Privacy Policy

1. Data Controller

This application is developed and operated by individual software developer Onurcan Oğul ("Developer").

The Developer acts as the data controller under the Turkish Personal Data Protection Law (KVKK) and the EU General Data Protection Regulation (GDPR).

Contact: privacy@clear-trace.app

2. Data We Collect

2.1 Data You Provide Directly

Data Category	Details	Purpose
Account Information	Email address, password (hashed), display name	Account creation and authentication
Profile Information	Skin type, skin conditions, time zone, notification preferences	Personalized experience
Skin Photos	Daily skin photos and thumbnails	AI-powered skin analysis and timeline
Health & Lifestyle Data Sensitive	Sleep duration and quality, stress level, water intake, exercise, menstrual cycle (optional), medication use (optional)	Correlation analysis to identify trigger factors
Nutrition Data	Food categories (dairy, sugar, gluten, etc.), meal type	Diet-skin relationship analysis
Skincare Products	Product name, brand, category, usage routine	Product effectiveness tracking

2.2 Data Collected Automatically

Data	Details	Purpose
Location Data	Latitude/longitude (weather integration only)	Environmental factor correlation (temp, humidity, UV)
Weather	Temperature, humidity, UV index	Environment-skin relationship analysis
Device Information	Notification token, app version	Push notifications and error tracking
AI Analysis Results	Skin score (0-100), acne, redness, texture, hydration, spots sub-metrics	Skin health assessment

3. Processing Purposes and Legal Bases

Purpose	Legal Basis (KVKK / GDPR)
Providing the service and account management	Performance of contract (KVKK Art.5/2-c / GDPR Art.6(1)(b))
AI analysis of skin photos	Explicit consent (KVKK Art.6/2 / GDPR Art.9(2)(a))
Correlation analysis of health and lifestyle data	Explicit consent (KVKK Art.6/2 / GDPR Art.9(2)(a))
Sending notifications (reminders, weekly digest)	Legitimate interest (KVKK Art.5/2-f / GDPR Art.6(1)(f))
App performance monitoring and bug fixing	Legitimate interest (KVKK Art.5/2-f / GDPR Art.6(1)(f))
Usage analytics and product development	Legitimate interest (KVKK Art.5/2-f / GDPR Art.6(1)(f))
Subscription and payment management	Performance of contract (KVKK Art.5/2-c / GDPR Art.6(1)(b))

Important note: ClearTrace is a wellness app; it does not provide medical diagnosis or treatment. AI analysis results are for informational purposes only and do not replace professional medical advice.

4. Third-Party Service Providers

Your data is shared with the following sub-processors only to the extent necessary to provide our service:

Service	Purpose	Data Processed	Location
Google Firebase	Authentication, database, notifications	Account info, app data	EU/US
Amazon Web Services (S3)	Photo storage	Skin photos	EU (eu-central-1)
Google Cloud Vision	Image analysis	Skin photos	EU/US
OpenAI	AI-powered skin analysis	Skin photos	US
RevenueCat	Subscription management	User ID, subscription status	US
Mixpanel	Usage analytics	Anonymous usage events	US
Sentry	Error tracking	Error reports, device info	US
OpenWeatherMap	Weather data	Location coordinates	EU

We never sell your data. Only the minimum data required for service delivery is shared with third-party providers.

5. International Data Transfers

Some of our service infrastructure is located outside the European Union (US). The following safeguards are in place for these transfers:

Transfers are carried out under EU Commission adequacy decisions, Standard Contractual Clauses (SCCs), and relevant service providers' data protection compliance frameworks (e.g., EU-US Data Privacy Framework).

Under KVKK, international data transfers are conducted in accordance with Data Protection Board decisions and your explicit consent.

6. Data Retention Periods

Data Type	Retention Period
Account information	Until account deletion
Skin photos and analysis results	Until account deletion (user can delete individually)
Health and lifestyle data	Until account deletion
Correlation results	Until account deletion
Analytics data (Mixpanel)	Anonymous, 24 months
Error reports (Sentry)	90 days

When you delete your account, all your personal data is permanently removed from our servers and backups within 30 days.

7. Data Security

We implement the following technical and organizational measures to protect your data:

TLS 1.2+ encryption in transit; AES-256 encryption at rest. Photos are accessed only via short-lived presigned URLs. Firebase security rules enforce user-level data isolation — each user can only access their own data. API requests are protected by rate limiting. Passwords are hashed with bcrypt/scrypt and never stored in plain text.

8. Your Rights

Under KVKK (Art.11) and GDPR (Art.15-22), you have the following rights:

To exercise your rights, email privacy@clear-trace.app or use the in-app Profile > Data Request section. We will respond within 30 days.

In-app controls: From your profile settings, you can delete individual photos, export your data in JSON format, or delete your entire account.

9. Children's Privacy

ClearTrace is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we learn that a child has used our services, we will promptly delete the relevant data.

10. Cookies and Tracking Technologies

ClearTrace is a mobile app and does not use browser cookies. Anonymous event data is collected via the Mixpanel SDK for usage analytics. You can disable this data collection from the app settings.

11. Policy Changes

This privacy policy may be updated from time to time. When significant changes are made, you will be notified in advance via in-app notification and/or email. The current version will always be published on this page.