Candid AI · Legal Documents

Your data,
your control.

Last updated: June 19, 2026 · Contact: support@candidai.art

What you need to know at a glance

On-device AI — your photos stay on your device
Feed via Supabase; no sale of data; feedback only if you send it
No third-party analytics SDK — no ad tracking
Designed for global users with region-specific privacy rights
00

Data Controller

The data controller responsible for your personal data is:

Mehmet Mert Altuntaş (Individual Developer)
Atatürk KYK Erkek Yurdu, İnciraltı / Balçova / İzmir, Turkey
Email: support@candidai.art

As a sole developer, no Data Protection Officer (DPO) has been formally appointed. All data-related inquiries are handled directly by the developer at the contact above.

Note for EU/EEA Users: We are an individual developer based in Turkey and are not currently established in the EU/EEA. If GDPR Article 27 applies to our processing activities, we will designate an EU Representative as required. In the meantime, you may contact us directly at the email above to exercise your rights, and we aim to respond within applicable legal timeframes.
01

Introduction

This Privacy Policy explains how Candid AI ("we", "our", or "the app") collects, uses, and protects your information when you use our mobile application on iOS and Android. This policy applies to users worldwide. By using the app, you agree to the practices described in this policy.

If you do not agree with this policy, please discontinue use of the app and uninstall it from your device.

02

Information We Collect

Although the app does not require account registration, certain data is collected automatically or through third-party services to ensure proper functionality and improve the app experience.

Camera, Gallery Access, and On-Device AI Processing

The app requests the following permissions to provide its core features:

  • Camera Permission (e.g., android.permission.CAMERA / iOS camera access): Used to allow you to take photos directly within the app for camera and pose-guidance features.
  • Storage / Media Permission (platform photo-library access): Used when you choose an existing image from your gallery (for example, selecting a profile photo).
  • Photo Library Add Permission: Used only when you choose to save a photo from the app to your device gallery (see Saving Photos to Your Gallery below).

How we process your photos (On-Device AI): Candid AI utilizes machine learning models to analyze your photos and suggest poses. All AI processing happens 100% locally on your device. Your photos are never uploaded, transmitted, or stored on any external cloud servers or databases. We only access the photos you explicitly select and do not scan your gallery in the background.

On-Device Face Detection and Motion Sensors

To provide real-time pose coaching, the app may analyze your live camera preview using on-device face detection. This processing:

  • Runs entirely on your device and is used only to guide poses (e.g., head angle, framing, and related feedback).
  • May use platform machine-learning libraries (such as Google ML Kit on Android) as part of the camera pipeline; no face data is sent to our servers or third-party clouds.
  • Is not used to identify who you are, verify your identity, or create a biometric profile.
  • Processes temporary frame data from the camera; it is not stored on our servers.

The app also reads device motion and orientation (e.g., accelerometer) to understand how you are holding your phone for the camera preview and pose guidance. This sensor data stays on your device and is not transmitted to us.

Data Stored Locally on Your Device

Because the app does not require an account, most information stays in the app's private storage on your phone. We do not receive or host this data on our servers. Depending on how you use the app, this may include:

  • Profile information: Display name, short description, and an optional profile photo you choose.
  • Photos you capture in the app: Images saved in the app's internal storage, along with related session metadata (e.g., date, template used, capture settings).
  • App preferences: Theme, language, bookmarked feed items, onboarding progress, and premium status flags.

You control this data on your device. You can remove it by deleting individual content in the app, clearing the app's storage in Android settings, or uninstalling the app.

Saving Photos to Your Gallery

When you tap an option to save a photo to your gallery, the app requests permission to add that image to your device's photo library. We only write the specific photo you chose to save; we do not modify, delete, or upload your other gallery items. Once saved, that photo is stored like any other image on your device and is subject to your device's own backup and sync settings (e.g., Google Photos), which are outside our control.

Cloud Backend (Supabase)

We use Supabase as our cloud backend to deliver app content and, when you choose to contact us, to receive feedback. Supabase acts as a data processor on our behalf. This does not include your personal photos, camera captures, or live face-analysis data from pose coaching — those remain on your device as described above.

Feed content and templates: When the app loads or refreshes the pose feed, it may download from Supabase:

  • Category and template metadata (titles, layout data, pose guides)
  • Reference images for feed cards (curated content supplied by us, not your personal photos)
  • Pose template data used for on-device coaching overlays

These downloads use your device's network connection. Supabase may log standard technical data (such as IP address and request timestamps) as part of hosting. A cached copy of feed data may be stored locally on your device to improve offline performance.

Feedback you submit voluntarily: If you use the in-app feedback form, we send the following to Supabase so we can read and respond to your message:

  • Email address (required in the form so we can reply)
  • Subject and message text
  • A pseudonymous app instance ID (a random 8-character ID generated and stored locally on your device; it is not linked to your name unless you provide identifying information in your message)
  • App language, platform (Android or iOS), and app version

We do not require you to use the feedback form. If you do not submit feedback, no email or message content is sent to Supabase. For more information about Supabase's practices, please consult the Supabase Privacy Policy.

App Framework and Telemetry (Expo / React Native)

Candid AI is built using the React Native and Expo frameworks. These framework services may process limited diagnostic data (for example, crash information, app version, and platform metadata) to help maintain app stability and fix bugs.

We do not integrate third-party advertising analytics SDKs and we do not use telemetry for ad targeting. For more information, please consult the Expo Privacy Policy.

Purchase and Subscription Data (RevenueCat)

We use RevenueCat to manage in-app purchases and subscriptions. RevenueCat may collect:

  • Purchase history and subscription status
  • Anonymized device identifier
  • App version and platform

RevenueCat does not collect or store payment card details. RevenueCat acts as a data processor on our behalf under a Data Processing Agreement (DPA). For more information, please consult the RevenueCat Privacy Policy.

Payment Data (Platform App Stores)

In-app purchases are processed through platform billing services (such as Google Play Billing on Android and Apple's App Store billing on iOS). We never handle or store payment card information directly. We only receive confirmation of completed transactions. For more information, please consult the relevant platform privacy policy (for example, the Google Privacy Policy and Apple's privacy information).

03

How We Use Your Information & Legal Basis

Under the GDPR and KVKK, we process your data based on the following legal grounds:

Data Purpose Legal Basis (GDPR Art. / KVKK)
Camera / gallery images Core camera features, profile photo selection, and on-device processing (processed locally only) Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1))
On-device face detection (live camera) Real-time pose coaching and framing guidance (processed locally only) Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1))
Device motion / orientation Camera preview alignment and pose guidance Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)); and where required by platform permission rules, Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1))
Local app data (profile, captures, preferences) App functionality stored on your device only Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) and/or Legitimate Interest for optional preferences
Saving photos to gallery Writing a photo you chose to your device library Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1))
Feed content from Supabase Delivering pose templates, categories, and reference images Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)) and/or Legitimate Interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f))
Feedback submitted via Supabase Reading and responding to support messages you choose to send Explicit Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)) — by submitting the form
App Telemetry (Expo) Crash reporting, ensuring app stability Legitimate Interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f))
Purchase data (RevenueCat) Managing subscriptions and premium features Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c))
Purchase confirmation (platform app stores) Granting access to paid content Performance of a Contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c))

We do not sell your data to third parties. We do not use your data for advertising purposes.

Legitimate Interest Assessment (Telemetry)

Where we rely on Legitimate Interest as our legal basis, we have assessed that:

  • The data is limited to technical diagnostics and is not used for advertising profiling.
  • The purpose (improving app stability and features) is proportionate to the minimal privacy impact.
  • Users retain the right to object to this processing at any time (see Your Rights).
04

How We Obtain Your Consent

For processing activities that depend on device permissions (for example camera, photo-library access, save-to-gallery access, and motion sensors where prompted), we request permission through your operating system (Android or iOS) before access. In other cases, processing is based on providing the features you request in the app. You may withdraw permission-based consent at any time by revoking app permissions through your device settings.

05

International Data Transfers

While we are based in Turkey, the third-party services we use (such as Supabase, RevenueCat, Expo, and platform app-store providers) may operate servers located in the United States, the European Union, or other countries.

Such transfers are conducted in accordance with:

  • KVKK Article 9 (cross-border transfers)
  • GDPR Chapter V (transfers to third countries)

Where applicable, we rely on standard contractual clauses (SCCs) or the adequacy decisions of the European Commission for transfers outside the EEA.

Your personal photos, camera captures, and live camera analysis are not uploaded to our servers. Feed reference images and pose templates are downloaded from Supabase. Feedback you voluntarily submit (including your email and message) is stored on Supabase.
06

Third-Party Services Summary

Service Purpose Privacy Policy
Supabase Feed content delivery & optional feedback storage supabase.com/privacy
Expo Framework telemetry & crash reporting expo.dev/privacy
RevenueCat Subscription management revenuecat.com/privacy
Platform app stores (Google Play / Apple App Store) Payment processing Google: policies.google.com/privacy / Apple: apple.com/legal/privacy
07

Data Retention

  • Feedback data (Supabase): Retained for as long as needed to respond to and manage your message, and for up to 24 months thereafter unless you request earlier deletion (see Your Rights).
  • Feed cache on device: Cached feed metadata and reference image URLs may remain on your device until you clear app storage or uninstall the app. We do not retain a separate copy of feed downloads tied to your identity on our servers beyond standard hosting logs.
  • Telemetry data (Expo): Retained for up to 12 months, after which it is automatically deleted or anonymized in accordance with Expo's data retention policies. You may request earlier deletion (see Your Rights).
  • Purchase data (RevenueCat): Retained for as long as necessary to manage your active subscription status, and for up to 3 years thereafter for legal and accounting purposes.
  • Local app data (profile, captures, preferences, on-device models): Stored only on your device and not accessible to us. Retained until you delete them in the app, clear app storage, or uninstall the app.
08

Your Rights

Turkish Users – KVKK (Law No. 6698)

As a Turkish resident, you have the following rights under Article 11 of the KVKK:

  • Learn whether your personal data is being processed
  • Request information about the processing of your data
  • Learn the purpose of processing and whether it is used appropriately
  • Know the third parties to whom your data is transferred
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of your data
  • Object to processing performed solely through automated means
  • Request compensation if you suffer damage due to unlawful processing

We will respond to your requests within 30 days.

EU/EEA Users – GDPR

If you are in the EU/EEA, you have the following rights under the GDPR:

  • Right of Access (Art. 15): Obtain a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
  • Right to Restriction (Art. 18): Restrict how your data is processed.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest, including framework telemetry.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

We will respond to EU/EEA requests within 30 days (extendable to 60 days for complex requests, with notice).

United States Users – California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Categories we may collect (depending on features you use): identifiers (such as a pseudonymous app instance ID sent with feedback or subscription services), contact information (email address if you submit feedback), internet or app activity (feed content requests), and commercial information (subscription or purchase status). Photos, face-analysis data from the live camera, and profile content you store in the app remain on your device and are not collected by us on our servers.

We do not sell your personal information and we do not share it for cross-context behavioral advertising.

California residents may have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete personal information we hold about you (subject to legal exceptions).
  • Correct inaccurate personal information.
  • Opt out of sale or sharing — not applicable, as we do not sell or share data for targeted advertising.
  • Non-discrimination for exercising your privacy rights.

To submit a request, email support@candidai.art with the subject line "California Privacy Request" and describe your request. We will verify your request and respond within the timeframes required by applicable law (typically 45 days, with a possible extension where permitted). You may use an authorized agent where allowed by law; we may require proof of authorization.

Users in Other Regions

If your country or state grants additional privacy rights, you may contact us at support@candidai.art to submit a request. We will review and handle requests in line with applicable local law.

To exercise any of these rights, contact: support@candidai.art

Right to Lodge a Complaint

You also have the right to lodge a complaint with the relevant supervisory authority:

  • Turkish Users: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
  • EU/EEA Users: The data protection authority in your country of residence. A list is available at edpb.europa.eu.
09

Data Security

We take reasonable technical and organizational measures to protect the data processed through our third-party services. These measures include:

  • All AI analysis of your images is performed entirely offline on your device, ensuring maximum security for your personal media.
  • Third-party services are selected based on their own security standards and certifications.
  • Feedback stored in Supabase and any purchase data is accessible only to the developer.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33 / KVKK Art. 12).
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights (GDPR Art. 34).
10

Children's Privacy

This app is intended for a general audience and is not directed to children. We do not knowingly collect personal information from:

  • Children under the age of 13 (USA / general)
  • Children under the age of 16 (EU/EEA, unless a lower age applies in your member state)

If you believe a child has provided personal information through the app, please contact us at support@candidai.art and we will promptly delete such information.

11

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we make significant changes, we will update the "Last Updated" date at the top of this policy. Continued use of the app after changes are posted constitutes your acceptance of the updated policy.

We encourage you to review this policy periodically.

12

Contact

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact:

Mehmet Mert Altuntaş (Data Controller)
Atatürk KYK Erkek Yurdu, İnciraltı / Balçova / İzmir, Turkey
Email: support@candidai.art

We aim to respond to all inquiries within 30 days.

Terms of Use at a glance

Personal-use app license; no resale or misuse
Your photos and profile content remain yours
Subscriptions are billed by platform app stores
Global terms with rights under local laws
T01

About Candid AI

These Terms of Use ("Terms") govern your use of the Candid AI mobile application and related features. By downloading, accessing, or using the app, you agree to these Terms. If you do not agree, do not use the app.

Candid AI is provided by an individual developer and is intended for personal, non-commercial use unless we explicitly agree otherwise in writing.

T02

License Grant

Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to install and use Candid AI on devices you own or control, for personal and lawful purposes.

You may not copy, modify, distribute, sell, lease, or reverse engineer the app except where such restrictions are prohibited by applicable law.

T03

Eligibility

You must have the legal capacity to agree to these Terms in your country or region. If you are below the age of legal majority where you live, you may use the app only with permission and supervision of a parent or legal guardian.

T04

Permissions & Privacy

Certain features require device permissions, such as camera, photo-library access, and save-to-gallery access. You can control these permissions through your device settings.

Your use of the app is also governed by our Privacy Policy, which explains how data is handled. If these Terms and the Privacy Policy conflict on data-processing details, the Privacy Policy controls for those details.

T05

Regional Privacy Rights

Depending on where you live, you may have privacy rights under local laws (for example, rights to access, delete, correct, or object to certain processing). We honor applicable legal rights and handle requests according to relevant laws.

For details about your rights and how to submit a request, see the Privacy Policy and contact information in these legal documents.

T06

User Content

You retain ownership of photos, profile details, and other content you create or store in the app ("User Content").

You grant us only the limited rights necessary to operate requested app features (for example, displaying your selected profile image in-app, saving exports you initiate, or processing content locally on your device). We do not receive a broad commercial license to your User Content under these Terms.

You are responsible for ensuring you have the rights needed for any content you use in the app.

T07

Intellectual Property

The app, including its software, interface, branding, graphics, curated template metadata, and related materials (excluding your User Content), is owned by us or our licensors and protected by applicable intellectual property laws.

These Terms do not transfer ownership of any intellectual property rights to you.

T08

No Guarantee

The app depends on device hardware, operating systems, third-party services, and network availability. We do not guarantee uninterrupted availability, specific outcomes, or compatibility with every device configuration.

T09

Subscriptions

Some features may require a paid subscription. Subscription purchases are processed by platform app stores (such as Google Play or Apple App Store), and billing terms, renewals, cancellations, and refunds are governed by those store rules and your store account settings.

We may use RevenueCat to manage subscription entitlements and restore access across supported reinstall or account states. We do not store your full payment card details.

T10

Acceptable Use

You agree not to use the app to violate laws, infringe others' rights, interfere with app operation, attempt unauthorized access, distribute malware, or abuse payment/refund systems. You also agree not to use automated tools to scrape or overload services connected to the app.

T11

Warranty Disclaimer

To the maximum extent permitted by applicable law, the app is provided "as is" and "as available," without warranties of any kind, whether express, implied, or statutory, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

T12

Liability

To the maximum extent permitted by applicable law, we are not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, data, goodwill, or business interruption arising from or related to your use of the app.

Where liability cannot be fully excluded, our total aggregate liability is limited to the amount you paid for the app or subscriptions in the 12 months before the event giving rise to the claim, or USD 50 if you paid nothing, whichever is greater.

T13

Indemnification

To the extent permitted by applicable law, you agree to indemnify and hold us harmless from claims, liabilities, damages, losses, and reasonable expenses (including legal fees) arising out of your breach of these Terms, misuse of the app, or violation of third-party rights.

T14

Force Majeure

We are not responsible for delay or failure to perform obligations caused by events beyond our reasonable control, including natural disasters, internet outages, platform disruptions, labor disputes, government actions, or failures of third-party infrastructure.

T15

Changes

We may update these Terms from time to time to reflect feature changes, legal requirements, or operational needs. When material changes are made, we will update the "Last updated" date in these legal documents. Continued use of the app after updates become effective means you accept the revised Terms.

T16

Termination

We may suspend or terminate access to some or all app features if you materially violate these Terms or where necessary for security, legal compliance, or abuse prevention. You may stop using the app at any time by uninstalling it.

Sections that by nature should survive termination (including intellectual property, disclaimers, liability limits, indemnification, and governing law) will survive.

T17

Governing Law

These Terms are governed by and interpreted under applicable law in a manner that gives effect to mandatory consumer protections in your country or region of residence. Where local law permits contractual choice-of-law and forum provisions, disputes will be handled in a competent forum determined under applicable conflict-of-law principles and procedural rules.

T18

Severability

If any provision of these Terms is held invalid or unenforceable, that provision will be interpreted to reflect its intent as closely as possible under applicable law, and the remaining provisions will remain in full force and effect.

T19

Contact

If you have questions about these Terms, please contact:

Mehmet Mert Altuntaş
Email: support@candidai.art

We aim to respond to legal and support inquiries within 30 days.

O00

Other Legal Documents

[Add additional legal pages here]

O01

Document Slots

  • Slot 1: [Document title]
  • Slot 2: [Document title]
  • Slot 3: [Document title]
  • Slot 4: [Document title]