Eatie Teknoloji A.S. ("Eatie," "we," "us," or "our") is the data controller responsible for the processing of your personal data in connection with the Eatie mobile application and all related websites, APIs, and services (collectively, the "Service"). This Privacy Policy describes in detail the categories of personal data we collect, the purposes and legal bases for processing, the parties with whom we share data, the measures we employ to safeguard it, and your rights as a data subject under applicable law. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, you must discontinue use of the Service immediately.
1. Definitions and Interpretation
In this Privacy Policy, the following terms shall have the meanings set out below unless the context requires otherwise:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Article 3(1) of the Turkish Personal Data Protection Law No. 6698 ("KVKK") and Article 4(1) of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), where applicable.
- "Processing" means any operation or set of operations performed on Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.
- "Data Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data. For purposes of this Policy, the Data Controller is Eatie Teknoloji A.S.
- "Data Processor" means a natural or legal person that processes Personal Data on behalf of the Data Controller.
- "Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation.
- "User," "you," or "your" refers to any natural person who accesses or uses the Service.
2. Categories of Personal Data Collected
We collect and process the following categories of Personal Data in the course of providing the Service:
2.1 Account and Identity Data
When you register for an account, we collect your full name, email address, username, profile photograph (if voluntarily provided), and authentication credentials. Where you elect to sign in through a third-party identity provider (including, without limitation, Apple ID or Google Sign-In), we receive the basic profile information that such provider makes available in accordance with its own terms and privacy practices, which typically includes your name, email address, and a unique identifier.
2.2 Location Data
Subject to your explicit, informed consent obtained through a system-level permission prompt on your device, we collect precise geolocation data (i.e., latitude and longitude coordinates) derived from your device's GPS, Wi-Fi, cellular, and/or Bluetooth signals. We also derive approximate (coarse) location from your IP address. Location data is used to display nearby food establishments, compute distances, render map features, and deliver location-relevant recommendations. You may revoke location consent at any time through your device's operating system settings; however, doing so may impair or disable certain location-dependent features of the Service.
2.3 User-Generated Content
We collect content that you voluntarily submit to the Service, including but not limited to restaurant reviews, numerical ratings, photographs of food and menus, textual comments, saved or favorited places, "What to Eat" recommendations, and any other content you publish, upload, or otherwise make available through the Service ("User Content").
2.4 Usage and Behavioral Data
We automatically collect information regarding your interactions with the Service, including pages and screens viewed, features used, searches performed, restaurants viewed or clicked, time spent on particular screens, scroll depth, tap patterns, feed interactions (likes, saves, shares), the date and time of access, and the referring URL or application.
2.5 Device and Technical Data
We automatically collect technical information about the device and environment through which you access the Service, including device manufacturer and model, operating system type and version, unique device identifiers (including, without limitation, IDFA on iOS and Advertising ID on Android), IP address, browser type and version (where applicable), screen resolution, language and locale preferences, time zone, app version, and mobile network carrier.
2.6 Communication Data
If you contact us through in-app feedback, email, or any other communication channel, we collect the content of your communications, associated metadata (date, time, channel), and any attachments you provide.
2.7 Push Notification Tokens
Where you opt in to receive push notifications, we collect your device's push notification token (e.g., Firebase Cloud Messaging token) for the sole purpose of delivering notifications you have consented to receive.
We do not intentionally collect Sensitive Personal Data. If you believe we have inadvertently collected such data, please contact us immediately using the details set out in Section 15.
3. Purposes and Legal Bases for Processing
We process your Personal Data only where we have a lawful basis to do so. The following subsections set out our processing purposes and the corresponding legal bases under KVKK and, where applicable, the GDPR:
3.1 Performance of the Service
We process Account Data, Location Data, Usage Data, and User Content as necessary for the performance of the contract between you and Eatie (i.e., our Terms of Service) and to provide you with the core functionality of the Service, including account management, personalized recommendations, map rendering, feed delivery, search, and review features.
3.2 Personalization and Profiling
We analyze your taste-profile quiz answers, usage patterns, interaction history, and expressed preferences to match you with food experts ("gurmans") whose recommendations align with your palate, and to rank and curate content in your feed. The legal basis for this processing is our legitimate interest in delivering a personalized experience, balanced against your rights and freedoms (GDPR Art. 6(1)(f); KVKK Art. 5(2)(f)).
3.3 Service Improvement and Analytics
We process aggregated and pseudonymized Usage Data and Device Data to conduct internal analytics, measure feature adoption, identify performance bottlenecks, diagnose bugs, develop new features, and improve the overall quality and reliability of the Service. The legal basis is our legitimate interest (GDPR Art. 6(1)(f); KVKK Art. 5(2)(f)).
3.4 Safety, Security, and Fraud Prevention
We process Account Data, Device Data, Usage Data, and IP addresses to detect, prevent, and investigate fraud, abuse, security incidents, unauthorized access, and violations of our Terms of Service. This processing is based on our legitimate interest in safeguarding the Service and its users, and compliance with applicable legal obligations (GDPR Art. 6(1)(c) and (f); KVKK Art. 5(2)(a) and (f)).
3.5 Communications
We use your email address and push notification token to send transactional messages (e.g., account verification, security alerts, service announcements) on the basis of contractual necessity. Where we send promotional or marketing communications, we do so only with your prior explicit consent, which you may withdraw at any time (GDPR Art. 6(1)(a); KVKK Art. 5(1)).
3.6 Legal Compliance
We may process any category of Personal Data where necessary to comply with our obligations under applicable law, regulation, legal process, or enforceable governmental request, including tax, accounting, anti-money-laundering, and law-enforcement obligations (GDPR Art. 6(1)(c); KVKK Art. 5(2)(a)).
4. Automated Decision-Making and Profiling
Our taste-matching algorithm analyzes your quiz responses and behavioral data to assign you a taste profile and recommend gurmans. This constitutes profiling within the meaning of GDPR Art. 22 and KVKK Art. 6. However, the profiling does not produce legal effects concerning you nor similarly significantly affect you; it serves solely to enhance the relevance of recommendations. You have the right to object to this profiling at any time by contacting us (see Section 15), and we will cease profiling upon receipt of a valid objection, subject to any overriding legitimate grounds.
5. Data Sharing and Third-Party Disclosures
We do not sell, rent, lease, or trade your Personal Data to any third party. We share Personal Data only in the following limited circumstances:
5.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process Personal Data on our behalf to support the Service. These include, without limitation:
- Supabase, Inc. — cloud database hosting, authentication, file storage, and serverless edge functions;
- Google LLC — Google Maps Platform (map tiles, geocoding, Places API), Firebase Cloud Messaging (push notifications), and Firebase Analytics;
- Apple Inc. — Apple Sign In authentication.
Each service provider is bound by a Data Processing Agreement requiring them to process Personal Data solely for the purposes we specify, to implement appropriate technical and organizational security measures, and to delete or return data upon termination of the engagement.
5.2 Legal Requirements
We may disclose Personal Data to governmental authorities, law enforcement agencies, courts, or other third parties where we are required to do so by applicable law, regulation, legal process, or enforceable governmental request, or where such disclosure is reasonably necessary to: (a) comply with a legal obligation; (b) protect and defend the rights, property, or safety of Eatie, its users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, asset sale, bankruptcy, or similar corporate transaction, your Personal Data may be transferred to the acquiring entity or successor, provided that the recipient agrees to honor the terms of this Privacy Policy. We will notify you of any such transfer and any choices you may have regarding your data.
5.4 With Your Consent
We may share Personal Data with third parties not described above where you have provided your prior explicit consent to such sharing.
6. International Data Transfers
Your Personal Data may be transferred to, stored in, and processed in countries outside the Republic of Turkey and/or the European Economic Area ("EEA"), including the United States, where our service providers maintain infrastructure. Where such transfers occur, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses ("SCCs") approved by the European Commission (Decision 2021/914);
- Adequacy decisions by the Turkish Personal Data Protection Board or the European Commission, where available;
- Binding Corporate Rules, where applicable;
- Your explicit consent to the transfer, where no other safeguard applies.
You may obtain a copy of the relevant transfer safeguards by contacting us at the address in Section 15.
7. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, regulatory, or reporting requirements. The following retention periods apply:
- Account Data: retained for the duration of your account and for 30 days following account deletion to allow for account recovery, after which it is permanently deleted or anonymized.
- User Content: retained for the duration of your account. Upon account deletion, User Content is permanently deleted within 30 days, unless retention is required to comply with legal obligations or resolve disputes.
- Location Data: processed in real-time and not stored in a personally identifiable form beyond the session in which it is collected, except as necessary to compute distances for previously viewed places.
- Usage and Device Data: retained in an aggregated, anonymized, or pseudonymized form for up to 24 months for analytics purposes.
- Communication Data: retained for up to 36 months following your last communication with us, or longer where required for legal proceedings.
Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymized. Where deletion is technically infeasible (e.g., data in backup archives), we isolate such data and protect it from further processing until deletion becomes feasible.
8. Data Security
We implement and maintain a comprehensive information-security program designed to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. Our security measures include, without limitation:
- Encryption in Transit: all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: sensitive data stored on our servers and databases is encrypted using AES-256 encryption.
- Access Controls: access to Personal Data is restricted to authorized personnel on a need-to-know basis and subject to multi-factor authentication, unique credentials, and role-based permissions.
- Infrastructure Security: our hosting infrastructure employs firewalls, intrusion detection and prevention systems, DDoS mitigation, and continuous network monitoring.
- Vulnerability Management: we conduct periodic vulnerability assessments, penetration testing, and code reviews to identify and remediate security weaknesses.
- Incident Response: we maintain a documented incident response plan. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes prescribed by applicable law (72 hours under GDPR; "as soon as possible" under KVKK).
- Employee Training: all employees and contractors with access to Personal Data receive regular security-awareness and privacy training.
Notwithstanding the foregoing, no method of electronic transmission or storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected unauthorized access.
9. Children's Privacy
The Service is not directed to children under the age of 13 (or, in jurisdictions where a higher minimum age for data processing applies, under such higher age). We do not knowingly collect Personal Data from children under 13. If we become aware that we have inadvertently collected Personal Data from a child under 13, we will take prompt steps to delete such data. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately at the address in Section 15.
10. Your Rights as a Data Subject
Subject to applicable law, you have the following rights regarding your Personal Data:
- Right of Access (KVKK Art. 11(b); GDPR Art. 15): You have the right to obtain confirmation as to whether your Personal Data is being processed, to access such data, and to receive information about the purposes, categories, recipients, retention periods, and safeguards applicable to the processing.
- Right to Rectification (KVKK Art. 11(c); GDPR Art. 16): You have the right to obtain the correction of inaccurate or incomplete Personal Data.
- Right to Erasure (KVKK Art. 11(e); GDPR Art. 17): You have the right to request deletion or destruction of your Personal Data where it is no longer necessary for the purposes collected, where you withdraw consent, or where processing is unlawful. This right may be subject to exceptions, including our obligation to retain data for legal compliance purposes.
- Right to Restriction of Processing (GDPR Art. 18): You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of data or object to processing pending verification of legitimate grounds.
- Right to Data Portability (KVKK Art. 11(g); GDPR Art. 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where technically feasible.
- Right to Object (KVKK Art. 11(e); GDPR Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease such processing without exception.
- Right to Withdraw Consent (KVKK Art. 11(a); GDPR Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal shall not affect the lawfulness of processing carried out prior to withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, "KVKK Board") or, where applicable, a supervisory authority in the EU Member State of your habitual residence or place of work.
To exercise any of the foregoing rights, please submit a written request to privacy@eatie.app or to the postal address in Section 15. We will verify your identity before fulfilling any request. We shall respond within thirty (30) days under KVKK and one (1) calendar month under GDPR, subject to any extensions permitted by applicable law.
11. Cookies and Similar Technologies
Our mobile application may employ local storage, device identifiers, and similar technologies to enhance your experience, remember your preferences, and analyze Service usage. Where the Service is accessed via a web browser, we may deploy cookies (small text files placed on your device).
Categories of technologies used:
- Strictly Necessary: required for core functionality (e.g., authentication tokens, session management). These cannot be disabled.
- Analytics: used to collect aggregated, anonymized usage data (e.g., Firebase Analytics) to understand how users interact with the Service and improve performance. May be disabled via device settings or in-app tracking preferences.
On iOS devices, we request consent through Apple's App Tracking Transparency framework before accessing the Identifier for Advertisers (IDFA). You may manage your preferences at any time via your device's Privacy settings.
12. Third-Party Links and Services
The Service may contain links to or integrations with third-party websites, services, or applications (including, without limitation, Google Maps, Apple Maps, and social media platforms). This Privacy Policy does not apply to the practices of such third parties. We encourage you to review the privacy policies of any third-party service before providing your Personal Data. Eatie shall not be liable for the privacy practices or content of any third-party service.
13. Changes to This Policy
We reserve the right to amend this Privacy Policy at any time. When we make material changes, we will: (a) update the "Last Revised" date at the top of this page; (b) provide prominent notice through the Service (e.g., an in-app banner or push notification); and (c) where required by applicable law, seek your renewed consent before applying any changes that expand the scope of data processing. Your continued use of the Service after the effective date of any amendment constitutes your acceptance of the revised Policy. If you do not agree with a material change, you should cease use of the Service and request account deletion.
14. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Turkey. Any dispute arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts and enforcement offices located in Istanbul, Turkey, without prejudice to your right to lodge a complaint with a supervisory authority as described in Section 10.
15. Contact Information and Data Protection Officer
If you have any questions, concerns, requests, or complaints regarding this Privacy Policy or our data-processing practices, please contact us:
Eatie Teknoloji A.S.
Email: privacy@eatie.app
General Support: support@eatie.app
Location: Istanbul, Turkey
For matters concerning the Turkish Personal Data Protection Law (KVKK), you have the right to apply to the KVKK Board (www.kvkk.gov.tr) after first directing your complaint to us. For EU data subjects, you may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.