Türkçe sürüm: Gizlilik Politikası.
This Privacy Policy describes how the Muğla Travel Guide mobile application (the “App”) collects, uses, shares and protects personal data of its users.
1. Data Controller
For the purposes of Turkish Personal Data Protection Law No. 6698 (“KVKK”) and the EU General Data Protection Regulation (“GDPR”), the data controller is:
- Kalynda Teknoloji Havacılık ve Turizm Ltd. Şti.
- Headquarters: Şerefler Mahallesi, Dalaman / Muğla, Türkiye
- General contact: info@kalyndagroup.com
- Privacy / data subject requests: kvkk@kalyndagroup.com
2. What the App Does
Muğla Travel Guide is an offline-first, account-free mobile guide for the 13 districts of Muğla province plus Kaş and Kalkan, available in 12 languages. Places, routes, events and map data are downloaded onto the device; core features work without an internet connection.
3. Data We Collect
3.1. Account data
None. The App does not require account creation. We do not collect names, email addresses, phone numbers, dates of birth or similar registration data.
3.2. Location data
For “Near me” and current-location-on-map features, we use location only with your consent and only on-device. Location data is never sent to our servers, never shared with third parties and never stored. Permission can be revoked from your operating system settings at any time.
3.3. Device and technical data
For app performance, crash reporting and push notifications, the following technical data is processed:
- Push token (FCM): A randomly generated device identifier issued for delivering push notifications. No name or email is associated with the token. If you disable notifications, the token is deleted.
- Crash reports (Sentry): When the app crashes, device model, OS version, app version, current screen route and a technical stack trace are sent to Sentry. Any user-entered content (if present) is masked.
- Anonymous usage statistics (PostHog): Anonymous events such as which screens were visited and approximate click counts. IP address is automatically truncated (anonymised) by PostHog.
3.4. User-generated data
- Favourites and downloaded guides: Stored only in your device's local database (Drift / SQLite). No copy is kept on our servers.
- Reviews / ratings: Out of scope for v1; if enabled later, a separate notice will be issued and pseudonym + review content will only be stored with explicit consent.
4. Purposes and Legal Bases
| Data | Purpose | Legal basis (KVKK Art.5 / GDPR Art.6) |
|---|---|---|
| Push token | Send event/update notifications | Explicit consent |
| Crash reports | Diagnose and fix bugs | Legitimate interest |
| Anonymous usage stats | Improve the product | Legitimate interest (anonymous) |
| Location (on-device) | Show nearby places | Explicit consent, on-device only |
5. Third-Party Service Providers
We share data with the following processors under contract, only for limited purposes and with appropriate safeguards:
- Supabase Inc. (USA / EU Frankfurt): Backend and push-token storage. Hosted in EU (Frankfurt) region. supabase.com/privacy
- Google LLC — Firebase Cloud Messaging (USA): Push notification delivery only. firebase.google.com/support/privacy
- Functional Software Inc. — Sentry (USA): Crash report processing. Default retention 90 days. sentry.io/privacy
- PostHog Inc. (USA / EU): Anonymous product analytics. EU Cloud region preferred. posthog.com/privacy
- Apple Inc. and Google LLC: App store distribution, version updates and store-side analytics.
6. International Transfers
Transfers to the US-based processors above are carried out under KVKK Article 9 (explicit consent) and Standard Contractual Clauses (SCC) for GDPR purposes, only to the extent necessary for service delivery.
7. Retention
- Push token: While your subscription is active; deleted within 30 days of you uninstalling the app or disabling notifications.
- Crash reports: 90 days (Sentry default), then automatically deleted.
- Anonymous events (PostHog): Auto-deleted after 12 months.
- Location data: Not retained (in-memory only, on-device).
8. Children's Privacy
The App is not directed to children under 13. We do not knowingly collect data from children under 13; if discovered, such data is deleted without delay.
9. Your Rights
You have the following rights under KVKK Art.11 and GDPR Art.15-22:
- Find out whether your data is being processed.
- Receive information about that processing.
- Request rectification, erasure or destruction.
- Learn the third parties to whom data is transferred.
- Object to outcomes derived from automated processing.
- Request restriction of processing (GDPR).
- Receive your data in a structured format / data portability (GDPR).
- Withdraw your explicit consent at any time.
Send your requests to kvkk@kalyndagroup.com. We respond free of charge within 30 days under KVKK and within 1 month under GDPR.
10. Notification Preferences and Data Deletion
- Notifications:Disable from Settings → Notifications inside the app, or via your operating system. While disabled, no push token is stored on our server.
- Location permission:Revocable from OS settings. Once revoked, the “Near me” feature becomes unavailable.
- Data deletion request: Email kvkk@kalyndagroup.com to request deletion of your push token, crash reports and anonymous events linked to your device. Processed within 30 days with a written response.
- Uninstalling: Removes all local data (favourites, downloaded guides, settings) from the device.
11. Security
All traffic is encrypted in transit using TLS 1.3. Backend access (Supabase Postgres) is gated by Row Level Security (RLS) policies; the mobile app holds only the anonymous read key. Service-role keys and environment variables are stored only in trusted server environments.
12. Advertising and Third-Party Trackers
None. The App contains no in-app ads and no cross-site trackers; no functionality requires Apple App Tracking Transparency (ATT).
13. Data Breach Notification
In the case of a high-risk data breach, the Turkish Personal Data Protection Authority is notified within 72 hours under KVKK Art.12/5, the relevant EU supervisory authority within 72 hours under GDPR Art.33, and affected users are informed without undue delay through an appropriate channel.
14. Changes
This policy may be updated. Significant changes are announced via in-app notice and the “last updated” date at the top of this page. The current version is always published here.
15. Complaint Authority
You may file a complaint with the Turkish Personal Data Protection Authority (kvkk.gov.tr). If you live in the EU, you may also contact your country's data protection supervisory authority.
This policy is effective as of 24 April 2026 and reflects the data flows of app version 0.1.0+3.