Legal Documents

Explicit Consent

v2.0.0Last updated: 2026-05-11

EXPLICIT CONSENT

Last Updated: 2026-05-11

This document has been prepared by Huma Yazılım Anonim Şirketi ("Company", "NUR") for the purpose of obtaining your consent for the processing of your personal data based on your explicit consent, in accordance with Law No. 6698 on the Protection of Personal Data ("KVKK") and the Personal Data Protection Board's principle decisions No. 2018/90 dated 26/07/2018 and No. 2026/347. This document is presented as a document separate from and independent of the KVKK Information Notice.

Important Notice: The consents you provide under this Explicit Consent document are NOT a prerequisite for benefiting from the NUR application. Even if you do not provide consent, you may continue to benefit from the core services; however, certain personalized features may be restricted. You may withdraw the explicit consent you have provided at any time via the in-app "Profile > Privacy & My Permissions" menu or by deleting your account.

1. DATA TO BE PROCESSED UNDER EXPLICIT CONSENT AND PURPOSES

Apart from the exceptions set out in KVKK Art. 5/2 (performance of contract, legal obligation, legitimate interest, etc.), the following data processing activities are subject to your explicit consent:

1.1. Transfer of Data Abroad (KVKK Art. 9)

The cloud infrastructure, authentication, data storage, push notification delivery, analytics, crash reporting, and payment management processes of the NUR application are conducted on the following service providers established abroad:

  • Google LLC (United States of America): Firebase Authentication, Cloud Firestore, Cloud Functions, Firebase Cloud Messaging (FCM), Firebase Analytics, Firebase Crashlytics, Google AdMob, Google Geocoding/Maps API
  • Apple Inc. (United States of America): Sign in with Apple, App Attest, App Tracking Transparency (IDFA)
  • RevenueCat Inc. (United States of America): Subscription management and store integration

These transfers are secured by standard contracts (SCC) under the Personal Data Protection Authority's "Regulation on the Transfer of Personal Data Abroad" dated 10 July 2024. In cases where the standard contract cannot be applied or is insufficient, your explicit consent shall be relied upon pursuant to KVKK Art. 9/6.

1.2. Ad Personalization and Interest-Based Advertising (IDFA / AAID)

The NUR application displays advertisements to free-tier users via Google AdMob. Within the scope of your explicit consent for ad personalization:

  • On iOS devices, through IDFA (Advertising Identifier) within the App Tracking Transparency (ATT) framework,
  • On Android devices, through Google Advertising ID (AAID), advertisements suited to your interests are displayed. If you do not provide consent, you will only be shown non-personalized (NPA mode) advertisements; application functions are not affected.

1.3. Analytics and Usage Data Processing (Firebase Analytics)

Interaction events generated during your use of the application (which hymn you listen to, your dhikr session durations, how long you stay on which screens, playback completion rates, your likes) may be processed via Firebase Analytics. This data is used to measure application performance, make product development decisions, and improve content. If you do not provide consent, analytics data collection will be disabled; the core functions of the application will not be affected.

1.4. PII Sharing under the Invite System

When you invite another user to the application via NUR's invite code system:

  • Your name, email address, and profile photo may be displayed in the "Person who invited me" view of the person you invited;
  • Likewise, the user who invited you may see your name, email address, and profile photo as part of the invitation process. If you do not provide consent, the invite system operates only through an anonymous invite code; PII is not shared.

1.5. Location Data (Precise Location)

For prayer times, qibla direction, and geographic content personalization, your device's precise location (latitude-longitude) information is processed. This data is obtained only through the operating system's permission dialog; you may withdraw your location permission at any time from your device settings. Location information is processed only during the provision of the service; it is not retained for permanent marketing purposes.

2. DATA PROCESSED OUTSIDE THE SCOPE OF EXPLICIT CONSENT

The following data is processed based on the exceptions under KVKK Art. 5/2 and does not require explicit consent:

  • Mandatory identity and contact data required for account creation (performance of contract — Art. 5/2(c))
  • Security logs, IP address, session information (legal obligation — Law No. 5651, Art. 5/2(ç))
  • Crash reports collected via Crashlytics (legitimate interest — application stabilization, Art. 5/2(f))
  • Payment/subscription data and store transaction records (performance of contract — Art. 5/2(c))
  • Device integrity data collected by AppCheck / FreeRASP (legitimate interest — abuse prevention)

Detailed information regarding these data processing activities is provided in the KVKK Information Notice.

3. RIGHT TO DETERMINE THE SCOPE OF EXPLICIT CONSENT

Pursuant to KVKK and the KVK Board's principle decision No. 2026/347, it is essential that explicit consent be given freely, with respect to a specific matter, and based on information. Therefore:

  • You have the right to grant or withhold consent separately or jointly for each of the data processing activities listed above.
  • You have the right to withdraw your consent at any time without showing any reason.
  • Your consent withdrawal request shall be processed prospectively, not retroactively; processing activities prior to the withdrawal date shall be deemed lawful.

4. GRANTING AND WITHDRAWING EXPLICIT CONSENT

4.1. Channels for Granting Explicit Consent

  • At the time of registration: By checking the explicit consent checkbox on the registration form;
  • In-application: Through the categorical toggles in the "Profile > Privacy & My Permissions" menu;
  • After a version update: Through the re-consent modal displayed when the version of the Explicit Consent document is updated.

4.2. Channels for Withdrawing Explicit Consent

  • Commercial communication permission: Instantly via the toggle in the "Profile > Privacy & My Permissions > Communication Preferences" menu;
  • Other consent categories: By deleting your account via the "Profile > Delete My Account" menu (KVKK Art. 11/e);
  • Written application: By applying to destek@huma.ist or in writing to the Company's address.

Your requests shall be finalized free of charge within a maximum of 30 (thirty) days pursuant to KVKK Art. 13/2.

5. CONSENT RECORDING AND AUDITING

Each explicit consent transaction you provide or withdraw is retained for a period of 5 (five) years in our audit log collection together with the following information, pursuant to KVKK Art. 4 (compliance with law and the rule of good faith, accuracy and being up to date where necessary) and our burden of proof:

  • Consent category (advertising, analytics, invitation, commercial communication, transfer abroad)
  • Transaction timestamp (UTC)
  • Consent version and your language
  • Source of the request (registration, settings, re-consent)
  • SHA-256 hash of your IP address (KVKK Art. 4 data minimization)
  • User-Agent (device type)

You may access your entire consent history at any time via the "Profile > Privacy & My Permissions > View My Consent History" menu (KVKK Art. 11/d).

6. EXPLICIT CONSENT MANAGEMENT SYSTEM

This section transparently explains how your explicit consents are obtained, recorded, audited, and withdrawn.

6.1. Consent Categories (7 categories)

Mandatory Approvals (Service Condition — performance of contract):

CategoryDescriptionWithdrawal
Privacy PolicyAcceptance of privacy rulesAccount deletion
Terms of ServiceAcceptance of service usage termsAccount deletion
KVKK Information NoticeConfirmation that the notice has been readAccount deletion

Explicit Consent Categories:

CategoryDescriptionWithdrawal
Ad Personalization (ads)IDFA/AAID + AdMob personalizedAccount deletion — if turned off, NPA mode
Analytics (analytics)Firebase Analytics event loggingAccount deletion — if turned off, analytics disabled
Invite PII Sharing (inviteSharing)Name/email/photo sharingAccount deletion — if turned off, anonymous invite code
Commercial Communication (marketing)Push/email/SMS marketing (Law No. 6563)Instant toggle from Settings

Why does only Commercial Communication have a separate toggle? Law No. 6563 recognizes the refusal of commercial electronic messages as a special right, and withdrawal must be processed instantly. The other explicit consent categories are obtained through a single atomic approval; the account deletion route is offered for withdrawal (KVKK Art. 11/e is satisfied).

6.2. Where is Consent Collected?

At the Time of Registration (2 checkboxes):

  1. (MANDATORY) "I have read and accept the Privacy Policy, Terms of Service, KVKK Information Notice, and Explicit Consent document"
  2. (OPTIONAL) "I accept the sending of commercial electronic messages to me"

When the first box is checked, 6 consent categories (privacy, terms, kvkk, ads, analytics, inviteSharing) become active through a single atomic record. The second box corresponds to the marketing category.

In-Application (Profile > Privacy & My Permissions):

  • You can turn the commercial communication toggle on and off
  • You can view your consent history
  • You can create a data download request
  • You can delete your account

After a Version Update: When any of the legal documents undergoes a material update, a re-consent modal is displayed when you open the application.

6.3. Enforcement (Consent Application)

ConsentEffect
ads = falseAdMob runs in NPA (non-personalized) mode; IDFA/AAID is not collected
analytics = falseFirebase Analytics setAnalyticsCollectionEnabled(false)
marketing = falseNo push/email/SMS marketing message is sent
inviteSharing = falseOnly anonymous code in the invite system; name/email/photo is not shared

Transactional messages (security alert, payment receipt, account deletion process) are outside this control; they are always sent.

6.4. Multi-Device Synchronization

The consent you provide is automatically synchronized across all your devices. Withdrawal of permission from one device is also valid on the other devices.

Offline Behavior: If you change the permission status while your device is offline, the change is saved locally and is automatically sent to the server when the device comes back online.

7. DECLARATION OF CONSENT

I declare that I have read and understood this Explicit Consent document, and that I hereby express my EXPLICIT CONSENT freely, on an informed basis, and with respect to a specific matter, for the processing of my personal data within the purposes specified above and for the periods specified, and for its transfer abroad.

Data Controller: Title: Huma Yazılım Anonim Şirketi Address: Sarıdemir Mah. Ragıp Gümüşpala Cad. Ahenk Han İş Merkezi No: 29 İç Kapı No: 103 Fatih / İstanbul Tax Identification No: 4641985523 Mersis No: 0464198552300001 E-mail: destek@huma.ist / info@huma.ist