Privacy Policy
Last updated: May 2026
1. Introduction
As RutinMap (“we”, “us”, “our”, “the application”), we are committed to protecting our users’ privacy. This Privacy Policy explains how your personal information is collected, used, stored, and protected when you use the RutinMap application.
By accepting this policy, you consent to the processing of your information in accordance with this policy. If you have any questions about our policy, please contact us.
This Privacy Policy applies to all versions, platforms, and devices of the RutinMap application. The mobile application, website, and all related services are covered by this policy.
Our privacy policy has been prepared in compliance with the Turkish Personal Data Protection Law (KVKK), the General Data Protection Regulation (GDPR), and other relevant data protection laws. The security and privacy of your data are our highest priority.
We recommend that you review this policy regularly. When material changes are made, you will be notified. Continuing to use the application after changes means you accept the updated policy.
2. Information Collected
2.1. Account Information
We collect the following information to use the application:
- Email address: for account creation and communication
- Username: for profile and social features
- Password: for account security (stored only as a secure one-way hash, never in plain text)
- Profile photo: optional, for profile display
2.2. Application Usage Data
We collect the following data to provide application functionality:
- Goals and progress data
- Streak information
- Calendar and planning data
- Community interactions (likes, comments, follows)
- Messaging data
2.3. Device Information
We collect the following device information for proper application functioning:
- Device model and operating system version
- Application version
- Unique device identifiers
- Camera and photo gallery access permission (used only for profile photo and post sharing)
- Location information (only for sports activity tracking, optional)
2.4. Automatically Collected Data
The following data are automatically collected to improve application functionality and ensure security:
- Usage Statistics: Your interactions within the application, feature usage, page views, and similar analytical data. This data helps us understand which features are used most and which areas need improvement.
- Error Reports: Application errors, crash reports, and technical issues. This data is used to improve application stability and fix bugs.
- Performance Metrics: Application performance, loading times, response times, and similar technical metrics. This data is used to optimize application speed and performance.
- IP Address: IP address is collected for security and analytical purposes. IP address may be used for geographic location determination and detecting security breaches.
- Device Information: Device model, operating system version, application version, and similar technical information. This information is used to ensure the application works properly on different devices.
2.5. Third-Party Data
In some cases, we may collect data from third-party services:
- Social Media Accounts: If you log in using your social media accounts, we may access limited profile information (username, profile photo, etc.).
- Location Services: With your permission for sports activity tracking, we may access your location information.
3. Purpose of Data Use
We use the collected information for the following purposes. The use of your data is carried out in accordance with legal requirements and privacy standards:
- Service Provision: To provide core application features, goal tracking, routine creation, community features, and other application functions. Your data is used in necessary operations for the application to function properly.
- Account Management: Account creation, verification, login, password reset, and account management processes. Your data is used to ensure account security and prevent unauthorized access.
- Personalization: To provide you with personalized content and recommendations, goal suggestions, community suggestions, and a personalized experience. Your usage habits and preferences are analyzed to provide suitable content.
- Communication: To send important notifications, updates, security alerts, and marketing messages. You can set your communication preferences to determine which types of messages you wish to receive.
- Security: To ensure account security, prevent misuse, detect security breaches, and protect users. When suspicious activities are detected, security measures are taken.
- Development: To improve the application, add new features, fix bugs, and optimize user experience. Your usage data is analyzed and used in application development processes.
- Legal Obligations: To comply with legal requirements, obey court orders, fulfill tax obligations, and participate in legal processes. Your data may be stored or shared due to legal obligations.
- Analytics and Statistics: To analyze application usage, generate statistical reports, and conduct business development activities. This data is generally used in anonymized or aggregated form.
The use of your data is limited solely to the purposes stated above. Your explicit consent is required to use your data for other purposes.
4. Data Sharing
We do not share your personal information with third parties, except in the following circumstances. Data sharing is done only when necessary and in compliance with legal requirements:
- Service Providers: Trusted third-party service providers necessary for the application’s operation (e.g., cloud storage, analytics, payment processing, email services). These service providers may use your data only for service provision purposes and are required to adhere to strict privacy standards to protect your data. Our service providers cannot use or share your data for other purposes.
- Legal Requirements: Your data may be shared in the event of a legal obligation, court order, government request, or legal process. In such cases, the minimum necessary data is shared within the framework of legal requirements, and you will be notified whenever possible.
- Security: Your data may be shared in the event of a security breach, misuse, fraud, or illegal activity. When necessary to prevent or investigate security breaches, data may be shared with relevant authorities or security experts.
- Consent: Your data may be shared in cases where you have explicitly consented. For example, when you connect with your social media accounts or grant permission for specific features, your data may be shared with the relevant services.
- Business Transfer: In the event of a company merger, transfer, acquisition, or asset sale, your data may be transferred to the new owner. In this case, you will be notified, and the privacy policy will be updated.
All our service providers comply with strict privacy standards to protect your data. All third parties with whom data is shared must sign data protection agreements and may use your data only for specified purposes.
Your data is not shared with third parties for advertising purposes. RutinMap does not sell or market user data for advertising purposes.
5. Data Security
We take the following technical and administrative measures to ensure the security of your data. Data security is our highest priority:
- Encryption: We apply industry-standard security measures to protect data in transit and at rest. Passwords are never stored in plain text; they are stored only as secure one-way hashes, which cannot be reversed to recover the original password.
- Secure Connection: All data transfers between the application and our servers are encrypted with TLS (the successor to SSL). Plaintext connections are not accepted.
- Access Control: Only authorized personnel can access data. Access is controlled by a role-based authorization system. All access is logged and monitored. Personnel receive data security training and sign confidentiality agreements.
- Regular Security Audits: Regular checks are performed to detect security vulnerabilities. Penetration tests, vulnerability scans, and code reviews are conducted regularly. Detected vulnerabilities are remediated promptly.
- Backup: Your data is backed up regularly and stored securely. Backups are stored encrypted and kept in different geographic locations. Backup processes run automatically and are tested regularly.
- Firewall and Network Security: Our servers are protected by firewalls and network security systems. Unauthorized access attempts are detected and blocked.
- Security Breach Response Plan: In the event of a security breach, the response plan is activated immediately. When a breach is detected, necessary measures are taken, users are informed, and notification is made to relevant authorities.
- Data Minimization: Only necessary data is collected and stored. Unnecessary data is regularly cleaned and deleted.
Despite our security measures, no system is 100% secure. You also have responsibilities to ensure the security of your data. Use strong passwords, do not share your password with anyone, and report suspicious activities immediately.
6. Data Retention
We retain your personal information as long as your account is active. Data retention periods may vary depending on the type of data and legal requirements.
When you delete your account, your personal information is permanently deleted within 30 days. During this period, you can restore your account or back up your data. After 30 days, your data is permanently deleted and cannot be restored.
However, some information may be retained for longer periods due to our legal obligations:
- Financial Records: Payment and financial records may be retained for a certain period (typically 5–10 years) due to tax obligations.
- Legal Disputes: In the event of a legal dispute or lawsuit, relevant data may be retained for the duration of the dispute.
- Security Records: Records of security breaches, misuse, or illegal activities may be retained for a certain period due to legal requirements.
- Anonymized Data: Anonymized data used for statistical and analytical purposes may be retained indefinitely. This data cannot be linked back to an individual.
Data retention periods may be updated when legal requirements change. Updates are reflected in this privacy policy.
7. User Rights
Under the Turkish Personal Data Protection Law (KVKK) and the General Data Protection Regulation (GDPR), you have the following rights. You can contact us to exercise these rights:
- Right of Access: You may request access to your personal data. You can learn what data is collected, how it is used, and with whom it is shared. Your access request will generally be answered within 30 days.
- Right to Rectification: You may correct your inaccurate or incomplete data. You can update your profile information, email address, or other personal information. Your rectification request will be processed immediately, and your data will be updated.
- Right to Erasure (“Right to be Forgotten”): You may delete your account and your data. Your erasure request will be processed within the framework of our legal obligations. Some data may be retained for a certain period due to legal requirements, but your data will be deleted as much as possible.
- Right to Object: You may object to data processing. You can particularly object to data processing for marketing purposes or data processing based on legitimate interests. Your objection will be evaluated, and data processing will be stopped if necessary.
- Right to Data Portability: You may transfer your data to another service. Your data will be provided to you in a structured, commonly used format (e.g., JSON or CSV). Data transfer is usually completed within 30 days.
- Right to Restrict Processing: You may restrict data processing. Your data will be stored but not processed. This right is particularly useful when you contest the accuracy of the data.
- Automated Decision-Making and Profiling: You may object to automated decision-making processes (e.g., AI recommendations) and request human intervention.
You can send an email to support@rutinmap.com to exercise these rights. Your request will be processed after identity verification. Identity verification is required for security purposes.
Your rights requests will generally be answered within 30 days. This period may be extended to 60 days for complex requests. You will be informed in case of an extension.
Exercising your rights is free of charge. However, a fee may be charged for excessive or manifestly unfounded requests, or your request may be denied.
8. Cookies and Tracking Technologies
RutinMap uses necessary cookies and similar technologies to provide application functionality. Cookies are used to improve your website and application experience.
Types of cookies we use:
- Necessary Cookies: Cookies required for the basic functionality of the application. The application will not work properly without these cookies. For example, cookies required for session management, security, and authentication.
- Functional Cookies: Cookies used to remember your preferences and personalize your experience. For example, your language preference, theme settings, and other user preferences.
- Analytical Cookies: Cookies used to analyze application usage and make improvements. These cookies collect data in anonymized form that cannot be linked back to you.
We do not use third-party advertising cookies and do not track our users for advertising. RutinMap does not use cookies for advertising purposes or share user data for advertising purposes.
You can manage your cookie preferences through the application settings. However, some cookies are necessary for the proper functioning of the application and cannot be disabled.
9. Children’s Privacy
RutinMap does not knowingly collect personal information from children under the age of 13. Our application is designed to comply with the Children’s Online Privacy Protection Act (COPPA) and other relevant laws.
If we become aware that we have collected information from a child under 13, we will immediately delete that information and close the account. We take special measures to protect children’s personal information.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take necessary steps to delete your child’s data or restrict access.
For users between the ages of 13 and 18, parental or guardian consent is required. The data of users in this age group is specially protected and processed in a limited manner.
10. International Data Transfer
Your data may be stored in countries where our service providers are located. Data transfer may be necessary for cloud storage, analytics services, and other third-party services.
We take necessary measures to ensure your data is adequately protected:
- Data Protection Agreements: Data protection agreements are signed with all our service providers. These agreements contractually bind them to protect the security and privacy of your data.
- Standard Contractual Clauses: GDPR-compliant standard contractual clauses are used. These clauses ensure that data transfers are legally secure.
- Encryption: In international data transfers, data is transferred and stored encrypted.
- Adequacy Decisions: Whenever possible, countries with adequacy decisions are preferred.
Your data may be stored in the European Union, the United States, and other countries. All data transfers are carried out in compliance with legal requirements.
11. Policy Changes
We may update this Privacy Policy from time to time. Updates may be necessary due to legal changes, application features, or changes in business practices.
When we make material changes, we will notify you via in-app notification or email. The effective date of the changes is indicated at the top of the page under the “Last Updated” heading.
Continuing to use the application after changes means you accept the updated policy. If you do not accept the policy, you may stop using the application and delete your account.
Material changes may include:
- Changes in the types of data collected
- Changes in data usage purposes
- Changes in data sharing policies
- Changes in user rights
- Material changes in security measures
We recommend that you review this policy regularly. The current policy is always available on the website and in the application.
12. Contact
For Privacy-Related Questions
If you have any questions about our privacy policy or data processing practices, please contact us:
- Email: support@rutinmap.com
- Website: https://rutinmap.com/en/support
- Postal Address: RutinMap, Turkey
13. Legal Compliance
This Privacy Policy has been prepared in compliance with the following legal regulations. RutinMap takes necessary measures to comply with all relevant data protection laws:
- KVKK (Law No. 6698): Turkish Personal Data Protection Law. The data of our users in Turkey is processed in compliance with KVKK. As the data controller, we fulfill all requirements of KVKK. Our data processing activities are registered under KVKK and necessary notifications are made.
- GDPR: General Data Protection Regulation (European Union). The data of our users in the European Union is processed in compliance with GDPR. We comply with all GDPR principles (lawfulness, data minimization, transparency, accountability, etc.). In case of a data breach, we will notify the relevant data protection authorities within 72 hours.
- COPPA: Children’s Online Privacy Protection Act (USA). We do not collect data from children under 13 and fully comply with COPPA requirements. Children’s data is under special protection.
- CCPA: California Consumer Privacy Act (USA). Our users in California have the rights under CCPA. We do not sell data and protect our users’ privacy rights.
- LGPD: Lei Geral de Proteção de Dados (Brazil). The data of our users in Brazil is processed in compliance with LGPD.
Regular audits are conducted for legal compliance and necessary updates are made. When legal requirements change, our privacy policy and data processing practices are updated.
13.1. Data Protection Officer
A Data Protection Officer (DPO) has been appointed and is responsible for data protection matters. You can contact the Data Protection Officer at support@rutinmap.com.
13.2. Data Protection Authorities
If you believe we have violated your data protection rights, you may file a complaint with the relevant data protection authority:
- Turkey: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
- European Union: The data protection authority of the relevant member state
- USA: Federal Trade Commission (FTC) — ftc.gov
14. Data Breach Notification
In the event of a data security breach, affected users and relevant authorities will be notified without undue delay, within the timelines described below. The data breach notification process works as follows:
14.1. Breach Detection
When a security breach is detected, the response team is immediately activated. The scope of the breach, affected data, and potential risks are assessed.
14.2. Notification Timelines
- Notification to Authorities: Under GDPR, notification is made to data protection authorities within 72 hours. Under KVKK, notification is made as soon as possible.
- Notification to Users: Affected users are notified as soon as possible after the breach is detected (typically within 72 hours).
14.3. Notification Content
The data breach notification includes:
- Nature and scope of the breach
- Types of data affected
- Potential risks and consequences
- Measures taken and remediations
- Measures users can take
- Contact information
14.4. Measures
In the event of a data breach, the following measures are taken:
- The source of the breach is identified and closed
- Affected systems are secured
- Security vulnerabilities are closed
- Affected users are informed
- Password reset may be enforced if necessary
- Legal requirements are fulfilled
15. Legal Bases for Data Processing
The processing of your data is based on one or more of the following legal bases:
- Consent: Your data is processed with your explicit consent. You may withdraw your consent at any time. When consent is withdrawn, data processing stops (except for legal obligations).
- Contract: Your data is processed as necessary for the performance of a service contract. For example, your data is processed for account creation, goal tracking, and providing application features.
- Legal Obligation: Your data is processed due to legal requirements. For example, your data is processed for tax obligations, court orders, or legal notifications.
- Legitimate Interest: Your data is processed for our legitimate interests. For example, your data is processed for security, application development, and business development. Data processing based on legitimate interest must not violate your rights.
- Vital Interest: Your data is processed for the protection of vital interests. For example, your personal data may be processed in emergencies.
- Public Interest: Your data is processed for the public interest. For example, your data may be processed for security or other public interest purposes.
For each data processing activity, the appropriate legal basis is determined and recorded. If the legal basis changes, you will be notified.
16. Profiling and Automated Decision-Making
RutinMap may use profiling and automated decision-making technologies to improve user experience. These technologies are used in compliance with legal requirements.
16.1. Profiling
Profiling is the automated processing of your personal data to evaluate certain characteristics about you. Profiling is used for the following purposes:
- To provide you with personalized goal recommendations
- To provide personalized content and suggestions
- To optimize your application experience
- For analytical and statistical purposes
Profiling is carried out in accordance with legal bases and does not violate your user rights. You may object to profiling and request human intervention.
16.2. Automated Decision-Making
Automated decision-making is the process of making decisions automatically without human intervention. RutinMap may use automated decision-making in the following situations:
- AI-powered goal recommendations
- Personalized content recommendations
- Security and misuse detection
Automated decision-making is carried out in accordance with legal bases. You may object to automated decision-making, request human intervention, and ask for the decision to be reviewed.
16.3. Your Rights
You have the following rights regarding profiling and automated decision-making:
- Right to object to profiling
- Right to object to automated decision-making
- Right to request human intervention
- Right to ask for the decision to be reviewed
- Right to be informed about profiling and automated decision-making
17. Third-Party Links and Services
RutinMap may contain third-party links and services. These links and services are subject to their own privacy policies.
17.1. Third-Party Services
Third-party services used in our application:
- Cloud Storage: Cloud storage services are used for the secure storage of your data. These services are bound by data protection agreements.
- Analytics Services: Analytics services are used to analyze application usage. These services collect anonymized data.
- Payment Processing: Payment processing services are used for premium subscription payments. Your payment information is processed directly by the payment processing services.
- Email Services: Email services are used for sending emails.
- Push Notification Services: Notification services are used for push notifications.
17.2. Third-Party Links
Our application may contain links to third-party websites. These links are provided for your convenience. We are not responsible for the privacy practices of third-party websites. We recommend that you review the privacy policies of third-party websites before visiting them.
17.3. Social Media Integrations
Our application may integrate with social media platforms. If you log in using your social media accounts, we may access limited profile information. The data those platforms hold about you is governed by their own privacy policies.
18. Data Minimization and Purpose Limitation
RutinMap operates in accordance with the principles of data minimization and purpose limitation. Only necessary data is collected and processed.
18.1. Data Minimization
According to the data minimization principle:
- Only necessary data is collected
- Unnecessary data is not collected
- Data is limited to what is adequate for the specified purposes
- Data is retained only as long as necessary for the specified purposes
- Unnecessary data is regularly cleaned
18.2. Purpose Limitation
According to the purpose limitation principle:
- Data is collected for specified purposes
- Data is not used for purposes other than those specified
- When the purpose changes, new consent is obtained or the legal basis is changed
- Data use must be compatible with the specified purposes
18.3. Data Accuracy
According to the data accuracy principle:
- Your data is kept accurate and up to date
- Inaccurate or incomplete data is corrected
- Users can update their data
- Data validation is performed regularly
19. Special Categories of Data
RutinMap processes special categories of data (sensitive data) under special protection. Special categories of data are processed within the framework of legal requirements.
19.1. Biometric Data
Your profile photo is treated as biometric data under this policy and is used only for profile display. Your profile photo:
- Is under special protection
- Is used only for profile display
- Is not shared with third parties
- Can be deleted by you at any time
19.2. Location Data
Location data is used only for sports activity tracking (with your permission). Your location data:
- Is used only for activity tracking
- Is stored encrypted
- Is not shared with third parties
- Can have its access restricted by you at any time
19.3. AI Coach Data
When you interact with the in-app AI coach, your message content may be sent to our AI providers to generate suggestions. Your AI coach data:
- Is processed solely to provide you with personalized recommendations and feedback.
- Is not used for advertising or marketing.
- Is not used by providers for model training and is anonymized where applicable.
- Conversation history tied to your account is deleted upon request.
20. Data Protection Impact Assessment
RutinMap conducts a Data Protection Impact Assessment (DPIA) for high-risk data processing activities. DPIA assesses the risks of data processing activities and determines necessary measures.
20.1. DPIA Requirement
DPIA is conducted in the following cases:
- Automated decision-making and profiling
- Systematic processing of special categories of data
- Large-scale monitoring of public areas
- Use of new technologies
- High-risk data processing activities
20.2. DPIA Process
The DPIA process includes the following steps:
- Description of the data processing activity
- Risk assessment
- Identification of measures
- Implementation of risk mitigation strategies
- Regular review
20.3. DPIA Results
DPIA results are used to ensure the security and compliance of data processing activities. When high risk is detected, necessary measures are taken and data protection authorities may be consulted.