Privacy Policy
Last updated: March 27, 2026 · Effective: March 27, 2026
Refairly ("we," "us," or "our") is an AI-assisted mediation platform operated by Ali Onur Can Irey, an individual developer based in Turkey. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Refairly mobile application and related services (collectively, the "Service").
This Privacy Policy is a transparency notice, not a contract. Your use of the Service is governed by our separate Terms of Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy. The Service is available only to users aged 18 and older.
Not for Emergencies: Refairly is not an emergency service, crisis hotline, law-enforcement tool, or substitute for professional legal, medical, mental-health, or therapeutic assistance. If you or someone else is in immediate danger, contact local emergency services. If a dispute involves threats, domestic violence, child safety concerns, stalking, coercion, or criminal allegations, you should seek qualified professional help immediately.
1. Data Controller
Ali Onur Can Irey
Email: aoci@refairly.app
Website: https://refairly.app
For the purposes of GDPR (EU), KVKK (Turkey), and other applicable data protection laws, Ali Onur Can Irey is the data controller responsible for your personal data.
2. Data We Collect
2.1 Account Information
| Data | Required | Purpose |
|---|---|---|
| First name, last name | Yes | Profile identity, display to other parties |
| Email address | Yes | Authentication, transactional emails |
| Password (hashed) | Yes* | Authentication (* not required for social sign-in) |
| Date of birth | No | Age verification |
| Country, city, timezone | No | Localization (manually entered, not GPS-tracked) |
| Profile picture | No | Profile display (size-limited, stored on cloud infrastructure with server-side encryption) |
| Bio | No | Profile description |
2.2 Mediation Content
When you participate in a mediation, we collect:
- Conflict details: topic, type, desired outcome, deadline
- Perspectives: your account of what happened, how it affected you, what you need, and what you consider fair (structured text fields with length limits)
- Evidence URLs: links to files you upload to support your perspective
- Discussion messages: real-time chat messages between parties
- Option selections, objections, and comments: your responses to AI-generated solution proposals
- Agreement text and digital signatures: the final agreed solution and your signature timestamp
2.3 Sensitive & Special-Category Data
Refairly is a mediation platform for interpersonal conflicts. Because of the nature of conflict resolution, users may foreseeably include content touching on health, family matters, religious views, political opinions, sexual orientation, biometric or criminal-allegation-related matters, or other information that may constitute special-category data under GDPR Article 9 or sensitive personal data under KVKK Article 6.
Our position:
- Our structured perspective fields are designed to minimize the collection of sensitive data and to elicit only factual accounts, impact, needs, and proposed outcomes.
- Because sensitive data may nonetheless be included in dispute narratives, we present a separate, explicit acknowledgment step before each perspective submission.
- Where sensitive data is included in your submission, we process it solely to: (a) provide the mediation service; (b) maintain the integrity and safety of the Service; and (c) comply with legal obligations or defend legal claims where necessary.
- You must not include sensitive data about another person unless doing so is strictly necessary to describe the dispute and you have a lawful basis to disclose it.
- We may restrict, redact, remove, or decline to process submissions that contain obviously excessive, gratuitous, unlawful, or harassing sensitive data.
- We do not use sensitive data for advertising, profiling, behavioral marketing, or model training.
- Sensitive mediation content is encrypted at rest and subject to the retention, purge, deletion, and legal-hold rules described in this Privacy Policy.
- If you withdraw your explicit consent for sensitive-data processing (by contacting aoci@refairly.app), we may be unable to continue processing the affected mediation content.
- We strongly advise you to include only information directly relevant to the dispute.
2.4 Technical & Device Data
- Device token: for push notifications, stored server-side
- Platform: iOS or Android
- IP address: logged by our web server for security, rate limiting, and abuse prevention
- Authentication tokens: access tokens stored on your device using platform-secure storage; refresh tokens stored server-side
- Password reset codes: temporarily stored with short-lived expiry
- Notification data: notification history, preferences, and quiet hours settings
- Audit metadata: timestamps and user identifiers recorded for security auditing
2.5 Invitation Data
When you invite someone to a mediation room, we store the invitation details:
- Invited non-users: email address or phone number stored until they accept, decline, or the invitation expires
- Invitation metadata: method, status, timestamps
The invitation includes a link to this Privacy Policy so non-users are informed. Non-users' contact information is used solely to deliver the invitation and is deleted when the invitation expires, the room is deleted, or the inviting user's account is deleted.
Legal basis: legitimate interest of the inviting party (GDPR Article 6(1)(f)).
2.6 Transaction Data
- Subscription status: current tier, start/expiry dates
- Purchase transaction IDs: app store receipt identifiers
- Token usage: AI token consumption records
We do not collect or store credit card numbers, bank details, or payment credentials. All payments are processed by Apple or Google.
2.7 Data We Do Not Intend to Collect
We do not intentionally collect: phone numbers of account holders (unless voluntarily provided), GPS or precise location data, contacts or address book, browsing history outside the Service, data from other apps, or payment card details.
3. Legal Bases for Processing
| Processing Activity | Legal Basis (GDPR) | Notes |
|---|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) | Necessary to provide the Service |
| Mediation service | Performance of contract (Art. 6(1)(b)) | Core service delivery |
| AI-powered conflict analysis | Performance of contract (Art. 6(1)(b)) | Includes cross-border transfer to AI providers |
| Special-category data in perspectives | Explicit consent (Art. 9(2)(a)) | Collected via dedicated acknowledgment step |
| Sharing data between mediation parties | Performance of contract (Art. 6(1)(b)) | Core feature |
| Transactional emails | Performance of contract (Art. 6(1)(b)) | Necessary for account security |
| Push notifications | Consent (Art. 6(1)(a)) | Requires device-level opt-in |
| In-app purchase verification | Performance of contract (Art. 6(1)(b)) | Verifying purchases with Apple/Google |
| Sending invitations to non-users | Legitimate interest (Art. 6(1)(f)) | Invitee notified via email |
| Rate limiting, fraud prevention | Legitimate interest (Art. 6(1)(f)) | Security and platform integrity |
| Analytics | Legitimate interest (Art. 6(1)(f)) | Service improvement; opt-out available |
| Crash reporting | Legitimate interest (Art. 6(1)(f)) | Bug diagnosis |
| Defense of legal claims | Legitimate interest (Art. 6(1)(f)) | Retention of relevant records |
KVKK (Turkey): Under KVKK Article 5, processing is based on: necessity for performing a contract, legitimate interests (provided fundamental rights are not harmed), and explicit consent for sensitive personal data under Article 6.
We do not sell your personal data.
4. AI Processing & Automated Decisions
4.1 How AI Is Used
Refairly uses third-party AI providers to analyze conflicts and generate solution proposals. Your mediation content is processed using Refairly systems and third-party AI provider infrastructure. The AI output is stored and shown to all parties in the mediation.
4.2 AI Providers
The specific AI providers are listed in the sub-processor table in Section 5.2. The provider or model may vary by plan, feature, availability, platform, or jurisdiction.
4.3 Automated Decision-Making & Your Rights
AI generates fairness scores and solution proposals. These are algorithmic estimates, not binding decisions. No fully automated decision with legal or similarly significant effects is made without human involvement. Under GDPR Article 22 and KVKK Article 11(g), you have the right to:
- Object to outcomes produced solely by automated processing
- Request human review by contacting aoci@refairly.app
- Report harmful, biased, or incorrect AI outputs
4.4 AI Disclaimers
AI-generated mediation analysis is not legal advice. Refairly is not a law firm, licensed mediation service, or arbitration body. AI may contain errors, biases, or inappropriate content. Always use your own judgment.
5. Data Sharing & Third-Party Services
5.1 Data Shared Between Mediation Parties
By joining a mediation room, you acknowledge that the following data is shared with all other parties:
- Your first name and last name
- AI-generated analysis (which may quote or paraphrase your perspective)
- Your option selections, objections, comments, and agreement signatures
- Chat messages you send in the discussion
5.2 Sub-Processors
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Hosting, database, file storage, SMS | Amazon Web Services (AWS) | EU (Frankfurt) | Infrastructure |
| AI analysis | Anthropic | United States | Conflict analysis |
| AI analysis | Google Gemini API | United States | Conflict analysis |
| Email delivery | Resend | United States | Transactional emails |
| Analytics | Google Firebase Analytics | United States | Usage statistics |
| Crash reporting | Google Firebase Crashlytics | United States | Crash diagnostics |
| Push (Android) | Firebase Cloud Messaging | United States | Push notifications |
| Push (iOS) | Apple APNs | United States | Push notifications |
| Social sign-in | Google OAuth / Apple Sign-In | United States | Authentication |
| Paywall | Superwall | United States | Subscription flow |
6. Cross-Border Data Transfers
Our primary infrastructure is in the European Union. Certain data is transferred to the United States for processing by sub-processors.
6.1 EU/EEA Users
Transfers rely on: Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework, or the provider's own adequacy mechanism.
6.2 Turkey (KVKK)
For users subject to KVKK, storage in the EU and transfers outside Turkey constitute transfers abroad under KVKK Article 9. We use transfer mechanisms recognized under applicable Turkish law.
6.3 UK Users
Transfers are governed by the UK GDPR and the IDTA or UK Addendum to EU SCCs.
7. Data Security
We use reasonable technical and organizational measures to protect your personal data, including:
- Encryption of data in transit and at rest
- Secure storage of authentication credentials and uploaded files
- Password hashing using industry-standard algorithms
- Rate limiting and abuse prevention controls
- Access controls restricting production system access
- Secure management of credentials and API keys
8. Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| Active account data | While account is active | Deleted or anonymized on account deletion |
| Perspectives & messages | Until user leaves room or account deletion | Per-user purge when leaving a room |
| AI analyses & options | While room exists | Remain available with notice when source data is purged |
| AI usage logs | Up to ~90 days | Rolling deletion for quality assurance |
| Agreements & signatures | While room exists or account is active | Metadata may be retained for legal claims defense |
| Invitation records | Until expiry, room or account deletion | Non-user contact info deleted with invitation |
| Soft-deleted account data | ~30 days | Grace period for restoration, then permanent deletion |
| Server logs | Reasonable period | Rotated on a rolling basis |
| Billing/transaction records | As required by law | Tax and legal compliance |
8.1 Multi-Party Retention & Per-User Purge
Mediation rooms involve multiple parties. When you leave a room, your personal data is purged from that mediation. Other parties' data is not affected. When you delete your entire account, your identity is anonymized across all rooms.
9. Your Rights
Under GDPR, KVKK, and other applicable laws, you have the following rights. Contact aoci@refairly.app to exercise them. We aim to respond within 30 days.
9.1 Right to Access & Data Portability
You can request a copy of your personal data in a structured, machine-readable format.
9.2 Right to Erasure
Option A — Leave a mediation room: purges only your content from that mediation.
Option B — Delete entire account: available through the app, at refairly.app/delete-account, or by email. ~30-day grace period, then permanent deletion.
9.3 Right to Temporarily Suspend
You can deactivate your account without deleting it. Reactivate by logging back in.
9.4 Right to Rectification
You can update your profile information at any time.
9.5 Right to Object & Restrict Processing
- Push notifications: revoke through device settings
- Analytics: opt out through app settings or by contacting us
- Legitimate interest processing: contact us to object
9.7 Right to Lodge a Complaint
- Turkey: KVKK — www.kvkk.gov.tr
- EU/EEA: your local Data Protection Authority
- UK: ICO — ico.org.uk
10. Children's Privacy
Refairly is intended only for users aged 18 and older. We do not knowingly permit minors to use the Service. If you believe a minor has created an account, contact aoci@refairly.app.
11. Cookies & Tracking
The Refairly mobile app does not use browser cookies. The app may include third-party SDKs for analytics, crash reporting, and subscription flow. The website may use essential cookies for session management only — no advertising trackers or retargeting pixels.
12. Subscriptions & Payments
All payments are processed through Apple App Store or Google Play. We do not process payments directly. For refund requests, contact Apple or Google.
13. Data Breach Notification
GDPR: We will notify the relevant authority within 72 hours and affected users without undue delay if the breach is high risk.
KVKK: We will notify the KVKK Board and affected data subjects as soon as possible.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We aim to notify you of material changes through in-app notification, email, or updating the date at the top of this page.
15. Contact Us
Ali Onur Can Irey
Data Controller & Developer of Refairly
Email: aoci@refairly.app
Website: https://refairly.app
For privacy inquiries, data access requests, erasure requests, or complaints, please email us. We aim to respond within 30 calendar days.