Disclosure Notice
Vaktim App
Data Controller: Soner Yılmaz
Contact: destek@vaktim.app
Last Updated: March 2026
1. Identity of the Data Controller
Your personal data is processed by Soner Yılmaz, acting as the data controller, within the scope of the Turkish Personal Data Protection Law No. 6698.
2. Processed Personal Data and Purposes of Processing
2.1 Data Processed in All Cases
- Account and authentication data: email address, session details, OAuth identities
- Profile data: display name, avatar information
- Subscription and premium data: subscription status and related technical records
- Usage and quota data: AI usage counter and usage limit information
- Consent records: sync and related approval records
This data is processed for the purposes of account creation, login operations, profile management, providing premium services, quota management, and fulfilling legal obligations.
The main legal grounds for these categories are the establishment or performance of a contract, compliance with the data controller's legal obligations, and the establishment, exercise, or protection of a right in the event of a dispute.
2.2 Data Processed Only When Sync Is Enabled
If you enable the sync feature and provide the relevant explicit consent, the following data may be processed for cross-device synchronization:
- Quran reading progress: surah or verse references, progress status, and last action time
- Prayer reading progress: prayer references, read counts, and last action time
- Dhikr and salawat summary data: totals, daily summaries, streaks, and related achievement data
- Prayer tracking data: marked prayer time, date, marking time, whether it was performed on time, and related summary statistics
- Favorite content references
- Badges, points, and similar gamification data
2.3 Data Processed When the Spiritual Guide Feature Is Used
When you use the Spiritual Guide feature, the following data may be processed:
- The content of the messages you write
- Limited conversation context required to generate a response
- Technical usage and quota data
This data is processed to generate AI-assisted responses. Spiritual Guide message content is not included in the cross-device sync dataset; however, when you use the feature, it is transmitted to OpenAI infrastructure through Supabase Edge Functions.
The processing of message content within the Spiritual Guide feature and the related overseas transfer are based on your explicit consent for that feature.
2.4 Data That Remains Only on the Device
- Quran and prayer notes
- Local copies of in-app chat history stored on the device
- Full location history and local search history
3. Transfer of Personal Data
3.1 International Transfers
Your data may be transferred abroad through the following service providers in order to provide the service:
- Supabase Inc.: database, authentication, storage, and function infrastructure
- Amazon Web Services: hosting services used by Supabase infrastructure
- Cloudflare Inc.: network, security, and content delivery services
- RevenueCat Inc.: subscription and premium management
- Mapbox Inc.: user-initiated location search and map operations
- OpenAI LLC: response generation within the Spiritual Guide feature
Optional international data transfers made within the scope of Sync and Spiritual Guide are carried out on the basis of your explicit consent under Article 9 of the Law.
For overseas service providers used in account management, authentication, infrastructure, subscriptions, and similar processes, transfer activities are assessed within the framework of the applicable processing and transfer conditions for the relevant data category, together with contractual and technical safeguards.
3.2 Methods of Collection and Legal Grounds
Your personal data may be obtained, fully or partially through automated means, via:
- Registration and profile forms submitted directly by you
- Your in-app preferences and explicit consent selections
- Device and app usage flows
- Technical notifications from subscription and payment infrastructure
- User-initiated location search, map use, and AI feature usage
This data is processed on the legal grounds set out in Articles 5 and 6 of the Law, including contract performance, legal obligation, establishment or protection of a right, and explicit consent where applicable.
4. Retention Periods
- Account and profile data: for as long as the account relationship continues and for the operational period necessary to remove it from active systems following account closure or deletion requests
- Subscription records: 10 years under relevant tax and financial obligations
- Sync data: while the sync feature remains active and until any sync disablement and deletion request is completed
- Consent records: 3 years from the withdrawal of consent or closure of the account
Turning off the sync feature stops new data transfers. To delete data that has already been transferred to the cloud, you may submit a separate deletion request.
5. Technical and Administrative Safeguards
The following measures are applied to protect your data: access control, encrypted communication, user-based authorization, the principle of least privilege, and security monitoring.
6. Your Rights
Under Article 11 of the Law, by applying to the data controller, you have the right to:
- Learn whether your personal data is processed
- Request information if it has been processed
- Learn the purpose of processing and whether it is used in accordance with that purpose
- Know the third parties to whom it has been transferred domestically or abroad
- Request correction if it has been processed incompletely or inaccurately
- Request deletion or destruction under the conditions set out in the Law
- Request notification of correction, deletion, or destruction to third parties to whom the data was transferred
- Object to a result against you arising from analysis by exclusively automated systems
- Request compensation if you suffer damage due to unlawful processing
Application and Complaint Procedure
You may first submit your requests under Turkish data protection law to destek@vaktim.app. If your application is rejected, if the response is found insufficient, or if no response is provided within 30 days, you may file a complaint with the Turkish Personal Data Protection Board under Article 14 of the Law.