RIVAYETPrivacy Policy
Last updated: 28 Nisan 2026
1. Data Controller
The controller of personal data processed through this app ("Rivayet" or the "Service") is:
- Name: Onur Meşta
- Email: onurmesta@gmail.com
2. Scope
This Privacy Policy explains how we collect, process, transfer, and protect your personal data when you use the Rivayet iOS app. It is prepared in line with Turkey's Personal Data Protection Law No. 6698 (KVKK) and, where applicable, the EU General Data Protection Regulation (GDPR).
3. Personal Data We Collect
| Category | Data | Source |
|---|---|---|
| Identity | Apple user identifier (sub), email (or anonymous alias if "Hide My Email" is used) | Sign in with Apple |
| Profile | Auto-generated username, account creation date | App |
| Activity | Votes, lock attempts, won-decision history | In-app activity |
| Payment | Apple transaction ID, subscription state, expiry date | RevenueCat → Apple |
| Technical | Device type (iOS version), app version, crash logs (only if errors occur) | Device / SDKs |
We do not collect: real name, date of birth, phone number, location, photos, contacts, health data, biometric data.
4. Purposes and Legal Bases for Processing
| Purpose | Data | KVKK Art. 5 / GDPR Art. 6 Basis |
|---|---|---|
| Account creation and session management | Identity, profile | Performance of contract |
| Voting and lock-in flow | Activity | Performance of contract |
| Payment processing and subscription management | Payment | Legal obligation + contract |
| Service security, fraud prevention | All | Legitimate interest |
| Account deletion request fulfillment | Identity | Data subject request |
We do not process data for marketing, third-party advertising, or cross-app tracking. Sign in with Apple may emit an anonymized email alias if you choose; we honor that anonymization.
5. Third Parties and International Transfers
We work with the following data processors, each bound by contractual obligations and accessing only the data necessary to deliver the service.
| Provider | Purpose | Location | Data Transferred |
|---|---|---|---|
| Apple | Sign-In, payments | US / Ireland | Apple identifier, payment data |
| Supabase Inc. | Database, auth, storage | Tokyo, Japan (ap-northeast-1) | All app data |
| Anthropic, PBC | Story option and text generation (world-bible only; no user data sent) | US | — |
| Replicate, Inc. | Panel image generation (image prompt only; no user data sent) | US | — |
| RevenueCat, Inc. | Apple StoreKit verification, subscription state | US | Apple user id, transaction id |
International transfer: Some providers operate outside Türkiye. Your data is transferred internationally under KVKK Art. 9 / GDPR Chapter V. Transfer is necessary to provide the Service; provider contracts maintain appropriate safeguards. By using the app, you consent to these transfers.
6. Retention Periods
- Active account: Until deletion or 24 months of inactivity.
- After deletion: Identity and profile data are deleted immediately. Your won decisions (canon picks) remain in the archive anonymized — your name and account id are removed.
- Payment records: 10 years under Turkish Commercial Code (Apple transaction id only; no PII).
- Crash logs: Up to 90 days.
7. Children
The Service is for users 13 and over. Sign in with Apple applies its own under-13 restrictions, and the App Store age rating is 13+. If we learn we have collected data from a child under 13, we delete it immediately.
8. Security
- All traffic encrypted via TLS 1.3.
- Database access enforced by Row Level Security; each user can only read their own rows.
- Server-side secrets stored in Supabase Vault and encrypted env vars.
- API keys rotated periodically.
9. Your Rights (KVKK Art. 11 / GDPR Ch. III)
You have the right to: be informed about, request access to, correct, delete, restrict, port, and object to the processing of your personal data; and to lodge a complaint with a supervisory authority.
How to exercise:
- Account deletion: One tap in-app (Profile → Settings → Delete account). Always available per Apple Guideline 5.1.1(v).
- Other requests: Email
onurmesta@gmail.comfrom a verifiable address. Requests are answered within 30 days.
EU residents may also lodge a complaint with their local Data Protection Authority. Turkish residents may apply to KVKK at kvkk.gov.tr.
10. Cookies and Tracking
The Rivayet iOS app does not use cookies. There is no cross-app tracking, no third-party advertising network, and no use of App Tracking Transparency identifiers (IDFA).
11. Changes to This Policy
We will announce material changes at least 14 days before they take effect, in-app and/or via email. The "Last updated" date is revised on each version.
12. Contact
- General: onurmesta@gmail.com
- Data subject requests: kvkk@rivayet.online