Privacy Policy
Effective Date: 2 May 2026
Last Updated: 2 May 2026
Version: 1.1
At a glance
- What we collect: the data you give us at sign-up (name, email, phone, date of birth, profile content) and limited technical/location data to make features work.
- Why: to operate the service, verify your account, show nearby users and places, and prevent abuse.
- Who we share with: only the cloud providers we strictly need (Google Firebase, Twilio, Resend, Apple/Google for billing). We never sell your data.
- Your rights: access, correction, deletion, portability, and withdrawal of consent — anytime via support@realbonds.app or in-app Settings.
1. Introduction
Welcome to Realbonds. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the “Services”).
This policy is designed to comply with the General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act, the California Consumer Privacy Act (CCPA/CPRA), the Turkish Personal Data Protection Law (KVKK No. 6698), and other applicable data-protection laws. If you do not agree with this policy, please do not use the Services.
2. Data Controller
3. Information We Collect
3.1 Information You Provide
Account information
- Identifiers: full name, email address, phone number, username
- Profile data: profile picture, bio
- Age verification: date of birth, collected during registration to verify the minimum age of 16 required to use Realbonds, in line with GDPR Article 8 and KVKK Article 5
- Verification status: phone and email verification flags
User-generated content
- Stories: photos, videos and captions you publish
- Events: events you create or join
- Reviews & ratings: place reviews and ratings
- Comments: comments on places and events
3.2 Information Collected Automatically
Location data
- GPS location: sampled once when you open the app, only with your explicit permission
- Purpose: to show nearby users, generate the heatmap, suggest places, calculate place XP
- Retention: 30 days
Device information
- Device ID, model, operating system, app version, language
- IP address, time zone
- App-feature usage and session metadata
Diagnostics
- Crash logs, error traces, performance metrics — used solely to fix bugs and improve stability
3.3 Information from Third Parties
- Twilio: phone-number verification status
- Resend: email-verification delivery status
- Apple App Store / Google Play: opaque transaction identifiers for in-app purchases (we never receive your card details)
- Google Firebase: authentication tokens, analytics
4. How We Use Your Information
- Create and manage your account; authenticate sign-ins via OTP
- Provide location-based features (nearby users, heatmap, place recommendations, XP)
- Operate events, stories, and the in-app token system
- Deliver transactional emails (sign-in OTP, security alerts)
- Detect and prevent fraud, spam, abuse, and policy violations
- Comply with legal obligations and respond to lawful requests
- Conduct internal analytics to improve the product
5. Legal Basis for Processing (GDPR & KVKK)
Realbonds processes personal data only of users aged 16 and over. We do not knowingly process the personal data of children under 16. Where local law sets a higher digital-consent age, that higher age applies.
Consent — GDPR Art. 6(1)(a) / KVKK Art. 5(1)
- Location data, marketing-style messages where applicable, optional cookies
Contract performance — GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)
- Account creation, authentication, transaction processing
Legitimate interests — GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)
- Fraud prevention, service security, product improvement
Legal obligation — GDPR Art. 6(1)(c) / KVKK Art. 5(2)(ç)
- Tax, anti-money-laundering and law-enforcement requests
6. Data Retention
| Data category | Retention period |
|---|---|
| Location data | 30 days |
| Account information | Until account deletion + 30-day grace |
| User content (stories, reviews, comments) | Until you delete it or your account closes |
| Transaction records | Up to 10 years where required by tax law |
| Diagnostic / analytics data | 90 days |
| Security and audit logs | 180 days |
Upon account deletion, your data is permanently removed within 30 days, except where retention is required by law.
7. Sharing & Disclosure
We do not sell your personal data. We share it only with:
- Google Firebase (authentication, Firestore, Cloud Functions, Analytics)
- Google Maps (mapping & place data)
- Twilio (phone OTP delivery)
- Resend (email OTP delivery)
- Apple App Store / Google Play (in-app billing)
- Authorities when required by valid legal process
All processors are bound by data-protection contracts and process data only on our written instructions.
8. International Transfers
Some of our processors are located outside Türkiye and the EEA. For each transfer we rely on at least one of: an adequacy decision, the EU Standard Contractual Clauses (SCCs) with supplementary measures, the UK International Data Transfer Agreement (IDTA), or KVKK Article 9 explicit consent / undertaking. By using Realbonds you accept these transfers.
9. Security
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access control: least-privilege, multi-factor authentication for staff
- Monitoring: automated threat detection and audit logging
- Updates: regular dependency patches and security reviews
No system is perfectly secure; in the unlikely event of a breach we follow the notification process in §16.
10. Your Privacy Rights
10.1 Under GDPR / UK GDPR
- Access, rectification, erasure (“right to be forgotten”), restriction, portability
- Object to processing based on legitimate interests
- Withdraw consent without affecting prior lawful processing
- Lodge a complaint with your supervisory authority (see §19)
10.2 Under CCPA / CPRA (California)
- Right to know, delete, correct, and opt out of “sale” or “sharing” of personal information (we do neither)
- Right to non-discrimination for exercising any of these rights
10.3 Under KVKK (Türkiye) — Article 11
- Learn whether your data is processed and request information about its purpose, recipients, and any automated analysis
- Request rectification, erasure or destruction; object to outcomes derived solely from automated processing; claim damages for unlawful processing
10.4 How to exercise your rights
Email support@realbonds.app or use Settings → Privacy in the app. We respond within 30 days (extendable to 60 days for complex requests). We may need to verify your identity.
11. Location Data — Detailed Notice
- Collected only with your explicit permission and only once per app session
- Used for nearby-user discovery, heatmap, place recommendations and XP
- Aggregated for the heatmap; we do not build per-user trails
- Never shared with advertisers
- You can disable Location at any time via your device settings
12. Children’s Privacy
Realbonds is intended exclusively for users aged 16 and over. We do not knowingly collect personal information from anyone under 16. Date of birth is verified at registration.
If we discover that a user is under 16, we will permanently delete the account and all associated data within 30 days. Parents or guardians who believe a child under 16 has registered may contact support@realbonds.app for immediate removal.
Where applicable local law sets a higher minimum age (e.g., GDPR Member-State derogations under Article 8), that higher age governs.
13. Cookies and Tracking
Our mobile app uses limited tracking: a session token to keep you signed in, secure local storage for app preferences, and Firebase Analytics / Crashlytics for diagnostics. No third-party advertising trackers are embedded.
14. Marketing and Communications
Realbonds does not send marketing or promotional email. The only emails we send are transactional: one-time passwords (OTP) for sign-in/verification and account-security alerts. You cannot opt out of these because they are required to operate the service securely. We do not run newsletters, promotional drips, or third-party advertising via email.
15. Third-Party Links
The app may link to third-party content. Their privacy practices are governed by their own policies; please review them before use.
16. Data Breach Notification
- Authority notification within 72 hours where a risk to individuals is likely
- Direct user notification when high risk to your rights and freedoms is identified
- Notice will describe the nature of the breach, affected data, and mitigation steps
17. Automated Decision-Making
We use limited automated processing for spam detection, fraud prevention, and content recommendations. These systems do not use sensitive personal data and have no legal or significant effects on the user beyond content moderation. Users may appeal any automated decision via support@realbonds.app.
18. Updates to This Policy
We may update this policy. Material changes will be announced in-app and via email; the “Last Updated” date will reflect each revision. Continued use after notice constitutes acceptance.
19. Supervisory Authorities
- Türkiye — KVKK Kurumu (KVKK): https://www.kvkk.gov.tr
- European Union: your national Data Protection Authority — https://edpb.europa.eu
- United Kingdom: Information Commissioner’s Office (ICO) — https://ico.org.uk
- United States: Federal Trade Commission (FTC) — https://ftc.gov
20. Contact Us
Email (all inquiries, including data protection): support@realbonds.app
Postal: Realbonds — Privacy Team, Maltepe, Istanbul, Türkiye