Privacy Policy
Gleam takes your personal data seriously. This policy is carefully prepared to be aligned with the Turkish Personal Data Protection Law No. 6698 (KVKK) and the EU General Data Protection Regulation (GDPR). The binding version is the Turkish text. Read it together with the KVKK Disclosure and the Cookie Policy.
Our core principles: data minimisation (we collect only what is necessary), purpose limitation (we use data only for the purposes disclosed), transparency and accountability.
In short (TL;DR)
- We collect email + name + date of birth for your account.
- Only the people you choose can see your moments and feelings.
- No ads. No data sale. No profiling for advertising.
- Data is stored encrypted on servers in Tokyo, Japan (Supabase, AWS ap-northeast-1) and EU Frankfurt (PostHog).
- You can delete, export and object anytime.
1. Data controller
Bilal Uğur Yayla (individual project), Istanbul, Türkiye.
Contact: legal@yougleam.app · General support: help@yougleam.app
As the data controller is below the Turkish DPA threshold (10,000 individuals/year), registration with VERBİS is not required. A data protection representative is not appointed as the mandatory thresholds are not met; all requests go directly to the data controller.
2. Personal data we collect
The full table of categories and data types is in KVKK Disclosure Section 2. In summary: identity (name, username, date of birth), contact (email), account (profile photo, bio, preferences), content (moments, feelings, Glow/Relate interactions, bond chats, capsules, manifests), security (sign-in times, IP), optional (location, newsletter). We do not request special-category data (health, religion, biometrics, etc.); if a user shares such content in free text, it is their own declaration.
3. Purposes and legal bases of processing
Every processing activity relies on one of the following legal bases (KVKK Art. 5-6 / GDPR Art. 6):
| Purpose | Data processed | Legal basis |
|---|---|---|
| Account creation and management | Identity, contact, account | Performance of a contract |
| Bond system (mutual follow + mutual Glow match) | Content, account | Performance of a contract |
| Daily zodiac message | Date of birth | Performance of a contract |
| Notifications | Device/push token | Consent (can be turned off) |
| Newsletter / marketing | | Consent (withdrawable) |
| Product-usage analytics | Usage events (no content) | Legitimate interest |
| Location (city/country) | User-declared location | Consent |
| Security, fraud and abuse prevention | Sign-in times, IP, logs | Legitimate interest |
| Reports and moderation, community rules | Report record, related content | Legal obligation / legitimate interest |
| Legal obligations and legal claims | Minimum necessary data | Legal obligation |
4. Cookies
Only essential cookies (theme, cookie preference) and cookieless anonymous visitor counting are used. There are no third-party advertising cookies, tracking pixels, Facebook Pixel or Google Analytics. Details: Cookie Policy.
5. Sharing and transfers
Other users
- Your profile (depending on your visibility setting)
- The "moments" you share (depending on your sharing setting)
- Chat content with the person you bond with
Service providers (data processors)
- Supabase Inc. — Database, authentication, storage (Tokyo, Japan — AWS ap-northeast-1)
- PostHog Inc. — Product-usage analytics; chat/moment content is not sent (EU, Frankfurt)
- Functional Software, Inc. (Sentry) — Error and crash monitoring (US, SCC)
- Google LLC — Push notifications / FCM (US, SCC)
- Apple Inc. — Sign in with Apple (US, SCC)
- Resend Inc. — Newsletter / waitlist email (US, SCC)
- Vercel Inc. — Web hosting and edge functions (EU/Global)
- Zoho Corporation — Email receiving and transactional email (EU)
Service providers process data only on our instructions and within the limits of the contract.
International transfers
Primary database storage is in Tokyo, Japan (Supabase, AWS ap-northeast-1). Analytics is in EU Frankfurt (PostHog). All cross-border transfers (Tokyo, US, EU) are made under Standard Contractual Clauses (SCC) together with the user's explicit consent, as per Turkish KVKK Art. 9 and GDPR Art. 46.
Legal authorities
Only with a valid court order or binding legal obligation, limited to the minimum data requested.
Advertisers
Never. Your data is not sold, rented or profiled for advertising.
6. Where data is stored
Primary storage: Tokyo, Japan (Supabase). Analytics: EU Frankfurt (PostHog). Backups are kept encrypted. Cross-border transfers are protected by SCCs.
7. Retention and erasure
- Account information: until the account is deleted + up to 30-day backup
- Moments: until the account is deleted
- Bond chats: the conversation window closes after 24 hours; messages are retained until the account is deleted
- IP / authentication logs: up to 30 days (sign-in attempts 7 days)
- Report records: until the account is deleted (abuse prevention)
- Marketing consent: until withdrawn
Data whose retention period has expired is deleted, destroyed or anonymised through periodic erasure (at most every 6 months) or within 30 days upon request. When an account is deleted, all data is permanently erased within 30 days (except data we must retain by law).
8. Data security (KVKK Art. 12)
We apply appropriate technical and organisational measures:
- TLS/HTTPS encryption in transit; encrypted database at rest (Supabase/PostgreSQL).
- Row Level Security for per-user data isolation.
- Passwords are irreversibly hashed (Supabase Auth); plaintext passwords are not stored.
- Least-privilege principle, access control and access logging.
- Regular backups and up-to-date dependency/patch management.
No system is 100% secure; we aim for the highest reasonable protection.
9. Data breach notification
In case of a personal data breach, we notify the Authority/competent supervisory authority and affected users without undue delay (as a rule, within 72 hours under the GDPR), in line with KVKK and the GDPR.
10. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. The zodiac message, Duel and Bond matching are app features only; no advertising, credit or employment-type profiling is performed.
11. Your rights
Under KVKK Art. 11 and the GDPR you have the rights of information/access, rectification, erasure ("to be forgotten"), restriction of processing, objection, data portability, withdrawal of consent, and objection to automated decisions.
To exercise them: email legal@yougleam.app with the subject "KVKK Application — [right]". Identity verification may be requested. Requests are answered free of charge within 30 days (a tariff set by the Authority may apply in case of disproportionate cost). If you are not satisfied, you may apply to the Turkish Data Protection Authority: kvkk.gov.tr.
12. Marketing and withdrawal of consent
Newsletter / waitlist sign-up is done only with explicit consent. You can ask to be removed and to stop receiving email at any time via legal@yougleam.app. Withdrawal does not affect the lawfulness of prior processing.
13. Children's data
Gleam is for ages 13 and over. Date of birth is collected at sign-up and users under 13 are blocked from registering. If an under-13 user is detected, the account is closed and their data is deleted.
14. Third-party links
The site/app may contain third-party links. We are not responsible for the privacy practices of those sites; we recommend reviewing their policies.
15. Changes
We announce significant changes via in-app notification + email, with reasonable notice before they take effect. The current version is always on this page; the date is stated above.
16. Contact and complaints
- Data/privacy questions and KVKK applications: legal@yougleam.app
- General support: help@yougleam.app
- Supervisory authority: Turkish Data Protection Authority — kvkk.gov.tr
Data controller: Bilal Uğur Yayla (individual project), Istanbul, Türkiye. For detailed categories, legal bases and the application procedure, see the KVKK Disclosure.
