1. INTRODUCTION AND IDENTITY OF THE DATA CONTROLLER
This Privacy Policy describes how Emre Ömer Yıldız and Aydın Türe ("we," "us," "our," or "Service Provider") collect, use, process, store, and protect your personal data when you use the Cotidie mobile application ("Application" or "App") available on the Apple App Store and Google Play Store.
We are committed to protecting your privacy and complying with applicable data protection laws, including:
- Turkish Personal Data Protection Law No. 6698 ("KVKK")
- EU General Data Protection Regulation (EU) 2016/679 ("GDPR")
- California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA")
- Japanese Act on the Protection of Personal Information ("APPI")
- Korean Personal Information Protection Act ("PIPA")
- Taiwan's Personal Data Protection Act ("PDPA")
Data Controllers: Emre Ömer Yıldız & Aydın Türe (Individual developers, jointly)
Address: İstasyon Mahallesi, 1440 Sokak, Bizim Mahalle Sitesi, 1. Etap, 2. Kısım, H Blok, Daire: 27, Küçükçekmece, İstanbul, Türkiye
Email: privacy.cotidie@outlook.com
Phone: +90 533 031 60 35
2. PERSONAL DATA WE COLLECT
2.1 Data You Provide Directly
- Account data: Email address, password (hashed) — Purpose: Account creation and authentication
- Journal entries: Text content, titles, dates — Purpose: Core journaling functionality
- Media content: Photos and images attached to entries — Purpose: Enriched journal entries
- Drawings & sketches: Canvas drawings, stickers, and text overlays attached to entries — Purpose: Creative expression within journal entries
- Voice recordings: Audio input for speech-to-text — Purpose: Voice dictation feature
- Profile information: Display name, preferences, AI persona selection — Purpose: Personalization
- Habit tracking data: Custom and preset habits, completion status, numeric values, ratings — Purpose: Habit tracking feature
- Time capsule messages: Messages to your future self with scheduled reveal dates — Purpose: Time capsule feature
- Goals & plans: Personal goals and plans you set within the app — Purpose: Goal tracking and AI-powered recommendations
2.2 Data Generated Automatically
- Usage data: Feature usage, session duration, tap patterns — Purpose: Analytics and improvement
- Device data: OS version, device model, app version — Purpose: Compatibility and debugging
- Crash reports: Error logs, stack traces — Purpose: Bug fixing via Sentry
- Subscription data: Purchase history, plan type — Purpose: Payment management via RevenueCat
- Achievement & streak data: Writing streaks, milestones, XP and level progression — Purpose: Gamification features
- Search history: Queries within the app — Purpose: Smart search functionality
- AI chat history: Conversations with AI companion — Purpose: AI feature delivery
- AI embeddings: Vector representations of your journal entries generated for semantic search and contextual AI responses — Purpose: Smart search and AI long-term memory
- Feature discovery data: Records of which app features you have explored — Purpose: Onboarding and feature guidance
- Notification tokens: Device push notification identifiers — Purpose: Delivering reminders and notifications
2.3 Sensitive Data
Your journal entries may contain sensitive personal information (health data, emotional states, beliefs, relationships). We apply additional safeguards to this content and do not use it for advertising or share it with third parties for commercial purposes.
The Application's emotion analysis feature processes the emotional content of your journal entries to provide insights. This constitutes processing of data revealing emotional states, which we treat with heightened care.
2.4 Data We Do NOT Collect
- We do not collect payment card details (handled entirely by Apple/Google)
- We do not collect precise GPS location
- We do not collect contacts or call logs
- We do not build advertising profiles
- We do not track you across other apps or websites
3. HOW WE USE YOUR PERSONAL DATA
- Providing core journaling features — Legal basis GDPR: Contract performance (Art. 6(1)(b)) — Legal basis KVKK: Art. 5(2)(c)
- User authentication & account security — Legal basis GDPR: Contract performance (Art. 6(1)(b)) — Legal basis KVKK: Art. 5(2)(c)
- AI-powered features (chat, analysis, insights, semantic search) — Legal basis GDPR: Contract performance / Consent (Art. 6(1)(a)(b)) — Legal basis KVKK: Explicit consent (Art. 5(1))
- Improving the Application — Legal basis GDPR: Legitimate interests (Art. 6(1)(f)) — Legal basis KVKK: Art. 5(2)(f)
- Error monitoring and debugging — Legal basis GDPR: Legitimate interests (Art. 6(1)(f)) — Legal basis KVKK: Art. 5(2)(f)
- Subscription and payment management — Legal basis GDPR: Contract performance (Art. 6(1)(b)) — Legal basis KVKK: Art. 5(2)(c)
- Compliance with legal obligations — Legal basis GDPR: Legal obligation (Art. 6(1)(c)) — Legal basis KVKK: Art. 5(2)(a)
- Responding to support requests — Legal basis GDPR: Legitimate interests (Art. 6(1)(f)) — Legal basis KVKK: Art. 5(2)(f)
- Sending service notifications and reminders — Legal basis GDPR: Contract performance / Consent — Legal basis KVKK: Consent (Art. 5(1))
- Habit tracking and goal management — Legal basis GDPR: Contract performance (Art. 6(1)(b)) — Legal basis KVKK: Art. 5(2)(c)
4. ARTIFICIAL INTELLIGENCE DATA PROCESSING
4.1 What the AI Processes
- The text content of your journal entries (when you use AI Chat, Entry Analysis, or Smart Search)
- The context of your AI chat conversations
- Vector embeddings of your journal entries for semantic search and retrieval-augmented generation (RAG), enabling the AI to recall relevant past entries when providing responses
- Aggregated patterns from your journaling history (for weekly/monthly insights and personalized recommendations)
4.2 AI Transparency (EU AI Act Compliance)
You are always interacting with an AI system, not a human. All AI chat responses, emotion analyses, and insights are generated by artificial intelligence.
- AI-generated content is clearly labeled within the Application
- The emotion detection feature uses AI inference — results are approximations, not clinical assessments
- The AI features in Cotidie are not classified as high-risk AI systems under the EU AI Act
4.3 AI Data Safeguards
- Your personal data is NOT used to train Google's Gemini AI models
- AI processing occurs on Google's secure servers in the United States
- Journal content sent to the AI is encrypted in transit
- AI chat conversations are stored on our servers to enable conversation continuity and are retained until account deletion or manual clearing by you (see Section 7)
4.4 Mental Health Disclaimer
CRITICAL: Cotidie is NOT a medical device, therapeutic service, or mental health treatment. AI responses and emotion tracking are for personal reflection only — not clinical diagnosis or professional advice.
In an emergency:
- Turkey: 112 (Emergency), 182 (ALO Psikiyatri Hattı)
- EU: 112 (Emergency), 116 123 (Emotional Support)
- USA: 911 (Emergency), 988 (Suicide & Crisis Lifeline)
- UK: 999 (Emergency), 116 123 (Samaritans)
5. DATA SHARING AND THIRD-PARTY PROCESSORS
We do not sell your personal data. We do not share your personal data for advertising purposes. We share data only with the following processors, strictly for delivering the Application's features:
- Supabase (AWS) — Purpose: Database, authentication, file storage — Data shared: Journal entries, account data, images, drawings, habits, AI embeddings — Location: United States
- Google Gemini AI — Purpose: AI chat, analysis, insights, embeddings — Data shared: Journal text, chat messages — Location: United States
- Sentry — Purpose: Error monitoring and crash reports — Data shared: Error logs, device info (anonymized) — Location: United States
- Mixpanel — Purpose: Usage analytics — Data shared: App usage events (pseudonymized) — Location: European Union
- RevenueCat — Purpose: Subscription & payment management — Data shared: Subscription status, purchase events — Location: United States
- Expo (Expo Application Services) — Purpose: Push notifications delivery and app updates — Data shared: Push notification tokens, device identifiers — Location: United States
- Google Fonts — Purpose: Font delivery — Data shared: IP address, browser/device information (via font loading requests) — Location: United States
- Apple App Store — Purpose: App distribution and payment processing — Data shared: Purchase transactions — Location: United States
- Google Play Store — Purpose: App distribution and payment processing — Data shared: Purchase transactions — Location: United States
Each of these providers is bound by data processing agreements and is required to handle your data in compliance with applicable data protection laws. We may disclose personal data if required by law, court order, or governmental authority. We will notify you of such disclosures where legally permitted.
6. SECRET VAULT — ENHANCED PRIVACY FEATURE
Vault entries are stored locally on your device and protected by PIN and/or biometric authentication. They are NOT transmitted to our servers or processed by AI. They cannot be accessed without your biometric authentication (fingerprint or face recognition) or PIN. Even we cannot access Vault content.
- Vault content never leaves your device
- No server-side backup of Vault entries
- Screen capture is automatically blocked within the Vault
- Vault access requires biometric authentication or PIN on every session
- Your Vault PIN is stored as a salted, iterated cryptographic hash — we cannot recover it
- Progressive lockout protects against brute-force attempts
7. DATA RETENTION
- Journal entries & media: Retained until account deletion
- Account data (email, profile): Retained until account deletion
- AI chat history: Retained until account deletion or manual clearing
- AI embeddings: Retained until account deletion
- Achievement & streak data: Retained until account deletion
- Habit tracking data: Retained until account deletion
- Time capsule messages: Retained until account deletion
- Drawings & sketches: Retained until account deletion
- Search history: Retained until account deletion
- Analytics data (Mixpanel): Up to 36 months (pseudonymized), then automatic expiry
- Error logs (Sentry): Up to 90 days, then automatic expiry
- Subscription records (RevenueCat): As required by financial law (up to 10 years)
- Secret Vault entries: On-device only; deleted with app uninstall or account deletion
Upon account deletion, all your data — including journal entries, profile information, achievements, AI chat history, AI embeddings, search history, habits, time capsules, drawings, and uploaded images — is permanently deleted from our servers within 30 days. This action is irreversible.
8. DATA SECURITY
- All data transmitted between the Application and our servers is encrypted using TLS 1.2 or higher
- Data at rest in our Supabase (AWS) infrastructure is encrypted using AES-256
- Secret Vault entries are stored locally on your device and protected by PIN/biometric authentication
- Row-Level Security (RLS) is enforced on all database tables, ensuring users can only access their own data
- Server-side rate limiting protects against abuse
- Access to production data is restricted to authorized personnel only
- All personnel with data access are bound by confidentiality obligations
- We conduct regular security reviews and vulnerability assessments
- Passwords are stored as cryptographic hashes — we cannot read your password
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR and applicable law.
9. INTERNATIONAL DATA TRANSFERS
Your personal data may be transferred to and processed in the United States and the European Union, where our third-party service providers operate.
9.1 For EU/EEA Users (GDPR)
- Transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission
- Where applicable, we rely on adequacy decisions
- Analytics data (Mixpanel) is processed within the European Union
- You may obtain a copy of the relevant transfer safeguards by contacting us at privacy.cotidie@outlook.com
9.2 For Turkish Users (KVKK)
- Cross-border transfers are conducted in compliance with KVKK Article 9
- Transfers are based on explicit consent and/or verified data protection measures in destination countries
- Data processors in destination countries are contractually required to maintain adequate protection levels
9.3 For Users in Other Jurisdictions
- For Japanese users (APPI): Transfers comply with Japan's APPI cross-border transfer requirements
- For Korean users (PIPA): Transfers comply with Korea's PIPA cross-border transfer requirements, including required notifications
- For Taiwan users (PDPA): Transfers comply with Taiwan's PDPA international transfer provisions
10. YOUR PRIVACY RIGHTS
10.1 Rights Under GDPR (EU/EEA Users)
- Right to access — obtain a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restriction of processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right not to be subject to solely automated decision-making
- Right to withdraw consent — at any time, without affecting prior processing
- Right to lodge a complaint with your national data protection supervisory authority
10.2 Rights Under KVKK (Turkish Users)
- (a) Learn whether your personal data is being processed
- (b) Request information about processing activities
- (c) Learn the purpose and whether data is used in accordance with its purpose
- (d) Know third parties to whom your data has been transferred
- (e) Request rectification of incomplete or inaccurate data
- (f) Request deletion or destruction of your data (KVKK Art. 7)
- (g) Request notification of rectification/deletion to third parties
- (h) Object to automated processing outcomes
- (i) Claim compensation for damages from unlawful processing
10.3 Rights Under CCPA/CPRA (California Users)
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
We do not sell or share your personal information. We do not use your data for targeted advertising.
10.4 Rights Under APPI (Japanese Users)
- Right to request disclosure of retained personal information
- Right to request correction, addition, or deletion
- Right to request cessation of use or erasure
- Right to request cessation of third-party provision
10.5 Rights Under PIPA (Korean Users)
- Right to access personal information
- Right to correct or delete personal information
- Right to suspend processing of personal information
- Right to withdraw consent
10.6 Rights Under PDPA (Taiwan Users)
- Right to inquire about and review personal data
- Right to request a copy of personal data
- Right to supplement or correct personal data
- Right to cease processing or use of personal data
- Right to request deletion of personal data
10.7 How to Exercise Your Rights
Email: privacy.cotidie@outlook.com
Subject line: "Privacy Request" / "KVKK Talebi" / "GDPR Request" / "Data Rights Request"
Response time: Within 30 days
You may also exercise many rights directly within the Application through the Profile / Settings menu, including data export in JSON, HTML, CSV, or PDF formats. If we are unable to fulfill your request, we will explain the reason. You always have the right to lodge a complaint with the relevant supervisory authority.
11. CHILDREN'S PRIVACY
Cotidie is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13.
Users between 13 and 18 years of age may only use the Application with the consent and supervision of a parent or legal guardian.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at privacy.cotidie@outlook.com. We will take prompt steps to delete such data.
12. COOKIES, TRACKING, AND ANALYTICS
As a mobile application, Cotidie does not use browser cookies. However, we use the following tracking and analytics technologies:
- Mixpanel (Analytics SDK) — Purpose: Usage analytics and feature performance — Opt-out: Contact us
- Sentry (Crash reporting SDK) — Purpose: Error detection and debugging — Opt-out: Cannot opt out (essential for stability)
- Internal in-app identifiers — Purpose: Session management and authentication — Opt-out: Cannot opt out (essential)
We do not use tracking pixels, web beacons, or cross-app tracking technologies for advertising purposes.
13. LIMITED PERSONNEL ACCESS TO USER CONTENT
In limited and exceptional circumstances, authorized personnel may access user content (including journal entries and images) strictly for:
- Investigating technical issues, bugs, or service errors
- Responding to user support requests (only with user permission)
- Ensuring compliance with these Terms and applicable laws
- Preventing abuse, fraud, or security threats
- Maintaining, debugging, and improving Application security
We do not routinely monitor, review, or read user journal entries. Access occurs only when strictly necessary and is limited to the minimum required. All personnel with such access are bound by confidentiality obligations and internal data protection policies.
14. CONTACT AND COMPLAINTS
14.1 Contact Us
Email: privacy.cotidie@outlook.com
Phone: +90 533 031 60 35
Address: İstasyon Mahallesi, 1440 Sokak, Bizim Mahalle Sitesi, 1. Etap, 2. Kısım, H Blok, Daire: 27, Küçükçekmece, İstanbul, Türkiye
14.2 Supervisory Authorities
- Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
- EU/EEA: Your national data protection authority — edpb.europa.eu
- Germany: Bundesbeauftragte für den Datenschutz (BfDI) — bfdi.bund.de
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Italy: Garante per la Protezione dei Dati Personali — garanteprivacy.it
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- Poland: Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl
- Korea: Personal Information Protection Commission (PIPC) — pipc.go.kr
- Japan: Personal Information Protection Commission (PPC) — ppc.go.jp
- Taiwan: Personal Data Protection Commission (PDPC) — pdpc.gov.tw
For EU/EEA consumers, you may also use the European Commission's Online Dispute Resolution platform at ec.europa.eu/consumers/odr.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Post the updated Privacy Policy within the Application
- Send a notification to the email address associated with your account
- Update the "Last updated" date at the top of this document
- Provide at least 30 days' prior notice for significant changes
Your continued use of the Application after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
16. GOVERNING LAW
This Privacy Policy is governed by the laws of the Republic of Turkey. For EU/EEA users, mandatory provisions of your country of residence also apply and are not affected by this choice of law. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of İstanbul, Turkey, without prejudice to mandatory consumer protection forums available under applicable law.
© 2026 Emre Ömer Yıldız & Aydın Türe. All rights reserved.
Cotidie — Personal Journal Application
privacy.cotidie@outlook.com