Caymaz TechHealth

Privacy Policy

This Policy explains what personal data we process, why we process it, how long we keep it, and the choices you have. It applies to visitors of caymaztech.com, users who contact us, and users of all applications listed on our website (including Calvion, Vivify AI, Qibla Finder, Prescription Book, HairArchitect AI, FaceArchitect AI, Caliber dB, and future releases), together with any in-app notices.

This document is provided for transparency and does not constitute legal advice. For regulated health or clinical use, additional agreements and disclosures may apply.
Last updated: May 19, 2026

Scope & agreement

This Privacy Policy governs processing of personal data by Caymaz TechHealth Yazilim Tic. Ltd. Sti. ("Caymaz TechHealth", "we", "us") in connection with our public website (caymaztech.com), marketing pages, business communications, and every mobile or web software product we publish or operate as identified on our homepage or in app stores. You do not need a separate website per app; this Policy covers our entire product ecosystem unless a product-specific supplement says otherwise.

By accessing the website, sending us a message, or using our services where this Policy is referenced, you acknowledge that you have read this notice. If you disagree with essential processing required to provide a service, you should stop using that service.

If you download our apps from the Apple App Store or Google Play, the Apple Licensed Application End User License Agreement (EULA) (https://www.apple.com/legal/internet-services/itunes/dev/stdeula/) and the Google Play Terms of Service (https://play.google.com/intl/en_us/about/play-terms/) apply to your use of the respective platform and store services, in addition to this Policy and our Terms of Service.

Data controller & contact

Data controller: Caymaz TechHealth Yazilim Tic. Ltd. Sti.
MERSIS: 0203091510500001
Tax office: Başakşehir | Tax ID: 2030915105
Address: Istanbul, Turkey

Primary contact for privacy requests (access, correction, deletion, objection, portability, Consent Audit export, and account-deletion assistance): the contact form at caymaztech.com/#contact. Select the request type that matches your need and name the app involved. We verify identity before disclosing or changing data.

We respond within timelines required by applicable law, including the Turkish Personal Data Protection Law No. 6698 ("KVKK") and, where applicable, the EU/EEA General Data Protection Regulation ("GDPR"), UK GDPR, Brazil's LGPD, and California privacy laws.

We do not publish a general marketing email on this website; email addresses appear only where a specific legal obligation requires direct contact.

VERBİS status: As a micro-enterprise with fewer than 50 employees and annual balance below 25 million TRY, we currently qualify for the general VERBİS registration exemption under KVKK Board Decision 2018/87. Given our health-adjacent portfolio, we actively monitor Board guidance and will register if required.

KVKK representative: We are a Turkish-registered entity; no domestic KVKK representative appointment is required.

Categories of personal data

Depending on how you interact with us, we may process:

• Identity and contact data (name, email, organization, phone if provided)

• Account and authentication data (user IDs, tokens managed by Firebase Auth or Supabase Auth, depending on the app)

• Subscription and purchase metadata (entitlements, product IDs, renewal status via Adapty and app stores—we do not receive full payment card numbers from Apple/Google)

• Technical data (IP address, device type, OS, app version, language, approximate location from IP, crash/diagnostic logs)

• Usage and analytics data (feature usage, session events where Firebase Analytics or similar is enabled for that app)

• User-generated content you submit to operate features (e.g., images, text, audio for AI or simulation features)

• Communications you send via our contact form or support channels

• Consent records (timestamps, choices, policy version, and, where available, Consent Audit exports you download in-app)

Health-adjacent apps may process information you choose to upload (e.g., photos for visualization or simulation). Such data may qualify as special category data under KVKK/GDPR when it relates to health; we process it only to provide the feature you request and with appropriate legal bases (often explicit consent for cross-border AI processing—see below).

Purposes & legal bases

We process personal data to:

• Operate, maintain, secure, and improve our website and apps

• Provide AI, simulation, and core product features you request

• Authenticate users, deliver push notifications (FCM), and manage subscriptions (Adapty, app stores)

• Respond to inquiries, KVKK/GDPR requests, and Consent Audit requests

• Detect abuse, fraud, and security incidents

• Comply with law and enforce our Terms

• Send essential transactional notices

We do not sell your personal data and do not share it for cross-context behavioral advertising as a "sale" under CCPA/CPRA.

Legal bases (where GDPR or similar laws apply): performance of a contract; legitimate interests (security, service improvement, fraud prevention); legal obligation; and consent where required (non-essential cookies, marketing if opted in, and explicit consent for cross-border AI processing where mandated). Under KVKK, processing may rely on explicit consent, contract, legal obligation, or other grounds listed in law. You may withdraw consent without affecting prior lawful processing.

Cookies & similar technologies (website)

Our website uses cookies and local storage as described in our Cookie Policy (caymaztech.com/cookies). Strictly necessary technologies support security and remembering your cookie preferences. Optional analytics cookies load only after you consent via our cookie banner.

You can change preferences anytime using "Manage cookies" in the footer or your browser settings.

Recipients & disclosure

We do not sell personal data. We disclose data to:

• Infrastructure, hosting, and storage providers

• AI inference providers (when you use AI features)

• App stores and subscription platforms (Apple, Google, Adapty)

• Authentication, analytics, crash, and messaging providers (Firebase, Supabase—per app)

• Email and support tools (e.g., Resend for contact form delivery)

• Professional advisers and authorities when required by law

A detailed subprocessor list is in section "Infrastructure & subprocessors" below. Subprocessors process data only on our instructions and subject to contractual confidentiality and security obligations.

International transfers

Personal data may be processed in Turkey, the EEA, the UK, the United States, Brazil, and other countries where our providers operate. Transfers from the EEA/UK/Switzerland to countries without an adequacy decision rely on appropriate safeguards such as EU Standard Contractual Clauses (2021/914) and supplementary measures where required.

SCC status: Major providers — Google (Firebase, FCM, Analytics, Crashlytics), Cloudflare (R2, Turnstile, CDN), Supabase, Adapty, Resend, and Hetzner — maintain Standard Contractual Clauses (SCCs, 2021/914) and data processing agreements. For transfers from the UK, we rely on UK International Data Transfer Agreements (IDTA) or the UK Addendum to EU SCCs where applicable. For cross-border AI processing (fal.ai, Eachlabs.ai), we rely on your explicit in-app consent under GDPR Art. 49(1)(a) and KVKK Art. 9.

AI features commonly involve transfer to the United States or other non-EEA locations (e.g., fal.ai, Eachlabs.ai, Cloudflare, Google). You must give explicit consent before using those features where required (see "Cross-border AI processing & explicit consent").

Retention

We retain personal data only as long as necessary for the purposes described, unless law requires longer retention (e.g., tax or accounting records).

• Account data: while your account is active; deleted or anonymized after you delete your account in-app, subject to backup cycles (typically up to 30–90 days)

• AI/simulation inputs: up to seven (7) days after output generation for troubleshooting and abuse prevention, then deleted or anonymized unless a product notice states otherwise

• Contact form and privacy requests: typically up to 24 months after resolution

• Security logs: shorter rolling windows as technically appropriate

• Legal/tax records: as required by applicable law

When retention ends, we delete or anonymize data where feasible.

Your rights (general)

Subject to applicable law, you may have the right to:

• Access and obtain a copy of your data

• Rectify inaccurate data

• Erase data ("right to be forgotten")

• Restrict or object to certain processing

• Data portability (structured, machine-readable format where applicable)

• Withdraw consent

• Lodge a complaint with a supervisory authority

Turkey (KVKK): apply via our contact form; you may also contact the Personal Data Protection Authority (KVKK Kurumu).

How to exercise rights: use in-app account deletion where available; download Consent Audit in-app where available; or submit a request via caymaztech.com/#contact with request type "Privacy / KVKK / GDPR request" or "Consent Audit / data export".

We do not use fully automated decision-making with legal or similarly significant effects without appropriate safeguards and notice.

Security measures

We implement technical and organizational measures including TLS in transit, access controls, authentication, least privilege, logging, and vulnerability management. No system is 100% secure—protect your credentials and devices. If a breach likely affects your rights, we will notify regulators and users as required by law (e.g., KVKK and GDPR 72-hour rules where applicable).

Children

Our services are not directed to children under 16 (or higher age where local law requires). We do not knowingly collect children's data for marketing. Health-adjacent apps are intended for adults or use with parental/guardian supervision. If you believe a child provided data without appropriate consent, contact us via the contact form and we will take appropriate steps.

COPPA: Our minimum age is 16, which exceeds the US COPPA threshold of 13. We do not knowingly collect data from users under 13. If we discover such data was collected, we will delete it promptly upon notification. US users aged 13–15 require parental or guardian consent prior to using our services. Parents or guardians who believe a minor used our services should contact us via the contact form.

Changes, third-party links & language

We may update this Policy for legal, technical, or business changes. Material updates are indicated by revising the "Last updated" date and, where appropriate, in-app or website notice. External links and app store pages have their own policies. Where translations are provided for convenience, the English version governs interpretation unless mandatory local law requires the local language to prevail—for Turkish data subjects, the Turkish KVKK Aydınlatma Metni on our KVKK Disclosure page takes precedence for KVKK-specific obligations.

Mobile applications & self-service tools

This Policy applies to all apps listed on caymaztech.com, including current and future releases in the same ecosystem.

• Account deletion: where supported, you can delete your account in the app settings; this triggers deletion or anonymization of associated personal data subject to legal retention and backup cycles.

• Consent Audit: where supported, you can download a record of consent choices from within the app.

• AI/simulation inputs: processed only to deliver the feature; retained up to seven (7) days as described above; not used to train generalized models for other users unless we clearly state otherwise in writing or in-app.

• Push notifications: require device permission; you can disable them in OS settings.

Product-specific supplements in an app may add detail but will not reduce rights granted here unless permitted by law and with your consent.

Summary

In short: we process data to run our website and apps; we do not sell personal data; we use listed subprocessors including international AI providers; cross-border AI requires explicit consent where required; you can delete your account in-app where available and request rights via our contact form; we retain data only as long as needed or legally required.

Infrastructure & subprocessors

The following categories of providers may process personal data on our behalf. Exact providers vary by app version; see in-app disclosures and app store privacy labels for the product you use.

| Category | Provider (examples) | Purpose |
|----------|---------------------|--------|
| AI inference | fal.ai, Eachlabs.ai | Image/video/text AI processing (often outside Turkey/EEA) |
| Object storage | Cloudflare R2 | Media and file storage |
| Hosting | Hetzner | Servers and self-hosted infrastructure |
| App distribution & billing | Apple App Store, Google Play | Downloads, IAP, refunds per platform rules |
| Subscriptions | Adapty | Subscription status and entitlements |
| Auth & backend | Firebase (Auth), Supabase (Auth) | Account sign-in (per app) |
| Messaging & diagnostics | Firebase (FCM, Crashlytics, Analytics where enabled) | Push, crashes, usage analytics |
| Email | Resend (contact form) | Deliver website inquiries |
| Security | Cloudflare (Turnstile, if enabled) | Bot protection on forms |
| Error monitoring | Sentry (if enabled for a product) | Crash/error reports |

We maintain data processing agreements or equivalent terms with processors where required. DPA/SCC coverage: Google (Firebase, FCM, Analytics, Crashlytics) — Google Cloud DPA with SCCs; Cloudflare (R2, Turnstile, CDN) — Cloudflare DPA with SCCs; Apple/Google stores — platform-level terms; Adapty — Adapty DPA; Supabase — Supabase DPA with SCCs; Resend — Resend DPA; fal.ai — fal.ai DPA with SCCs; Eachlabs.ai — covered by in-app explicit consent (KVKK Art. 9, GDPR Art. 49); Hetzner — Hetzner DPA with EU SCCs. We update this list when processors change.

Cross-border AI processing & explicit consent

When you use AI-assisted analysis, simulation, or media generation features, content you submit (which may include photos, video, text, or other personal data) is sent to our servers and/or subprocessors such as fal.ai and Eachlabs.ai, which may process data in the United States or other countries outside your residence.

Before you first use such features in an app, you must review and accept a clear in-app consent that explains:

• What data is sent and why

• That processing may occur abroad

• Retention (including the up to seven (7) day window where applicable)

• That outputs are not medical advice where relevant

• How to withdraw consent (stop using the feature or delete your account)

Under KVKK Article 9, transfer of personal data abroad may require explicit consent or another lawful mechanism — we implement explicit consent in-app where required.

KVKK transfer framework: Under KVKK Art. 9 and the Board's cross-border transfer framework (including Board Resolution 2021/1182), personal data may be transferred abroad via: (1) KVKK Board adequacy decision — none issued as of this Policy's effective date; (2) your explicit consent; or (3) binding transfer undertakings approved by the Board. We rely primarily on your explicit in-app consent for AI-related cross-border transfers, supplemented by contractual DPAs with providers where available. The in-app consent text identifies: the recipient provider, destination country, purpose, retention period, and withdrawal mechanism.

If you do not accept, do not use AI features; other non-AI features may still work where technically possible.

Regional privacy rights

European Economic Area / UK / Switzerland (GDPR / UK GDPR / FADP): rights in section 8; supervisory authority in your country of residence; transfer safeguards in section 6.

Turkey (KVKK): rights to learn whether data is processed, request information, access, rectification, erasure, object, and claim compensation per law; apply to KVKK Kurumu after exhausting our response. See also our dedicated KVKK Disclosure page.

Brazil (LGPD): confirmation of processing; access; correction; anonymization, blocking, or deletion; portability; information on shared use; revocation of consent; review of automated decisions where applicable; complaint to ANPD.

California (CCPA/CPRA): right to know, delete, correct, and opt out of sale/share (we do not sell or share for cross-context behavioral advertising as defined); right to limit use of sensitive personal information where applicable; non-discrimination for exercising rights.

Other US states with comprehensive privacy laws may grant similar rights—we honor applicable requests submitted via our contact form.

To submit a regional request, use caymaztech.com/#contact and state your jurisdiction and the app involved.