Under Article 10 of Turkish Personal Data Protection Law No. 6698 (KVKK)
Effective Date: 07.05.2026 · Version: 1.0
📋 About This Privacy Notice
This Privacy Notice has been prepared pursuant to Article 10 of Turkish Personal Data Protection Law No. 6698 ("KVKK") and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform. It is published to inform you about the personal data processed by us in our capacity as data controller.
This notice should be read together with our Privacy Policy; the Privacy Policy provides broader international information (GDPR, COPPA, etc.), while this Notice specifically addresses your rights and processes under KVKK.
Table of Contents
1. IDENTITY OF THE DATA CONTROLLER
Under KVKK Art. 3/1-ı, the data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.
- Data Controller: Sevim Senacay Kadı (Baby & Me Check — Individual Developer)
- Status: Natural person — individual app developer
- MERSIS / Tax No: Provided upon request
- Service Address: Provided upon request via kvkk@babyandmecheck.com
- Email: kvkk@babyandmecheck.com
- Website: babyandmecheck.com
- VERBİS Registration No: Provided upon request
⚠️ About the Individual Developer Status
The developer currently operates as an individual natural person. Under KVKK, natural persons can also be data controllers; therefore, the legal obligations apply equally. In case of incorporation or formation of a legal entity, this notice will be updated and announced.
2. CATEGORIES OF PERSONAL DATA PROCESSED
The categories of data processed, in line with the Personal Data Categories guide published by the Turkish Personal Data Protection Authority, are listed below:
| Data Category | Data Included | Nature |
|---|---|---|
| Identity | Name, surname, nickname (optional) | Optional |
| Contact | Email address | Required |
| Customer Transaction | Account registration date, subscription status, purchase records (via RevenueCat) | Service-dependent |
| Transaction Security | IP address, session info, hashed user password (bcrypt), session timestamps | Required |
| Visual and Audio Records | Profile photo (optional), family-shared photos/videos/voice messages | Optional |
| Family Members | Baby's name, date of birth, shared family info, list of invited members | Service-dependent |
| Special Category — Health | Baby's vaccination records, illness history, allergies, medication (if entered by user) | Explicit Consent Required |
| Usage Data | In-app interactions, session durations, crash logs | Automatic |
| Device Data | Device model, OS version, language, timezone, FCM device token | Automatic |
| Voice Input Data | Voice note transcriptions (text only; audio is processed on-device and not stored) | Optional |
📌 Data We Do Not Collect
The following data is strictly not collected during the beta release:
- Credit card / debit card / payment information — processed by Apple App Store and Google Play; we never see it
- Advertising identifiers (IDFA / GAID) — no ads during beta
- Location data (GPS)
- Phone contacts / address book — the invitation system is code-based
- Audio recordings — voice input is processed on-device; no recording is stored
- Receipt / invoice images — OCR feature is disabled in beta
⚠️ Notice on Special Categories of Personal Data
Under KVKK Art. 6, health data is a special category of personal data. Health information about your baby (vaccinations, illnesses, medication) is processed only with your explicit consent and is subject to the following additional protections:
- Not used for advertising or marketing
- Not shared with third parties (except as legally required)
- Only visible to family members you invite
- You may withdraw your explicit consent at any time
3. PURPOSES OF PROCESSING
Your personal data is processed for the following purposes, in accordance with the principles set forth in KVKK Art. 4 (lawfulness, accuracy, specific and legitimate purpose, proportionality, currency, limited duration):
3.1 Purposes Related to Performance of Contract
- Creation of your account and identity verification
- Provision of core service functions (baby tracking, family group, messaging)
- Family sharing and invitation code management
- Premium subscription (via RevenueCat) management
- Push notification delivery
3.2 Purposes Based on Legitimate Interest
- Service improvement, error analysis, and performance optimization
- Provision of customer support
- System security and fraud prevention
- Beta feedback collection and assessment
3.3 Purposes Based on Legal Obligation
- Tax and financial regulations (invoice retention in production release)
- Retention of IP logs under Law No. 5651
- Reporting illegal content (especially CSAM) to competent authorities upon detection
- Providing information upon court order or prosecutor's request
3.4 Purposes Requiring Explicit Consent
- Processing of baby's special category health data (KVKK Art. 6/2)
- Transfer of data to servers abroad (KVKK Art. 9)
- Microphone access and voice input feature
- In-family messaging and media sharing
4. TRANSFER OF PERSONAL DATA
4.1 Domestic Transfers
Your personal data may be transferred to the following persons/institutions where required by applicable law:
- Authorized public institutions and agencies (where legally required)
- Independent legal counsel / financial advisor (when necessary)
- Judicial authorities upon court order or prosecutor's request
4.2 International Transfers
For the technical infrastructure of the service, data is transferred internationally under your explicit consent (KVKK Art. 9) to the following organizations:
| Recipient | Country | Purpose | Data Type |
|---|---|---|---|
| Supabase Inc. | EU — Germany, Frankfurt (AWS eu-central-1) | Backend infrastructure, database, authentication, file storage | All account, content, message and media data |
| RevenueCat Inc. | USA | Subscription management, purchase records | App User ID, subscription status, purchase identifier |
| Apple Inc. (App Store) | USA / Ireland | iOS app distribution, payment processing | Account identifier, purchase information |
| Google Ireland Ltd (Play Store) | EU / USA | Android app distribution, beta management, payments | Account identifier, device info, purchases |
| Google LLC (FCM) | USA | Push notification delivery | Device token, notification text |
| Google LLC (Crashlytics) | USA | Crash reporting (if enabled) | Device info, error logs |
🌍 Important Notice on EU Transfers
Your content data (account, baby info, messages, media) is stored in EU Frankfurt. This provides stronger legal safeguards compared to transfers to the USA:
- EU countries provide a high level of data protection under GDPR
- TLS 1.3 in transit and AES-256 at rest are applied as standard
- Only limited technical data (push notification device token, subscription identifier) traverses US infrastructure
These transfers are carried out with your explicit consent under KVKK Art. 9.
5. COLLECTION METHODS AND LEGAL BASIS
5.1 Collection Methods
Your personal data is collected via mobile app, website, email, and customer support channels, electronically through fully or partially automated means.
5.2 Legal Bases (KVKK Art. 5 and Art. 6)
| Processing Activity | Legal Basis under KVKK |
|---|---|
| Account creation, identity verification, provision of core service functions | Conclusion and performance of a contract (Art. 5/2-c) |
| Obligations under tax, financial, and security regulations | Legal obligation (Art. 5/2-ç) |
| Establishment, exercise, or protection of a right | (Art. 5/2-e) |
| Service improvement, error analysis, customer support | Legitimate interest (Art. 5/2-f) |
| Marketing, microphone use, international transfer, family sharing | Explicit consent (Art. 5/1) |
| Processing baby's health data (special category) | Explicit consent (Art. 6/2) |
6. RETENTION PERIODS
Your data is retained for the period required by the purpose of processing and in line with minimum periods stipulated by applicable legislation.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account information | Duration the account is active + 30 days after deletion request | Performance of contract |
| Baby/family content data | Duration the account is active | Performance of contract |
| Family group messages and media | Duration the group is active (unless deleted by user) | Performance of contract |
| Unused invitation codes | 30 days, then automatically deleted | Data minimization principle |
| Voice recordings (voice input) | Not stored — deleted immediately after transcription | Data minimization principle |
| FCM device token | Duration the app is installed | Performance of contract |
| RevenueCat subscription records | During active subscription + 12 months after cancellation | Contract performance, financial follow-up |
| Crash logs | 90 days | Legitimate interest |
| IP addresses (security purposes) | 6 months | Law No. 5651 |
| Tax/invoice records (in production release) | 10 years | Tax Procedure Law Art. 253 |
At the end of the retention period, personal data is securely deleted, destroyed, or anonymized pursuant to the Regulation on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority.
7. YOUR RIGHTS UNDER KVKK ARTICLE 11
As a data subject, you have the following rights under KVKK Art. 11:
- To learn whether your personal data is processed
- To request information regarding processing if your personal data has been processed
- To learn the purpose of processing and whether the data is used in accordance with that purpose
- To know the third parties to whom your personal data is transferred domestically or abroad
- To request correction of incomplete or inaccurately processed data
- To request deletion or destruction of your personal data within the conditions set out in KVKK Art. 7
- To request notification of the actions taken under (5) and (6) to third parties to whom your data has been transferred
- To object to results that arise against you through the analysis of processed data solely by automated systems
- To claim compensation for damages suffered due to unlawful processing of your personal data
8. HOW TO SUBMIT A REQUEST TO THE DATA CONTROLLER
Pursuant to KVKK Art. 13 and the Communiqué on the Procedures and Principles of Application to the Data Controller, you may submit requests through the following channels.
8.1 Minimum Information Required in Your Request
Your request must include the following information so that it can be evaluated:
- Name, surname, and signature if the request is in writing
- Turkish ID number (for Turkish citizens)
- For foreigners: nationality, passport number, or ID number
- Service address (residence or workplace)
- Notification email address, phone, fax (if any)
- Subject of the request (clearly and understandably)
- Supporting information and documents (if any)
8.2 Application Channels
- Written (Mail): Contact kvkk@babyandmecheck.com for the service address — with a wet-signed petition
- Email registered in our system: kvkk@babyandmecheck.com (preferably from the email used at account registration)
- In-app form: Settings → Privacy → KVKK Request
8.3 Evaluation of the Request
✅ Response Time and Fees
- Your request will be concluded within 30 days at the latest from the date it reaches us
- Requests are generally free of charge; however, where the procedure requires additional cost, a fee determined by the KVK Board's tariff may be charged
- If your request is accepted, the action is taken; if rejected, the reason will be explained
9. COMPLAINT TO THE DATA PROTECTION AUTHORITY
You may file a complaint with the Personal Data Protection Board in the following cases (KVKK Art. 14):
- Your request is rejected
- You find the response insufficient
- Your request is not answered within the time limit
⏰ Complaint Deadlines
- 30 days: From the date you learn the response
- 60 days: In any case from the date of application
If you miss these deadlines, the complaint route may be closed; however, the judicial route remains open.
Contact Details of the Data Protection Authority
- Website: www.kvkk.gov.tr
- Online Application: Complaint Application
- Address: Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat-Çankaya/ANKARA, Türkiye
- Phone: +90 (312) 216 50 50
10. CHANGES TO THIS NOTICE
This Privacy Notice may be updated from time to time due to changes in legislation, changes to the scope of the service, or decisions of the Data Protection Authority. For material changes:
- An in-app notification will be sent
- You will be notified at your registered email address
- An announcement will be published on babyandmecheck.com
- For substantial changes, your explicit consent will be requested again
The most current version is always published at babyandmecheck.com/privacy/en.
11. RELATED DOCUMENTS
12. DECLARATION
I acknowledge that I have read this Privacy Notice and have been informed about its content. For processing activities that require explicit consent, separate approval will be obtained via an Explicit Consent Statement.
Baby & Me Check — Privacy Notice (KVKK) · Under Article 10 of Law No. 6698
Version 1.0 — Beta — 07.05.2026 · © babyandmecheck.com