Privacy policy

April 17, 2026

1. Introduction

ProjectMystic ("app", "we", "us", "our") is developed and operated by a company incorporated in Turkey. The company's legal name and registration details will be added to this document before store submission. We act as data controller for the personal data described in this policy.

This Privacy Policy explains what personal data we collect when you use the app or our marketing website, how we use it, who we share it with, and what rights you have. This policy is effective as of April 17, 2026.

We process your data in compliance with Turkey's Personal Data Protection Law (KVKK No. 6698), the EU General Data Protection Regulation (GDPR — applicable to EU and EEA users), and the UAE Personal Data Protection Law (PDPL — applicable to UAE users). Where these laws overlap, we apply the standard that offers you the greatest protection.

Continuing to use the app means you have read this policy and understood its contents. If you do not accept this policy, please stop using the app. You may request deletion of your data at any time.

Questions and requests can be sent to the contact address in Section 10.

2. Data we collect

Account data: When you sign up with Apple, Google, or email, we receive your email address and the basic profile information passed by the authentication provider. Sign-in is handled by Supabase Auth: with Apple or Google sign-in we receive only the provider's identity token, and with email sign-up your password is handled solely by Supabase Auth, which stores a salted hash of it. Our own application code never receives, logs, or stores a plaintext password.

Reading profile data: To generate personalised readings, we optionally collect your display name, date of birth, time of birth, place of birth, mother's name (for the Yıldızname and Abjad modules), and zodiac sign. None of this is mandatory; the more context you provide, the more personalised your readings become.

Media data: In the coffee-cup reading module, you upload three photographs of your cup — top, side profile, and saucer. In the palm-reading module, we capture an image of your palm. These images are used for AI inference and are not retained in our systems after the session completes; they exist only transiently during processing.

Voice and transcript data: In the dream-interpretation module, we convert your spoken narrative to text. The audio file itself is deleted after the session; the resulting transcript is stored alongside the reading record for as long as your account remains active.

Usage and device data: We record which modules you use, your daily streak count, token balance, and last-active timestamp. Technical data such as device type, OS version, and app version may be collected for error diagnostics.

Payment identifiers: All purchases are processed exclusively through Apple App Store and Google Play Billing. We never see, hold, or process your raw payment card details. Via RevenueCat, our subscription management platform, we receive only a transaction ID and subscription status.

3. How we use it

Providing the service: We process your data to generate readings, manage your token balance, and verify account access. This processing is necessary for the performance of our contract with you (GDPR Art. 6(1)(b); KVKK Art. 5(2)(c)).

Personalisation: We use profile data — birth date, zodiac sign, mother's name — to tailor readings specifically to you. For this purpose we rely on your explicit consent (GDPR Art. 6(1)(a); KVKK Art. 5(1)), which you may withdraw at any time.

Security and fraud prevention: We process account-access history and technical log data to detect and prevent unauthorised access. This is based on our legitimate interests (GDPR Art. 6(1)(f)) and directly protects you.

Legal obligations: Where required by tax, accounting, or other applicable law, we process data on a legal-compliance basis (GDPR Art. 6(1)(c); KVKK Art. 5(2)(a)). See Section 6 for retention durations.

Service improvement: We analyse aggregated, anonymised usage statistics to improve the product. No individually identifying data is used in this process.

Special sensitivity of voice data: Voice recordings and transcripts from dream narrations may contain sensitive personal content. We use this data solely to generate your reading and never process it for advertising, profiling, or any secondary purpose.

4. Third parties

Supabase: We use Supabase Inc. (US-headquartered; EU-region servers) for database and authentication infrastructure. All account, profile, and reading data is hosted on Supabase infrastructure. Supabase operates under a GDPR-compliant data processing agreement.

RevenueCat: We use RevenueCat Inc. (US) for subscription and token purchase management. The only data shared with RevenueCat is a transaction ID, subscription status, and a pseudonymous app user identifier (not your email address or name, although we can link it to your account on our side in order to credit your purchases). Payment card data never reaches RevenueCat or our systems; it is processed solely by Apple and Google.

Apple and Google: All in-app purchases are processed through Apple App Store and Google Play Billing. These platforms process payment data under their own privacy policies; we have no direct access to this data.

OpenAI: We use the OpenAI, L.L.C. (US) API (including GPT-4o and related models) to generate AI-powered readings in certain modules, such as tarot and dream interpretation. Each request to OpenAI contains only the context needed for that reading: the input being interpreted (for example a dream transcript) and, where you have chosen to share them for personalisation, profile fields such as your date of birth or zodiac sign. Your email address, account identifier, and payment data are never included in these requests.

Anthropic: We use the Anthropic, PBC (US) API — including Claude models — to generate readings in certain modules. The same data-minimisation principle applied to OpenAI requests applies here.

fal.ai: We use fal.ai (US) infrastructure for AI-generated visual outputs, including the speculative face-ageing image in the palm-reading module and coffee-ground image analysis. Uploaded images exist on fal.ai systems only for the duration of the processing job and are deleted upon completion.

All third parties listed above act as data processors: they process personal data only within the contractual limits we set and are not permitted to use your data for their own independent purposes.

5. International transfers

If you use the app from outside Turkey, your data may be transferred to Turkey and/or Supabase's EU-based servers. For EU/EEA users, transfers to third countries are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or by applicable adequacy decisions.

API calls to AI service providers — OpenAI, Anthropic, and fal.ai — are processed in the United States. These transfers are covered by SCCs or other applicable safeguards for cross-border data flows from the EU and other jurisdictions.

For UAE users, transfers are handled in accordance with PDPL cross-border data transfer requirements. Where an adequacy determination does not exist, we rely on SCCs or explicit consent as the transfer mechanism.

By using the app, you acknowledge the international transfers described above under the applicable legal framework in effect at the time. You may withdraw this acknowledgement by deleting your account or writing to us.

6. Retention and deletion

Images uploaded for the coffee-cup and palm-reading modules are permanently deleted after the session ends. These images are not linked to your reading record or profile and are not archived. Voice recordings from the dream module are similarly deleted immediately after processing; the generated transcript is retained with the reading record for as long as your account is active.

Reading records — including AI-generated narrative text — are retained until you delete your account. Upon account deletion, all reading history is permanently destroyed within 30 days, reflecting our mandatory backup-rotation cycle.

Profile data (birth information, zodiac sign, mother's name) is retained for the lifetime of your account. You can request deletion of this data as part of an account deletion request.

Token transaction records are retained for 10 years under Turkish commercial and tax record-keeping rules (Turkish Commercial Code and Tax Procedure Law) and for 7 years under standard EU commercial-record-keeping practice. These records are held solely to fulfil legal obligations and are not used for any other purpose.

You can delete your account from the profile settings screen within the app or by emailing us. Deletion removes all personal data from our systems except the minimum data we are legally required to retain.

7. Your rights

Users in Turkey have rights under KVKK Art. 11; EU/EEA users have rights under GDPR Arts. 15–22; UAE users have rights under the PDPL. The majority of these rights apply to all our users.

Right of access: You may request a copy of the personal data we hold about you. We will respond within 30 days in a readable format.

Right to rectification: You may ask us to correct inaccurate or incomplete data. Most profile fields can be corrected directly in the app's settings screen.

Right to erasure: You may request deletion of your personal data ("right to be forgotten"). We will delete all data except that which we are legally required to retain.

Right to restriction: Under certain conditions you may ask us to restrict the processing of your data. During the review period we will not process your data for other purposes.

Right to portability: You may request that data processed on the basis of contract or consent be provided to you in a structured, machine-readable format.

Right to object: You may object to processing based on our legitimate interests. Your right to object to direct-marketing processing is unconditional.

Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

To exercise any right, email the contact address in Section 10. Turkey users may also lodge a complaint with the Personal Data Protection Authority (KVKK Board); EU/EEA users may contact their national data protection authority; UAE users may contact the UAE PDPL authority.

8. Security

All data is protected in transit using TLS 1.2 or higher. Data stored on Supabase infrastructure is encrypted at rest using AES-256. Postgres Row Level Security (RLS) policies enforce, at the database layer rather than only in application code, that each authenticated user can read and write only the rows belonging to their own account.
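The row-level isolation described above, shown as an added example that is not the project's own schema or policy set: a Supabase Postgres table protected by RLS policies tied to auth.uid(), which Supabase derives from the caller's JWT. The table name readings, its columns, and the constructed sample user ID are assumptions made for illustration.

```sql
-- Added example, not the project's own schema. Table and column names are assumptions.
-- auth.uid() is Supabase's helper that returns the "sub" claim of the caller's JWT
-- (NULL for unauthenticated requests).
create table if not exists public.readings (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade, -- account deletion removes readings
  module     text not null,          -- e.g. 'tarot', 'dream'
  transcript text,                   -- dream-module transcript, if any
  narrative  text,                   -- AI-generated reading text
  created_at timestamptz not null default now()
);

-- Without RLS, any client holding the public anon key could query every row through the API.
alter table public.readings enable row level security;

-- Read: a user sees only rows whose user_id matches the JWT subject.
create policy "readings_select_own" on public.readings
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Write: a user may only insert rows for themselves; spoofing another user_id is rejected.
create policy "readings_insert_own" on public.readings
  for insert to authenticated
  with check (user_id = (select auth.uid()));

-- Delete: a user may remove only their own readings (the in-app "delete account" path).
create policy "readings_delete_own" on public.readings
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- No update policy: a reading is immutable once generated.
-- No policy for the anon role at all: unauthenticated requests see and change nothing.
-- Note: Supabase's service_role key bypasses RLS, so it must stay server-side only.

-- Self-check, run inside a transaction so nothing persists. Simulates a logged-in user
-- by setting the role and JWT claims the API gateway would set.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true); -- constructed user ID

-- Allowed: inserting a row for the caller's own user_id.
insert into public.readings (user_id, module, narrative)
values ('00000000-0000-0000-0000-000000000001', 'tarot', 'constructed sample reading');

-- Expected to fail with "new row violates row-level security policy":
-- insert into public.readings (user_id, module, narrative)
-- values ('00000000-0000-0000-0000-000000000002', 'tarot', 'spoofed');

-- Must return 0: rows belonging to other users are invisible even without a WHERE clause.
select count(*) as foreign_rows_visible
from public.readings
where user_id <> (select auth.uid());
rollback;
```

The `(select auth.uid())` form lets Postgres evaluate the function once per statement instead of once per row, which matters on large tables; the security behaviour is identical to a bare `auth.uid()`.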

The secret API keys for the AI providers exist only on the server side; the mobile app never contains or receives them. The app calls our server-side edge functions, and those functions make the authenticated requests to OpenAI, Anthropic, and fal.ai on the user's behalf, so a compromised or reverse-engineered app build cannot leak the keys.

If we become aware of a security breach that affects your personal data, we will notify the relevant authorities within the timeframes required by applicable law (72 hours under GDPR Art. 33; KVKK Art. 12 requires notification "as soon as possible", which the KVKK Board has set at 72 hours) and will inform you as well.

Our security measures provide reasonable protection against known threats. No internet-connected system can be guaranteed to be 100% secure. We recommend using a strong, unique password and not sharing your account credentials with anyone.

9. Children

The app is directed to users aged 16 and above by default. Under GDPR, the age of consent for data processing is 16 in the EU/EEA; in Turkey, users under 18 require parental or legal guardian consent. Some jurisdictions may set a lower minimum age, but our default policy is 16+.

Paid features — VIP subscription and token purchases — are available only to users aged 18 and above.

Children under the age of 13 should not register for our app. If we learn that an account belongs to a child under 13, we will delete the account and all associated data immediately. Please notify us at the contact address below if you are aware of such a case.

10. Changes and contact

We will notify you of material changes to this Privacy Policy at least 14 days before they take effect, via in-app notification or email. Minor editorial corrections will be reflected only through an updated "Last updated" date on this page.

The current version of this policy is always accessible via the link in the footer of our marketing website.

Data controller: ProjectMystic (company legal name, registered address, and tax identification number will be added before store submission). For all privacy enquiries, rights requests, or complaints: privacy@projectmystic.app. We aim to respond to requests within 30 calendar days.