🔒 Privacy Policy

Last Updated: May 2026  ·  Effective Date: May 2026

At Ödexi we take your privacy very seriously. This Privacy Policy describes how your personal data is collected, processed, stored and protected when you use the Ödexi mobile application (the "App").

This policy has been prepared in compliance with the Turkish Law on Protection of Personal Data No. 6698 ("KVKK") and the European Union General Data Protection Regulation ("GDPR").

1. Data Controller

The Ödexi mobile application is operated as a sole proprietorship by Ali Rıza Yüksektepe (Ankara, Turkey). The Data Controller under KVKK is Ali Rıza Yüksektepe.

Contact: support@odexi.app

2. Personal Data Collected

(a) Account Information (Supabase Auth)

  • Email address
  • Password (bcrypt hashed, plain text not stored)
  • Account creation date
  • Last login date

(b) Profile Information (optional)

  • Display name
  • Preferred language (locale: tr/en/es/de/pt/ja)
  • Preferred currency (TRY/USD/EUR/GBP/JPY)

(c) Payment Tracking Data (Supabase PostgreSQL)

  • Payment names, amounts and dates (entered by the user)
  • Payment type (subscription / installment / bill / one-time)
  • Category and currency
  • Payment history (manual "paid" markers)
  • Notification preferences

⚠️ Important Note: The App does NOT request or store BANK ACCOUNT NUMBERS, CREDIT CARD NUMBERS, IBAN, PASSWORDS or similar sensitive financial information.

(d) Push Notification Token (Firebase Cloud Messaging)

  • FCM Token (unique per device, used for notification delivery)

(e) Subscription / Purchase Data (RevenueCat)

  • Premium subscription status
  • Purchase history (managed by App Store / Google Play; financial information processed via RevenueCat — we DO NOT see your card details)

(f) Analytics & Diagnostics (PostHog + Sentry + Firebase Crashlytics)

  • Anonymous user identifier (UUID, contains no personal information)
  • In-app interaction events (page visits, button taps)
  • Crash reports (version, device model, OS version, stack trace)
  • Performance metrics

This data is optional. Consent is requested during onboarding and you may decline.

3. Purpose & Legal Basis of Processing

In line with KVKK Art. 5 and GDPR Art. 6, our processing purposes and legal bases are as follows:

Purpose | Legal Basis
Account creation and session management | Performance of contract (KVKK Art. 5/2-c)
Payment tracking and reminder notifications | Performance of contract
Premium subscription management | Performance of contract
Crash reports and performance improvement | Explicit consent (KVKK Art. 5/1)
Analytics (usage statistics) | Explicit consent
Compliance with legal obligations (tax, records) | Legal obligation (KVKK Art. 5/2-a)

4. Third-Party Service Providers

  • Supabase (PostgreSQL backend) — Stores account, profile and payment data. Servers located in the US/EU. supabase.com/privacy
  • Firebase Cloud Messaging (Google) — Push notification delivery. The FCM token is sent and notification content is delivered through Firebase. firebase.google.com/support/privacy
  • Firebase Crashlytics (Google) — Crash reports (optional, opt-in). Stack traces and device model.
  • Sentry — Error tracking (optional, opt-in). sentry.io/privacy
  • PostHog — Product analytics (optional, opt-in). Anonymous usage events. posthog.com/privacy
  • RevenueCat — Premium subscription state management. Tracks App Store and Google Play purchases via an anonymous user identifier. Card details are NOT sent to RevenueCat — those are handled directly by Apple / Google. revenuecat.com/privacy
  • Apple App Store / Google Play — App distribution and in-app purchases. Card details are processed by the stores. apple.com/legal/privacy  ·  policies.google.com/privacy

5. Data Transfers

Your data may be stored on servers outside Turkey (US, EU). Our third-party service providers (Supabase, Firebase, Sentry, PostHog, RevenueCat) may process the data on their own servers. These transfers are conducted under standard contractual clauses (SCC) and GDPR-compliant frameworks.

Your explicit consent for international transfers under KVKK Art. 9 is collected during onboarding.

6. Retention Periods

  • While the account is active: Account information and payment data are retained.
  • After an account deletion request: Data is deleted instantly and irreversibly (delete-account.html).
  • Crash reports: 90 days.
  • Analytics events: 12 months.
  • Legal retention requirements (tax/accounting): The relevant statutory periods apply.

7. Data Security

Your data is protected by industry-standard encryption:

  • In transit: TLS 1.3 (HTTPS connections)
  • At rest: AES-256 encryption (Supabase PostgreSQL)
  • Passwords: bcrypt one-way hash (the original password is never stored)
  • API access control: Supabase Row-Level Security (RLS) ensures every user only sees their own data
  • Device level: Token storage via iOS Keychain and Android Keystore
  • Root/jailbreak detection: The app refuses to launch on insecure devices

8. User Rights

Your rights under KVKK Art. 11 and GDPR Art. 15-22:

  • (a) Right of access: Find out which data of yours is being processed
  • (b) Right to rectification: Correct inaccurate / incomplete data (in-app)
  • (c) Right to erasure: Request deletion of your data (in-app "Delete My Account" button or support@odexi.app)
  • (d) Right to restrict processing
  • (e) Right to data portability: Obtain your data in a machine-readable format (CSV/PDF report — in-app)
  • (f) Right to object: Object to automated decisions
  • (g) Right to withdraw consent: The consents you gave during onboarding can be withdrawn from Settings

To exercise these rights: support@odexi.app

9. Cookie Policy

The Ödexi mobile app does not use cookies. The odexi.app website uses Cloudflare CDN solely for essential technical purposes (loading Tailwind CSS). It uses NO advertising or tracking cookies.

10. Children's Privacy

Ödexi is not designed for use by children under 13. We do not knowingly collect data from any user under 13. If we become aware of such data, it is deleted immediately.

11. Breach Notification

In the event of a data breach, in line with KVKK Art. 12/5 and GDPR Art. 33, the Turkish Data Protection Authority and affected users will be notified within 72 hours of detection.

12. Changes

If this Privacy Policy is updated, the "Last Updated" date will be revised and material changes will be communicated through in-app notifications.

13. Contact

For questions about this Privacy Policy:

Email: support@odexi.app

Data Controller: Ali Rıza Yüksektepe (Ankara, Turkey)