Skip to content

Privacy Policy

Last updated: April 29, 2026 · Effective: April 29, 2026

Refairly ("we," "us," or "our") is an AI-assisted mediation platform operated by Ali Onur Can Irey, an individual developer based in Turkey. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Refairly mobile application and related services (collectively, the "Service").

This Privacy Policy is a transparency notice, not a contract. Your use of the Service is governed by our separate Terms of Service. By using the Service, you acknowledge that you have read and understood this Privacy Policy. The Service is available only to users aged 18 and older.

Not for Emergencies: Refairly is not an emergency service, crisis hotline, law-enforcement tool, or substitute for professional legal, medical, mental-health, or therapeutic assistance. If you or someone else is in immediate danger, contact local emergency services. If a dispute involves threats, domestic violence, child safety concerns, stalking, coercion, or criminal allegations, you should seek qualified professional help immediately.

1. Data Controller

Ali Onur Can Irey
Email: aoci@refairly.app
Website: https://refairly.app

For the purposes of GDPR (EU), KVKK (Turkey), and other applicable data protection laws, Ali Onur Can Irey is the data controller responsible for your personal data.

2. Data We Collect

2.1 Account Information

DataRequiredPurpose
First name, last nameYesProfile identity, display to other parties
Email addressYesAuthentication, transactional emails
Password (hashed)Yes*Authentication (* not required for social sign-in)
Date of birthNoAge verification
Country, city, timezoneNoLocalization. You can enter these manually or use the optional one-time "Auto-detect" feature during onboarding, which uses your device's location services once to fill in your city and country (see Section 2.8). Only the resulting city and country names are saved to your profile — not your coordinates.
Profile pictureNoProfile display (size-limited, stored on cloud infrastructure with server-side encryption)
BioNoProfile description

2.2 Mediation Content

When you participate in a mediation, we collect:

  • Conflict details: topic, type, desired outcome, deadline
  • Perspectives: your account of what happened, how it affected you, what you need, and what you consider fair (structured text fields with length limits)
  • Evidence URLs: links to files you upload to support your perspective
  • Discussion messages: real-time chat messages between parties
  • Option selections, objections, and comments: your responses to AI-generated solution proposals
  • Agreement text and digital signatures: the final agreed solution and your signature timestamp

2.3 Sensitive & Special-Category Data

Refairly is a mediation platform for interpersonal conflicts. Because of the nature of conflict resolution, users may foreseeably include content touching on health, family matters, religious views, political opinions, sexual orientation, biometric or criminal-allegation-related matters, or other information that may constitute special-category data under GDPR Article 9 or sensitive personal data under KVKK Article 6.

Our position:

  • Our structured perspective fields are designed to minimize the collection of sensitive data and to elicit only factual accounts, impact, needs, and proposed outcomes.
  • Because sensitive data may nonetheless be included in dispute narratives, we present a separate, explicit acknowledgment step before each perspective submission. That acknowledgment informs you that any sensitive data you choose to include may be processed by Refairly, may be analyzed by AI, and may be reflected in summarized form to the other parties in the mediation.
  • Where sensitive data is included in your submission, we process it solely to: (a) provide the mediation service requested by the parties; (b) maintain the integrity and safety of the Service; and (c) comply with legal obligations or defend legal claims where necessary.
  • You must not include sensitive data about another person unless doing so is strictly necessary to describe the dispute and you have a lawful basis to disclose it. You remain responsible for the legality of any third-party sensitive data you choose to submit.
  • We may restrict, redact, remove, or decline to process submissions that contain obviously excessive, gratuitous, unlawful, or harassing sensitive data, especially where such content appears unnecessary to the dispute or is used to intimidate, shame, defame, or expose another person.
  • We do not use sensitive data for advertising, profiling, behavioral marketing, or model training. Sensitive data is used only for delivering the mediation workflow, safety review, abuse prevention, and related legal or compliance purposes where applicable.
  • Sensitive mediation content is encrypted at rest and subject to the retention, purge, deletion, and legal-hold rules described in this Privacy Policy.
  • If you withdraw your explicit consent for sensitive-data processing (by contacting aoci@refairly.app), we may be unable to continue processing the affected mediation content or providing certain features of the Service. Withdrawal does not affect processing already carried out before withdrawal, nor any retention required by law or reasonably necessary for the establishment, exercise, or defense of legal claims.
  • We strongly advise you to include only information directly relevant to the dispute. Do not submit government ID numbers, financial account numbers, passwords, access credentials, or detailed medical records unless strictly required by law and clearly necessary.

2.4 Technical & Device Data

  • Device token: for push notifications, stored server-side
  • Platform: iOS or Android
  • IP address: logged by our web server for security, rate limiting, and abuse prevention
  • Authentication tokens: access tokens are stored on your device using platform-secure storage; refresh tokens are stored server-side to enable session management
  • Password reset codes: temporarily stored on-device and server-side with short-lived expiry
  • Notification data: notification history (type, title, body, read/unread status, timestamps), notification preferences (per-type toggles for push, email, and SMS), and quiet hours settings
  • Audit metadata: timestamps (created, updated) and user identifiers are recorded on data entities for security auditing

2.5 Invitation Data

When you invite someone to a mediation room, we store the invitation details:

  • Invited non-users: if the invitee does not have a Refairly account, their email address or phone number (depending on the invitation method) is stored until they accept, decline, or the invitation expires
  • Invitation metadata: method (email, SMS, username, code, link), status, timestamps

The invitation email or SMS includes a link to this Privacy Policy so that non-users are informed of how their data is processed. Non-users' contact information (email address or phone number) is used solely to deliver the invitation and is deleted when the invitation expires, the room is deleted, or the inviting user's account is deleted.

Legal basis for non-user invitations: legitimate interest of the inviting party to involve the other party in mediation (GDPR Article 6(1)(f)). The inviting user represents that they have a legitimate reason to contact the invitee.

Invitee protections:

  • We limit invitations to prevent repeated contact with the same person for the same mediation.
  • Any non-user who receives an invitation may reply to the invitation email or contact aoci@refairly.app to request suppression of further invitations. We aim to honor such requests promptly and block further invitations to that contact address.
  • Misuse of the invitation feature to harass, intimidate, or repeatedly contact an unwilling person is a violation of our Terms of Service and may result in account suspension.

2.6 Transaction Data

  • Subscription status: current tier, start/expiry dates
  • Purchase transaction IDs: app store receipt identifiers
  • Token usage: AI token consumption records

We do not collect or store credit card numbers, bank details, or payment credentials. All payments are processed by Apple or Google.

2.7 Data We Do Not Intend to Collect

We do not intentionally collect:

  • Phone numbers of account holders (unless voluntarily provided in profile or when needed for an optional SMS-based feature you choose to enable). Note: if you invite a non-user to a mediation room via SMS, we store the invitee's phone number solely to deliver that invitation; see Section 2.5 (Invitation Data) for retention details.
  • Continuous or background location data. We do not track your location. The optional "Auto-detect" feature in onboarding reads your device location once, on demand, only if you opt in — see Section 2.8.
  • Contacts or address book
  • Browsing history outside the Service
  • Data from other apps on your device
  • Payment card details (payments are handled by Apple or Google)

If such information is provided to us incidentally, we process it only as necessary to operate the Service, protect users, or comply with law.

2.8 Device Permissions

The Refairly app may request the following device-level permissions. Each permission is requested in context, requires your explicit consent, and can be denied or revoked at any time through your device settings. None of these permissions enable background data collection or tracking.

Camera

We access your device camera only when you choose to take a profile photo. Camera access requires your explicit permission and is used solely for capturing a profile picture. The captured image is uploaded to our servers and processed as described in Section 2.1 (profile picture). We do not access the camera at any other time, do not record video, and do not store raw camera output on your device beyond what your operating system retains for the duration of the capture flow.

Location (one-time, optional)

During profile setup you may optionally use the "Auto-detect" feature to fill in your city and country. If you opt in, the app reads your device's location once at the moment you tap the button and uses reverse geocoding to determine your approximate city and country. We do not store your coordinates, do not track your location over time, and do not read your location in the background. Only the resulting city and country names are saved to your profile (see Section 2.1). Location access requires your explicit permission and the entire feature can be skipped — you can simply type your city and country manually with no impact on the Service.

3. Legal Bases for Processing

We process your data under the following legal bases. Where we serve users in different jurisdictions, the applicable basis may vary.

Processing ActivityLegal Basis (GDPR)Notes
Account creation and authenticationPerformance of contract (Art. 6(1)(b))Necessary to provide the Service
Mediation service (perspectives, analysis, chat, agreements)Performance of contract (Art. 6(1)(b))Core service delivery
AI-powered conflict analysisPerformance of contract (Art. 6(1)(b))Includes cross-border transfer to AI providers
Processing of special-category data in perspectivesExplicit consent (Art. 9(2)(a))Collected via a dedicated acknowledgment step before each perspective submission, separate from general terms acceptance. Consent may be withdrawn; see Section 2.3.
Sharing data between mediation partiesPerformance of contract (Art. 6(1)(b))Core feature; users are informed before joining a room
Transactional emails (confirmations, password resets)Performance of contract (Art. 6(1)(b))Necessary for account security
Push notifications about mediation progressConsent (Art. 6(1)(a)) via device permissionRequires device-level opt-in. You can customize, disable, or revoke push permissions through app or device settings at any time.
In-app purchase verification and subscription managementPerformance of contract (Art. 6(1)(b))Verifying purchases with Apple/Google
Sending invitations to non-usersLegitimate interest (Art. 6(1)(f))Interest of the inviting party; invitee notified via email with privacy notice link
Rate limiting, fraud prevention, abuse detectionLegitimate interest (Art. 6(1)(f))Security and platform integrity; IP logging, request throttling
App analyticsLegitimate interest (Art. 6(1)(f))Service improvement; may be linked to user identifiers. You can opt out through app settings or by contacting us.
Crash reportingLegitimate interest (Art. 6(1)(f))Bug diagnosis; may include device info and user identifiers
Subscription flow optimizationLegitimate interest (Art. 6(1)(f))Paywall presentation and subscription management
Server logs and IP addressesLegitimate interest (Art. 6(1)(f))Security monitoring, incident investigation
Defense of legal claimsLegitimate interest (Art. 6(1)(f))Retention of relevant records for potential legal proceedings

KVKK (Turkey): Under KVKK Article 5, our processing is based on: necessity for performing a contract to which the data subject is party, legitimate interests of the data controller (provided fundamental rights are not harmed), and explicit consent for sensitive personal data under Article 6.

We do not sell your personal data. Monetization is currently through subscriptions and token packs. We do not currently display third-party advertisements.

4. AI Processing & Automated Decisions

4.1 How AI Is Used

Refairly uses one or more third-party AI providers to analyze conflicts and generate solution proposals. Your mediation content is processed using Refairly systems and third-party AI provider infrastructure as needed to provide the Service. The AI output is stored and shown to all parties in the mediation.

4.2 AI Providers

The specific AI providers we use are listed in the sub-processor table in Section 5.2. The provider or model used may vary by plan, feature, availability, platform, or jurisdiction, and may change over time.

  • Your mediation content is sent to AI providers solely for generating analysis as part of the Service.
  • AI providers have their own terms and privacy practices, which govern their handling of data received through their APIs. We encourage you to review the privacy policies of our current AI providers for the most current information on their data practices.

4.3 Automated Decision-Making & Your Rights

The AI generates fairness scores and solution proposals. These are algorithmic estimates, not binding decisions. No fully automated decision with legal or similarly significant effects is made without human involvement — all parties must voluntarily agree to any proposed solution.

Under GDPR Article 22 and KVKK Article 11(g), you have the right to:

  • Object to outcomes produced solely by automated processing
  • Request human review by contacting us at aoci@refairly.app
  • Object to any AI output during the mediation process by submitting an objection
  • Report harmful, biased, or incorrect AI outputs to us for review

There is currently no routine human review of AI outputs. If you report an issue, we aim to review the relevant analysis and respond.

4.4 AI Disclaimers

AI-generated mediation analysis is not legal advice. Refairly is not a law firm, licensed mediation service, or arbitration body. AI analysis may contain errors, biases, or inappropriate content. Fairness scores are algorithmic estimates and do not constitute professional assessments. Always use your own judgment. See our Terms of Service for full disclaimers.

5. Data Sharing & Third-Party Services

5.1 Data Shared Between Mediation Parties

By joining a mediation room, you acknowledge that the following data is shared with all other parties in the same room as a necessary part of the mediation service:

  • Your first name and last name
  • AI-generated analysis, which may quote or closely paraphrase portions of your perspective
  • Your option selections, objections, comments, and agreement signatures
  • Chat messages you send in the discussion

Your raw perspective text is processed by the AI, which produces a summary. The AI may reflect the substance of what you wrote, and other parties may infer your positions from it. This sharing is inherent to the mediation service and is based on performance of contract, not separate consent.

5.2 Sub-Processors

ServiceProviderLocationPurposeData InvolvedTransfer Mechanism
Hosting, database, file storage, SMSAmazon Web Services (AWS)EU (Frankfurt)InfrastructureAll application data; uploaded files with server-side encryptionNo transfer outside EU for EU/EEA users; cross-border transfer under KVKK for Turkish users (see Section 6.2)
AI analysisAnthropicUnited StatesConflict analysisMediation perspectives, conflict metadataAnthropic API Terms (DPA available)
AI analysisGoogle Gemini APIUnited StatesConflict analysisMediation perspectives, conflict metadataGoogle Cloud Data Processing Terms
Email deliveryResendUnited StatesTransactional emailsRecipient email, email contentResend DPA / SCCs
AnalyticsGoogle Firebase AnalyticsUnited StatesUsage statisticsUsage events, device type; may include user identifiersGoogle Cloud Data Processing Terms
Crash reportingGoogle Firebase CrashlyticsUnited StatesCrash diagnosticsCrash logs, device info; may include user identifiersGoogle Cloud Data Processing Terms
Push (Android)Firebase Cloud MessagingUnited StatesPush notificationsDevice token, notification payloadGoogle Cloud Data Processing Terms
Push (iOS)Apple APNsUnited StatesPush notificationsDevice token, notification payloadApple Developer Agreement
Social sign-inGoogle OAuth / Apple Sign-InUnited StatesAuthenticationEmail, name, provider user IDProvider terms
PaywallSuperwallUnited StatesSubscription flowDevice identifiers, subscription status, paywall events, localeSuperwall DPA / SCCs

We may change service providers, infrastructure, hosting regions, or technical methods over time. Where we do so, we aim to update this Privacy Policy accordingly. A change in provider, model, SDK, or underlying technical implementation does not by itself change the purposes for which we process your data.

6. Cross-Border Data Transfers

Our primary infrastructure is currently in the European Union. Certain data is transferred to the United States for processing by sub-processors listed above.

6.1 EU/EEA Users

Transfers to US-based sub-processors rely on one or more of: (a) Standard Contractual Clauses (SCCs) adopted by the European Commission; (b) the EU-U.S. Data Privacy Framework, where the recipient is certified; (c) the provider's own adequacy mechanism as documented in their data processing agreements.

6.2 Turkey (KVKK)

For users whose personal data is subject to KVKK, storage of data in the European Union and transfers to service providers located outside Turkey constitute transfers abroad under KVKK Article 9.

We seek to structure such transfers using the transfer mechanisms recognized under applicable Turkish law, including where appropriate:

  • An adequacy decision issued by the competent authority, where available.
  • Appropriate safeguards, including the Board-published standard contracts for transfers abroad (controller-to-controller and controller-to-processor variants), executed in the form applicable to the relevant relationship.
  • Other transfer mechanisms expressly permitted by KVKK and the applicable secondary legislation.
  • In limited and exceptional cases where a regular safeguard mechanism cannot reasonably be used and the transfer is incidental: explicit consent or another derogation permitted by law.

Where a Board-published standard contract is the mechanism used for a recurring vendor transfer, we aim to execute the relevant form and complete any notification or filing steps required by the applicable legislation. Where another lawful transfer mechanism is used, we document that mechanism in our vendor compliance records.

Our sub-processors include providers located in the European Union and the United States for cloud hosting, AI processing, email delivery, authentication, analytics, crash reporting, push notifications, and subscription/paywall functionality. The specific providers, locations, and categories of data involved are listed in the sub-processor table in Section 5.2 above.

If Turkish law, secondary legislation, or Board guidance changes, we may update our transfer mechanisms, vendor arrangements, and this section accordingly.

6.3 UK Users

For users in the United Kingdom, transfers are governed by the UK GDPR and the International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as applicable.

7. Data Security

We use reasonable technical and organizational measures designed to protect your personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we take data protection seriously and aim to reduce risk through layered safeguards.

Our measures include, but are not limited to:

  • Encryption of data in transit and at rest using industry-standard methods
  • Secure storage of authentication credentials and uploaded files
  • Password hashing using industry-standard one-way algorithms
  • Rate limiting and abuse prevention controls
  • Access controls restricting production system access
  • Secure management of credentials and API keys
  • Selection of sub-processors based on their security practices and data protection commitments

Our security measures may evolve over time as our systems, vendors, and industry practices change. We do not guarantee that any particular technical configuration will remain the same, and we aim to maintain or improve our security posture over time.

8. Data Retention

Data TypeRetention PeriodCriteria / Notes
Active account dataWhile account is activeDeleted or anonymized on account deletion
Perspectives & messagesUntil user leaves the room or account deletionAutomatically purged when the user leaves the mediation room (per-user purge). Also deleted on account deletion.
AI analyses & optionsWhile room existsAI analyses are platform-derived content and remain available to other parties even after a user leaves. A notice banner is added when a party's source data has been purged.
AI usage logsReasonable period (currently up to approximately 90 days)Usage metadata (token counts, timestamps) used for quality assurance, abuse detection, and cost tracking. Deleted on a rolling basis.
Agreements & signaturesWhile room exists or account is activeMetadata (dates, status) may be retained for legal claims defense as permitted by applicable law
Notification historyWhile account is activeDeleted on account deletion
Bonus tokensAs displayed at time of purchaseToken packs have a limited validity period. Expired tokens are forfeited and non-refundable.
Invitation recordsUntil expiry, room deletion, or account deletionNon-user contact info deleted with invitation
Soft-deleted account dataApproximately 30 daysPII is removed from public-facing views immediately. Underlying account data is retained in a restricted state for a limited grace period to allow restoration upon request. After the grace period, data is permanently deleted from primary systems. Backup copies are removed in the ordinary backup rotation cycle.
Crash logsAs managed by providerManaged by third-party crash-reporting provider per their retention policies
Server logsReasonable periodRotated on a rolling basis
Billing/transaction recordsAs required by applicable lawRetained for tax and legal compliance obligations
Legal hold / fraud preventionAs required by law or investigationData relevant to ongoing legal proceedings or fraud investigation may be retained beyond normal periods

8.1 Multi-Party Retention & Per-User Purge

Mediation rooms involve multiple parties. Refairly uses a per-user purge model so that one party's erasure request does not destroy another party's data.

  • Leaving a room (per-user purge): When you leave a mediation room, your personal data is generally purged from that mediation. Specifically:
    • Your perspectives, messages, objection explanations, and signature notes are replaced with anonymized or deletion markers
    • The fact that you signed an agreement and the timestamp are preserved
    • AI analyses remain intact with a notice indicating that source data from one or more parties is no longer available
    • Other parties' data is not affected
    This action is permanent and may not be recoverable. Your name may remain visible on certain shared records (such as agreement signatures) because you still have an account.
  • Account deletion: If you delete your entire account, your identity is anonymized across all rooms. Your data is removed from public-facing views promptly and permanently deleted after a limited grace period.
  • Room deletion: When the last remaining member leaves a room, the room is automatically deleted. If the room owner leaves while other members are present, ownership is automatically transferred to another active member.

Minimal metadata (dates, room identifiers, participation records) may be retained after purge where reasonably necessary for security, audit integrity, abuse prevention, enforcement of our Terms, billing reconciliation, or the establishment, exercise, or defense of legal claims.

Preservation holds: We reserve the right to delay, suspend, or decline deletion or purge requests where we have a reasonable basis to believe that data preservation is necessary for: pending or anticipated legal claims; fraud or abuse investigations; law-enforcement or regulatory requests; child-safety concerns; threats of harm; or compliance with legal obligations. Data subject to a preservation hold may be retained beyond normal retention periods until the hold is resolved.

Copies remaining in encrypted backups are deleted or overwritten in the ordinary backup rotation cycle and are not restored back into production except where necessary for disaster recovery or legal compliance.

8.2 Backups

Database backups are maintained for disaster recovery. Backups follow the same retention schedule as the primary data. When data is deleted from the primary database, it is removed from backups within the next backup rotation cycle.

9. Your Rights

Under GDPR, KVKK, and other applicable data protection laws, you have the following rights. To exercise any right, use in-app controls where available or contact aoci@refairly.app. We aim to respond within the time required by applicable law, and in most cases within approximately 30 days.

KVKK-specific rights (Turkey): Under KVKK Article 11, you also have the right to: learn whether your personal data is processed; request information about processing purposes and whether data is used in accordance with its purpose; learn the domestic or foreign third parties to whom your data is transferred; request correction of incomplete or inaccurate data; request deletion or destruction where processing conditions no longer exist; request notification of corrections or deletions to third parties; and object to results produced by automated analysis that are to your detriment.

9.1 Right to Access & Data Portability

You can request a copy of the personal data we hold about you. Where available, you can also export your data through in-app controls or by contacting us.

The self-service export, where available, includes your core personal data in a structured, machine-readable format. Certain derived data (such as AI analyses) may not be included in the self-service export but can be provided upon request.

9.2 Right to Erasure (Right to be Forgotten)

You have two erasure options:

Option A — Leave a mediation room (per-user purge, keep account):

  • Available at any time by leaving the room through the app
  • Purges only your personal content (perspectives, messages, objection explanations, signature notes) from that mediation
  • Other parties' data and AI analyses remain intact
  • This action is permanent and may not be recoverable

Option B — Delete entire account:

  • Available through the app, through our website at refairly.app/delete-account, or by contacting aoci@refairly.app
  • Personal data is removed from public-facing views promptly
  • Underlying account data is retained in a restricted state for a limited grace period, during which restoration may be possible by contacting us
  • After the grace period, data is permanently deleted from primary systems. Backup copies are removed in the ordinary backup rotation cycle.

Exceptions: We may retain certain data beyond the normal deletion schedule where required by law, where needed for fraud prevention or safety, or where data has been anonymized and no longer identifies you.

9.3 Right to Temporarily Suspend Your Account

You can deactivate your account without deleting it. While deactivated, your profile is hidden, notifications are paused, and your data is retained. You can reactivate by logging back in.

9.4 Right to Rectification

You can update your profile information at any time. During the mediation process, you can submit revised perspectives when the mediation status allows it. Note that rectification of historical mediation records may be limited where the record serves as a dispute record shared with other parties.

9.5 Right to Object & Restrict Processing

  • Push notifications: You can revoke push notification permission through your device settings or customize notification preferences through the app.
  • Analytics: You can opt out of non-essential analytics through app settings or by contacting us.
  • Legitimate interest processing: You have the right to object to any processing based on legitimate interest. Contact us at aoci@refairly.app and we aim to assess whether our legitimate interests override your rights and freedoms in your specific situation.

9.6 Right Regarding Automated Decisions

Under KVKK Article 11(g) and GDPR Article 22, you have the right to object to decisions based solely on automated processing. See Section 4.3 for details on how to challenge AI outputs.

9.7 Right to Lodge a Complaint

If you believe your data protection rights have been violated:

  • Turkey: KVKK (Kisisel Verileri Koruma Kurumu) — www.kvkk.gov.tr
  • EU/EEA: your local Data Protection Authority
  • UK: the Information Commissioner's Office (ICO) — ico.org.uk

9.8 Jurisdiction-Specific Rights

If a mandatory data protection law in your jurisdiction grants you additional rights or imposes stricter requirements than those described in this Privacy Policy, those mandatory rules apply to the extent required by law. Nothing in this Privacy Policy is intended to limit any rights that cannot be limited under applicable mandatory law.

10. Children's Privacy

Refairly is intended only for users aged 18 and older. We do not knowingly permit minors to use the Service. If we learn that an under-18 user has created an account, we may suspend or terminate the account and delete associated personal data, subject to lawful retention requirements. If you believe a minor has created an account, please contact us at aoci@refairly.app.

11. Cookies & Tracking

11.1 Mobile Application

The Refairly mobile app does not use browser cookies. The app may include third-party SDKs for the following purposes:

  • Analytics: usage events, screen views, session duration, device type. Events may be linked to user identifiers for service improvement. You can opt out through app settings.
  • Crash reporting: crash reports, stack traces, device model, OS version. May be linked to user identifiers for debugging.
  • Subscription flow: device identifiers, subscription status, paywall interaction events for subscription optimization.

The specific third-party providers used for these purposes are listed in the sub-processor table in Section 5.2. Providers may change over time.

11.2 Website (refairly.app)

The refairly.app website may use essential cookies for basic functionality (session management). We do not use advertising trackers, retargeting pixels, social media tracking pixels, or third-party analytics on the website beyond what is strictly necessary.

12. Subscriptions & Payments

Subscriptions and token packs are purchased through Apple App Store or Google Play. We do not process payments directly. We receive only transaction identifiers and subscription status from these platforms. For refund requests, contact Apple or Google through their respective platforms. Subscription management (cancellation, renewal) is handled through your device's store settings.

13. Data Breach Notification

13.1 GDPR (EU/EEA)

In the event of a personal data breach likely to result in a risk to the rights and freedoms of EU/EEA users, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33). If the breach is likely to result in a high risk to individuals, we will also notify affected users without undue delay (GDPR Article 34).

13.2 KVKK (Turkey)

We will notify the KVKK Board and affected data subjects as soon as possible upon learning of a breach, in accordance with KVKK Article 12 and relevant Board decisions.

13.3 General

Not every security incident constitutes a notifiable breach. We assess each incident on a case-by-case basis considering the nature, scope, context, and likely consequences. We document all incidents and our assessment of notification obligations.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We aim to notify you of material changes through one or more of the following:

  • An in-app notification
  • An email to your registered email address
  • Updating the "Last updated" date at the top of this page

If changes materially affect how we process your data, we aim to provide notice through reasonable means before or when the changes take effect. Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acknowledgment of the updated notice.

15. Contact Us

Ali Onur Can Irey

Data Controller & Developer of Refairly

Email: aoci@refairly.app
Website: https://refairly.app

For privacy inquiries, data access requests, erasure requests, or complaints, please email us. We aim to respond within 30 calendar days.