Last Updated: November 1, 2025
This Privacy Policy describes how EDROIDA GÖRSEL TEKNOLOJİ HİZMETLERİ LTD. ŞTİ. ("we," "our," or "us") collects, uses, and protects your information when you use our Othermy application and related services.
SECTION 1 – INTRODUCTION, SCOPE, AND LEGAL FRAMEWORK
EDROIDA GÖRSEL TEKNOLOJİ HİZMETLERİ LTD. ŞTİ. ("EDROIDA", "we", "our", or "us"), whose registered office is located at PETROL İŞ MAH. AKGÜN SK. AHMET BEY APT NO: 46, KARTAL / İSTANBUL, TURKEY, designs, develops, and supports the Othermy mobile application, ancillary web properties, and any related services (collectively, "Othermy" or the "Platform").
This Privacy Policy explains—at a detailed, operational level—how we collect, create, receive, store, use, disclose, transfer, and safeguard information linked to natural persons in the course of providing the Platform.
The Policy is deliberately drafted in American English to satisfy Apple App Store Connect expectations and is harmonized with a broad set of regulations, including:
- European Union General Data Protection Regulation (GDPR)
- EU Artificial Intelligence Act (AI Act)
- California Consumer Privacy Act as amended by the CPRA (CCPA)
- United States AI Bill of Rights
- UK Data Protection Act 2018/UK GDPR
- Türkiye's Law on the Protection of Personal Data (KVKK No. 6698)
Nothing in this Policy diminishes mandatory protections granted by law; in case of conflict, the stricter safeguard prevails. By creating an account, downloading the application, or otherwise interacting with Othermy, you acknowledge that you have read and understood this Policy.
SECTION 2 – DEFINITIONS, ROLES, AND ACCOUNTABILITY
"User", "data subject", or "you" refers to any identified or identifiable natural person who accesses Othermy. "Personal data" means any information relating to an identified or identifiable natural person.
"Processing" covers every action performed on personal data—collecting, recording, structuring, storing, adapting, retrieving, consulting, using, transmitting, disseminating, aligning, restricting, deleting, or destroying—whether automated or manual.
"Sensitive data" encompasses special categories defined in GDPR Article 9, comparable categories under KVKK, and sensitive personal information under the CCPA (e.g., health, biometric, genetic, racial or ethnic origin, religious or philosophical beliefs, sexual orientation).
EDROIDA acts as the Data Controller under GDPR and KVKK and as a Business under the CCPA. We maintain a Data Protection Officer (privacy@othermy.com), document processing activities (Article 30 GDPR), conduct annual privacy and AI impact assessments, and employ a cross-functional Privacy & AI Governance Council.
SECTION 3 – CATEGORIES OF DATA WE COLLECT AND SOURCES
We collect information from four primary sources:
- Account & Identity Data: name, surname, username, hashed password, email address, phone number, IP-derived city, time zone, language preference, country/region, age bracket, referral codes, account creation and status timestamps
- Profile & Persona Data: avatar images, biography, conversational tone preferences, emotional style toggles, calibration questionnaire responses, scenario prompts, closing examples, reminders, and optional demographic attributes
- AI Interaction & Content Data: chat transcripts, voice recordings and transcripts, emotion labels, safety scores, memory cards, dream entries, AI-generated summaries, journaling guides, and attachments you upload
- Device, Technical & Usage Data: device model, OS version, application version, device identifiers, screen resolution, battery and network status, crash logs, stack traces, debug telemetry, timestamps, button tap sequences, dwell time, and general location (IP-derived)
- Transaction & Subscription Data: plan tier, product identifiers, purchase history, renewal dates, currency, billing region, promotional codes, receipts, refunds, and chargeback notifications
- Trust, Safety & Support Data: helpdesk tickets, troubleshooting sessions, diagnostic logs, moderated content flags, abuse reports, risk scores, and communications
- Cookies, SDKs & Similar Technologies: authentication tokens, refresh tokens, preference cookies, analytics identifiers, CSRF protection cookies, anti-abuse fingerprints, and consent logs
- Optional Integrations: data from Sign in with Apple, Sign in with Google, or other authorized third-party services
SECTION 4 – PURPOSES OF PROCESSING AND LEGAL BASES
Processing takes place only when a lawful basis exists and the purpose is clearly defined:
- Service Provision & Account Management – creating accounts, authenticating users, syncing data, delivering AI experiences, providing support (GDPR 6(1)(b); KVKK 5(2)(c))
- Personalization & AI Enablement – tailoring Digital Persona, preserving context, memory recall, mood preferences (GDPR 6(1)(a), 6(1)(f); AI Act transparency)
- Safety, Security & Integrity – preventing fraud, detecting spam, mitigating harmful content, enforcing standards (GDPR 6(1)(c), 6(1)(f); KVKK 5(2)(ç))
- Compliance & Recordkeeping – responding to lawful requests, retaining consents, fulfilling obligations (GDPR 6(1)(c); KVKK 5(2)(ç))
- Analytics & Product Improvement – analyzing adoption, A/B tests, improving AI accuracy, optimizing onboarding (GDPR 6(1)(f), 6(1)(a))
- Communications – onboarding, notifications, security alerts, policy updates, marketing (with consent) (GDPR 6(1)(f), 6(1)(a))
- Research & Transparency – anonymized reports, ethical AI research, safety insights (GDPR 6(1)(f))
SECTION 5 – AI TRANSPARENCY, AUTOMATED DECISIONS, AND HUMAN OVERSIGHT
Othermy leverages OpenAI GPT-based APIs, proprietary moderation models, sentiment evaluators, and policy engines to deliver conversational experiences. Automated processing powers:
- Contextual response generation
- Memory recall and persona personalization
- Detection of high-risk content
- Delivery of supportive suggestions
- Measurement of AI alignment metrics
Important: Automated systems do not issue binding legal, medical, financial, or employment decisions. When automated assessments suggest severe risk, the conversation may be paused and a human review initiated.
You may review or delete interaction history, disable AI learning, export your data, and request an intelligible explanation of the primary logic that influenced a specific output by contacting privacy@othermy.com.
SECTION 6 – DATA SHARING, DISCLOSURE, AND PROCESSOR DUE DILIGENCE
EDROIDA does not sell personal data and does not allow advertising networks to access AI conversation content. We share personal data strictly under these circumstances:
- Service Providers: Google Firebase/Cloud (hosting, authentication, analytics), OpenAI (secure AI inference), Apple/Google sign-in SDKs, payment processors (Apple, Google, Stripe), push notification services, cloud storage vendors, and customer support platforms
- Professional Advisors: legal counsel, auditors, accountants, and insurers under fiduciary or confidentiality obligations
- Corporate Transactions: mergers, acquisitions, financing rounds, reorganization, or insolvency proceedings
- Compliance, Legal Requests, and Safety: governmental authorities, courts, or third parties when necessary to comply with law, enforce agreements, investigate violations, prevent harm, or protect rights
- Aggregated/De-identified Reports: analytics or transparency summaries that cannot reasonably re-identify individuals
SECTION 7 – INTERNATIONAL TRANSFERS AND CROSS-BORDER SAFEGUARDS
Personal data may be processed in Türkiye, EU Member States, the United States, or other countries where our trusted processors operate. We rely on:
- Standard Contractual Clauses (2021 SCCs)
- EU–US Data Privacy Framework (for eligible services)
- Supplemental safeguards: encryption, access control, data minimization, strict purpose limitation
EEA, UK, and Swiss residents may request copies of applicable safeguards by emailing privacy@othermy.com. Turkish residents are informed pursuant to KVKK Article 9.
SECTION 8 – DATA RETENTION, STORAGE PRACTICES, AND DELETION WORKFLOWS
Retention periods are tailored to the data category and legal obligations:
- Account credentials, subscription records, consent logs, security tokens: retained for account lifetime + up to 3 years for dispute resolution, audit, and compliance
- AI conversation history, persona memories, calibration responses, uploaded media: retained until you delete them or request account deletion; production systems purged within 30 days, encrypted backups within 90 days
- Support and trust/safety records: stored for up to 2 years
- Telemetry, crash analytics, performance logs: 12-18 months, then anonymized or deleted
- Legal hold or compliance records: as long as necessary to satisfy statutory requirements
To delete your account, go to Profile → Privacy & Cookies → Delete Account, or email privacy@othermy.com.
SECTION 9 – SECURITY PROGRAM, AUDITS, AND INCIDENT RESPONSE
EDROIDA maintains a layered security program comprising:
- AES-256 encryption at rest
- TLS 1.3 with HSTS for data in transit
- Hardware-backed key management and rotation
- Least-privilege IAM policies
- Mandatory multi-factor authentication for privileged accounts
- Zero-trust network segmentation
- Continuous vulnerability scanning
- Regular penetration testing by independent firms
- Secure coding practices with static and dynamic analysis
- Supply-chain risk reviews
- Logging and monitoring with anomaly detection
- Disaster recovery and business continuity plans
If a breach involving personal data is likely to result in risk to data subjects, we notify relevant supervisory authorities within 72 hours (GDPR Article 33) and affected users as soon as feasible.
SECTION 10 – USER RIGHTS, REQUEST HANDLING, AND APPEALS
Depending on your jurisdiction, you may exercise rights to:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Consent withdrawal
- Opt-out of sale or sharing (California)
- Automated decision review
- Freedom from discrimination
To exercise your rights, go to Profile → Privacy & Cookies → Manage Data, or email privacy@othermy.com.
We respond within one (1) month (extendable by up to two months for complex cases). Upon request, we provide data in a portable, structured, machine-readable format.
SECTION 11 – SPECIAL AUDIENCES, COOKIES, AND MARKETING PREFERENCES
11.1 Minors and Protected Users
Othermy is intended for individuals aged sixteen (16) or older. We do not knowingly collect data from minors; if discovered, we suspend and delete the account. Parents or guardians may request removal by contacting privacy@othermy.com.
11.2 Sensitive Data Controls
Sensitive data is processed only with explicit consent and solely for personalization. You may delete such content at any time.
11.3 Cookies & Similar Technologies
Essential cookies maintain sessions and guard against abuse; functional cookies remember language and dial code preferences; analytics cookies assess engagement; marketing cookies operate only on public web pages and honor consent.
Manage cookies via in-app controls, the website banner, or browser settings. We recognize Global Privacy Control signals and provide granular toggles for analytics and personalization cookies.
11.4 Marketing Communications
Transactional emails, policy updates, and security notices are necessary service communications. Promotional emails or push notifications require opt-in consent and contain clear unsubscribe options.
11.5 Do Not Track & Preference Signals
We treat recognized "Do Not Track" or equivalent signals as opt-outs of targeted advertising where required. Users can adjust preferences within the app's privacy dashboard.
SECTION 12 – UPDATES, CONTACT INFORMATION, AND REGULATORY RECOURSE
We may update this Privacy Policy to reflect legal, technological, or operational changes. Material updates are announced via in-app notifications, optional email alerts, and publication on www.othermy.com/privacy.
Continued use following publication constitutes acceptance of the revised Policy. Prior versions are available on request.
Contact Information
EDROIDA GÖRSEL TEKNOLOJİ HİZMETLERİ LTD. ŞTİ.
Address: PETROL İŞ MAH. AKGÜN SK. AHMET BEY APT NO: 46, KARTAL / İSTANBUL, TÜRKİYE
Email: privacy@othermy.com | support@othermy.com | info@edroida.com
Website: www.othermy.com
Supervisory Authorities
- Türkiye: Kişisel Verileri Koruma Kurumu (www.kvkk.gov.tr)
- European Union/EEA: National Data Protection Authorities (edpb.europa.eu)
- United Kingdom: Information Commissioner's Office (www.ico.org.uk)
- United States: Federal Trade Commission (www.ftc.gov) and California Privacy Protection Agency
If you believe your rights have been infringed, you may lodge a complaint with the relevant authority and seek judicial remedies. EDROIDA cooperates fully with regulators and aims to resolve privacy concerns transparently and promptly.