Privacy Policy

This Privacy Policy describes how Canacia ("Canacia", "we", "us", "our") collects, uses, discloses, retains, and protects personal data when you use the canacia.com website (the "Website"), the Canacia mobile application for iOS and Android (the "App"), and any associated services including the beta access waitlist (collectively, the "Service").

Where a section applies only to the Website or only to the App, this is stated explicitly. Where a section applies only to specific jurisdictions (for example, California or the European Economic Area), this is also stated explicitly.

Canacia is positioned as an intelligent cultivation operating system that provides plant stress diagnosis, feed guidance, and contextual grow tracking. Plant cultivation activity may be subject to national, regional, or local laws and regulations in your jurisdiction; you are solely responsible for verifying that your intended use is lawful where you are located. The Service is intended only for use in jurisdictions where the cultivation activity you conduct is legal, and only by individuals 18 years of age or older.

This policy does not apply to third-party websites, applications, app stores, or services to which the Service may link, even where those services are integrated with Canacia (for example, Apple App Store or Google Play). Those services are governed by their own privacy policies, and we encourage you to review them.

For purposes of the EU/UK General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and analogous laws, the data controller responsible for personal data processed under this policy is Bektaş Albayrak, a natural person currently resident in Berlin, Federal Republic of Germany, operating the Canacia project in his individual capacity. No separate legal entity (such as a GmbH, UG, sole-proprietorship registration, or other registered business form under German, Turkish, or any other law) has been formed at this time; Operator therefore acts as a sole natural-person controller (collectively, "Operator" or "Canacia"). If a legal entity is later formed and replaces Operator as controller, an updated controller identity, registered seat, and any commercial-register identifiers will be reflected on this page.

For privacy inquiries, requests to exercise data subject rights, or any other matter under this policy, contact privacy@canacia.com. For general product support, contact support@canacia.com. Operator's full provider identification — including a serviceable postal address (ladungsfähige Anschrift) at which Operator can be reached and served with legal correspondence — is published on the Imprint (Impressum) page at /imprint, in accordance with §5 of the German Digital Services Act (Digitale-Dienste-Gesetz, DDG, formerly §5 of the German Telemedia Act, TMG) and Article 13(1)(a) GDPR. The Imprint page is reachable from the footer of every page of the Service.

Data Protection Officer (DPO): we have not designated a DPO. Operator is a single natural person and the scale and nature of processing do not meet the thresholds for mandatory DPO designation under GDPR Article 37 or §38 BDSG. If a relevant threshold is later met, a DPO will be appointed and this policy will be updated.

EU representative — Article 27 GDPR: Operator is established in the European Economic Area (Berlin, Germany), and Article 27 GDPR (representative for non-EEA-established controllers) therefore does not apply. UK representative — Article 27 UK-GDPR: Operator is not established in the United Kingdom; if and when our processing of UK residents' personal data reaches a scale or nature that triggers Article 27 UK-GDPR, a UK representative will be designated and identified on this page.

We collect the categories of personal data described below. The exact categories that apply to you depend on whether you use the Website, the App, or both, and on the optional features you enable.

Website — Waitlist and contact: If you join the beta waitlist or use a contact form, we collect your email address, the language you selected, and limited technical metadata associated with the request (user-agent string, HTTP referrer, request timestamp, and a salted hash of your IP address used for abuse prevention). The raw IP address is not stored after the hash is generated.

App — Account: If you create an account to enable cloud synchronization, we collect your email address and authentication tokens issued by our authentication provider. We do not store account passwords; authentication is performed via passwordless magic-link or one-time-code flows. We may also collect a stable user identifier (UUID) used internally to associate your records.

App — Cultivation records ("grow data"): The App allows you to record information about plants, environments, measurements (temperature, humidity, EC, pH, light intensity), feeding and irrigation events, case notes, action plans, and follow-up tasks. By default this information is stored locally on your device. If you enable cloud synchronization (opt-in), the same information is transmitted to and stored on our servers.

App — Photographs: Photos you capture within the App for case documentation are stored as part of your case records on your device, and on our servers if cloud sync is enabled. When you submit a case for evaluation, the relevant photos are transmitted to our backend and to our AI sub-processor for analysis (see Section 6 and Section 7).

App — Voice recordings: When you use voice logging or voice chat, your audio is captured on the device and transmitted to a speech-to-text sub-processor for transcription. Raw audio is not retained by us or by the sub-processor after transcription is complete; only the resulting text becomes part of your record.

App — Conversational text: Messages you submit to the in-app cultivation assistant, together with limited context (recent measurements, plant species/cultivar/stage, and conversation history) are processed to generate a response and may be retained as part of your record.

App — Diagnostic and product analytics: With your continued use of the App, we may collect crash reports, application performance metrics (latency, error rates, frame timing), and anonymized product interaction events (screen views, feature use frequency). You can disable analytics collection in the App's privacy settings; crash reporting can be disabled separately.

App — Device and technical data: We process limited device data necessary to operate the App, including operating system version, app version, locale, time zone, and a non-resettable device identifier issued by the operating system for push notification routing.

Cookies and similar technologies (Website only): The Website uses a small number of strictly necessary cookies and local-storage entries to operate (for example, language preference). The Website does not currently use advertising cookies or third-party tracking tags. See Section 13 for further detail.

Special categories: The Service is not designed to process special categories of personal data within the meaning of GDPR Article 9 (such as health, racial or ethnic origin, religious beliefs, biometric data, or political opinions), and you should not submit such data through the Service. If photographs you submit incidentally include identifiable individuals, please obtain their consent before submission.

Where the GDPR applies, we process your personal data only where one or more of the following legal bases under Article 6(1) is satisfied:

Performance of a contract — Article 6(1)(b): to provide the Service you have requested, including account creation, cloud synchronization, case evaluation, voice transcription, and the delivery of AI-assisted guidance based on your inputs.

Consent — Article 6(1)(a): for processing that is genuinely optional, including marketing communications, optional product analytics where they exceed strictly necessary diagnostics, and any future feature requiring affirmative opt-in. You may withdraw consent at any time without affecting the lawfulness of processing already carried out.

Legitimate interests — Article 6(1)(f): to operate, secure, and improve the Service, prevent abuse and fraud, enforce our Terms of Service, and conduct internal research and analytics on aggregated or pseudonymous data. Where we rely on legitimate interests, we balance these against your rights and freedoms; you may object to such processing in accordance with Article 21 (see Section 9).

Compliance with a legal obligation — Article 6(1)(c): to respond to lawful requests from public authorities, to retain records required by tax, commercial, or product-safety law, and to comply with court orders.

Vital interests — Article 6(1)(d) and public interest — Article 6(1)(e): we do not currently rely on these bases.

Where the KVKK applies, we rely on Article 5/2 grounds (including necessity for the performance of a contract, legal obligation, and legitimate interests pursuant to Article 5/2(f)) and, where required, on explicit consent under Article 5/1. KVKK Article 6 special categories of personal data are not knowingly processed.

We process your personal data for the following purposes:

Service delivery: to operate the App and Website, authenticate you, synchronize your data across your devices when you have enabled sync, evaluate cases and generate diagnostic outputs, transcribe voice input, and surface follow-up plans and reminders.

Beta access management: to receive, prioritize, and respond to beta-access requests, communicate launch and rollout information, and understand regional demand.

Product improvement: to understand how the Service performs in real-world use, identify defects and regressions, prioritize improvements, and validate fixes. Where this purpose extends beyond strictly necessary diagnostics, processing is based on consent.

Security and abuse prevention: to detect, prevent, and respond to fraudulent or unlawful activity, abuse of the Service, technical attacks, and breaches of our Terms.

Legal and compliance: to comply with applicable laws and respond to lawful requests, to protect our rights and the rights of others, and to maintain audit and tax records.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We do not use your grow data, photos, voice recordings, or conversational text to train any third-party advertising system, and we do not provide your grow data to third parties for their own marketing or commercial purposes.

The Service uses third-party AI sub-processors to deliver core features. Where you submit content for these features, the relevant content is transmitted to the sub-processor under our processing instructions. We minimize the data sent to what is necessary for the requested task.

Plant diagnosis, cultivation guidance, and image analysis: Photographs, plant context (species/cultivar/stage/medium), recent measurements, recent feed and irrigation events, and the user prompt are processed by the Anthropic Claude API to generate ranked probable causes, recommendations, and follow-up plans. The model used is Claude Sonnet 4.6 (claude-sonnet-4-6).

Conversational assistance: Messages you submit to the in-app cultivation assistant, together with curated conversation history and structured plant context, are processed by the Anthropic Claude API. We additionally retrieve relevant knowledge-base passages on your behalf using the OpenAI text-embedding API to convert short queries to vectors for similarity search; the underlying knowledge content remains in our infrastructure.

Voice transcription: Audio you record in the App is transmitted to OpenAI's audio-transcription API (gpt-4o-transcribe, with gpt-4o-mini-transcribe as fallback) to obtain a text transcript. Raw audio is not retained by us once transcription is complete; the resulting text is stored as part of your record.

Content moderation: Conversational inputs are screened by the OpenAI moderation API to detect prohibited content categories before the request is forwarded to the language model. Moderation outputs (a categorical score) are processed transiently and are not used for any other purpose.

AI sub-processor data handling (default terms): Per Anthropic's Commercial Terms of Service and Usage Policy, API inputs and outputs are not used to train Anthropic's models and are retained for up to 30 days for trust-and-safety review ("Default Retention"). Per OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI's models by default and are retained for up to 30 days for abuse and misuse monitoring. These retention periods are set unilaterally by the provider; we do not have access to retained content during this window.

Zero-Data-Retention (ZDR): At the date of this policy, Canacia has not entered into a Zero-Data-Retention amendment with Anthropic or with OpenAI. If we negotiate ZDR with one or more AI sub-processors in the future, this section will be updated to reflect that arrangement and the affected processing activities.

Human review: We do not access or review individual conversations, prompts, or outputs as part of routine product operations. Limited access by authorized engineering personnel may occur on a need-to-know basis to investigate a reproducible defect, a security incident, or a confirmed abuse report, subject to internal access controls and audit logging.

We engage the following sub-processors to provide the Service. Each sub-processor is bound by a written agreement that imposes data-protection obligations consistent with GDPR Article 28 and analogous provisions of the KVKK.

Hosting (Website) — Vercel Inc., a Delaware corporation with principal place of business at 340 S Lemon Ave #4133, Walnut, California 91789, United States. Role: hosts the canacia.com website and serverless functions. Data: HTTP request metadata, waitlist submissions in transit, web logs.

Backend platform and storage — Supabase, Inc., a Delaware corporation with principal place of business in San Francisco, California, United States, providing managed PostgreSQL, Edge Functions (Deno), object storage, and authentication. Role: primary backend for the App. Data: account data, synced grow data, case records, photographs (when sync is enabled), conversation history, audit logs. Hosting region: where available, our project is configured to use Supabase regions located in the European Union; the specific region applicable to your account may be confirmed on request.

AI processing — language and vision — Anthropic, PBC, a Delaware public-benefit corporation with principal place of business at 548 Market Street, San Francisco, California 94104, United States. Role: provider of the Claude API used for cultivation guidance, plant diagnosis, conversational assistance, dashboard recommendations, and image analysis. Inputs: photographs, plant context, environmental measurements, conversational text and history. Retention: up to 30 days for trust-and-safety review, no training on API data, as described in Section 6.

AI processing — voice transcription, content moderation, and embeddings — provided through OpenAI's API. Under OpenAI's Services Agreement and Data Processing Addendum effective 1 January 2026, the OpenAI contracting entity is determined by the customer's place of establishment: customers established in the European Economic Area or Switzerland contract with OpenAI Ireland Limited, and all other customers contract with OpenAI OpCo, LLC (formerly OpenAI, L.L.C.). Because Operator is established in the European Economic Area (Berlin, Federal Republic of Germany), our direct contracting processor for these features under GDPR Article 28 is OpenAI Ireland Limited, a private company limited by shares registered in the Republic of Ireland with registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. Although the data subject's region may affect how OpenAI internally routes processing among its affiliates, it does not change our direct contracting party under GDPR Article 28, which remains OpenAI Ireland Limited. OpenAI Ireland Limited may engage OpenAI affiliates — including OpenAI OpCo, LLC (an operating subsidiary of OpenAI, Inc., with principal place of business at 1455 3rd Street, San Francisco, California 94158, United States), in particular for certain UK and onward-transfer processing — as further sub-processors under OpenAI's DPA. Such onward processing is carried out under the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and other applicable safeguards; the international-transfer aspect is addressed at our level by Section 8. Role: provider of the audio-transcription, moderation, and text-embedding APIs used as described in Section 6. Inputs: audio recordings (transient), short text snippets for moderation, short query strings for embedding. Retention: up to 30 days for abuse monitoring, no training on API data, as described in Section 6.

Crash reporting and error monitoring — Functional Software, Inc. d/b/a Sentry, with principal place of business at 45 Fremont Street, 8th Floor, San Francisco, California 94105, United States. Role: capture and aggregate crash reports and unhandled exceptions, with personally identifying request fields scrubbed at source. Data: stack traces, application state at time of error, device class, OS version. We do not transmit your photos, voice, or grow data to Sentry.

Crash reporting (mobile, secondary) and push notifications — Google LLC (operating Firebase), with principal place of business at 1600 Amphitheatre Parkway, Mountain View, California 94043, United States. Role: Firebase Crashlytics for native crash reporting and Firebase Cloud Messaging (FCM) for push notification delivery. Data: crash signatures, device identifiers issued by the operating system, push tokens. FCM acts as a relay only and does not access notification payload content beyond what is required for delivery.

Email delivery (transactional): a transactional email provider may be engaged to deliver authentication, beta-access, and account-administration emails. The provider, when engaged, will be added to this section and the change will be communicated as a material policy update.

App store distribution: Apple Inc. (Apple App Store, when published) and Google LLC (Google Play) act as independent data controllers for store-level data they collect about your interaction with their stores, in accordance with their own privacy policies. We do not control and are not responsible for store-level data collection by Apple or Google.

We may add, remove, or substitute sub-processors as the Service evolves. Material changes to this list (the addition of a new processor handling content beyond infrastructure-level metadata) will be reflected in this section and communicated through the App or Website where required.

Operator is established in the European Economic Area (Berlin, Federal Republic of Germany). The sub-processors identified in Section 7 are established in the United States, with the partial exceptions of Supabase, whose storage region is configured to be located in the European Union, and OpenAI Ireland Limited, which is established in the Republic of Ireland and acts as the contracting party for OpenAI processing. As a result, personal data of users — including users habitually resident in the European Economic Area, the United Kingdom, Switzerland, Türkiye, or other regions — may be transferred to and processed in the United States by certain sub-processors.

Where personal data of EEA, UK, or Swiss residents is transferred to a country that has not received an adequacy decision from the European Commission (notably the United States), we rely on the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914, the "new SCCs") and, where applicable, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, in accordance with GDPR Articles 44 to 49. We assess transfer impact in line with the Schrems II judgment (Case C-311/18) and the European Data Protection Board's recommendations on supplementary measures, and we apply technical measures including encryption in transit, encryption at rest, access controls, and data minimization.

For personal data of users habitually resident in Türkiye, the cross-border transfer rules of KVKK Article 9 apply alongside GDPR. Such transfers are made on the basis of explicit consent or another ground permitted by KVKK Article 9, taking into account binding decisions of the Personal Data Protection Authority (KVKK Kurulu) including standard contract templates published and registered by the Authority where applicable.

By using the Service, you acknowledge that your personal data may be processed in the United States and other jurisdictions whose data-protection regimes may differ from those of your country of residence. Copies of the relevant transfer mechanisms are available on request to privacy@canacia.com.

Subject to applicable law, you have the rights described below in respect of personal data we process about you. We respond to verifiable requests within one month for GDPR requests (extendable by two further months for complex matters), within 30 days of confirmation for KVKK requests under Article 13, and within 45 days for CCPA/CPRA requests (extendable once by 45 days).

Right of access (GDPR Art. 15, KVKK Art. 11/1(b)-(c), CCPA §1798.110): obtain confirmation that we process personal data about you, a copy of that data, and information about the processing.

Right to rectification (GDPR Art. 16, KVKK Art. 11/1(d), CPRA §1798.106): correct inaccurate or incomplete personal data.

Right to erasure / right to be forgotten (GDPR Art. 17, KVKK Art. 11/1(e), CCPA §1798.105): request deletion of personal data, subject to lawful exceptions (for example, an ongoing legal obligation, the exercise or defence of legal claims, or technical infeasibility within reasonable backup retention windows).

Right to restriction of processing (GDPR Art. 18): require us to restrict processing in defined circumstances (for example, while accuracy is contested).

Right to data portability (GDPR Art. 20, KVKK Art. 11/1(f)): receive your personal data, where processed by automated means on the basis of consent or contract, in a structured, commonly-used, machine-readable format, and have it transmitted to another controller where technically feasible.

Right to object (GDPR Art. 21): object at any time to processing based on legitimate interests, including profiling. Where we cannot demonstrate compelling legitimate grounds that override your rights, processing will cease.

Right to withdraw consent (GDPR Art. 7(3), KVKK Art. 5/1): withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right not to be subject to solely automated decisions producing legal or similarly significant effects (GDPR Art. 22): the AI-assisted outputs of the Service are advisory and do not produce legal effects on you. We do not currently engage in automated decision-making that triggers Article 22.

Right to lodge a complaint (GDPR Art. 77, KVKK Art. 14): file a complaint with a competent supervisory authority, in particular the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority competent for Operator's establishment in Berlin, Germany is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI, https://www.datenschutz-berlin.de). For Türkiye-resident data subjects, the Kişisel Verileri Koruma Kurumu (KVKK Kurumu, https://www.kvkk.gov.tr) is competent.

How to exercise your rights: most rights can be exercised directly within the App at Settings → Privacy & Data (including data export and account deletion). You may also send a written request, accompanied by sufficient information for us to identify your account, to privacy@canacia.com. We may ask for additional verification before disclosing personal data, in line with our obligation to confirm the requester's identity.

This section supplements the rest of this policy and applies if you are a California resident, in accordance with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

Categories of personal information collected (CCPA §1798.140(v)): identifiers (email, account UUID, device identifiers); customer records (account data); commercial information (waitlist participation, beta access status); internet or other electronic network activity (App and Website usage telemetry, crash data); audio and visual information (photographs and voice recordings you submit); geolocation information (only at the resolution of language and time-zone settings; we do not collect precise geolocation); inferences drawn from the foregoing (limited; AI outputs about plant condition are not used to build a consumer profile).

Sources of personal information: directly from you; automatically from your device when you use the Service; and indirectly from our sub-processors.

Business or commercial purposes for which information is used (CCPA §1798.140(e)): providing and securing the Service; communicating with you; debugging and improving the Service; complying with law; and the additional purposes set out in Section 5 above.

Categories of recipients to whom personal information is disclosed for a business purpose: the sub-processors identified in Section 7. We disclose personal information to these recipients only to the extent necessary to provide the Service and only under written agreements that restrict their use of the data.

Sale or sharing: We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising. There is therefore no opt-out of sale or sharing to provide; the Service does not display a 'Do Not Sell or Share My Personal Information' link because no such activity occurs.

Sensitive personal information (CCPA §1798.121): we do not use sensitive personal information for purposes other than those permitted under §1798.121(a) (provision of the requested service, security, fraud prevention, and analogous limited purposes). You have the right to limit such use; given our current practices, no action is required.

Consumer rights: California residents have the rights to know, to delete, to correct, to opt-out of sale or sharing (not applicable here), to limit the use of sensitive personal information, and to non-discrimination. To exercise these rights, contact privacy@canacia.com. We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised any CCPA right.

Authorized agents: a California resident may use an authorized agent to submit a request, subject to verification of the agent's authority and the consumer's identity.

Retention: as described in Section 11.

We retain personal data for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are set out below.

Account data: retained for the duration of the account. Upon account deletion, account data is removed from primary systems within 30 days. Encrypted backup snapshots may persist for up to 90 days for disaster-recovery purposes before automated rotation overwrites them.

Synced cultivation data, case records, and conversational history: retained for the duration of the account; subject to the same 30-day primary deletion and 90-day backup rotation as account data.

Photographs: retained for the lifetime of the case record they belong to; deleting a case deletes its photos. Photos are deleted from the AI sub-processor within the sub-processor's default retention window (Section 6).

Voice recordings (raw audio): not retained by us. Transmitted to the transcription sub-processor and discarded after transcription. Sub-processor default retention applies as described in Section 6.

Waitlist data (Website): retained until launch communications are completed, or until you request deletion, whichever is earlier. Email addresses are pseudonymized for aggregate launch analytics after 24 months and deleted from operational systems within 36 months absent an active relationship.

Crash, performance, and product-analytics data: retained for up to 90 days, except where required for the resolution of an ongoing investigation.

Web server logs: retained for up to 30 days for security and debugging purposes.

Legal-hold and tax data: where we are required by law to retain records (for example, electronic billing or commercial-correspondence retention), the longer statutory period applies.

Canacia is engineered as a local-first application. Your cultivation records, photographs, notes, and action history are stored on your device by default and the App remains functional without an internet connection. Cloud synchronization is opt-in and can be enabled or disabled at any time.

When synchronization is enabled, data is transmitted over Transport Layer Security (TLS 1.2 or higher) to our backend, where it is stored encrypted at rest in our managed-database and object-storage tiers. Authentication tokens are issued and rotated by our authentication provider; we do not store passwords.

Guest mode: you may use the App without creating an account. In guest mode, no personal data is transmitted to our servers other than transient diagnostic data described in Section 3 (which can be disabled).

On-device data: removing the App from your device removes locally-stored cultivation data on that device. Data that has been synchronized to your account remains on our servers until you delete your account or initiate deletion of specific records.

The Website uses a minimal set of strictly-necessary cookies and HTML5 local-storage entries to operate, including a language-preference cookie that records your selected locale and a session cookie used for waitlist anti-abuse. These technologies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC) as transposed in EEA Member States, because they are strictly necessary to provide a service explicitly requested by the user.

The Website does not currently use advertising cookies, third-party tracking pixels, social-network tags, or analytics cookies that would require consent. If we introduce any such technology in the future, we will publish a cookie banner offering an opt-in choice and update this policy accordingly.

You can configure your browser to block all cookies; this may impair certain Website functionality.

The App may send local notifications for follow-up task reminders, scheduled cultivation events, and case updates. Local notifications are scheduled and delivered on your device and do not require an internet connection.

Push notifications, where you have granted operating-system permission, are delivered through Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging on Android. Push notifications are used only for product-relevant alerts (case milestones, scheduled-task reminders, security notices) and contain only the information necessary to deliver the alert. You may disable push notifications at any time through your device settings.

The Service is intended for users 18 years of age and older. We do not knowingly collect personal data from children under 18. The Service does not include features directed at children, and we do not market the Service to children.

Where the Children's Online Privacy Protection Act (COPPA) applies, we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a person under the applicable age threshold, we will delete the data as soon as reasonably practicable.

If you are a parent or legal guardian and believe a child has provided us with personal data, please contact privacy@canacia.com so that we can investigate and take appropriate action.

We implement reasonable technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, in accordance with GDPR Article 32 and KVKK Article 12. These measures include: encryption in transit (TLS 1.2 or higher); encryption at rest in managed-database and object-storage tiers; key-based and short-lived authentication tokens for backend access; row-level security policies; the principle of least privilege for personnel access; secure software-development practices including code review and dependency monitoring; and periodic security review.

Personal data breach notification: in the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay, and where feasible within 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will inform affected users without undue delay in accordance with GDPR Article 34. KVKK Article 12/5 notification to the KVKK Kurumu and affected data subjects will be provided in line with Board Decision No. 2019/10 of 24 January 2019 (notification within 72 hours).

No security measure is perfect. We encourage you not to submit unnecessary sensitive information through the Service and to use strong account hygiene on the device(s) where the App is installed.

Apple App Privacy ('nutrition labels'): the categories of data collected by the App, as required by Apple's App Privacy disclosure framework, are consistent with Section 3 of this policy. The App's PrivacyInfo manifest declares email address, photos and videos, audio data, other user content, user identifier, crash data, performance data, other diagnostic data, and product interaction data, none of which is used for tracking under Apple's definition.

Google Play Data Safety: our Data Safety form on the Google Play store reflects the same disclosures, including the absence of data sale and the categories of data shared with sub-processors as identified in Section 7.

If you obtain the App from one of these stores, the relevant store's privacy policies and platform-level data collection apply in addition to ours.

We may update this Privacy Policy as the Service evolves. Material changes (including the addition of new sub-processors handling content data, new categories of personal data, or material changes to retention or transfer mechanisms) will be communicated through the App or Website and, where appropriate, will require renewed acknowledgment.

The 'Last updated' date at the top of this page reflects the most recent revision. Prior versions are available on request.

Privacy inquiries, data-subject-rights requests, or complaints can be sent to privacy@canacia.com. General support inquiries can be sent to support@canacia.com.

If you believe your data-protection rights have been violated, you have the right to lodge a complaint with a competent supervisory authority. The supervisory authority competent for Operator's establishment in Berlin, Germany is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI, https://www.datenschutz-berlin.de). In other parts of the European Economic Area, the United Kingdom, or Switzerland, the supervisory authority of your habitual residence, place of work, or place of the alleged infringement is also competent. In Türkiye, the Kişisel Verileri Koruma Kurumu (https://www.kvkk.gov.tr) is competent. In California, the California Privacy Protection Agency (https://cppa.ca.gov) and the California Attorney General have enforcement authority.