ID, and driver's licence — front and back where the document needs both. Used to pre-fill border forms and to satisfy a partner's check-in. Never browsed, never aggregated, never used to train any model.
Name, address, contact
What we would write on an envelope if we were sending you a hand-written note. Used to address you correctly, to ship the occasional thing, and to reach you about a trip in flight.
Payment methods
The cards you save are tokenised by our payment processor (Stripe). We hold a reference, not the full number. The CVV is never stored at all.
Trip history
Your bookings, the ledger of what was spent on each trip, and the partner reviews you've left. Used to suggest the next thing in a way that fits the last.
Location
Only while you're using the app, and only to surface what's near you — a recommended bar two streets over, a timed reminder on the day of travel. Never recorded in the background, never sold.
Concierge conversations
What you ask the concierge — by voice or in writing — and what it answers. Held against your trip so the assistant remembers context across days. Speech is transcribed on-device where the device allows it. The conversation content is sent to Google Vertex AI for inference (once you accept the in-app data-sharing notice on first concierge open) and is kept on our side alongside the trip it belongs to. See section 05 for the full disclosure.
02
Where it lives
Encrypted in transit and at rest
Everything you send to us travels over an encrypted connection (TLS 1.2+) and is held in encrypted storage on the other end. The keys are managed by our cloud provider; the bytes themselves are never readable in the open.
Held in regional cloud storage
Your files sit in Google Cloud's europe-west region, under an account scoped to you. A different signed-in person — even with the same app installed — can't see your files. We do not transfer your data outside the European Economic Area without an appropriate safeguard in place.
03
Who sees it
Never sold, never used for ads
Not with advertisers, not for training any external AI. Outside the partners on your trips, nothing about you leaves the house.
Partners on your bookings only
When you book a hotel, a car, a table — that partner sees the slice of your profile they need to host you. A different partner, on a different trip, sees a different slice. Nobody sees the whole.
Notturno staff don't browse
Day-to-day, no human at Notturno opens your files or reads your concierge thread. Engineers reach into individual records only on a documented incident, and only with a logged, time-boxed audit trail.
04
Your controls
See what we hold
Every piece of data on this page is visible to you inside the app — your profile photo, your saved documents, your trip ledger, your card tokens, your conversation history. The app is the canonical view.
Edit, replace, remove
Any field is editable from your Profile. Travel documents can be replaced or removed individually. The concierge thread can be cleared per-trip.
Close your account
From the bottom of your Profile, you can close your account. We delete your live profile, photo, documents, and active conversations right away, and we keep a copy of your records in a secure, locked-down archive used only to honour open tax / refund / dispute windows. The archive is purged on schedule and is never used for marketing.
Reach a human
Write to us at contact@notturno.studio with a request to see, correct, export, or erase your data. We respond within fourteen days and never charge for the work.
05
AI and the concierge
The Notturno concierge (“Ocean”) uses a third-party AI service — Google Vertex AI — to understand what you ask for and to plan your trip. We need this section to be unambiguous about it, because Vertex AI is a separate company from Notturno and conversation content has to leave our servers to reach it.
What we send to Vertex AI
Only the conversation itself: the words you type to Ocean, the words you say to Ocean when you use voice mode, the trip the message belongs to (so Ocean remembers context across turns), and a short technical record of the call (timestamps, latency) that we use for debugging.
What we do not send
Your name, your photo, your profile, your address, your travel documents, your payment methods. The rest of the app surface — bookings, trip history, account records — never touches Vertex AI. Only the words of the conversation itself.
Your permission, every install
The first time you open the concierge tab in the app, we show a full-screen notice that names Google Vertex AI, lists what is and isn't sent, and asks you to accept before any data leaves the device. If you decline, no conversation content is ever sent — the concierge surface shows a “permission required” placeholder until you change your mind. Reinstalling the app clears the flag and re-prompts; closing your account removes every trace of past conversation.
Equal protection on Google's side
Content sent to Vertex is governed by Google's Cloud Data Processing Addendum (cloud.google.com/terms/data-processing-addendum) and the Vertex AI service-specific terms (cloud.google.com/terms/service-terms), which together oblige Google to apply equivalent safeguards to those we apply ourselves — confidentiality, encryption in transit and at rest, breach notification, and audit rights. Inference runs in the EU region. Google does not use this content to train any general-purpose model.
06
Sub-processors
Firebase / Google Cloud (Google LLC)
Authentication, real-time database, encrypted file storage, cloud functions, and push notifications. Hosted in Google Cloud's europe-west region. Bound by Google's Cloud Data Processing Addendum (cloud.google.com/terms/data-processing-addendum), which obliges Google to apply the same safeguards we apply to your data — confidentiality, encryption in transit and at rest, breach notification, audit rights.
Stripe (Stripe Payments Europe Ltd.)
Card tokenisation, Apple Pay, settlement to partners. Card numbers and CVVs never touch our servers. Stripe is bound by its Data Processing Agreement (stripe.com/legal/dpa), which provides the same level of protection we apply — including PCI DSS compliance and EU data-residency commitments.
Google Vertex AI (Google Cloud)
The language and voice models behind the Notturno concierge (“Ocean”). Used only after you accept the in-app data-sharing notice on first concierge open. What we send: the words of your conversation (typed or spoken), the trip the message belongs to, and a short technical record of the call. What we do not send: your name, photo, profile, address, travel documents, or payment methods. Inference runs in the EU region. Vertex is bound by Google's Cloud Data Processing Addendum (cloud.google.com/terms/data-processing-addendum) and the Vertex AI service-specific terms (cloud.google.com/terms/service-terms), which together oblige Google to apply equivalent confidentiality, encryption, breach-notification, and audit safeguards to those we apply ourselves. Content sent for inference is not used to train any general-purpose model.
07
Retention
Active records live for as long as your account is open. Closed-account archives are kept for up to seven years to satisfy tax law and partner-side dispute windows, then permanently purged. Concierge transcripts and analytics events are summarised after ninety days and the raw form is deleted.
08
Contact
Write to us at contact@notturno.studio with any data-protection request — access, correction, export, erasure, or a complaint. We answer every email by hand and respond inside fourteen days.