# PERSONAL DATA PROTECTION AND PROCESSING POLICY
**Effective Date:** 23.02.2026
**Last Update:** 08.03.2026
**Version:** 1.0
---
## 1. PURPOSE AND SCOPE
This Personal Data Protection and Processing Policy ("Policy") regulates the procedures and principles regarding the processing of personal data collected from users through the **AstroKey** application ("Application") developed and operated by **Turan Dinç** ("TD").
This Policy has been prepared within the framework of the **Personal Data Protection Law No. 6698** ("KVKK"), which entered into force on April 7, 2016, the right to privacy guaranteed under **Article 20 of the Constitution of the Republic of Türkiye**, and the relevant secondary legislation.
This Policy covers TD's mobile application, web application, and all associated digital platforms (iOS, Android, Web, Windows, Linux, macOS).
---
## 2. DEFINITIONS
| Term | Description |
|-------|----------|
| **Personal Data** | Any information relating to an identified or identifiable natural person (KVKK Article 3/d) |
| **Special Category Personal Data** | Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics |
| **Data Controller** | The person who determines the purposes and means of processing personal data — **Turan Dinç (TD)** within the scope of this Policy |
| **Data Processor** | The natural or legal person who processes personal data on behalf of the data controller |
| **Data Subject** | The natural person whose personal data is processed (Application user) |
| **Explicit Consent** | Freely given, specific and informed consent |
| **Data Processing** | Any operation performed upon personal data |
| **Anonymization** | Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data |
| **Application** | The AstroKey astrology and numerology application developed by Turan Dinç |
---
## 3. IDENTITY AND CONTACT INFORMATION OF THE DATA CONTROLLER
Within the framework of the obligation to inform under Article 10 of KVKK, the information belonging to the data controller is as follows:
| Field | Information |
|------|-------|
| **Data Controller** | Turan Dinç |
| **Short Name** | TD |
| **Application Name** | AstroKey |
| **E-mail** | nilay@aldebaranakademi.com |
| **Contact Form** | "Contact Us" section within the Application |
You can submit your requests within the scope of KVKK to TD via the communication channels above.
---
## 4. CONSTITUTIONAL AND LEGAL BASIS
### 4.1. Constitutional Guarantee
Pursuant to the **third paragraph of Article 20** of the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. This right includes being informed of, having access to, and requesting the correction and deletion of their personal data, and being informed whether the data is used consistently with the envisaged objectives. Personal data can be processed only in cases envisaged by law or with the person's explicit consent.
### 4.2. Legal Basis
All of TD's data processing activities, and this Policy in particular, are carried out in accordance with the provisions of the following legislation:
- **Personal Data Protection Law No. 6698 (KVKK)** — Primary legal framework
- **Law on the Regulation of Electronic Commerce No. 6563** — Electronic commerce provisions
- **Law on the Regulation of Publications on the Internet No. 5651** — Provisions regarding the internet environment
- **Turkish Commercial Code No. 6102** — Commercial registration obligations
- **Tax Procedure Law No. 213** — Financial registration obligations
- **Regulation on the Deletion, Destruction, or Anonymization of Personal Data**
- **Regulation on the Registry of Data Controllers**
- **Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform**
- **Personal Data Security Guide (Personal Data Protection Authority)**
---
## 5. BASIC PRINCIPLES FOLLOWED IN THE PROCESSING OF PERSONAL DATA
Pursuant to Article 4 of KVKK, TD complies with the following basic principles in the processing of personal data:
1. **Lawfulness and fairness:** Personal data is processed only when there is a legal basis and within the framework of the principle of fairness.
2. **Being accurate and kept up to date where necessary:** The accuracy and currency of processed personal data are ensured; necessary mechanisms are established for the correction of erroneous data.
3. **Being processed for specified, explicit, and legitimate purposes:** Personal data is not processed outside of predetermined, explicit, and legitimate purposes.
4. **Being relevant, limited, and proportionate to the purposes for which they are processed:** Data is collected only at the minimum level necessary for the service purpose; data is not collected for purposes other than the intended one.
5. **Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed:** Data is securely deleted or anonymized at the end of the required retention period.
---
## 6. PROCESSED PERSONAL DATA CATEGORIES
### 6.1. Identity Data
| Data | Description | Obligation |
|------|----------|------------|
| Name | User's name | Mandatory |
| Surname | User's surname | Mandatory |
| Gender | User's gender | Mandatory |
**Description:** Name and surname information are used in birth chart calculations, numerology analyses, and the name simulator feature. Gender information contributes to the personalization of astrological interpretations.
### 6.2. Contact Data
| Data | Description | Obligation |
|------|----------|------------|
| E-mail Address | For authentication and account management | Mandatory |
**Description:** The e-mail address is obtained solely through the Google or Facebook OAuth authentication system; it is not independently collected by TD.
### 6.3. Demographic and Birth Information
| Data | Description | Obligation |
|------|----------|------------|
| Date of Birth (Day/Month/Year) | Astrological calculations and numerology analysis | Mandatory |
| Time of Birth (Hour/Minute) | Precise birth chart calculation | Mandatory |
| Place of Birth Name | Reference for calculations | Mandatory |
| Place of Birth Coordinates (Lat/Long) | Precise planetary calculation with Swiss Ephemeris | Mandatory |
| Marital Status | For personalized analysis | Optional |
| Education Level | For personalized analysis | Optional |
| Profession | For personalized analysis | Optional |
| Working Sector | For personalized analysis | Optional |
**Description:** Date, time, and place of birth are technical necessities for calculating precise planetary and house positions via the Swiss Ephemeris astronomical calculation engine and constitute the core function of the Application. Coordinate data is used exclusively for timezone calculation and astrological analysis; users' real-time locations are never tracked.
### 6.4. Visual Data
| Data | Description | Source |
|------|----------|--------|
| Profile Photo URL | Display on the account screen | Google/Facebook OAuth |
**Description:** The profile photo is not uploaded or stored by TD; only the URL reference provided by the Google or Facebook OAuth provider is used within the Application.
### 6.5. Financial Data
| Data | Description |
|------|----------|
| Token Purchase History | Purchased package, amount, bonus token information |
| Subscription Information | Plan type (monthly/annual), start/end date |
| Token Transaction Log | Transaction type, amount, pre/post-transaction balance, timestamp |
| Total Purchase Amount | Statistical totals |
**Description:** Payment transactions are carried out over the app store infrastructure (App Store/Google Play). TD does not process or store users' credit card, debit card, or payment instrument information under any circumstances. Financial records are kept solely for token balance management and usage statistics.
### 6.6. Usage and Transaction Data
| Data | Description |
|------|----------|
| Saved Birth Charts | Up to 2 for free users, up to 10 for premium users |
| Numerology Analysis History | Calculated numerology values and analysis dates |
| Name Simulator History | Analyzed names, results, interpretations |
| Prediction History | Questions asked, category, timestamps |
| Daily Bonus Claim Date | Last bonus claim time |
| Referral Code Usage Info | Referrer/referred user pairing |
| Last Login Time | Security and account management |
| Account Creation Time | System records |
### 6.7. Derived Astrological Data
| Data | Description |
|------|----------|
| Planetary Positions | Sun sign, Moon sign, ascendant, Venus, Mars, and all planetary degrees |
| House Cusps | Positions of the 12 astrological houses |
| Aspect Data | Interplanetary aspect calculations |
| Transit Prediction Data | Active planetary transit effects |
| Numerology Numbers | Life path, soul urge, expression number, destiny number, karmic lessons |
**Description:** This data is obtained through mathematical calculation from the birth information provided by the user. It does not constitute health advice or medical diagnosis and is for personal development and entertainment purposes only.
---
## 7. PURPOSES OF PROCESSING PERSONAL DATA
TD processes the collected personal data for the following purposes:
### 7.1. Contractual Purposes
- Creation and management of the user account
- Calculation and storage of the birth chart
- Performing astrology, numerology, esma, and prediction analyses
- Executing name simulator analyses and keeping their history
- Creating lunar calendar and biorhythm recommendations
- Performing synastry (compatibility) analyses
- Managing the token balance and tracking token transactions
- Providing premium subscription services
- Generating AI-supported personalized astrological interpretations
### 7.2. Purposes Within the Scope of Legitimate Interest
- Improving service quality and troubleshooting
- Ensuring application security and preventing fraud
- Audit trail and internal control of token transactions
- Referral system management
- Conducting aggregate and anonymous statistical analyses
### 7.3. Purposes Within the Scope of Legal Obligation
- Keeping financial records in accordance with tax and accounting legislation
- Providing information and documents in line with the requests of authorized public institutions and organizations
---
## 8. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
Within the scope of Article 5 and Article 6 of KVKK, personal data is processed within the framework of the following legal grounds:
| Processing Activity | Legal Ground |
|-----------------|----------------|
| Account creation and management | KVKK Art.5/2-c — Establishment or performance of the contract |
| Birth chart calculation | KVKK Art.5/2-c — Establishment or performance of the contract |
| Numerology analysis | KVKK Art.5/2-c — Establishment or performance of the contract |
| Token management | KVKK Art.5/2-c — Establishment or performance of the contract |
| Financial records | KVKK Art.5/2-ç — Legal obligation of the data controller |
| Notification to public institutions | KVKK Art.5/2-ç — Legal obligation of the data controller |
| AI analysis services | KVKK Art.5/1 — Explicit consent |
| Personalized recommendations | KVKK Art.5/1 — Explicit consent |
| Security and fraud prevention | KVKK Art.5/2-f — Legitimate interest of the data controller |
| Service development and improvement | KVKK Art.5/2-f — Legitimate interest of the data controller |
> **Important Note:** For operations requiring explicit consent, users are informed clearly and comprehensibly during their initial registration to the Application, and their consent is obtained. Users can withdraw their explicit consent at any time.
---
## 9. SPECIAL CATEGORY PERSONAL DATA
Within the scope of Article 6 of KVKK, data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometrics and genetics are deemed special category personal data.
TD does not knowingly collect data of this nature in any area. However, we are aware of the following points:
- **Health recommendations:** The Medical Astrology and Chakra Healing features offered within the scope of the Application contain general wellness recommendations and under no circumstances constitute medical diagnosis or treatment.
- **Religious/philosophical data:** The Esma Analysis feature contains Islamic numerology calculations. This feature is optional and is activated only if actively preferred by the user. Explicit consent is obtained within the scope of Article 6/2 of KVKK for the use of this feature.
---
## 10. PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED
### 10.1. Domestic Transfer
TD does not share user personal data with any third party domestically for commercial purposes. Data may only be shared with authorized public institutions and organizations in case of legal obligation.
### 10.2. International Transfer
Within the scope of Article 9 of KVKK, personal data may be transferred abroad to the following service providers. These transfers are carried out solely for the purpose of fulfilling the technical functions of the Application, and each of the service providers in question provides data protection within the scope of binding corporate rules, standard contractual clauses, or an adequacy decision:
| Service Provider | Transferred Data | Purpose | Country/Region |
|------------------|----------------|-------|------------|
| **Google LLC (Firebase)** | User account data, birth charts, transaction history | Authentication, database services (Firestore) | USA |
| **Google LLC (OAuth)** | E-mail, display name, profile photo URL | Sign in with Google | USA |
| **Meta Platforms, Inc. (Facebook)** | E-mail, display name, profile photo URL | Sign in with Facebook | USA |
| **RevenueCat, Inc.** | | Subscription and in-app purchase management | |
| **OpenAI, LLC** | Birth chart data, analysis parameters | AI-supported astrological interpretation generation | USA |
| **Google LLC (Gemini)** | Birth chart data, analysis parameters | AI-supported interpretation generation | USA |
| **Anthropic, PBC** | Birth chart data, analysis parameters | AI-supported advanced analysis | USA |
> **Important Disclosure:** The data transmitted to artificial intelligence service providers (OpenAI, Gemini, Anthropic) is used during the analysis process; it is processed within the scope of these providers' privacy policies and terms of service. TD enables API-level opt-out options wherever possible so that these providers do not use your data to train their own models.
> To obtain detailed information regarding international transfers or to object to these transfers, you may apply to the communication channels specified in section 15.
### 10.3. Sharing with Authorized Authorities
TD may share personal data with the following authorities in the event of a legal obligation:
- Courts and judicial bodies of the Republic of Türkiye
- General Directorate of Security and law enforcement agencies
- Information and Communication Technologies Authority (BTK)
- Personal Data Protection Authority (KVKK)
- Tax offices and other financial audit bodies
---
## 11. RETENTION PERIODS OF PERSONAL DATA
TD retains personal data only for the period required by the purpose of processing and the minimum retention periods stipulated by the relevant legislation.
| Data Category | Retention Period | Basis |
|----------------|----------------|---------|
| User account data | As long as the account is active + 30 days from the account deletion request | KVKK Art.7 |
| Birth charts | Until deleted by the user or the account is closed | Contract |
| Analysis history (numerology, name, prediction) | As long as the account is active; 30 days from account deletion | Contract |
| Token transaction logs | 5 years | TPL Art.253 (commercial records) |
| Purchase records | 10 years | TCC Art.82, TPL Art.253 |
| Security logs (login/logout records) | 2 years | Law No. 5651 |
| Data within the scope of legal obligation | The period stipulated in the relevant legislation | Relevant legislation |
> When retention periods expire, personal data is securely deleted, destroyed, or anonymized.
---
## 12. SECURITY OF PERSONAL DATA
TD implements the following technical and administrative security measures within the scope of Article 12 of KVKK:
### 12.1. Technical Measures
- **Authentication:** Industry-standard OAuth 2.0 protocol (Google/Facebook); no passwords are stored
- **Database Security:** Firebase Firestore is secured with role-based access control (RBAC) for each user
- **Transmission Security:** All network communication is encrypted with TLS/HTTPS
- **API Security:** Rate limiting and input validation are applied
- **API Key Management:** Third-party service API keys are stored in environment variables on the server side; they are not exposed to client applications
- **Access Control:** Every user can only access their own data; server-side authentication is mandatory
- **Vulnerability Management:** Dependencies are updated regularly
### 12.2. Administrative Measures
- Access to personal data is restricted exclusively on a "need-to-know" basis
- Data processing activities are documented within the scope of this Policy
- Data processing agreements of third-party service providers have been reviewed
- In the event of data breach incidents, notification will be made within 72 hours pursuant to Article 12 of KVKK
### 12.3. Data Breach Notification
In the event of a breach of personal data security, TD will inform the relevant data subjects and the Personal Data Protection Authority within a reasonable time pursuant to Article 12/5 of KVKK.
---
## 13. COOKIES AND SIMILAR TRACKING TECHNOLOGIES
### 13.1. Mobile Application
The AstroKey mobile application (iOS/Android) does not use cookies. Session management is provided by Firebase Authentication via secure token mechanisms.
### 13.2. Web Application
When accessing the AstroKey web application, technical cookies may be used by Firebase for session and authentication purposes. These cookies are mandatory for the core functions of the application and are not used to track user behavior. Third-party advertising or analytical cookies are not used.
---
## 14. PERSONAL DATA OF CHILDREN
AstroKey is not designed for or marketed to **individuals under the age of 18**.
TD does not knowingly collect personal data from persons under the age of 18. If you notice that a user who you believe is under the age of 18 has registered, please contact TD via the communication channels in section 15. The said data will be immediately deleted upon verification.
---
## 15. RIGHTS OF THE DATA SUBJECT
Pursuant to Article 11 of KVKK, you have the following rights over your personal data:
| Right | Description |
|-----|----------|
| **Right to Information (Art.11/1-a)** | To learn whether your personal data is being processed |
| **Right to Access (Art.11/1-b)** | To request information if processed |
| **Learning the Purpose of Processing (Art.11/1-c)** | To learn the purpose of the processing and whether the data is used in accordance with that purpose |
| **Transfer Information (Art.11/1-ç)** | To know the third parties to whom data is transferred domestically/abroad |
| **Right to Rectification (Art.11/1-d)** | To request the correction of incomplete or inaccurately processed data |
| **Right to Deletion/Destruction (Art.11/1-e)** | To request deletion or destruction in the event that the reasons requiring its processing disappear |
| **Right to Notification (Art.11/1-f)** | To request that the correction/deletion process be notified to the third parties to whom it was transferred |
| **Right to Object (Art.11/1-g)** | To object to a result arising via automated systems |
| **Right to Claim Compensation (Art.11/1-h)** | To claim compensation for damages arising due to unlawful processing under KVKK |
### 15.1. Account and Data Deletion
If you wish to stop using the Application, you can delete your account and data through the following ways:
1. **From Within the Application:** Settings → Account → Delete My Account
2. **Request by E-mail:** Written request via the e-mail address of the data controller
Your personal data will be deleted or anonymized from our systems within 30 days of receiving the account deletion request. Only records falling under legal retention obligations (such as financial transaction records) will continue to be retained for the period stipulated in the relevant legislation.
### 15.2. Application Method
You can submit your requests within the scope of Article 11 of KVKK to TD via one of the following methods:
- **E-mail:** nilay@aldebaranakademi.com — Please include information verifying your identity in your application
- **In-App Support Form:** Settings → Help → Data Request
TD will conclude your applications free of charge within **30 (thirty) days** at the latest, in accordance with Article 13 of KVKK. If the request requires an additional cost, the tariff determined by the Personal Data Protection Board may be applied.
### 15.3. Application to the Personal Data Protection Board
If your request is rejected, if you find the response insufficient, or if you do not receive a response within the prescribed time, you have the right to file a complaint with the **Personal Data Protection Board** (KVKK) pursuant to Article 14 of KVKK.
**Personal Data Protection Authority (KVKK)**
Address: Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No:4 06520 Balgat, Ankara
Tel: 0 (312) 216 50 50
Web: www.kvkk.gov.tr
---
## 16. EXPLICIT CONSENT AND ITS WITHDRAWAL
For transactions requiring your explicit consent, your approval is obtained during initial registration and when you use the relevant feature. You can withdraw your explicit consent via the following methods:
- In-app Settings → Privacy → Consent Management
- Written notification via TD's communication channels
Withdrawing your explicit consent does not affect the legal validity of the transactions carried out based on your consent in the period prior to the withdrawal. However, the data processing activities in question will be stopped after the consent is withdrawn. Since the use of some features necessitates the processing of the relevant data due to the nature of the transaction, the withdrawal of consent may lead to the inability to use these features.
---
## 17. DATABASE AND DATA STORAGE INFRASTRUCTURE
Your personal data is stored in the **Firebase Firestore** NoSQL database operated by Google LLC. Firebase services are subject to Google's Privacy Policy and Firebase Privacy and Security documents, and these documents are shared with the public on Google's official website.
Firebase data centers are located in Europe and the USA, and data can be processed in these regions. Google LLC is certified under the EU-U.S. Data Privacy Framework.
---
## 18. SPECIAL PROVISIONS REGARDING ARTIFICIAL INTELLIGENCE SERVICES
The Application utilizes multiple artificial intelligence service providers (OpenAI, Google Gemini, Anthropic) to generate personalized interpretations.
### 18.1. Data Transmitted to Artificial Intelligence Services
The data transmitted to AI APIs consists of the date, time, and place of birth and the resulting astrological calculations. These services do not receive direct identifiers such as name and e-mail.
### 18.2. User's Rights
You have the right to choose not to use artificial intelligence analyses; this choice does not affect the basic calculation features of the Application. Contact TD to object to the data transfer intended for AI services.
### 18.3. Limitations of Artificial Intelligence Decisions
Interpretations generated by artificial intelligence are for entertainment and personal development purposes; they do not constitute medical, legal, or financial advice. Automated decision-making processes do not produce results that affect the user's life in legal or similarly significant ways.
---
## 19. IN-APP PURCHASE AND SUBSCRIPTION NOTICE
Token packages and premium subscriptions are purchased over the Apple App Store (iOS) or Google Play Store (Android) infrastructure, depending on the user's platform.
**Within the scope of these services:**
- Payment processing information is managed directly by Apple or Google
- TD does not process or store credit card, debit card, or payment instrument information
- Purchase cancellation and refund requests are carried out via the relevant store within the scope of App Store/Google Play policies
---
## 20. POLICY CHANGES
TD may update this Policy from time to time. Changes are notified to users via the following ways:
- In-app notification
- Uploading the updated policy text to the Application
In the event of significant changes, new explicit consent will be obtained when necessary. Continuing to use the Application after the effective date of the change means that you accept the updated Policy.
---
## 21. APPLICABLE LAW AND COMPETENT COURT
The **laws of the Republic of Türkiye** apply to disputes arising from this Policy. For disputes that cannot be resolved between the Parties, the courts and enforcement offices in the data controller's place of residence have jurisdiction.
---
## 22. SUMMARY OF REFERENCE PROVISIONS
The main legal provisions referred to in the preparation of this Policy are summarized below:
| Provision | Content |
|-------|--------|
| **Constitution of the Rep. of Türkiye Art.20/3** | Fundamental right to protection of personal data |
| **KVKK Art.3** | Definitions |
| **KVKK Art.4** | General principles |
| **KVKK Art.5** | Conditions for processing personal data |
| **KVKK Art.6** | Conditions for processing special category personal data |
| **KVKK Art.7** | Deletion, destruction, or anonymization of personal data |
| **KVKK Art.9** | Transfer of personal data abroad |
| **KVKK Art.10** | Obligation to inform |
| **KVKK Art.11** | Rights of the data subject |
| **KVKK Art.12** | Obligations regarding data security |
| **KVKK Art.13** | Application procedure |
| **KVKK Art.14** | Complaint to the Board |
| **TPL Art.253** | Retention periods for books and documents (5-10 years) |
| **TCC Art.82** | Retention of commercial books and documents |
| **Law No. 5651** | Provisions regarding the internet environment |
---
## 23. ENTRY INTO FORCE
This Policy entered into force on **23.02.2026**.
---
*This policy has been prepared by **Turan Dinç (TD)** for the users of the AstroKey application within the framework of relevant legislation, primarily the Constitution of the Republic of Türkiye and the Personal Data Protection Law No. 6698.*
*Version: 1.1 | Effective Date: 23.02.2026 | Last Update: 08.03.2026*
