Privacy Policy / Gizlilik Politikası

Application: Notever - Writing Notes
Developer: Fatma Zehra ASLANTAŞ
Last Updated: July 8, 2025
GDPR Compliance Date: May 25, 2018

This Privacy Policy is available in multiple languages. The English version serves as the primary reference for GDPR compliance.

1. Introduction and Legal Basis

1.1 Overview

This Privacy Policy explains how Notever - Writing Notes (the "App") collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) 2016/679 and other applicable data protection laws.

1.2 Data Controller

Data Controller: Fatma Zehra ASLANTAŞ
Contact: [Developer Email Address]
Legal Basis: GDPR Article 6(1)(a) - Consent, Article 6(1)(b) - Contract, Article 6(1)(f) - Legitimate Interest

1.3 Scope

This policy applies to all users within the European Economic Area (EEA), United Kingdom, and Switzerland, as well as users globally who benefit from GDPR-equivalent protections.

2. Personal Data We Process

2.1 Data Stored Locally on Your Device

Legal Basis: GDPR Article 6(1)(b) - Performance of Contract

Note Content: Titles, text content, creation/modification dates
Categories and Tags: User-created organizational data
Application Preferences: Dark mode, notification settings
Reminder Data: Local notification scheduling information
User Interface Settings: Layout preferences, expanded states

Retention: Until you delete the app or individual data items
Storage Location: Exclusively on your iOS device using Apple's secure sandbox

2.2 Analytics and Performance Data

Legal Basis: GDPR Article 6(1)(f) - Legitimate Interest

Anonymous Usage Statistics: Feature usage frequency, app performance metrics
Device Information: iOS version, device model (anonymized)
Crash Reports: Technical error logs (no personal content)

Purpose: App improvement and bug fixes
Retention: 24 months maximum
Processing: Aggregated and anonymized data only

2.3 Advertising Data (Optional)

Legal Basis: GDPR Article 6(1)(a) - Explicit Consent

Advertising Identifier (IDFA): For personalized advertisements
Ad Interaction Data: Views, clicks (linked to IDFA, not personal identity)
Device Characteristics: Screen size, language for ad formatting

Purpose: Relevant advertisement delivery
Retention: As per Google Mobile Ads policy (maximum 18 months)
Third Party: Google LLC (Privacy Shield certified)

3. Legal Rights Under GDPR

3.1 Your Fundamental Rights

You have the following rights under GDPR Articles 15-22:

Right of Access (Article 15):

Request confirmation of data processing
Obtain copies of your personal data
Implementation: Export feature within the app

Right to Rectification (Article 16):

Correct inaccurate personal data
Implementation: Edit notes and settings directly in the app

Right to Erasure/"Right to be Forgotten" (Article 17):

Request deletion of your personal data
Implementation: Delete individual notes, clear all data, or uninstall app

Right to Restrict Processing (Article 18):

Limit how we process your data
Implementation: Disable analytics and advertising in app settings

Right to Data Portability (Article 20):

Receive your data in a structured, machine-readable format
Implementation: Export functionality for notes and categories

Right to Object (Article 21):

Object to processing based on legitimate interests
Implementation: Opt-out controls for analytics and advertising

Right to Withdraw Consent (Article 7(3)):

Withdraw consent at any time
Implementation: Toggle controls in Privacy Settings

3.2 Exercising Your Rights

Response Time: Within 30 days (GDPR Article 12)
Cost: Free of charge for reasonable requests
Identity Verification: May be required for security purposes
Contact Method: Email to developer with subject "GDPR Data Request"

4. Data Processing Activities

4.1 Local Data Processing

Purpose: Core app functionality
Categories of Data: Note content, user preferences
Recipients: No third parties (data remains on device)
International Transfers: None
Automated Decision Making: None

4.2 Analytics Processing

Purpose: App improvement and performance optimization
Categories of Data: Anonymous usage statistics
Recipients: Apple App Store Analytics (when enabled)
International Transfers: Apple Inc. (US) - Adequacy Decision
Retention Period: 24 months maximum

4.3 Advertising Processing

Purpose: Revenue generation through relevant ads
Categories of Data: IDFA, ad interaction data
Recipients: Google LLC and advertising partners
International Transfers: US (Privacy Shield/Standard Contractual Clauses)
Retention Period: 18 months maximum
Automated Decision Making: Ad targeting algorithms (right to explanation available)

5. Data Security and Protection

5.1 Technical Safeguards

Encryption: iOS hardware encryption for all local data
Access Control: App sandbox security model
Data Minimization: Only necessary data collected
Purpose Limitation: Data used only for stated purposes

5.2 Organizational Measures

Privacy by Design: Built-in privacy protections
Regular Security Reviews: Ongoing security assessments
Incident Response: Data breach notification procedures
Staff Training: Privacy protection awareness

5.3 Data Breach Procedures

Notification Timeline:

Supervisory Authority: Within 72 hours (GDPR Article 33)
Affected Users: Without undue delay if high risk (GDPR Article 34)
Communication Method: App notification and email (if collected)

6. Third-Party Data Sharing

6.1 Service Providers

Google Mobile Ads SDK

Purpose: Advertisement serving
Data Shared: IDFA, device characteristics (with consent)
Legal Basis: Consent (Article 6(1)(a))
Safeguards: Privacy Shield, Standard Contractual Clauses
User Control: Opt-out available in iOS Settings > Privacy & Security > Apple Advertising

6.2 Legal Disclosures

Data may be disclosed if required by:

Court orders or legal processes
Protection of rights, property, or safety
Investigation of fraud or security issues
Legal Basis: Article 6(1)(c) - Legal Obligation

6.3 No Sale of Personal Data

We do not sell, rent, or trade personal data to third parties for monetary consideration.

7. International Data Transfers

7.1 Adequacy Decisions

Transfers to countries with EU adequacy decisions are permitted without additional safeguards.

7.2 Appropriate Safeguards

For transfers to countries without adequacy decisions:

Standard Contractual Clauses (SCCs): EU-approved model clauses
Privacy Shield: For certified US companies (subject to updates)
Additional Measures: Encryption, access controls, regular audits

7.3 User Rights for International Transfers

Right to be informed about transfer destinations
Right to obtain copies of safeguards
Right to object to transfers in certain circumstances

8. Children's Privacy (GDPR Article 8)

8.1 Age Requirements

Minimum Age: 16 years (or lower age set by Member State law)
Parental Consent: Required for users under minimum age
Verification: Age verification requested during first app launch

8.2 Special Protections

Enhanced data minimization for minors
Simplified privacy notices
Easy-to-use consent withdrawal mechanisms
Regular deletion of unnecessary data

8.3 Parental Rights

Parents/guardians can:

Access their child's personal data
Request rectification or erasure
Withdraw consent on behalf of the child
File complaints with supervisory authorities

9. Data Protection Impact Assessment (DPIA)

9.1 DPIA Summary

A Data Protection Impact Assessment has been conducted for high-risk processing activities, particularly:

Systematic monitoring of app usage
Automated ad targeting decisions
Processing of children's data

9.2 Risk Mitigation Measures

Data minimization principles applied
Privacy by design implementation
Regular security assessments
Transparent consent mechanisms

10. Supervisory Authority Rights

10.1 Lead Supervisory Authority

For cross-border processing, the lead supervisory authority is determined based on the location of our main establishment or specific processing activities.

10.2 Complaint Rights

You have the right to lodge a complaint with:

Your local data protection authority
The supervisory authority where the alleged infringement occurred
The supervisory authority where you have your habitual residence

10.3 Common EU Supervisory Authorities

Germany: Federal Commissioner for Data Protection and Freedom of Information
France: Commission Nationale de l'Informatique et des Libertés (CNIL)
Ireland: Data Protection Commission
Netherlands: Autoriteit Persoonsgegevens

11. Consent Management

11.1 Consent Requirements (GDPR Article 7)

Consent must be:

Freely Given: No detriment for refusal
Specific: Clear purpose statement
Informed: Full information provided
Unambiguous: Clear affirmative action

11.2 Consent Withdrawal

Method: App settings or iOS system settings
Effect: Immediate cessation of processing
Notification: Clear confirmation of withdrawal
No Consequences: No disadvantage for withdrawal

11.3 Consent Records

We maintain records of:

When consent was given
What information was provided
How consent was obtained
When consent was withdrawn

12. Data Retention and Deletion

12.1 Retention Principles

Necessity: Data kept only as long as necessary
Purpose Limitation: Deleted when purpose fulfilled
Legal Requirements: Compliance with retention obligations
User Control: Deletion available upon request

12.2 Retention Periods

Note Data: Until user deletion or app uninstall
Analytics Data: Maximum 24 months
Advertising Data: Maximum 18 months (Google Ads policy)
Consent Records: 3 years after withdrawal

12.3 Secure Deletion

Method: Cryptographic erasure where possible
Verification: Deletion confirmation procedures
Backups: Secure deletion from all backups
Third Parties: Deletion requests to data processors

13. Privacy by Design and Default

13.1 Design Principles

Proactive not Reactive: Privacy measures built-in
Privacy as the Default: Maximum privacy settings by default
Full Functionality: Privacy without compromising functionality
End-to-End Security: Comprehensive protection
Visibility and Transparency: Clear privacy practices
Respect for User Privacy: User-centric design

13.2 Implementation Examples

Local-first data architecture
Minimal data collection
Granular consent controls
Clear privacy settings
Transparent data practices

14. Updates and Changes

14.1 Policy Updates

Notification Method:

In-app notification for material changes
App Store update notes
Email notification (if email provided)
Continued consent verification

14.2 Legal Changes

Updates may be required due to:

Changes in applicable law
Regulatory guidance updates
New processing activities
Technical infrastructure changes

14.3 User Rights During Changes

Right to withdraw consent to new processing
Right to object to material changes
Right to delete data before new policy takes effect
Right to receive clear information about changes

15. Contact Information and Complaints

15.1 Data Protection Officer (if applicable)

Note: DPO appointment required if core activities involve systematic monitoring or special category data processing.

15.2 Contact Details

Data Controller: Fatma Zehra ASLANTAŞ
Email: [Developer Email Address]
Subject Line: "GDPR Privacy Request - Notever"
Response Time: Within 30 days

15.3 Complaint Procedures

Internal Complaints:

Email privacy concern to developer
Include specific details and desired resolution
Receive acknowledgment within 72 hours
Resolution within 30 days

External Complaints:

Contact your national data protection authority
File complaint with EU supervisory authority
Seek judicial remedy in EU Member State courts

16. Governing Law and Jurisdiction

16.1 Applicable Law

This Privacy Policy is governed by:

EU General Data Protection Regulation (GDPR)
National data protection laws of relevant Member States
Turkish Personal Data Protection Law (for Turkish residents)

16.2 Jurisdiction

EU courts for EU residents
Turkish courts for Turkish residents
Jurisdiction determined by user's habitual residence

Appendices

Appendix A: Legal Basis Summary Table

Processing Activity	Legal Basis	GDPR Article	User Control
Note Storage	Contract Performance	6(1)(b)	Full control via app
App Analytics	Legitimate Interest	6(1)(f)	Opt-out available
Advertising	Consent	6(1)(a)	Withdraw anytime
Security Measures	Legal Obligation	6(1)(c)	Limited control

Appendix B: Data Flow Diagram

User Device (Local Storage)

├── Note Content [No Transfer]

├── App Preferences [No Transfer]

├── Analytics Data → Apple Inc. (US) [Adequacy]

└── Advertising Data → Google LLC (US) [Safeguards]

Appendix C: Consent Withdrawal Instructions

Advertising Consent:

iOS Settings > Privacy & Security > Apple Advertising > Personalized Ads (OFF)
App Settings > Privacy > Advertising Consent (OFF)

Analytics Consent:

App Settings > Privacy > Analytics (OFF)
iOS Settings > Privacy & Security > Analytics & Improvements (OFF)

This Privacy Policy has been prepared to ensure full compliance with GDPR and provides comprehensive protection for all users' personal data and privacy rights. Regular reviews ensure continued compliance with evolving data protection requirements.

Document Version: 2.0
GDPR Compliance Review Date: July 8, 2025
Next Review Date: January 8, 2026