POVL — Privacy Policy

⚠️ Important Legal Disclaimer

POVL is not a medical device.

The personality analyses, archetypes, social comparisons, and results provided through this application are intended solely for entertainment, social interaction, and personal awareness purposes. The application's content does not substitute for professional psychological counseling, clinical diagnosis, treatment, or medical advice and should not be used for such purposes.

POVL is a platform where users share their subjective opinions about people in their social circles and engage in "social discovery" through algorithmic patterns.

1. Introduction

POVL ("Application", "we", "us", "our") is a social discovery and interaction platform developed by Barış Altın, designed to help people discover the characteristics they are curious about regarding people in their social circles, share their impressions of each other, and transform relationship dynamics into an entertaining, viral experience. This Privacy Policy explains how your personal data is collected, processed, stored, shared, and protected when you use the Application.

This Privacy Policy has been prepared in compliance with the Turkish Personal Data Protection Law No. 6698 (KVKK), the principles of the European Union General Data Protection Regulation (GDPR), Apple App Store Review Guidelines (Section 5.1), and Google Play Developer Policy (User Data policy) requirements.

By using the Application, you represent that you have read, understood, and accepted this Privacy Policy.

2. Data Controller

Data Controller: Barış Altın
📧 Email: hello@povl.app
📍 Country: Turkey

You may contact us using the information above for any questions, requests, or complaints regarding the processing of your personal data.

3. Data Collected

3.1 Data Collected Directly from You

Data Category	Data Collected	Purpose
Account Information	Name/surname, email address, profile photo (via Google or Apple Sign-In)	Account creation and authentication
Profile Information	Display name, profile photo (optional change), friend code	In-app profile and social features
Personality Analysis Data	Analysis Subject Label: A symbolic nickname or label assigned by the User in their own mind to identify the analysis account (This data is not based on a real person's identity verification). Trait Ratings: Subjective evaluation scores ranging from 1-20.	Creating personality analysis reports and profile differentiation
Circle Data	Circle connections, friend code sharing, mutual/transparent analysis preferences	Social connection and circle features
Partner Matching Data	Invitation codes, invitation statuses, matching information	Partner matching feature
Discovery Data	Answers to daily discovery questions, streak tracking	Enriching analysis profiles
Notification Preferences	Push notification permission, notification token	Notification services
Reporting Data	Reported content, report reason, description	Content moderation and user safety
Purchase Data	Credit purchase history, transaction records	Credit system management

3.2 Automatically Collected Data

Data Category	Data Collected	Purpose
Device Identifiers	IDFV (iOS) or Android ID, platform information (iOS/Android)	Preventing welcome bonus abuse
Application Usage Data	Session duration, feature usage frequency, error logs	Improving service quality
IP Address	Connection IP address (in server logs)	Security and abuse prevention

3.3 Data We Do Not Collect

For the sake of transparency, we do not collect the following data:

❌ Location data (GPS, Wi-Fi location detection, etc.)
❌ Contacts/address book information
❌ Call history or message contents
❌ Health data
❌ Financial information (credit card numbers, etc. — payment processing is managed by Apple/Google)
❌ Medical and Biometric Data: Fingerprints, face scans, genetic data, or clinical health records are not collected. Personality analysis data is processed under the "User Content" category without any medical diagnostic purpose.
❌ Political, Philosophical, and Religious Data: Special categories of personal data such as race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation, or union membership are not collected. Analysis results do not profile based on these categories.
❌ Third-Party SDKs for Advertising Purposes: The Application does not contain SDKs for ad display, behavioral tracking, or ad targeting (e.g., AdMob, Facebook Ads, Unity Ads). (Note: Services used for authentication, database, and technical infrastructure — Supabase, Expo, Google/Apple Auth — are excluded from this scope and are listed in the "Service Providers" section).

4. Purposes and Legal Bases for Data Processing

4.1 Processing Purposes

We process your personal data for the following purposes:

Purpose	Description	Legal Basis
Service Provision	Creating personality analysis reports, circle features, partner matching	Performance of contract
Account Management	Account creation, authentication, profile management	Performance of contract
Security	Detecting fake accounts, preventing welcome bonus abuse, blocking system	Legitimate interest
Content Moderation	Reviewing reported content, ensuring compliance with community rules	Legitimate interest / Legal obligation
Notifications	Mutual analysis results, circle requests, achievement notifications	Explicit consent
Improvement	Improving service quality and user experience (analysis with anonymized data)	Legitimate interest
Legal Obligations	Legal regulations and requests from authorized bodies	Legal obligation

4.2 Algorithmic Data Processing

POVL processes the rating data entered by Users to create personality analysis reports. In this process:

Input data: Personality trait ratings containing the User's (the rater's) own subjective opinions, individual judgments, and personal evaluations of the analyzed person.
Output: Algorithmically generated personality analysis report (patterns, overall score, grade, archetype).
Algorithm Method: Analysis results are produced by a pattern recognition system based on predefined algorithms and rules.
Data sharing: Rating data is not sent to third-party artificial intelligence systems. All analysis operations are securely performed on our own servers.
Automated Decision-Making: The data processing procedure is fully automated, and there is no human intervention or manual review of the results.

Important: Analysis results generated by algorithmic systems are for entertainment purposes and do not constitute a scientific assessment.

5. Data Sharing

5.1 When Data Is Shared

We do not share your personal data with third parties except in the following circumstances:

Sharing Scenario	Description
In-App Sharing	Mutual or transparent analysis results are shared only with the relevant Circle members. This sharing depends on your preferences (transparent/mutual mode selection).
Infrastructure and Server Services	Supabase (Database) and Expo (Notification Service). To ensure uninterrupted service delivery on a global scale, your data may be stored in encrypted form on secure cloud servers located abroad (EU or US) that maintain high security standards. By using the Application, you are deemed to have consented to this technical transfer.
Authentication Providers	Google Sign-In and Apple Sign-In are used for authentication purposes. Only the minimum necessary information (authentication token) is shared with these providers.
Legal Requirement	We may be required to share your data pursuant to applicable laws, court orders, or requests from authorized bodies.
Transfer of Rights	In the event of a company merger, acquisition, or asset sale, your personal data may be transferred to the acquiring party. Prior notice will be provided in such cases.

5.2 What We Never Share

❌ We do not sell your data to third-party advertisers or data brokers.
❌ We do not share your data with third parties for marketing purposes.
❌ We do not provide your data to third-party AI or data sets.
❌ We do not publicly publish your profile data without your explicit consent.

6. Data Retention

6.1 Retention Periods

Data Type	Retention Period
Account Data	For as long as the account exists. (Data is retained for service continuity unless the User requests account deletion).
Analysis Data	For as long as the account exists. (Immediately destroyed when the User deletes the report or account).
Circle Data	For as long as the connection is active (deleted when the connection or account is deleted)
Device Fingerprints	For as long as the account exists and, in cases of suspected fraud, for the duration of the legal statute of limitations (10 years).
Reporting Data	For as long as the account is active and for the duration of the legal dispute statute of limitations (10 years)
Transaction Records	10 years pursuant to legal requirements and tax regulations
Server Logs	90 days

6.2 Post-Retention

Data that has exceeded its retention period is permanently deleted automatically or within 30 days at the latest, or anonymized in an irreversible manner.

7. Data Security

We implement the following technical and administrative measures to ensure the security of your personal data:

7.1 Technical Measures

Encryption: All data communication is encrypted with TLS 1.2+ (HTTPS). Sensitive data is encrypted server-side with AES-256.
Authentication: Secure session management based on JWT (JSON Web Token).
Access Control: Row Level Security (RLS) ensures each User can only access their own data.
API Security: All API requests are subject to authentication.

7.2 Administrative Measures

Data access is limited to personnel who require it for their duties.
Regular security audits and updates are conducted.
In the event of a data breach, affected Users and authorized bodies are notified within the time period required by law.

7.3 Data Breach Notification

In the event that a security breach affecting your personal data is detected:

The relevant data protection authority will be notified within 72 hours of discovering the breach.
Affected Users will be notified as soon as possible via email and/or in-app notification.
The scope of the breach, measures taken, and recommended protective steps will be communicated.

8. User Rights

8.1 Your Rights Under KVKK

You have the following rights pursuant to Article 11 of the Turkish Personal Data Protection Law No. 6698 (KVKK):

Right to Information: To learn whether your personal data is being processed.
Right of Access: To request information regarding the processing of your personal data.
Right to Rectification: To request the correction of personal data if it has been processed incompletely or inaccurately.
Right to Erasure/Destruction: To request the deletion or destruction of your personal data when the purpose for processing no longer exists.
Right to Object: To object to results that arise against you through the exclusive analysis of processed data via automated systems.
Right to Compensation: To seek compensation for damages arising from the unlawful processing of personal data.
Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format.

8.2 Additional Rights Under GDPR (EU/EEA Users)

Additional rights for users residing in the European Union or European Economic Area:

Right to Restrict Processing: To restrict the processing of your data under certain conditions.
Right to Object: To object to data processing based on legitimate interests.
Right to Object to Profiling: To object to automated decision-making and profiling.
Right to Lodge a Complaint: To file a complaint with the data protection authority in your country.

8.3 How to Exercise Your Rights

To exercise the rights listed above:

In-App: You can permanently delete your account and all your data through Settings > Account > "Delete My Account."
Email: You may apply to hello@povl.app. Your application will be responded to within 30 days at the latest.

We may request additional information for identity verification purposes.

9. Account Deletion and Data Removal

9.1 Account Deletion

You can delete your account at any time from within the Application:

Settings > Account > Delete My Account

9.2 Scope of Deletion

When you delete your account, the following data is permanently deleted:

✅ Your profile information (name, photo, friend code)
✅ All personality analyses and ratings you have created
✅ Your Circle connections and Circle analysis data
✅ Your discovery answers and streak data
✅ Your achievement progress
✅ Your notification history
✅ Your credit balance

9.3 Data Retained After Deletion

The following data may be retained for a limited period for legitimate purposes:

Device fingerprint: To prevent bonus abuse (anonymous device identifier only).
Transaction records: Due to legal requirements (financial audit).
Reporting data: Until active reviews are completed.

9.4 Deletion Timeline

Your data will be permanently deleted within 30 days after receiving your account deletion request. If you wish to recover your account within this period, you can contact us via email.

10. Children's Privacy

10.1 Age Restriction

POVL is designed for users over the age of 13. We do not knowingly collect personal data from children under the age of 13.

10.2 Detection of Child Data

If we discover that we have collected personal data from a user under the age of 13:

The relevant account will be immediately suspended.
All collected data will be deleted as soon as possible.
The legal guardian or custodian will be notified if available.

10.3 Parent/Guardian Notification

If you believe your child is under the age of 13 and is using the Application, please immediately contact us at hello@povl.app.

11. International Data Transfers

11.1 Data Processing Location

Your data is processed through the Supabase infrastructure. Supabase servers may be located in different regions. When your data is processed outside of Turkey, we ensure that appropriate security measures are in place.

11.2 Security Measures

For international data transfers:

Implementation of Standard Contractual Clauses (SCCs)
Ensuring an adequate level of data protection
Compliance with KVKK and applicable data protection legislation

12. Cookies and Tracking Technologies

12.1 Mobile Application

POVL is a mobile application and does not use traditional web cookies. However, we may use the following similar technologies:

Device Identifiers: IDFV (iOS) or Android ID — to prevent welcome bonus abuse.
Push Token: Expo push notification token — to send notifications.
Session Tokens: JWT-based secure session management. (These tokens are mandatory technical identifiers solely for the Application's operation and your security; they do not serve tracking or advertising purposes). — for secure authentication.

12.2 Third-Party Tracking

POVL does not use third-party ad tracking SDKs (Facebook SDK, Google Ads SDK, etc.). We do not track your user behavior for advertising purposes and do not collect your advertising identifier (IDFA/GAID).

13. Push Notifications

13.1 Notification Types

POVL may send push notifications in the following situations:

When someone sends you a Circle request
When mutual analysis results are revealed
When your transparent analysis result is ready
When a new discovery question is available
Streak reminders

13.2 Notification Control

You can manage push notification permissions at any time from your device settings:

iOS: Settings > Notifications > POVL
Android: Settings > Apps > POVL > Notifications

Disabling notifications does not affect the core functionality of the Application.

14. Apple and Google Specific Privacy Requirements

14.1 Apple App Tracking Transparency (ATT)

POVL does not engage in tracking under Apple's ATT framework. We do not access your device's advertising identifier (IDFA) and do not perform cross-app/website tracking.

14.2 Apple Privacy Nutrition Label

Our privacy label on the App Store reflects the following data collection categories:

Data Linked to You: Contact information (email), user content (analyses), identifiers (user ID)
Data Not Linked to You: Device identifiers (abuse prevention), usage data (anonymous error reports)

14.3 Google Play Data Safety

Our data safety section on the Google Play Store includes the following information:

Data Collection: Yes — account information, user content, device information
Data Sharing: No — data is not shared with third parties for marketing purposes
Data Deletion: Yes — users can delete their accounts and data from within the app
Encryption: Yes — encryption in transit (TLS)

15. Third-Party Service Providers

We work with the following third-party service providers, and these providers may interact with your data:

Provider	Purpose	Data Processed	Privacy Policy
Supabase	Database, authentication, server functions	Account information, analysis data, application data	supabase.com/privacy
Google Sign-In	Authentication	Google account token, name, email	policies.google.com/privacy
Apple Sign-In	Authentication	Apple ID token, name, email (hiding option available)	apple.com/legal/privacy
Expo	Push notifications, application distribution	Push token, device information	expo.dev/privacy

These providers process your data solely for the stated purposes and are subject to their own privacy policies.

Note: The service providers listed above act as Data Processors and process your data solely in accordance with our instructions, under contractual data protection safeguards (DPA).

16. Data Protection Impact Assessment

When adding new features or data processing activities, we conduct a Data Protection Impact Assessment (DPIA) to evaluate potential privacy risks. This assessment covers:

New data collection requirements
Data processing purposes and proportionality
Potential impacts on user rights
Risk mitigation measures

17. Request Response Time

Response times for personal data requests:

Request Type	Response Time
Information / Access	Within 30 days at the latest
Rectification	Within 30 days at the latest
Deletion (in-app)	Immediate (permanent deletion within 30 days)
Deletion (email request)	Within 30 days at the latest
Objection	Within 30 days at the latest
Data portability	Within 30 days at the latest

In the case of complex or numerous requests, we may extend this period up to 60 days, provided we inform you.

18. Policy Changes

We may update this Privacy Policy from time to time. In the event of significant changes:

We will send an in-app notification.
We will specify the effective date of the updated policy.
We will highlight and explain significant changes.

Your continued use of the Application after the changes constitutes acceptance of the updated Privacy Policy.

19. Complaints and Applications

19.1 Contact Us

For all complaints and applications regarding the processing of your personal data:

📧 Email: hello@povl.app

All applications will be responded to within 30 days at the latest.

19.2 Supervisory Authority

If the outcome of your application is not satisfactory, you may apply to the following authorities:

Turkey: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
EU/EEA: The Data Protection Authority in your country

20. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy:

Barış Altın
📧 Email: hello@povl.app
📍 Country: Turkey