What you need to know at a glance
Data Controller
The data controller responsible for your personal data is:
Atatürk KYK Erkek Yurdu, İnciraltı / Balçova / İzmir, Turkey
Email: support@candidai.art
As a sole developer, no Data Protection Officer (DPO) has been formally appointed. All data-related inquiries are handled directly by the developer at the contact above.
Introduction
This Privacy Policy explains how Candid AI ("we", "our", or "the app") collects, uses, and protects your information when you use our mobile application on iOS and Android. This policy applies to users worldwide. By using the app, you agree to the practices described in this policy.
If you do not agree with this policy, please discontinue use of the app and uninstall it from your device.
Information We Collect
Although the app does not require account registration, certain data is collected automatically or through third-party services to ensure proper functionality and improve the app experience.
Camera, Gallery Access, and On-Device AI Processing
The app requests the following permissions to provide its core features:
- Camera Permission (e.g., android.permission.CAMERA / iOS camera access): Used to allow you to take photos directly within the app for camera and pose-guidance features.
- Storage / Media Permission (platform photo-library access): Used when you choose an existing image from your gallery (for example, selecting a profile photo).
- Photo Library Add Permission: Used only when you choose to save a photo from the app to your device gallery (see Saving Photos to Your Gallery below).
How we process your photos (On-Device AI): Candid AI utilizes machine learning models to analyze your photos and suggest poses. All AI processing happens 100% locally on your device. Your photos are never uploaded, transmitted, or stored on any external cloud servers or databases. We only access the photos you explicitly select and do not scan your gallery in the background.
On-Device Face Detection and Motion Sensors
To provide real-time pose coaching, the app may analyze your live camera preview using on-device face detection. This processing:
- Runs entirely on your device and is used only to guide poses (e.g., head angle, framing, and related feedback).
- May use platform machine-learning libraries (such as Google ML Kit on Android) as part of the camera pipeline; no face data is sent to our servers or third-party clouds.
- Is not used to identify who you are, verify your identity, or create a biometric profile.
- Processes temporary frame data from the camera; it is not stored on our servers.
The app also reads device motion and orientation (e.g., accelerometer) to understand how you are holding your phone for the camera preview and pose guidance. This sensor data stays on your device and is not transmitted to us.
Data Stored Locally on Your Device
Because the app does not require an account, most information stays in the app's private storage on your phone. We do not receive or host this data on our servers. Depending on how you use the app, this may include:
- Profile information: Display name, short description, and an optional profile photo you choose.
- Photos you capture in the app: Images saved in the app's internal storage, along with related session metadata (e.g., date, template used, capture settings).
- App preferences: Theme, language, bookmarked feed items, onboarding progress, and premium status flags.
You control this data on your device. You can remove it by deleting individual content in the app, clearing the app's storage in Android settings, or uninstalling the app.
Saving Photos to Your Gallery
When you tap an option to save a photo to your gallery, the app requests permission to add that image to your device's photo library. We only write the specific photo you chose to save; we do not modify, delete, or upload your other gallery items. Once saved, that photo is stored like any other image on your device and is subject to your device's own backup and sync settings (e.g., Google Photos), which are outside our control.
Cloud Backend (Supabase)
We use Supabase as our cloud backend to deliver app content and, when you choose to contact us, to receive feedback. Supabase acts as a data processor on our behalf. This does not include your personal photos, camera captures, or live face-analysis data from pose coaching — those remain on your device as described above.
Feed content and templates: When the app loads or refreshes the pose feed, it may download from Supabase:
- Category and template metadata (titles, layout data, pose guides)
- Reference images for feed cards (curated content supplied by us, not your personal photos)
- Pose template data used for on-device coaching overlays
These downloads use your device's network connection. Supabase may log standard technical data (such as IP address and request timestamps) as part of hosting. A cached copy of feed data may be stored locally on your device to improve offline performance.
Feedback you submit voluntarily: If you use the in-app feedback form, we send the following to Supabase so we can read and respond to your message:
- Email address (required in the form so we can reply)
- Subject and message text
- A pseudonymous app instance ID (a random 8-character ID generated and stored locally on your device; it is not linked to your name unless you provide identifying information in your message)
- App language, platform (Android or iOS), and app version
We do not require you to use the feedback form. If you do not submit feedback, no email or message content is sent to Supabase. For more information about Supabase's practices, please consult the Supabase Privacy Policy.
App Framework and Telemetry (Expo / React Native)
Candid AI is built using the React Native and Expo frameworks. These framework services may process limited diagnostic data (for example, crash information, app version, and platform metadata) to help maintain app stability and fix bugs.
We do not integrate third-party advertising analytics SDKs and we do not use telemetry for ad targeting. For more information, please consult the Expo Privacy Policy.
Purchase and Subscription Data (RevenueCat)
We use RevenueCat to manage in-app purchases and subscriptions. RevenueCat may collect:
- Purchase history and subscription status
- Anonymized device identifier
- App version and platform
RevenueCat does not collect or store payment card details. RevenueCat acts as a data processor on our behalf under a Data Processing Agreement (DPA). For more information, please consult the RevenueCat Privacy Policy.
Payment Data (Platform App Stores)
In-app purchases are processed through platform billing services (such as Google Play Billing on Android and Apple's App Store billing on iOS). We never handle or store payment card information directly. We only receive confirmation of completed transactions. For more information, please consult the relevant platform privacy policy (for example, the Google Privacy Policy and Apple's privacy information).
How We Use Your Information & Legal Basis
Under the GDPR and KVKK, we process your data based on the following legal grounds:
| Data | Purpose | Legal Basis (GDPR Art. / KVKK) |
|---|---|---|
| Camera / gallery images | Core camera features, profile photo selection, and on-device processing (processed locally only) | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) |
| On-device face detection (live camera) | Real-time pose coaching and framing guidance (processed locally only) | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) |
| Device motion / orientation | Camera preview alignment and pose guidance | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) |
| Local app data (profile, captures, preferences) | App functionality stored on your device only | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) and/or Legitimate Interest for optional preferences |
| Saving photos to gallery | Writing a photo you chose to your device library | Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) |
| Feed content from Supabase | Delivering pose templates, categories, and reference images | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) and/or Legitimate Interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)) |
| Feedback submitted via Supabase | Reading and responding to support messages you choose to send | Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) — by submitting the form |
| App Telemetry (Expo) | Crash reporting, ensuring app stability | Legitimate Interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)) |
| Purchase data (RevenueCat) | Managing subscriptions and premium features | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) |
| Purchase confirmation (platform app stores) | Granting access to paid content | Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) |
We do not sell your data to third parties. We do not use your data for advertising purposes.
Legitimate Interest Assessment (Telemetry)
Where we rely on Legitimate Interest as our legal basis, we have assessed that:
- The data is limited to technical diagnostics and is not used for advertising profiling.
- The purpose (improving app stability and features) is proportionate to the minimal privacy impact.
- Users retain the right to object to this processing at any time (see Your Rights).
How We Obtain Your Consent
For processing activities that depend on device permissions (for example camera, photo-library access, save-to-gallery access, and motion sensors where prompted), we request permission through your operating system (Android or iOS) before access. In other cases, processing is based on providing the features you request in the app. You may withdraw permission-based consent at any time by revoking app permissions through your device settings.
International Data Transfers
While we are based in Turkey, the third-party services we use (such as Supabase, RevenueCat, Expo, and platform app-store providers) may operate servers located in the United States, the European Union, or other countries.
Such transfers are conducted in accordance with:
- KVKK Article 9 (cross-border transfers)
- GDPR Chapter V (transfers to third countries)
Where applicable, we rely on standard contractual clauses (SCCs) or the adequacy decisions of the European Commission for transfers outside the EEA.
Third-Party Services Summary
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Feed content delivery & optional feedback storage | supabase.com/privacy |
| Expo | Framework telemetry & crash reporting | expo.dev/privacy |
| RevenueCat | Subscription management | revenuecat.com/privacy |
| Platform app stores (Google Play / Apple App Store) | Payment processing | Google: policies.google.com/privacy / Apple: apple.com/legal/privacy |
Data Retention
- Feedback data (Supabase): Retained for as long as needed to respond to and manage your message, and for up to 24 months thereafter unless you request earlier deletion (see Your Rights).
- Feed cache on device: Cached feed metadata and reference image URLs may remain on your device until you clear app storage or uninstall the app. We do not retain a separate copy of feed downloads tied to your identity on our servers beyond standard hosting logs.
- Telemetry data (Expo): Retained for up to 12 months, after which it is automatically deleted or anonymized in accordance with Expo's data retention policies. You may request earlier deletion (see Your Rights).
- Purchase data (RevenueCat): Retained for as long as necessary to manage your active subscription status, and for up to 3 years thereafter for legal and accounting purposes.
- Local app data (profile, captures, preferences, on-device models): Stored only on your device and not accessible to us. Retained until you delete them in the app, clear app storage, or uninstall the app.
Your Rights
Turkish Users – KVKK (Law No. 6698)
As a Turkish resident, you have the following rights under Article 11 of the KVKK:
- Learn whether your personal data is being processed
- Request information about the processing of your data
- Learn the purpose of processing and whether it is used appropriately
- Know the third parties to whom your data is transferred
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your data
- Object to processing performed solely through automated means
- Request compensation if you suffer damage due to unlawful processing
We will respond to your requests within 30 days.
EU/EEA Users – GDPR
If you are in the EU/EEA, you have the following rights under the GDPR:
- Right of Access (Art. 15): Obtain a copy of your personal data.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to Restriction (Art. 18): Restrict how your data is processed.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest, including framework telemetry.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
We will respond to EU/EEA requests within 30 days (extendable to 60 days for complex requests, with notice).
United States Users – California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.
Categories we may collect (depending on features you use): identifiers (such as a pseudonymous app instance ID sent with feedback or subscription services), contact information (email address if you submit feedback), internet or app activity (feed content requests), and commercial information (subscription or purchase status). Photos, face-analysis data from the live camera, and profile content you store in the app remain on your device and are not collected by us on our servers.
We do not sell your personal information and we do not share it for cross-context behavioral advertising.
California residents may have the right to:
- Know what personal information we collect, use, and disclose.
- Delete personal information we hold about you (subject to legal exceptions).
- Correct inaccurate personal information.
- Opt out of sale or sharing — not applicable, as we do not sell or share data for targeted advertising.
- Non-discrimination for exercising your privacy rights.
To submit a request, email support@candidai.art with the subject line "California Privacy Request" and describe your request. We will verify your request and respond within the timeframes required by applicable law (typically 45 days, with a possible extension where permitted). You may use an authorized agent where allowed by law; we may require proof of authorization.
Users in Other Regions
If your country or state grants additional privacy rights, you may contact us at support@candidai.art to submit a request. We will review and handle requests in line with applicable local law.
To exercise any of these rights, contact: support@candidai.art
Right to Lodge a Complaint
You also have the right to lodge a complaint with the relevant supervisory authority:
- Turkish Users: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
- EU/EEA Users: The data protection authority in your country of residence. A list is available at edpb.europa.eu.
Data Security
We take reasonable technical and organizational measures to protect the data processed through our third-party services. These measures include:
- All AI analysis of your images is performed entirely offline on your device, ensuring maximum security for your personal media.
- Third-party services are selected based on their own security standards and certifications.
- Feedback stored in Supabase and any purchase data is accessible only to the developer.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33 / KVKK Art. 12).
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights (GDPR Art. 34).
Children's Privacy
This app is intended for a general audience and is not directed to children. We do not knowingly collect personal information from:
- Children under the age of 13 (USA / general)
- Children under the age of 16 (EU/EEA, unless a lower age applies in your member state)
If you believe a child has provided personal information through the app, please contact us at support@candidai.art and we will promptly delete such information.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we make significant changes, we will update the "Last Updated" date at the top of this policy. Continued use of the app after changes are posted constitutes your acceptance of the updated policy.
We encourage you to review this policy periodically.
Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact:
Atatürk KYK Erkek Yurdu, İnciraltı / Balçova / İzmir, Turkey
Email: support@candidai.art
We aim to respond to all inquiries within 30 days.