KVKK (PERSONAL DATA PROTECTION LAW) DISCLOSURE NOTICE
Last Updated: 2026-05-11
This Disclosure Notice has been prepared by Huma Yazılım Anonim Şirketi ("Company", "Data Controller") in order to inform data subjects about the personal data processed through the NUR mobile application (the "Application"), in accordance with Article 10 of Law No. 6698 on the Protection of Personal Data ("KVKK") and the "Communiqué on the Procedures and Principles to be Followed in the Performance of the Disclosure Obligation".
This document is separate and independent from the Explicit Consent Statement and has been drafted in compliance with the principle decisions of the Personal Data Protection Board No. 2018/90 dated 26/07/2018 and No. 2026/347.
1. IDENTITY OF THE DATA CONTROLLER
| Information | Detail |
|---|---|
| Title | Huma Yazılım Anonim Şirketi |
| Address | Sarıdemir Mah. Ragıp Gümüşpala Cad. Ahenk Han İş Merkezi No: 29 İç Kapı No: 103 Fatih / İstanbul |
| Tax Identification No | 4641985523 |
| Mersis No | 0464198552300001 |
| E-mail | destek@huma.ist / info@huma.ist |
2. CATEGORIES OF PERSONAL DATA PROCESSED
The following categories of personal data are processed within the scope of the NUR application:
2.1. Identity Data
- First name, last name, username, profile photo, year of birth, Firebase user identifier (UID)
2.2. Contact Data
- E-mail address (via Google/Apple Sign-in or manual registration)
2.3. Device and Connection Data
- Device identifier (IDFV — iOS / Android ID), IDFA/AAID (with explicit consent), FCM token (for push notifications), platform (iOS/Android), application version, operating system version, IP address, language and time-zone settings
2.4. Location Data
- Precise location (latitude, longitude) to the extent permitted by the device — for prayer time and qibla direction calculation. Country and city information is derived through reverse geocoding.
2.5. Usage and Content Interaction Data
- Playback events (play_events): the content you listen to, duration, completion rate, playback time
- Dhikr sessions (dhikr_sessions, dhikr_daily): date, session duration, counter
- Likes (inspirations/likes), favorites, dhikr rooms you created or joined
- In-app navigation events, screen view times
2.6. Financial and Subscription Data
- Store transaction identifiers (App Store / Play Store), subscription status (isPremium, premiumUntil), purchase history (via RevenueCat), subscription cancellation reasons
2.7. Social and Invitation Data
- Invitation code (inviteCode), number of successful invites (successfulInvites), name/e-mail/photo information of those you invite or who invite you (with explicit consent)
2.8. Security and Integrity Data
- Device integrity reports (FreeRASP — jailbreak/root detection, abuse prevention)
- Firebase App Check tokens (Play Integrity / App Attest)
- Session logs, failed login attempts
2.9. Crash and Performance Data
- Firebase Crashlytics crash reports, performance metrics, error stack traces (with anonymous device identifier)
2.10. Marketing and Communication Data
- Commercial communication preferences (push/e-mail/SMS), İYS registration status
3. PURPOSES OF PROCESSING PERSONAL DATA
The above data is processed for the following purposes:
- Account creation and authentication (Art. 5/2(c) — performance of contract)
- Provision of services: hymn/du'a/Quran content streaming, prayer times, dhikr counter, offline download
- Personalization: recommended content, favorite lists, dhikr goals
- Social interaction: dhikr rooms, invitation system, likes
- Payment and subscription management: Premium membership, auto-renewal, purchase validation
- Security and abuse prevention: device integrity, session control, abuse detection, AppCheck
- Fulfillment of legal obligations: log retention pursuant to Law No. 5651, KVKK Art. 7 disposal policy, tax obligations
- Analytics and product development: usage statistics, A/B tests (with explicit consent)
- Advertising display: AdMob ads for free-tier users (personalization with explicit consent)
- Commercial electronic message delivery: campaigns, announcements (with explicit consent, Law No. 6563 + İYS)
4. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA (KVKK Art. 5)
| Legal Ground | Applied Data Categories |
|---|---|
| Art. 5/2(a) — Expressly stipulated in laws | Security logs (Law No. 5651) |
| Art. 5/2(c) — Establishment or performance of a contract | Identity, contact, financial/subscription data |
| Art. 5/2(ç) — Legal obligation | Log records, tax records, audit records |
| Art. 5/2(e) — Establishment, exercise, or protection of a right | Response to judicial/administrative requests |
| Art. 5/2(f) — Legitimate interest | Crashlytics, device integrity, fraud prevention |
| Art. 5/1 — Explicit consent | Advertising personalization, analytics, invitation PII sharing, cross-border transfer, commercial communication |
5. TRANSFER OF PERSONAL DATA
5.1. Domestic Transfer
Your personal data may be transferred to the following parties:
- Authorized public institutions and organizations and judicial/administrative authorities: when required by legal obligation
- Tax advisors and auditors: for statutory audit processes
- Service providers: message management system (İYS — for commercial communication), law firms
5.2. Cross-Border Transfer (KVKK Art. 9 + Regulation dated 10 July 2024)
This section explains, in accordance with KVKK Article 9 and the "Regulation on the Transfer of Personal Data Abroad" dated 10 July 2024, the legal grounds and safeguards applied for the transfer of personal data processed within the scope of the NUR application to data processors located abroad.
Legal Grounds for the Transfer (KVKK Art. 9):
- Primary preference: Standard Contract (KVKK Art. 9/4/b) — Standard contract signed between the data controller and the data processor and announced by the Personal Data Protection Board
- Complementary ground: Explicit consent (KVKK Art. 9/6) — For situations where the Standard Contract is insufficient or cannot be applied
5.2.1. Google LLC (United States of America)
| Information | Detail |
|---|---|
| Address | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Contract | Google Cloud Data Processing Addendum + KVKK Standard Contract |
| Status | Signed and in force |
| Services | Firebase Auth, Cloud Firestore, Cloud Functions, FCM, Firebase Analytics, Crashlytics, Google AdMob, Geocoding/Maps API, AppCheck (Play Integrity) |
| Transferred data | Identity, contact, device, location (precise), usage, IDFA/AAID (with explicit consent), crash/performance |
| Security | TLS 1.2+ in transit, Google Cloud KMS at-rest, ISO 27001/27017/27018, SOC 2 Type II |
5.2.2. Apple Inc. (United States of America)
| Information | Detail |
|---|---|
| Address | One Apple Park Way, Cupertino, CA 95014, USA |
| Contract | Apple Developer Program Agreement + KVKK Standard Contract |
| Status | Signed and in force |
| Services | Sign in with Apple, App Attest, App Tracking Transparency (IDFA) |
| Transferred data | Identity (e-mail, name), device, IDFA (with explicit consent) |
| Security | TLS 1.2+, Apple Hardware Security Module, ISO 27001 |
5.2.3. RevenueCat Inc. (United States of America)
| Information | Detail |
|---|---|
| Address | 870 Market St, San Francisco, CA 94102, USA |
| Contract | RevenueCat DPA + KVKK Standard Contract |
| Status | Signed and in force |
| Services | Subscription management, store integration, purchase validation |
| Transferred data | App User ID, Apple/Google transaction ID, product ID, subscription status |
| Security | TLS 1.2+, AES-256 encryption at-rest, SOC 2 Type II |
5.2.4. MP3Quran.net (Saudi Arabia)
- Service: Quran recitation content streaming (HTTP GET only)
- Transferred data: NO PERSONAL DATA IS TRANSFERRED — only anonymous content requests. The user's IP is anonymized at the CDN edge
- Legal Ground: No transfer; outside the scope of KVKK Art. 9
5.2.5. When Standard Contractual Clauses Are Insufficient
For certain processing activities (e.g., government access requests in the USA — FISA 702, CLOUD Act), the standard contract alone may not provide sufficient safeguards. In such cases:
- Complementary measures: Encryption (TLS), pseudonymization, data minimization
- Explicit Consent Ground (KVKK Art. 9/6): If the above measures are deemed insufficient, your explicit consent is obtained as an additional legal ground. The approval of the Explicit Consent Statement is evaluated within this scope.
5.2.6. Additional Safeguards for Transfers
- Standard Contracts have a duration of 5 years and renew automatically
- Our right to perform an annual audit on data processors is reserved
- The internal Cross-Border Transfer Committee performs a transfer inventory and risk assessment every 6 months
6. METHODS OF COLLECTING PERSONAL DATA
Data is collected through the following channels:
- Directly from the user: registration form, profile settings, user actions
- Automatically: in-app telemetry, cookie/local-storage-like SDK storage, system logs
- Third-party integrations: Google/Apple Sign-in (e-mail/name verification), RevenueCat (store transactions), FCM (push token)
- Via the invitation system: through data shared by another user who invited you (KVKK Art. 10 / GDPR Art. 14 equivalent)
7. PERSONAL DATA RETENTION AND DISPOSAL POLICY
This section governs, in accordance with KVKK Article 7 and the "Regulation on the Deletion, Destruction, or Anonymization of Personal Data", the retention periods, disposal triggers, and disposal methods for the personal data processed.
7.1. Retention Periods Table
| # | Data Category | Legal Ground | Retention Period |
|---|---|---|---|
| 1 | Active user data | Performance of contract | As long as the account is active |
| 2 | Logs of deleted accounts (pseudonymized) | Burden of proof | 3 years |
| 3 | Tax/financial records (store transaction ID, subscription) | VUK Art. 253 | 10 years |
| 4 | Traffic logs (IP, session, access) | Law No. 5651 | 2 years |
| 5 | Marketing permissions (İYS) | Law No. 6563 + İYS | Until permission is withdrawn + 3 years proof |
| 6 | Explicit consent audit log | KVKK burden of proof | 5 years |
| 7 | Crashlytics crash reports | Legitimate interest | 90 days |
| 8 | Firebase Analytics events | Explicit consent | 14 months |
| 9 | Precise location data | Performance of contract (prayer time) | Deletion within 24 hours after the processing purpose |
| 10 | FCM push token | Performance of contract | As long as the account is active + 30 days |
| 11 | Invitation records | Performance of contract | Until the account is deleted |
| 12 | Play events | Explicit consent (analytics) | Anonymization after 12 months |
| 13 | Dhikr counter data | Performance of contract | Until the account is deleted |
| 14 | Device integrity logs (FreeRASP, AppCheck) | Legitimate interest | 90 days |
| 15 | Complaint and moderation logs | Legitimate interest + proof | 3 years |
7.2. Account Deletion Processes
Deferred deletion (72-hour countdown): The user initiates a deletion request via "Profile > Delete My Account". The isMarkedForDeletion=true flag is set. The request can be cancelled within 72 hours; once the period elapses, the processAccountDeletions Cloud Function runs.
Immediate deletion (instant): "Delete Now" option → deleteAccountImmediately callable (AppCheck-protected).
Deleted data: users/{uid} main document + subcollections (favorites, dhikr_stats, dhikr_daily, dhikr_sessions, personal_notifications, recommendations, stats), related data (playlists, play_events, subscription_events, invites), Firebase Auth user record.
Data retained after deletion: deletion_logs (pseudonymized, 3 years), consent_audit_logs (5 years, with anonymous reference), tax records (10 years), traffic logs (2 years).
7.3. Disposal Methods
- Deletion: Removal of documents and subcollections from Firestore via delete(); deletion of files in Storage
- Destruction: Destroyed on backup media through periodic backup rotation (no later than 30 days)
- Anonymization: Data whose link to the user identity has been severed (e.g., play_events after 12 months) — SHA-256 hash + date reduced to month-year level
7.4. Periodic Disposal Process
The Company performs a personal data inventory and disposal audit every 6 months:
- Data whose retention period has expired is identified
- The applicable disposal method is applied
- A disposal report is created
- Disposal reports are retained for 3 years
7.5. Deletion Hold Exceptions
Even if an account deletion request is made, certain data may be retained in the following cases:
- Legal obligation: Law No. 5651, VUK, KVKK Art. 7/3 (deletion prohibition)
- Ongoing legal proceedings: for data subject to litigation, until the proceedings are concluded
- Company's legitimate interest: fraud hash records for prevention of repeated abuse
The user is informed in such cases.
8. RIGHTS OF THE DATA SUBJECT (KVKK Art. 11)
Pursuant to KVKK Article 11 and GDPR Articles 15-22, you have the following rights:
- a) To learn whether your personal data is being processed
- b) To request information regarding your personal data if it has been processed
- c) To learn the purpose of processing of your personal data and whether it is used in accordance with such purpose
- ç) To know the third parties, whether in Türkiye or abroad, to whom your personal data has been transferred
- d) To request rectification of your personal data if it has been processed incompletely or inaccurately
- e) Right to be Forgotten: To request deletion or destruction of your personal data within the framework of the conditions set forth in KVKK Art. 7
- f) To request notification of the operations carried out under (d) and (e) to the third parties to whom your personal data has been transferred
- g) To object to a result against you arising from the analysis of the processed data solely through automated systems
- ğ) To claim compensation for damages incurred due to unlawful processing of your personal data
In addition, pursuant to GDPR, the right to data portability (Art. 20) — to download your data in a machine-readable format — is available via the "Profile > Privacy & My Permissions > Download My Data" menu.
9. CHANNELS OF APPLICATION
You may apply through the following channels to exercise your rights:
- In-app: "Profile > Privacy & My Permissions" menu (consent history, data download, account deletion)
- E-mail: destek@huma.ist or info@huma.ist
- Mail: Written application to the company address indicated above
Your applications are resolved within a maximum of 30 (thirty) days and free of charge, pursuant to the "Communiqué on the Procedures and Principles for Application to the Data Controller". If the transaction requires additional cost, the fee determined by the Board's tariff may be charged.
If we reject your application, you find our response insufficient, or we fail to respond within the prescribed period, you may file a complaint with the Personal Data Protection Board (KVKK Art. 14).
10. UPDATES TO THE DISCLOSURE NOTICE
This Disclosure Notice may be revised due to legislative changes or updates within the scope of the service. We will notify you separately via an in-app modal in the event of material changes. You can always access the current version through the in-app "Profile > Legal Documents" menu or at https://nurapp.web.app/legal/kvkk.
Effective Date: 2026-05-11 Version: 2.0.0