Türkçe

Privacy Policy

App: Sonder — Your private relationship journal Operator (Data Controller): Oğuz Kurukaya, sole proprietor, Türkiye Contact: [email protected] Effective date: 2026-05-02 Last updated: 2026-05-02

1. Introduction

This Privacy Policy explains how Sonder (“we”, “us”, “the App”) collects, uses, shares, and protects your personal data when you use the Sonder mobile application on iOS and Android. Sonder is operated as a sole proprietorship by Oğuz Kurukaya in Türkiye and is the data controller of your personal data under the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and the EU General Data Protection Regulation (“GDPR”), where applicable.

By creating an account or using Sonder you confirm that you have read this Privacy Policy and agree to the practices described below. If you do not agree, please do not use the App.

This document is intentionally written in plain language. Where a clause has stricter regional requirements (KVKK, GDPR, CCPA), the stricter rule applies for users in that region.

2. Scope

This policy applies to:

It does not apply to third-party services that you may interact with through Sonder (e.g. Apple ID sign-in, Google Sign-In, the App Store, Google Play); those are governed by their own privacy policies.

3. Information We Collect

We collect only the information needed to operate Sonder. We do not sell your data and do not share it with advertisers for cross-app tracking.

3.1 Information you provide

Category Examples Required?
Account identifiers Email address (from sign-in), display name, language preference Required to create an account
Authentication tokens JWT access token, refresh token (stored locally on your device) Required for the App to function
Journal content Entry title, body text, selected mood, tags, timestamps Optional — only if you create entries
Attachments Photos or documents you attach to an entry Optional — only if you attach files
AI chat content Messages you send to the AI feature, AI responses Optional — only if you use the AI chat
Profile preferences Notification settings, daily reminder time, theme Optional
Customer support correspondence Emails you send us, support tickets Only if you contact us

3.2 Information collected automatically

Category Source Purpose
Device information iOS/Android version, app version, device model Crash diagnosis, compatibility
Crash reports Stack traces, app state at crash Fixing bugs
Usage analytics Screen views, feature interactions (~66 named events such as entry_created, ai_message_sent) Improving the product
Subscription status Active/inactive, plan, renewal date Unlocking premium features
Push notification tokens FCM token Sending you reminders/notifications you opted in to
Advertising identifier (free-tier only) IDFA (iOS) / GAID (Android) — only if you have not subscribed and only after you grant permission Showing ads via AdMob

3.3 Information from third parties

Source What we receive Why
Apple Sign-In Apple-managed email or relay email, name (only if you choose to share) Account creation
Google Sign-In Email, display name, profile photo URL Account creation
RevenueCat Subscription state, purchase events Premium gating
Apple App Store / Google Play Receipt verification, refund events Subscription management

3.4 Information we do not collect

To make our scope explicit, we do not collect:

4. How We Use Your Information

We use the data in Section 3 only for the following purposes:

  1. Provide the service — store and display your journal entries; deliver AI responses; sync across your devices
  2. Authenticate you — issue and refresh JWT tokens; verify your sign-in
  3. Process subscriptions — verify Apple/Google receipts via RevenueCat; unlock premium features
  4. Send you operational communications — magic-link sign-in emails, account-related notices, daily journaling reminders (only if you opted in)
  5. Show ads (free tier only) — request ads from AdMob when you have not subscribed
  6. Diagnose crashes and improve the product — Sentry/Crashlytics crash reports, Firebase Analytics events
  7. Customer support — respond to your support emails
  8. Legal compliance — comply with applicable laws, court orders, or KVKK/regulatory requests

We will not use your data for any new purpose materially different from the above without notifying you and, where required, asking for your consent.

5. Legal Bases for Processing (GDPR Article 6 / KVKK Article 5)

We process your data on the following legal bases:

Activity Legal basis
Creating and operating your account Performance of a contract (the Terms of Service)
Storing your journal entries Performance of a contract + your consent
AI chat (sending content to OpenAI) Your explicit consent when you start an AI conversation
Subscription processing Performance of a contract + legal obligation (tax, accounting)
Crash diagnostics Legitimate interest (operating a stable product)
Analytics Legitimate interest (improving the product), with the right to object
Advertising (free tier) Your consent via the App Tracking Transparency / Android Advertising ID prompt
KVKK-specific obligations The corresponding legal grounds in KVKK Article 5 (contract, legitimate interest, explicit consent for sensitive categories)

You can withdraw consent at any time. Withdrawal does not affect processing already carried out lawfully.

6. How We Share Your Information

We share data only with the third-party processors below, and only the minimum needed for them to perform their function. We have a data-processing relationship (or equivalent contractual safeguard) with each one.

Processor Purpose Data shared Region Safeguard
OpenAI, Inc. AI chat completions, OCR on attachments Your AI message content, OCR image content USA Standard Contractual Clauses (SCCs); we have disabled “Improve the model” / training opt-out — your content is not used to train OpenAI models. AI conversation data on OpenAI auto-deletes within 30 days per OpenAI’s API retention policy. We do not extend retention via fine-tuning or training opt-in.
Google LLC (Firebase Analytics, Crashlytics, FCM, Sign-In) Analytics, crash reports, push notifications, OAuth Pseudonymous device/event data, crash traces, FCM token, OAuth identifiers USA SCCs; Google’s Data Processing Addendum
Google LLC (AdMob) Show ads to free-tier users only Advertising identifier (IDFA/GAID) — only with your permission USA SCCs
Apple, Inc. (Sign in with Apple, App Store IAP) OAuth, in-app purchases OAuth identifier, purchase receipt USA Apple’s privacy framework
RevenueCat, Inc. Subscription state, receipt validation Anonymous app user ID, subscription events USA SCCs; DPA
Cloudflare, Inc. (R2 + DNS) Storing your entry attachments; hosting backend Attachment files, request metadata Global edge — primary storage region: EU SCCs
Resend, Inc. Sending transactional emails (magic links, receipts) Email address, email content USA SCCs
Functional Software, Inc. (Sentry) Error tracking Stack traces, app state USA SCCs
Better Stack Server log aggregation Server logs (operational, no journal content) EU DPA

We do not share your journal content, AI conversations, or attachments with anyone outside the processors above. We do not sell, rent, or trade your data to advertisers, data brokers, or any other third party.

We may disclose information to law enforcement only if compelled by a valid legal order from a competent Turkish court or, where applicable, under the Mutual Legal Assistance framework. We will challenge overbroad requests when lawful to do so.

7. International Data Transfers

Some processors above are located outside Türkiye and the EEA, primarily in the United States. For users in the EEA, UK, or Türkiye, we rely on:

You can request a copy of the SCCs we use by emailing [email protected].

8. Data Retention

Data Retention period
Active account data (entries, AI messages, profile) For as long as your account is active
Deleted account data Permanent deletion from production storage at the moment of request
Database backups 90 days, after which the deletion propagates to backups
Crash reports (Sentry, Crashlytics) 90 days
Server access logs 30 days
Customer support correspondence 2 years (for legal record-keeping)
Financial records (subscriptions, receipts) 10 years (Turkish Tax Procedure Law requirement)
Marketing emails Until you unsubscribe

After the retention period expires, data is deleted or fully anonymized. Financial records are kept in a separate archive as required by Turkish tax law and are not used for any other purpose.

9. Your Privacy Rights

Depending on your jurisdiction, you have the following rights:

9.1 Rights under GDPR (EEA, UK)

9.2 Rights under KVKK (Türkiye)

Under Article 11 of KVKK you have the right to:

You can lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu): https://www.kvkk.gov.tr

9.3 Rights under CCPA (California)

If you reside in California you have the right to know, delete, correct, and opt out of “sale/sharing” of personal information. We do not sell your personal information.

9.4 How to exercise your rights

Email [email protected] from the email address registered to your Sonder account, or use the in-app Settings → Account flow. We will respond within 30 days (KVKK) or one month (GDPR), and we may extend the period by an additional two months for complex requests after notifying you.

We may need to verify your identity before fulfilling certain requests. We will never charge a fee for the first request in any 12-month period; repeated or manifestly unfounded requests may incur a reasonable fee.

10. Account and Data Deletion

You can delete your account at any time through:

When you delete your account:

  1. Your account and all personal data are immediately and permanently deleted from production storage — this is irreversible
  2. Within 90 days, the deletion propagates to backups
  3. Records we are legally required to keep (e.g. financial records under Turkish tax law) are kept in a separate archive and are not used for any other purpose
  4. Anonymous aggregate cohort metrics (no link to your identity) are retained indefinitely for product analytics

For details, see our Account Deletion Procedure page.

11. Children’s Privacy

Sonder is rated 13+ on the App Store and Google Play. We do not knowingly collect personal data from children under 13. If we learn we have collected such data, we will delete it as soon as possible. If you are a parent or guardian and believe your child has provided us data, contact [email protected].

12. Security

We protect your data with industry-standard measures:

No system is perfectly secure. If a data breach occurs that creates a high risk to your rights, we will notify you and the relevant supervisory authority (KVKK Kurumu / your local DPA) within 72 hours of becoming aware, as required by KVKK and GDPR.

13. Cookies, Tracking, and Mobile Identifiers

The Sonder app itself does not use traditional cookies. We use:

The legal websites at sonder.oguzkurukaya.com/privacy, /terms, and /delete-my-account use only strictly-necessary cookies for delivery and do not contain advertising or analytics trackers.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

Continued use of Sonder after a change takes effect means you accept the updated policy.

15. Contact

Data Controller: Oğuz Kurukaya (sole proprietor), Türkiye Privacy contact: [email protected] Postal address: Available on request via email KVKK Veri Sorumlusu: Oğuz Kurukaya (gerçek kişi)

If you do not receive a satisfactory response from us, you have the right to lodge a complaint with the Turkish Personal Data Protection Authority (https://www.kvkk.gov.tr) or your local data protection supervisory authority in the EEA/UK.

This Privacy Policy is provided in English and Turkish. In case of conflict between language versions, the Turkish version prevails for users resident in Türkiye; the English version prevails for all other users.

© 2026 Oğuz Kurukaya. All rights reserved.