Thanxful Privacy Policy

1. At a glance

We made Thanxful so you can keep a private gratitude journal and — if you want — get AI-generated reflections on what you write. Your journal is yours. We only touch it to make the service work. We never sell your data and we never use your entries to train AI models.

Topic	Short answer
Who runs Thanxful?	Kadir Alan, a sole proprietor (şahıs şirketi) registered in Türkiye. Contact: `hello@thanxful.app`.
What do you collect?	Your email, name, journal entries, mood, device and subscription info.
Why?	To run the app, deliver subscriptions, send reminders, and — only if you opt in — generate AI insights from your entries.
Who do you share it with?	Our service providers: Google Firebase (backend), OpenAI and Google Gemini (AI), RevenueCat (subscriptions), Apple (sign-in, push, anti-abuse). We don't sell or rent your data to anyone.
Where is it stored?	Your account and journal live in the European Union (`europe-west1`, Belgium). Your entries travel to the United States only when you ask for AI insights.
How long?	We keep it until you delete your account. When you delete, your data is removed from our active systems immediately and from backups and logs within 30 days.
What rights do you have?	Access, correction, deletion, portability, objection, and consent withdrawal. Email `hello@thanxful.app` with subject `Privacy Request`. We reply within 30 days.

2. Who we are

Thanxful is a gratitude journaling app for iOS published by Kadir Alan, a sole proprietor (şahıs şirketi) operating in Türkiye.


Data controller (veri sorumlusu)	Kadir Alan — sole proprietor (şahıs şirketi), Türkiye
Contact	`hello@thanxful.app` (include `Privacy` in the subject line)

For the purposes of the EU/UK General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK), Kadir Alan is the data controller (veri sorumlusu) for personal data processed through the Thanxful iOS app and the thanxful.app website.

As a sole proprietor operating below KVKK's VERBİS threshold and the GDPR Article 37 DPO threshold, we are not required to register with VERBİS or to appoint a Data Protection Officer. If this changes, we will update this policy. If you need a postal correspondence address to serve legal notices, email hello@thanxful.app first — we will provide one promptly.

3. Scope

This policy applies to:

The Thanxful iOS app (com.aota.thanxful and beta com.aota.thanxful.beta) on the Apple App Store.
The thanxful.app website (marketing pages, these legal documents, and any supporting content).

It does not apply to third-party services you reach via outbound links (e.g., Apple's App Store, OpenAI's website, RevenueCat's platform). Those services operate under their own privacy policies.

4. Information we collect

We collect only what we need to run the service. We group it into six categories:

4.1 Identity data

When you create an account, we collect:

Email address (required).
Display name (optional; you can change or leave blank).
Profile photo (optional; stored in Firebase Storage).
A unique Firebase user ID (generated automatically; used internally).
If you use Sign in with Apple: your email (real or Apple's private relay) and, on first sign-in, your full name if you choose to share it. Apple does not share your Apple ID with us.

4.2 Journal content — special-category data

Journal entries are the heart of the app. For each entry you save, we store:

The entry text (up to 3,000 characters).
Rich-text formatting (bold, italic, lists — up to 30,000 characters, encoded).
Optional mood selection.
The prompt you responded to (if any).
The local calendar date (so you get one entry per day of your life, not one per UTC day).

Journal entries are personal and sensitive. Under GDPR Article 9 and KVKK Article 6, a journal may contain special categories of data (for example, content that reveals your health, religious beliefs, political views, sexuality, or trade-union membership). We treat all journal content as if it were special-category data and rely on your explicit consent when it is processed for AI insights (see §6).

4.3 Profile and preferences

Streaks (current and longest).
Last active timestamp and time zone (your device's IANA time zone, e.g., Europe/Istanbul).
Language preference (your chosen app language, from a list of 30).
Theme preference (Espresso, Cosmos, Oat, etc.).
Notification settings: whether reminders are on, reminder time, and time zone.
Subscription status: whether you have an active premium subscription (from RevenueCat; see §7).
AI consent record — an append-only log of your AI-consent actions (granted, declined, revoked), the source (onboarding, post-entry, post-purchase, or Settings), a timestamp, and the prompt count shown. This log is required by Apple App Store Review Guideline 5.1.2(i).

4.4 Device and usage data

When you use the app we automatically collect:

Device identifiers your device reports to Firebase Analytics: device model, OS version, app version, locale, country, time zone, and Firebase's internal app instance ID.
FCM push token — a per-install token assigned by Firebase Cloud Messaging so we can send you reminders. Stored in Firestore under your account and rotated on re-install or sign-out.
Event data: what you did in the app — which screens you viewed, whether you saved an entry, whether you opened an insight, whether you started checkout — but not the content of your entries.
Crash reports via Firebase Crashlytics (stack trace, device state at crash). Crashlytics is disabled on debug builds. It's enabled on the release build that ships to users.

We do not collect:

Your IP address inside the app (Firebase Analytics does not expose it to us).
Your Advertising Identifier (IDFA) — we use Firebase's non-AdSupport variant and disable ad-personalization signals.

4.5 Subscription data

When you buy a Thanxful subscription:

The transaction is processed by Apple (App Store). We never see your payment method or card details.
RevenueCat handles the subscription lifecycle on our behalf. We share your Firebase user ID with RevenueCat; RevenueCat shares back the product ID, status, expiry date, and renewal date.

4.6 Communications and feedback

Support emails you send to hello@thanxful.app.
Feature requests and bug reports you submit from inside the app (rate-limited to a few per day to prevent abuse). We store the text you wrote, your user ID, and the timestamp. When you delete your account, feedback is anonymized (user ID replaced with "deleted_user") rather than deleted, because it helps us build the product; the text you wrote is no longer connected to you.

4.7 Onboarding trial (before you make an account)

If you try a single AI insight before signing in, we collect:

A device UUID generated by your device (not the IDFA).
A hashed IP address (SHA-256 — we never store the raw IP).
An Apple DeviceCheck token (so Apple can tell us whether the device has already used the trial).

These are used only to rate-limit the trial (one per device per day, 20 per global IP per day) and to block abuse. They expire quickly.

4.8 Security

Your app-lock passcode (if you enable one) is stored only in the iOS Keychain on your device. It never leaves your phone. Your biometric (Face ID / Touch ID) data stays in Apple's Secure Enclave; we never receive it.

5. How and why we use your information

For each processing activity we tell you what we do and our legal basis under GDPR Article 6 and KVKK Article 5.

What we do	Why	Legal basis (GDPR Art. 6)	Legal basis (KVKK Art. 5/6)
Create and maintain your account; store your entries	We can't run the app without this	6(1)(b) Performance of a contract	5(2)(c) Directly related to contract performance
Generate AI insights from your journal entries	Only if you explicitly opt in	6(1)(a) Consent + 9(2)(a) Explicit consent for special-category data	6(2) Explicit written consent for special-category data
Send daily gratitude reminders	You turn this on in Settings	6(1)(a) Consent	5(1) Explicit consent
Process subscription purchases via Apple and RevenueCat	So we can give you what you paid for	6(1)(b) Contract	5(2)(c) Contract
Crash reporting (Crashlytics) and aggregate product analytics	To fix crashes and understand what's useful	6(1)(f) Legitimate interests — running a reliable app	5(2)(f) Legitimate interest
Anti-abuse: DeviceCheck bits, IP hashing, rate limits on trial and feedback	To stop spam and cost-abuse of AI	6(1)(f) Legitimate interests — security	5(2)(f) Legitimate interest
Keep payment-related records for tax and accounting	Legal requirement	6(1)(c) Legal obligation	5(2)(a) Legal obligation
Respond to lawful requests from authorities	We'll comply where required	6(1)(c) Legal obligation	5(2)(a) Legal obligation

We do not profile you, do not do automated decision-making that significantly affects you, and do not sell or rent your data to anyone.

6. AI processing of your journal

This section is for App Store Review Guideline 5.1.2(i) and for you — the person whose journal is involved. Read it carefully.

What happens

When you explicitly opt in to AI insights, Thanxful sends the text of selected journal entries to third-party AI providers so they can generate:

Instant insights — a short reflection on one entry.
Weekly summaries — a short summary of the last 7 days of entries.
Monthly summaries — a deeper analysis of the last 30 days of entries.

Who processes your entries

OpenAI (primary), using models gpt-4o-mini and gpt-4o. Servers in the United States.
Google Gemini (fallback, if OpenAI is unavailable). Servers in the United States / Google's global infrastructure.

What we send

The text of your entries for the period being analyzed.
Your display name (so the insight can address you by name).
Your preferred language (so the insight comes back in your language).

What we don't send

Your email address.
Your streak counts, subscription status, or any profile data.
Any other user's data.

Retention by AI providers

OpenAI retains API inputs for up to 30 days for abuse monitoring, then deletes them. OpenAI does not use API data to train models. (Source: OpenAI API Terms.)
Google Gemini does not use API data to train models by default. (Source: Google Gemini API Terms.)

Your consent

We ask for your explicit consent the first time AI could be used — during onboarding, after saving an entry, or after a premium purchase.
Your consent is recorded in a tamper-evident append-only log (users/{uid}/aiConsent).
You can withdraw your consent at any time in Settings → AI Consent. Withdrawal blocks future AI processing immediately. Past insights that have already been generated remain in your history until you delete them or delete your account.
Under GDPR Article 9(2)(a) and KVKK Article 6(2), your journal may contain special-category data. Your explicit consent is the legal basis for sending it to the AI providers.

AI insights are not medical, legal, or therapeutic advice

AI-generated insights are automatically produced text. They can be wrong, misleading, or out of context. They are not a substitute for a licensed therapist, doctor, lawyer, or other professional. If you are in distress, contact a qualified professional or, in an emergency, local emergency services.

We share personal data only with the service providers listed below, and only for the purposes shown. Each provider is contractually bound to process your data only on our instructions and to apply appropriate security measures.

Provider	Role	Data shared	Region	Their privacy policy
Google LLC (Firebase)	Backend: authentication, Firestore database, Storage, Cloud Functions, Messaging, Analytics, Crashlytics, Remote Config, App Check	All profile data, journal entries, FCM tokens, analytics events, crash reports	Firestore and Cloud Functions in `europe-west1` (Belgium, EU). Analytics and Crashlytics on Google's global infrastructure.	https://policies.google.com/privacy
OpenAI, L.L.C.	AI insight generation	Journal entry text, display name, language — only when you consent	United States	https://openai.com/policies/privacy-policy
Google LLC (Gemini API)	AI insight generation (fallback)	Same as OpenAI	United States / global	https://policies.google.com/privacy
RevenueCat, Inc.	Subscription management	Firebase user ID, product ID, subscription status, renewal date	United States	https://www.revenuecat.com/privacy
Apple Inc.	Sign in with Apple, push notifications (APNs), DeviceCheck, App Store payments	Apple ID email, push tokens, device bits, purchase records	Apple infrastructure	https://www.apple.com/legal/privacy/

Meta / Facebook: our Info.plist declares the Facebook App ID 2198469434228743 only to enable the iOS "Share to Instagram Stories" URL scheme. We do not include the Facebook SDK. We do not send any data to Meta. Meta receives only the image you choose to share, if and when you share it — exactly as with any other "Share Sheet" destination.

Law enforcement and legal requests

We will disclose personal data to public authorities only when we are required to by a valid legal process in Türkiye, or in another country with valid jurisdiction over us. Where lawfully permitted, we will notify you of such a request.

No sale of data

We do not sell your personal data. We do not "share" it for cross-context behavioral advertising (as those terms are defined under the California Consumer Privacy Act / CPRA).

8. International data transfers

Your account and journal are stored in the European Union (Google Cloud europe-west1, Belgium).

Some of our service providers are in the United States:

OpenAI and Google Gemini receive your journal entries (only when you consent) for AI processing.
RevenueCat processes your subscription status.
Some Apple and Firebase services run on global infrastructure.

We rely on the following legal mechanisms for these transfers:

GDPR: Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914) contained in our data-processing agreements (DPAs) with each provider, supplemented by technical measures (encryption in transit and at rest, per-service access controls). For providers certified under the EU–US Data Privacy Framework, we additionally rely on that adequacy decision.
UK GDPR: the UK International Data Transfer Addendum (IDTA) attached to the same SCCs.
KVKK (Türkiye): a combination of
1. your explicit consent under KVKK Art. 9(1) when you opt in to AI insights (your journal content is only transferred when you have turned AI on);
2. data-processing agreements (DPAs) signed with each provider as a contractual safeguard, applying the provider's own GDPR/KVKK-aligned terms — specifically the Google Cloud / Firebase DPA (which incorporates SCCs), the OpenAI API Data Processing Addendum, and the RevenueCat DPA;
3. technical measures listed in §11 (encryption, App Check, minimized logging) that together provide "appropriate safeguards" under the 2024–2026 KVKK reform.

We are working toward executing the Turkish Data Protection Authority's Standart Sözleşme (Standard Contract) templates with each provider that is willing to sign them, and — where signed — will file the required 5-business-day notification with the Authority. Where a provider does not accept the KVKK template and insists on its own DPA, we rely on the combined safeguards above.

You can ask us for a copy of the transfer-safeguard documents by writing to hello@thanxful.app.

9. Retention

We keep personal data only for as long as we need it.

Data	Retention
Account data (email, name, profile, preferences)	Until you delete your account.
Journal entries, moods, streaks	Until you delete them individually, reset your content (Settings → Reset Account), or delete your account.
AI consent log	Append-only for the life of your account (required by App Store Guideline 5.1.2(i)). Deleted with your account.
AI-generated insights (instant, weekly, monthly)	Until you delete them or your account.
FCM push tokens	Until your device un-registers, you sign out, or your account is deleted.
Crashlytics crash reports	90 days (Google default).
Firebase Analytics events	14 months (Google default, minimum).
Cloud Logging (server logs)	400 days (no entry content is logged; see §11).
Cloud Trace (observability)	15 days.
Feature requests / bug reports	Retained for product improvement; anonymized (user-ID stripped) within 30 days of account deletion so the content is no longer linked to you.
Payment records (via Apple and RevenueCat)	As long as applicable Turkish tax and commercial law requires — typically 10 years.

When you delete your account (Settings → Advanced → Delete Account, or by email), we purge your profile, entries, insights, achievements, AI consent log, and FCM tokens from our active systems immediately. It may take up to 30 days for the deletion to propagate through service-provider caches, backups, and logs.

10. Your rights

Depending on where you live, you have some or all of the following rights:

Right of access (GDPR Art. 15 / KVKK Art. 11 / CCPA "right to know") — a copy of the personal data we hold about you.
Right of rectification (GDPR Art. 16 / KVKK Art. 11) — correct inaccurate data.
Right to erasure (GDPR Art. 17 / KVKK Art. 7 / CCPA "right to delete") — ask us to delete your data. The app's Delete Account flow does this.
Right to restriction of processing (GDPR Art. 18 / KVKK Art. 11) — tell us to stop using your data while a dispute is resolved.
Right to data portability (GDPR Art. 20 / CCPA "right to data portability") — receive a machine-readable copy of the data you gave us. We do not yet have a self-service export button. Email us and we will send you your entries and profile as structured JSON within 30 days.
Right to object (GDPR Art. 21 / KVKK Art. 11) — object to processing based on legitimate interests (for example, analytics).
Right to withdraw consent (GDPR Art. 7 / KVKK Art. 5/6) — turn off AI insights in Settings → AI Consent; turn off reminders in Settings → Notifications. Withdrawing consent does not affect the lawfulness of processing that already happened.
CCPA / CPRA (California residents):
- Right to know what personal information we collect, the sources, purposes, and third parties.
- Right to delete and right to correct.
- Right to opt out of sale or sharing of personal information — we do not sell or share, so there is nothing to opt out of, but you can confirm this at any time.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes outside those described in §5.
- Right to non-discrimination for exercising your rights.
Right to lodge a complaint:
- Türkiye: Kişisel Verileri Koruma Kurumu (KVKK Authority) — https://www.kvkk.gov.tr/
- EU/EEA: your local data-protection authority (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- UK: Information Commissioner's Office — https://ico.org.uk/
- California: California Privacy Protection Agency — https://cppa.ca.gov/

How to exercise your rights

Email hello@thanxful.app with the subject line Privacy Request and tell us which right you want to exercise. We may ask you to verify your identity (typically by replying from the email address on your account). We respond within 30 days as required by GDPR Article 12 and KVKK Article 13. If we need more time, we will tell you why and when to expect a response.

You can also authorize an agent (e.g., under CCPA) to act on your behalf by sending a signed authorization; we will still verify your identity directly for sensitive requests.

There is no fee for exercising these rights unless your request is manifestly unfounded or excessive (e.g., repetitive).

11. Security

We take security seriously. Our measures include:

Encryption in transit — TLS 1.2+ for all network traffic.
Encryption at rest — Google Cloud's default server-side encryption (AES-256).
Authentication — Firebase Auth; passwords are never stored in plaintext.
App Check — Apple App Attest on the production build; requests from untrusted clients are rejected.
Apple DeviceCheck — used during onboarding trial to prevent abuse.
Strict Firestore security rules — each user can only read and write their own data.
Separation of sensitive data — your app-lock passcode is stored only in the iOS Keychain; your biometric data stays in the Apple Secure Enclave and we never receive it.
PII-minimized logs — we deliberately exclude journal text from server logs. We log only metadata (user ID, event type, status) needed for operations and debugging.
Secrets management — API keys (OpenAI, RevenueCat, Apple DeviceCheck) live in Firebase Secret Manager, not in code.

No system is perfectly secure. If we ever detect a personal-data breach, we will notify the KVKK Authority within 72 hours under KVKK Art. 12(5), and you directly where the law requires it, under GDPR Art. 33–34.

12. Children

Thanxful is not directed to children under 13. You must be at least 13 years old to use the service (see Terms of Service §3). If you are between 13 and the age of digital consent in your country (14–16 in some EU member states), you may need a parent or guardian's permission under local law.

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has given us personal information, email hello@thanxful.app and we will delete it.

The app's App Store age rating (4+) reflects that the content is appropriate for all ages (no violence, sexual content, or explicit language). It does not change the contractual minimum age of 13 for creating an account.

We rely on the written eligibility requirement in our Terms of Service to enforce the 13+ minimum. Consistent with common practice among journaling and wellness apps, we do not impose an in-app age gate. Under Turkish Civil Code (TMK) Art. 15, minors generally lack full contractual capacity; if you are under 18, a parent or legal guardian must agree to these documents on your behalf.

13. California (CCPA / CPRA) disclosures

If you are a California resident, this section applies to you in addition to the rest of this policy.

Categories of personal information collected (last 12 months)

CCPA category	Collected?	Source	Purpose	Shared with
Identifiers (email, user ID, device ID)	Yes	You; your device	Account, security, analytics	Firebase, RevenueCat
Personal information under California Customer Records (Cal. Civ. Code §1798.80)	Yes (name)	You	Account	Firebase
Protected classifications	No	—	—	—
Commercial information (subscription history)	Yes	Apple, RevenueCat	Subscription delivery	RevenueCat
Biometric information	No (Face ID stays on device)	—	—	—
Internet / network activity	Limited (app events, crash reports)	Your device	Analytics, reliability	Firebase
Geolocation	Coarse only (country / time zone from Firebase Analytics)	Your device	Content localization	Firebase
Audio / visual / thermal / olfactory	Profile photo (if you add one)	You	Profile	Firebase Storage
Professional or employment info	No	—	—	—
Education info	No	—	—	—
Inferences	No	—	—	—
Sensitive personal information	Journal content is treated as sensitive	You	AI insights (only with consent)	OpenAI, Google Gemini

Your California rights

Know / access — see §10.
Delete — see §10.
Correct — see §10.
Opt out of sale / sharing — we do not sell or share your personal information. You have nothing to opt out of.
Limit the use of sensitive personal information — we only use sensitive information (your journal content) for the purposes described in §6 and with your explicit consent.
Non-discrimination — we will not deny you service, charge a different price, or provide a different quality for exercising any CCPA right.

To exercise these rights, email hello@thanxful.app with subject California Privacy Request. We verify your identity by confirming you control the account email.

We do not offer a financial incentive in exchange for personal information.

14. Cookies and similar technologies

In the iOS app: we do not use web cookies. The app stores small amounts of data locally in UserDefaults (preferences like your theme, language override, notification flag) and in the iOS Keychain (app-lock passcode). None of this is shared with us or with third parties.

On thanxful.app: as of the effective date of this policy, the marketing site does not use cookies, web-beacons, or third-party analytics trackers. If we add any in the future, we will update this section, display a cookie consent banner on the site, and treat the change as a material update (see §15).

15. Changes to this policy

We will update this policy from time to time. For material changes (changes that affect your rights or what we do with your data), we will give you at least 30 days' notice by email and by an in-app banner before the change takes effect. For non-material changes (typo fixes, clarifications), we will update the document and bump the "Effective Date" at the top.

If you don't agree with a change, you can stop using the service and delete your account before the change takes effect.

16. Contact

For any privacy question, data-subject request, or complaint:

Email: hello@thanxful.app (subject: Privacy)
Data controller: Kadir Alan (sole proprietor, Türkiye)

If you need to serve legal notice by post, email us first at hello@thanxful.app and we will provide a correspondence address.

Supervisory authorities you can lodge a complaint with:

Türkiye: Kişisel Verileri Koruma Kurumu — https://www.kvkk.gov.tr/
EU/EEA: your local data-protection authority — https://edpb.europa.eu/about-edpb/about-edpb/members_en
UK: Information Commissioner's Office — https://ico.org.uk/
California: California Privacy Protection Agency — https://cppa.ca.gov/

17. Glossary

GDPR — Regulation (EU) 2016/679, the European Union's General Data Protection Regulation.
KVKK — Kişisel Verilerin Korunması Kanunu, Türkiye's Personal Data Protection Law No. 6698.
CCPA / CPRA — California Consumer Privacy Act as amended by the California Privacy Rights Act.
COPPA — Children's Online Privacy Protection Act (United States).
FCM — Firebase Cloud Messaging, the service we use to send push notifications.
Special-category data / sensitive data — information about health, religion, politics, sexuality, etc. Under GDPR Art. 9 and KVKK Art. 6, this category requires heightened protection.

Thank you for trusting us with your gratitude practice.

— The Thanxful team