Privacy Policy and Information Notice (Pursuant to the Turkish Personal Data Protection Law – KVKK) for HesApp101 Mobile Application
This English version of the Privacy Policy is provided for informational purposes only. In case of any inconsistency or difference in interpretation, the Turkish version (“HesApp101 Mobil Uygulaması KVKK Aydınlatma Metni ve Gizlilik Politikası”) shall prevail. Click here for Turkish version.
Data Controller & Contact
Data Controller: Medinstech Mühendislik ve Teknoloji A.Ş.
Address: Örnekköy Mah. Baş Pehlivan Karaali Cad. No:136 İç Kapı No:1 Karşıyaka / İzmir / Türkiye
E-mail: [email protected]
Purpose
This clarification text has been prepared in accordance with the Law No. 6698 on the Protection of Personal Data (the “Turkish Personal Data Protection Law” or “KVKK”) and related legislation, to inform users of the HesApp101 mobile application about the purposes for which their personal data are processed, stored, and protected, and to present information regarding their rights in a clear, understandable, and easily accessible manner. The data controller is a company located in Türkiye, and personal data is processed in accordance with the Turkish Personal Data Protection Law (Law No. 6698 - KVKK). Where applicable, similar principles under the EU General Data Protection Regulation (GDPR) are also observed.
Categories of Processed Data and Purposes
| Data Category | Description / Example | Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|---|---|
| Camera image (raw photo) | Image taken through the device’s native camera application | Detect physical game elements in the image and provide digital output through an on-device model | KVKK Art.5/1 – Explicit Consent KVKK Art.5/2(f) – Legitimate Interest |
Default: Raw images are not stored; temporary files and memory data are deleted immediately after processing. If the user manually selects the “save” option, the image is stored in the device gallery under the user’s control. |
| Photo or visual file selected from the user’s device | Image from the device gallery | Detect physical game elements and provide digital output through an on-device model | KVKK Art.5/1 – Explicit Consent | Deleted from device memory after processing; never transferred to any server or third party. |
| Inferences derived from the image | Model detection results (object/type/location/parameters) | Perform calculations, display feedback, and use in recommendation algorithms | KVKK Art.5/2(c) – Performance of Service | Temporary: Stored in memory until display; automatically deleted when the app closes. |
| In-app generated visuals (screenshots) | Screenshots created for sharing | Allow sharing via device’s native sharing tools upon user request | KVKK Art.5/2(f) – Legitimate Interest | Temporarily stored on the device; deleted after sharing is complete. |
| Local preferences / cookie data | Ad watch time, game token balance, notification preferences, tutorial display status, visual info, consent variables | Maintain app workflow | KVKK Art.5/2(f) – Legitimate Interest | Stored locally until app removal. Deleted automatically upon uninstallation. |
| Advertisement data (collected by AdMob) | Impressions, clicks, advertising IDs | Show ads and generate revenue; personalized ads if consent given | KVKK Art.5/2(f) – Legitimate Interest KVKK Art.5/1 – Explicit Consent |
Subject to Google/AdMob retention policies. |
| Error / crash logs (Firebase Crashlytics) | Automatically collected data (device model, OS version, app version, error code, timestamp) | Detect app crashes and monitor performance (SDK does not collect user-identifiable data such as name or email) | KVKK Art.5/2(f) – Legitimate Interest | Retained by Firebase for up to 90 days. |
The application’s sole purpose is to detect physical game elements (such as tiles on the rack). Even if a human face is accidentally captured during camera use, such images cannot be recorded or processed; therefore, no biometric data are processed. Camera access is essential for the app’s core functionality. The user grants explicit consent, knowing that the camera will only be used for detecting game elements. All image processing occurs locally on the device and is never transferred to servers or third parties. Without camera access, the app cannot function properly.
When processing user-selected images from the gallery, the app only analyzes them to detect physical game elements. Gallery access is limited to the file selected by the user; the app cannot access, store or share other files on the device.
Any visual outputs created within the app (e.g., shared screenshots) are only shared through the user’s own device mechanisms (such as social media or messaging apps). This sharing is entirely under the user’s control; the app does not record, monitor, or share this content with third parties. Platforms used for sharing are subject to their own privacy policies.
For crash reporting, the app uses Firebase Crashlytics provided by Google LLC. Technical crash data (device model, OS version, app version, error code, timestamp) are transferred to Google LLC’s servers located in the USA and EU. This transfer is carried out under Google’s Data Processing Terms and in compliance with Article 9/2 of the KVKK, ensuring necessary security measures. The data does not contain any personally identifiable information and is used only for debugging purposes and error analysis. Crash and error logs are collected solely for application improvement purposes and do not contain information related to an identified or identifiable user. The data is processed in anonymized form, and no personally identifiable information (name, email, IP address, etc.) is recorded in our systems. While crash data may contain identifying elements such as the device's IP address, this data is used solely for technical logging purposes within Firebase systems and is not used by us for personal identification in any way.
Data Retention and Deletion Policy
Data are anonymized or irreversibly deleted once their retention period expires. All locally stored data are automatically deleted when the app is uninstalled.
Transactions Requiring Explicit Consent and Approval Mechanisms
| Process | Description | Consent Method |
|---|---|---|
| Visual Data Processing (Camera / Gallery) | Images taken or selected by the user are processed only to detect game elements. Data are processed locally and never stored or transferred externally. | The user is informed before first app launch and explicit consent is obtained. |
| Personalized Ads | Personalized ads may be displayed via Google AdMob. | Separate in-app consent checkbox. |
| Silent Notifications | App may send silent reminders. | User may disable notifications from settings. |
| Crash Reports | Collected anonymously, contain no personal identifiers. | Explained in this clarification text. |
Local Storage / Cookie Data
The app stores the following data locally on devices.
| Variable | Description |
|---|---|
| last_ad_watch_ms | Last ad watch timestamp |
| wallet_balance | Game token balance |
| daily_notifications_enabled | Notification preference |
| rackFirstTutorialShown | “How to use” tutorial shown |
| purchased_backgrounds | List of owned background image IDs |
| lastBackgroundOption | Currently active background ID |
| kvkk_acceptance | Record of KVKK & Privacy Policy acknowledgment |
| kvkk_acceptance_date | Date and time of KVKK acceptance (device time) |
| consent_camera | Record of camera access consent (accepted/rejected) |
| consent_camera_date | Date and time of camera access consent (device time) |
| consent_ads | Record of personalized ad consent (accepted/rejected, integrated with UMP SDK) |
| consent_ads_date | Date and time of personalized ad consent (device time) |
These values are stored only on the device and are not transferred to third parties. They are automatically deleted when the app is uninstalled.
Methods and Sources of Data Collection
Data are obtained either directly from the user (taking a photo with the camera, selecting an image from the device, in-app selections) or automatically (SharedPreferences records, advertising SDKs, anonymous crash reporting systems). Camera images are captured on the user’s device through the operating system’s native camera application; the app does not directly access the camera hardware, but processes the photo once it is taken. The user may also choose an existing image from the device (via the gallery or file system). These images are processed solely for the purpose of detecting physical game elements and are never transferred outside the device. The application may also temporarily generate visuals (such as canvases or screenshots) resulting from user interactions for sharing purposes. These data are transmitted only to the device’s sharing mechanisms when the user initiates a sharing action and are not stored by the application. Additionally, to improve user experience and stability, anonymous crash and error logs may be automatically collected through Firebase Crashlytics. An active internet connection is required for the core functions of the application. If the device has no internet access or the connection is later lost, the app will not operate. No data are entered manually, and the application does not process any text or audio data.
Access / Transfer / Third Parties
AdMob and Crashlytics services are provided by Google LLC, and related data are transferred to servers located in the USA and EU under Google’s Data Processing Terms and KVKK Article 9/2.
For more details: https://firebase.google.com/terms/data-processing-terms
No other personal data are transferred to any third parties.
Technical and Administrative Security Measures
Key data protection measures include:
- Camera images are never transmitted outside the device.
- Temporary files are deleted immediately after processing.
- Local data are protected under device-based security.
- Consent and acknowledgment records are securely stored.
- Transfers to Firebase and AdMob use secure HTTPS/TLS protocols.
- Data processing agreements are maintained with service providers.
User Rights Under Article 11 of KVKK
Users have the right to;
- Learn whether their personal data are being processed,
- Request information if their data have been processed,
- Learn the purpose of processing and whether it is used appropriately,
- Learn the third parties to whom data have been transferred domestically or abroad,
- Request correction of incomplete or inaccurate data,
- Request deletion or destruction of data under KVKK Article 7,
- Request notification of such actions in previous two to third parties,
- Object to results arising solely from automated processing,
- Demand compensation for damages due to unlawful processing.
Requests can be sent to [email protected] and will be concluded as soon as possible, within 30 days at the latest.
Policy Updates
This “Privacy Policy and Information Notice for HesApp101 Mobile Application” may be updated periodically. Users may always access the latest version from within the app or on the website www.medinstech.com/apps/hesapp101/kvkk/en. Updated versions take effect on the publication date.
Enforcement
This text entered into force as of the initial release date of the HesApp101 mobile application.