Personal Data Protection Disclosure
This disclosure is prepared under Article 10 of the Turkish Personal Data Protection Law No. 6698 ("KVKK") and the related Communiqué on the disclosure obligation, and is aligned with the GDPR. The binding version is the Turkish text. Read it together with the Privacy Policy.
1. Data Controller
Under KVKK, the data controller is:
Bilal Uğur Yayla (individual project)
Istanbul, Türkiye
Contact: legal@yougleam.app
VERBİS Registration: As the data controller is below the Turkish DPA threshold (10,000 individuals per year), registration with VERBİS is not required.
2. Categories of Personal Data Processed
| Category | Data type |
|---|---|
| Identity | Name, username, date of birth (for zodiac) |
| Contact | Email address |
| Location | City/country (only if the user shares it, not GPS) |
| Account | Profile photo, bio, theme/avatar preferences |
| Content | Moments, feelings, Glow and Relate interactions, bond chats, capsules, manifests |
| Transaction security | Sign-in times, IP, session/log records (sign-in attempts 7 days, alert logs 30 days) |
| Marketing (optional) | Email newsletter sign-up |
| Analytics | Product-usage statistics — no content sent (PostHog) |
Special-category data is not requested. Content shared by the user in free text is their own declaration.
3. Purposes of Processing
- Account creation and management
- Bond system (mutual follow + mutual Glow)
- Daily zodiac message
- Notification service
- Service quality and improvement (product-usage analytics)
- Security, fraud and abuse prevention
- Enforcing community guidelines (reports/blocks)
- Fulfilling legal obligations
4. Legal Basis (KVKK Art. 5-6)
- Explicit consent: Newsletter / waitlist, location, push notifications
- Formation/performance of a contract: Account, bond, chat, capsule, manifest
- Legal obligation: Reports, moderation, statutory retention
- Legitimate interest: Security logs, abuse prevention, product-usage analytics
5. Transfers of Personal Data
| Data processor | Service | Location |
|---|---|---|
| Supabase Inc. | DB, auth, storage | Tokyo, Japan (AWS ap-northeast-1) |
| PostHog Inc. | Product-usage analytics (no content) | EU Frankfurt |
| Functional Software, Inc. (Sentry) | Error/crash monitoring | US (SCC) |
| Google LLC | Push (FCM) | US (SCC) |
| Apple Inc. | Sign in with Apple | US (SCC) |
| Resend Inc. | Newsletter/waitlist email | US (SCC) |
| Vercel Inc. | Web hosting | EU/Global |
| Zoho Corporation | Email receiving + transactional | EU |
Cross-border transfers are made under KVKK Art. 9 and the GDPR with Standard Contractual Clauses (SCC). Transferred data is limited to the minimum required by the relevant service.
6. Collection Method
- Directly: sign-up form, profile settings, shared content
- Automatically: device info, IP, session logs
- Third parties: sign-in with Apple/Google (email + name only)
7. Retention Period and Erasure
| Data | Period |
|---|---|
| Account information | Until deleted + 30-day backup |
| Moments | Until deleted |
| Bond chats | Conversation window closes at 24h; retained until account deletion |
| IP / sign-in attempts | Up to 30 days (attempts 7 days) |
| Report records | Until the account is deleted |
| Marketing consent | Until withdrawn |
Expired data is deleted, destroyed or anonymised through periodic erasure (at most every 6 months) or within 30 days upon request.
8. Data Security Measures (KVKK Art. 12)
- TLS/HTTPS in transit, encrypted database at rest
- Row Level Security (RLS) for data isolation
- Irreversible password hashing (no plaintext passwords stored)
- Least-privilege principle, access control and logging
- Regular backups, patch and dependency management
9. Automated Analysis / Profiling
No decision is made based solely on automated processing that produces legal effects on, or similarly significantly affects, the data subject. No profiling for advertising is performed.
10. Rights of the Data Subject (KVKK Art. 11)
- To learn whether your personal data is processed
- To request information if it has been processed
- To learn the purpose and whether it is used appropriately
- To know the third parties to whom it is transferred at home or abroad
- To request correction if processed incompletely/incorrectly
- To request deletion/destruction
- To request that correction/deletion be notified to third parties
- To object to an adverse result arising solely from automated analysis
- To claim compensation for damage due to unlawful processing
11. Application Procedure
You may submit your application in line with the Communiqué on the Procedures and Principles of Application to the Data Controller, as follows:
- Email: legal@yougleam.app
- Subject: "KVKK Application — [name of right]"
- Verification information may be requested to confirm identity.
The request is concluded free of charge within 30 days; if the process requires an additional cost, a fee according to the tariff set by the Authority may be charged (KVKK Art. 13). If you are not satisfied, you may file a complaint with the Authority via kvkk.gov.tr.
12. Explicit Consent
Consent for consent-based processing (newsletter / waitlist, location, push) is obtained freely, for a specific matter and on an informed basis. Consent can be withdrawn at any time; withdrawal does not affect the lawfulness of past processing.
13. Children
Gleam is for ages 13 and over. Users under 13 are blocked at sign-up. If an under-13 user is detected, the account is closed and their data is deleted.
14. Changes
The current version is always at yougleam.app/kvkk; the date is stated above.
