TravelerApp

1. Introduction

TravelerApp ("TravelerApp", "the App", "we", "us", or "our") is an iOS application operated by Reconchille Studios (hereinafter "Reconchille Studios"), based in the Republic of Türkiye.

This Privacy Policy describes how we collect, use, disclose, and safeguard personal data when you download, install, access, or use TravelerApp and any related services (collectively, the "Services"). It also explains the rights available to you under applicable data protection laws, including:

• The General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR for users in the European Economic Area and the United Kingdom;
• The Law on the Protection of Personal Data No. 6698 ("KVKK") for users in the Republic of Türkiye;
• The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), for California residents;
• Other applicable data protection and privacy laws.

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

2. Information We Collect

We collect information that you provide directly, information generated through your use of the Services, and information received from third parties.

2.1 Information you provide

• Account information: email address (required); first and last name (optional); date of birth (optional); avatar photo (optional, stored in Supabase Storage).
• Contact information: phone number, Instagram handle, Telegram handle (all optional, and shown to other users only if you choose to share them in community features).
• User-generated content: travel plans, routes, journey posts, landmark notes, comments, favorites, events you create or participate in, and any other content you submit through the Services.
• AI interactions: prompts you send to our AI travel assistant and the responses generated in return, together with relevant context needed to produce the response.
• Support correspondence: messages, screenshots, or attachments you send us through support channels.

2.2 Information collected automatically

• Precise location data: while you are actively using the App and have granted permission, we access your device's precise location to show nearby landmarks, local weather, and deliver AI-based suggestions. Location access is foreground-only; we do not track your location while the App is in the background.
• Device and technical data: device model, iOS version, app version, language, locale, approximate region, and crash diagnostics.
• Subscription data: purchase receipts, subscription status, renewal dates, trial eligibility, and transaction identifiers received from Apple and RevenueCat.
• Log data: authentication events, API request logs, and error traces retained for security, fraud prevention, and debugging.

2.3 Information from third parties

• Sign in with Apple: if you register using Apple ID, we receive your Apple user identifier and, if you share them, your email address and name.
• Google Sign-In: if you register with Google, we receive your Google account identifier, email address, name, and profile picture, as permitted by Google and authorized by you.
• RevenueCat: we receive subscription entitlements, purchase history, and transaction identifiers linked to your account.

3. How We Use Your Information

We use the information described above for the following purposes:

• To create and maintain your account and authenticate you;
• To deliver the Services, including landmarks, routes, maps, AI suggestions, weather, and community content;
• To process subscriptions and payments via Apple and RevenueCat and to manage trials, renewals, and refunds;
• To enable community features, displaying journeys, landmark posts, events, comments, and profiles to other users in accordance with your sharing choices;
• To generate AI responses by forwarding your prompts and relevant context to Google Gemini;
• To send transactional communications such as account verification emails, security alerts, and service updates;
• To prevent fraud, abuse, and security incidents, enforce our Terms of Service, and protect our users and the public;
• To improve and secure the Services, including diagnosing crashes and monitoring performance on an aggregated and anonymized basis where feasible;
• To comply with legal obligations and respond to lawful requests from regulatory authorities or courts.

We do not use your personal data for targeted or behavioral advertising, and we do not sell or share your personal data with third parties for cross-context behavioral advertising.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under Article 6 of the GDPR:

• Performance of a contract (Art. 6(1)(b)): to operate your account, provide the Services you subscribed to, and process payments.
• Compliance with a legal obligation (Art. 6(1)(c)): to comply with tax, consumer protection, and data protection laws.
• Legitimate interests (Art. 6(1)(f)): to secure the Services, prevent abuse, and improve functionality. We balance these interests against your rights and freedoms and apply safeguards where appropriate.
• Consent (Art. 6(1)(a)): for optional features such as precise location access, push notifications, and marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

We do not engage in automated decision-making that produces legal or similarly significant effects on you. Any processing of special category data is carried out on the basis of your explicit consent or another applicable lawful basis under Article 9 GDPR.

5. Third-Party Services

TravelerApp integrates with the following third-party processors. Each processes your data under its own privacy policy and under data processing agreements with us where applicable.

External privacy policies:

• Supabase: supabase.com/privacy
• Apple: apple.com/legal/privacy/
• Google: policies.google.com/privacy
• RevenueCat: revenuecat.com/privacy/

TravelerApp does not use advertising SDKs, cross-app tracking, or device fingerprinting.

6. Data Sharing and Disclosure

We share your personal data only in the following circumstances:

• With other users, when you post content in community features. Your username, avatar, and shared content become visible to other users of the Services. Do not post information you do not want to be seen publicly.
• With service providers identified in Section 5, acting as data processors under contract and bound by confidentiality and security obligations.
• For legal reasons, where disclosure is required by a subpoena, court order, or other legally binding request, or where we believe in good faith that disclosure is necessary to investigate fraud, enforce our Terms, or protect the rights, property, or safety of Reconchille Studios, our users, or the public.
• In business transfers, such as a merger, acquisition, financing, reorganization, or sale of assets, subject to the acquiring party honoring this Privacy Policy or providing equivalent protections.

We do not sell your personal data for monetary consideration and we do not share it for cross-context behavioral advertising.

7. International Data Transfers

We store account data, user-generated content, and storage objects on Supabase servers in Frankfurt, Germany (EU). AI prompts are routed through Google services, which may process data in the United States. Subscription data is processed by RevenueCat in the United States.

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Türkiye, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement, and, where applicable, supplementary technical and organizational measures such as encryption in transit and at rest.

Transfers of personal data abroad under the KVKK are carried out in accordance with Article 9 of the KVKK and related regulations of the Turkish Personal Data Protection Board.

8. Data Retention

We retain personal data only for as long as necessary to deliver the Services, fulfill the purposes set out in this Privacy Policy, and meet our legal obligations.

• Active accounts: retained for the lifetime of the account.
• After account deletion: data is removed from production systems immediately and purged from encrypted backups within thirty (30) days.
• Anonymized analytics: may be retained indefinitely because the data can no longer be linked to you.
• Legal holds: where we are required by law to retain data longer (for example, for tax or consumer protection purposes), we retain it only for the period required by that law.

You may request deletion of your account at any time from the in-app "Delete Account" option. Deletion triggers cascading removal of your user-generated content and deletion of your authentication record, subject to the backup retention window above.

9. Your Privacy Rights

9.1 GDPR and UK GDPR (EEA and United Kingdom)

Under the GDPR and UK GDPR, you have the following rights with respect to your personal data:

• Right of access — to obtain confirmation and a copy of your personal data;
• Right to rectification — to correct inaccurate or incomplete data;
• Right to erasure ("right to be forgotten");
• Right to restriction of processing;
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format;
• Right to object to processing based on legitimate interests;
• Right to withdraw consent at any time, where processing is based on consent;
• Right to lodge a complaint with your local Data Protection Authority or, in the UK, the Information Commissioner's Office.

To exercise these rights, contact us at reconchille@gmail.com. We will respond within one month, extendable by two additional months for complex or numerous requests.

9.2 KVKK (Republic of Türkiye)

Under Article 11 of the Law on the Protection of Personal Data No. 6698, you have the right to:

1. Learn whether your personal data has been processed;
2. Request information regarding processing, where processing has occurred;
3. Learn the purpose of processing and whether your data is used consistently with that purpose;
4. Know the third parties, domestic or abroad, to whom your data has been transferred;
5. Request correction of inaccurate or incomplete data;
6. Request deletion or destruction of your data in accordance with Article 7 of the KVKK;
7. Request that the correction, deletion, or destruction be notified to third parties to whom the data has been transferred;
8. Object to adverse outcomes arising from automated analysis of your data;
9. Claim compensation for damages caused by unlawful processing of your data.

You may submit requests via reconchille@gmail.com. We respond within thirty (30) days in accordance with the Communiqué on the Procedures and Principles for Applications to Data Controllers.

9.3 CCPA (California Residents)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and (if any) sell;
• Delete your personal information, subject to statutory exceptions;
• Correct inaccurate personal information;
• Opt out of the sale or sharing of personal information — we do not sell or share personal information as defined by the CCPA;
• Limit use of sensitive personal information;
• Non-discrimination — we will not discriminate against you for exercising any of these rights.

You may exercise these rights by contacting reconchille@gmail.com. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf, subject to verification.

10. Children's Privacy

TravelerApp is not directed to children under the age of thirteen (13). We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will delete such information promptly. Parents and legal guardians who believe their child has provided us with personal data may contact us at reconchille@gmail.com.

Users in the European Economic Area must be at least sixteen (16) years of age, or the minimum age permitted by applicable member state law, to provide consent for the processing of their personal data.

11. Security

We implement industry-standard technical and organizational safeguards to protect your personal data, including:

• Encryption in transit via TLS 1.2 or higher for all API traffic;
• Encryption at rest for data stored in Supabase;
• Row-Level Security (RLS) policies at the database layer to enforce per-user access;
• Service role credentials kept on the server side only and rotated periodically;
• Least-privilege access controls for engineers and administrators;
• Regular encrypted backups with defined retention windows;
• Logging and monitoring of authentication and administrative events.

No system can guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authorities in accordance with applicable law.

12. Location Data

The Services request precise location access to deliver core functionality, including nearby landmarks, weather forecasts, and AI-based recommendations. Location access is foreground-only; the App does not collect location data while running in the background.

You may revoke location permission at any time via iOS Settings → Privacy & Security → Location Services → TravelerApp. Without location access, some features may be limited or unavailable.

13. Cookies and Similar Technologies

The iOS App does not use cookies or cross-app tracking technologies. Our website, if any, may use strictly necessary cookies required for site operation. We do not use advertising cookies or third-party analytics that rely on cross-site tracking.

14. Apple App Store Disclosures

Consistent with Apple's App Store privacy nutrition labels, we disclose the following data categories that may be linked to your identity:

• Contact info: email, optionally name and phone;
• User content: photos, user-generated content, support messages;
• Identifiers: Apple ID, Google ID, internal user ID;
• Purchases: subscription entitlements and purchase history;
• Location: precise, while using the App;
• Diagnostics: crash data, performance data.

We do not use any data for tracking, as defined by Apple's App Tracking Transparency framework. We do not link data to third-party data for advertising or measurement purposes and we do not share data with data brokers.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you in advance through an in-app notice or by email sent to the address associated with your account. The "Effective Date" at the top of this page indicates when this Policy was last revised.

Continued use of the Services after the effective date of the revised Policy constitutes your acceptance of the changes. Where required by law, we will obtain your affirmative consent before material changes take effect.

16. Contact and Data Controller

The data controller responsible for your personal data is:

For privacy-related inquiries, requests to exercise your rights, or complaints, please write to us at the email address above. Where required by applicable law, you may also lodge a complaint with your competent supervisory authority.