Privacy Policy
Last Updated: February 2026
1. Introduction
Thank you for using the Ciral application. This Privacy Policy explains our practices regarding the personal data collected, used, and protected through the Ciral mobile application ("App").
Your privacy is very important to us. This policy has been prepared in compliance with the requirements of the Turkish Personal Data Protection Law (KVKK, Law No. 6698) and the European Union General Data Protection Regulation (GDPR).
Important: By using our App, you agree to the data collection and usage practices described in this Privacy Policy.
2. Data Controller
Data Controller: Burak Turkyilmaz (Independent Developer)
Contact: support@ciral.app
Website: ciral.app
The person responsible for the processing and protection of your personal data, as the data controller under applicable data protection laws, is identified above.
3. Data We Collect
We collect the following personal data through our App:
3.1. Account Information
- Sign In with Apple: When you sign in using Apple Sign In, we receive a user identifier and email address from Apple (optional, depending on Apple's privacy settings)
- Display Name: The display name you use within the App
- Language Preference: Your selected App language
3.2. Habit Data
- Habit Information: Titles, descriptions, and steps of the habits you create
- Progress Data: Habit tracking records, completion statuses, and streak data
- Creation/Update Dates: Information about when habits were created and updated
3.3. AI Chat Data
- Chat Messages: Contents of your conversations with Mol.AI
- AI Responses: Responses generated by artificial intelligence
- Request Timestamps: Times when messages are sent and received
3.4. Usage and Analytics Data
- App Usage Statistics: Which features you use, screen view durations
- Device Information: Device model, operating system version, app version
- Interaction Data: User interactions such as button taps and screen transitions
- Error Logs: Technical information related to app errors
3.5. Payment Information
- Subscription Status: Your premium subscription status (free/premium)
- Transaction Records: Transaction identifiers provided by Apple
Note: Your credit card or payment information is processed and stored by Apple. We do not have access to this information.
4. How We Use Your Data
The personal data we collect is used for the following purposes:
- Service Delivery: Operating App features, habit tracking, and creating AI-powered plans
- Personalization: Personalizing your user experience and providing tailored recommendations
- AI Processing: Sending messages to and receiving responses from the OpenAI API for the Mol.AI chat feature
- Synchronization: Syncing your data across multiple devices
- Analysis and Improvement: Monitoring App performance, understanding user behavior, and improving our service
- Subscription Management: Controlling access to premium features and tracking subscription status
- Security: Fraud prevention and ensuring account security
- Legal Obligations: Complying with legal requirements
5. Third-Party Services
Our App uses the following third-party service providers:
5.1. Supabase (Database and Authentication)
- Purpose: Database hosting, user authentication, data synchronization
- Data Location: European Union (Frankfurt, Germany - eu-central-1 region)
- Data Processed: Account information, habit data, chat messages
- Privacy Policy: supabase.com/privacy
5.2. OpenAI (Artificial Intelligence Processing)
- Purpose: Creating AI-powered habit plans and chat features (GPT-4.1 models)
- Data Processed: User messages, habit information (for plan generation)
- Data Retention: OpenAI temporarily processes API requests and deletes them within 30 days (per OpenAI policy)
- Privacy Policy: openai.com/privacy
5.3. Mixpanel (Analytics)
- Purpose: Usage statistics and App performance analysis
- Data Processed: Device information, usage data, interaction events
- Personal Identifiers: Anonymous user ID (direct identifiers such as email or name are not sent)
- Privacy Policy: mixpanel.com/legal/privacy-policy
5.4. Apple (Authentication and Payments)
- Purpose: Apple Sign In authentication and StoreKit 2 subscription payments
- Data Processed: Apple ID information, payment transactions
- Privacy Policy: apple.com/legal/privacy
GDPR Compliance: All of our third-party service providers comply with GDPR and data protection standards. Your data is hosted within the EU region (Supabase in Frankfurt).
6. AI Data Sharing Consent
Ciral includes AI-powered features (habit plan generation and Mol.AI chat) that require sending data to OpenAI for processing. Before any data is sent to OpenAI, the App will ask for your explicit consent.
6.1. What Requires Consent
- Plan Generation: When you use the "Generate Plan" feature, your habit description is sent to OpenAI to create a personalized step-by-step plan
- Mol.AI Chat: When you send messages in the Mol.AI chat, your messages are sent to OpenAI to generate coaching responses
6.2. How Consent Works
- The first time you use an AI feature, a consent dialog will appear explaining what data is shared and how it is processed
- You can choose "Allow" to enable AI features, or "Don't Allow" to decline
- If you decline, AI features will be disabled but all other App features (habit tracking, streaks, reminders) continue to work normally
6.3. Changing Your Preference
- You can enable or disable AI data sharing at any time via Settings > Preferences > AI Data Sharing
- Turning off AI Data Sharing immediately stops all data transmission to OpenAI
- Previously sent data is handled according to OpenAI's retention policy (deleted within 30 days)
Your Control: AI data sharing is entirely optional. You are always in control of whether your data is sent to OpenAI, and you can change your preference at any time in Settings.
7. Data Storage and Security
7.1. Data Storage Location
All user data is stored within the European Union (Frankfurt, Germany) on Supabase infrastructure. This ensures full compliance with GDPR and international data transfer requirements.
7.2. Data Retention Period
- Account Information: Retained as long as your account is active
- Habit Data: Retained until you delete it or close your account
- Chat Messages: Automatically deleted after 90 days
- Analytics Data: Retained as anonymous statistics for up to 2 years
- After Account Deletion: All personal data is permanently deleted within 30 days
7.3. Security Measures
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest
- Access Control: Database access is protected by Row-Level Security (RLS) policies
- Authentication: Secure authentication via Apple Sign In
- Regular Backups: Automatic backups to prevent data loss
- Security Audits: Regular security testing and updates
8. Your Rights Under Data Protection Laws
Under applicable data protection regulations (including GDPR), you have the following rights:
- Right to Information: The right to know whether your personal data is being processed
- Right of Access: The right to request information about your processed personal data
- Right to Know the Purpose: The right to learn the purpose of data processing and whether it is being used in accordance with its purpose
- Right to Know Third Parties: The right to know which third parties your personal data has been transferred to, domestically or internationally
- Right to Rectification: The right to request correction of incomplete or inaccurate personal data
- Right to Erasure: The right to request deletion or destruction of your personal data
- Right to Notification: The right to request that rectification, deletion, or destruction operations be communicated to third parties to whom your data has been transferred
- Right to Object: The right to object to outcomes arising from automated analysis of your processed data
- Right to Compensation: The right to claim compensation for damages arising from unlawful processing of your personal data
How to Exercise Your Rights
To exercise your data protection rights:
- Email: You can send a written request to support@ciral.app
- In-App: You can delete your data via Settings > Account Settings > "Delete Account"
- Response Time: We will respond to your requests within 30 days
9. GDPR Compliance
For European Union citizens, GDPR (General Data Protection Regulation) rights include:
- Right of Access: You may request access to your personal data
- Right to Rectification: You may request correction of inaccurate data
- Right to Erasure ("Right to Be Forgotten"): You may request deletion of your data
- Data Portability: You may receive your data in a structured, commonly used format
- Right to Object: You may object to data processing activities
- Automated Decision-Making: You may request an explanation regarding automated decisions
Data Protection Contact: support@ciral.app
10. Children's Privacy
Our App is designed for users aged 13 and older. We do not knowingly collect personal data from children under 13.
If you become aware that we have collected data from a child under 13, please contact us immediately at support@ciral.app. We will promptly delete the relevant data.
11. Cookies and Tracking Technologies
Our App is a mobile iOS application and does not use traditional web cookies. However, the following local storage and tracking technologies are used:
- Local Storage: We store habit data locally on your device using SwiftData (for offline use)
- Analytics SDKs: We collect anonymous usage statistics using the Mixpanel SDK
- Device Identifiers: An anonymous device identifier (IDFV) is used for analytics purposes
To disable these tracking technologies, you can enable "Limit Ad Tracking" in your iOS settings.
12. Data Breach Notification
In the event of a security incident that may compromise the security of your personal data:
- We will notify the relevant regulatory authorities within 72 hours in compliance with GDPR requirements
- We will immediately inform affected users via email or in-app notification
- We will take all necessary measures to resolve the breach and prevent similar incidents in the future
13. International Data Transfers
Your data is primarily stored in the EU region (Frankfurt). However, some third-party services (such as OpenAI) may be US-based companies. In such cases:
- Data transfers are protected by "Standard Contractual Clauses" pursuant to Articles 44-50 of the GDPR
- All service providers have data protection measures compliant with GDPR
- OpenAI deletes API requests within 30 days and does not use them for training
14. Policy Changes
We may update this Privacy Policy from time to time. When significant changes are made:
- An in-app notification will be displayed
- You will be notified via email (if you have shared your email address)
- Changes will be published on this page
- The "Last Updated" date will be updated
Your continued use of the App after updates are published means you accept the new policy.
15. Contact
If you have questions or concerns regarding this Privacy Policy, or wish to exercise your data protection rights, contact us:
Email: support@ciral.app
Response Time: Within 30 days (legal requirement)
Complaints: If you are not satisfied with our response, you may file a complaint with the relevant data protection authority in your jurisdiction.
Disclaimer: This privacy policy is for informational purposes and does not constitute legal advice. You are advised to consult a lawyer for your specific circumstances.