Privacy Policy
Last updated: May 15, 2026
This Privacy Policy explains what personal data we collect when you use the DersTakip mobile app and the derstakip.app website (together, "DersTakip"), why we collect it, who we share it with, and the rights you have. The policy is designed to satisfy the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and Turkey's KVKK Law No. 6698. Turkish users may also refer to our Aydınlatma Metni, which mirrors the same content in the KVKK-required format.
1. Who we are
The data controller for DersTakip is Ataberk Köroğlu, a Turkish sole proprietor (şahıs şirketi).
- Tax ID (VKN): 5860710646
- Registered address: Armağanevler Mah, Ümraniye, Istanbul 34760, Turkey
- Contact: info@derstakip.app
2. What we collect
The categories of personal data we may process:
| Category | Examples |
|---|---|
| Identity | First and last name, date of birth, gender |
| Contact | Email address, phone number |
| Education | School/institution, grade, target exam (LGS, YKS, etc.) |
| Profile media | Profile picture, images you upload to stories/posts |
| Subscription & billing | Premium status, in-app purchase records, in-app coin balance and transactions |
| Device & connection | Device model, OS version, push notification tokens (FCM), IP address (per-session) |
| Usage & performance | Study session start/end and duration, questions solved, per-lesson progress, streaks, league standings, weekly recap statistics |
| Social content | Groups you join, posts and comments you write, stories you publish, messages |
| AI interactions | Messages you send in AI coaching chats, and the context we send with them |
| Marketing | Notification preferences, referral codes, campaign engagement metrics |
Cookies and similar technologies on our website are described in the Cookie Policy. The mobile app does not use cookies.
3. Why we process it
We use your personal data to:
- Create your account, verify your identity, and keep your session secure
- Provide core app features — study tracking, daily targets, statistics, streaks
- Offer social features — groups, leagues, stories, leaderboards, messaging
- Power AI-based coaching and content recommendations
- Sell and manage Premium subscriptions and fulfill tax/accounting obligations
- Send engagement notifications (streak reminders, league updates, weekly recap)
- Provide customer support and handle complaints
- Improve the product, debug errors, and measure performance
- Moderate content and prevent abuse
- Comply with legal obligations and respond to lawful requests from authorities
4. Legal basis (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)): creating your account, providing the app's core features, processing subscriptions.
- Legal obligation (Art. 6(1)(c)): retaining sale and tax records (10 years under Turkish Tax Procedure Law Art. 253) and responding to lawful requests from authorities.
- Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, product analytics, content moderation, improving AI coaching.
- Consent (Art. 6(1)(a)): marketing notifications, optional third-party integrations, analytics cookies on the website.
5. Service providers we use
We don't run DersTakip alone — for things like sign-in, push notifications, AI chat, and subscription billing we rely on the infrastructure of other companies. This means your data inevitably passes through their systems too. We do not sell your data and we do not share it for marketing purposes; the providers below are operational tools we depend on to run the Service. Each is bound by contractual data-protection obligations and may only process your data for the purposes we instruct.
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase (Authentication, Cloud Messaging, Analytics, Crashlytics) | Sign-in, push notifications, usage analytics, crash reporting | United States |
| OpenAI | AI coaching chats; content moderation for image uploads | United States |
| Microsoft Azure OpenAI | Curriculum embeddings and content generation infrastructure | United States |
| Apple Sign-In, Google Sign-In, Facebook Login | Third-party sign-in | United States |
| RevenueCat | Subscription and in-app purchase management | United States |
| Google AdMob, Google User Messaging Platform | Advertising; EU consent management for ads | United States |
| MailerSend | Transactional emails (account verification, password reset) | United States |
| MailerLite | Newsletter/marketing list management | United States |
| Hostinger (hosting provider) | Operates our servers in Frankfurt, Germany, where all primary data is stored | Germany (EU) |
Beyond these providers, we may share data with authorities when legally required (court orders, regulatory requests, criminal investigations).
6. International transfers
DersTakip's primary servers and file storage are located in Germany (EU). For users inside the EU/EEA, this is intra-EU processing.
However, several sub-processors listed above operate from the United States. When we transfer personal data to a country outside the EU/EEA that has not been deemed "adequate" by the European Commission, we rely on:
- Standard Contractual Clauses (SCCs) provided by the sub-processor under their data processing addendum, or
- Your explicit consent for optional integrations (e.g., Facebook Login), or
- Contractual necessity, where the transfer is required to provide a service you requested (e.g., Apple Sign-In).
7. How long we keep data
| Category | Retention |
|---|---|
| Profile, study sessions, recaps, chats, group activity, stories, streaks, league and notification records | For as long as your account is active — the app's core features (historical statistics, streak history, leaderboard rankings) require it. |
| When you delete your account — profile fields | Name, surname, email, phone number, date of birth, profile picture, and push tokens are anonymized; your Firebase Authentication account is deleted. |
| When you delete your account — content records (chats, group posts, stories, session history) | These records are not automatically removed as part of the deletion flow. To have them deleted or unlinked from your user identifier, email info@derstakip.app; we will process the request manually. |
| Apache server access and error logs | Approximately 14 days (automatic logrotate) |
| Application (Node.js / PM2) and system logs | No defined retention; held in line with system disk capacity. systemd journal defaults to 7 days. |
| Database backups | 2 weeks (weekly snapshots stored in the EU — Lithuania) |
| Purchase / billing records | 10 years, as required by Turkish Commercial Code Art. 82 (commercial bookkeeping obligation). |
8. Security
We apply industry-standard technical and organizational measures:
- TLS encryption for all network traffic
- Passwords are stored by Firebase Authentication using one-way hashing (scrypt + HMAC) on Google Cloud infrastructure; we never see your password
- Role-based access controls; restricted admin access
- Rate limiting, HTTP security headers (helmet), CORS controls
- Content moderation (image and text) on user-generated content
- Weekly backups stored within the EU
9. Children
DersTakip is not directed at children under 13, and we do not knowingly collect personal data from anyone under 13. For users aged 13–18, we recommend that a parent or guardian review this Privacy Policy and the app's features. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take steps to remove that data as soon as possible.
10. Your rights
Depending on where you live, you have the following rights regarding your personal data. Under GDPR (Art. 15–22) and KVKK Art. 11:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure: ask us to delete your data (subject to legal exceptions such as tax retention)
- Restriction: ask us to limit how we process your data
- Portability: receive your data in a structured, machine-readable format
- Object: object to processing based on legitimate interests, including direct marketing
- Withdraw consent: where processing is based on consent, you may withdraw it at any time
- Lodge a complaint: with the data protection authority of your country
To exercise any of these rights, email us at info@derstakip.app. To delete your account, the fastest path is the Account Removal page.
We respond to requests within 30 days. EU/EEA users may also lodge a complaint with their national supervisory authority. Turkish users may lodge a complaint with the Personal Data Protection Authority (KVKK Kurulu) after first contacting us.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest version. If we make material changes, we will notify registered users by email or in-app notification.
12. Contact
Questions, requests, or complaints? info@derstakip.app

