Raf — Privacy Policy

Last Updated: April 30, 2026

This Privacy Policy ("Policy") explains how personal data of users is collected, used, shared, and protected in connection with the mobile application and website operated under the name Raf (the "Service"). This Policy has been prepared in accordance with applicable laws including the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA / CPRA"), and the U.S. Children's Online Privacy Protection Act ("COPPA").

By using the Service you confirm that you have read and understood this Policy and accept it together with our Terms of Use.

1. Data Controller

The data controller within the meaning of the KVKK and GDPR is:

Raf (Mert Günay — sole proprietorship)
Tax Office: Şile / Tax No: 4270197158
Address: Çavuş Mahallesi, Şile / Istanbul, Türkiye
E-mail: [email protected]

Any change to the data controller will be announced through an update of this Policy.

2. Personal Data We Collect

Raf only collects personal data necessary to operate, maintain, and improve the Service and to comply with legal obligations. The data we collect is categorized as follows:

2.1 Account and Identity Data
  • System-generated identifiers: User UUID, user ID
  • User-provided: username, full name, email address, password (stored only as an irreversible cryptographic hash), profile picture, biography, website, gender (optional)
  • From social sign-in: when you sign in with Apple or Google, the user identifier and email address (if you choose to share it) provided by Apple Inc. or Google LLC
2.2 Device and Technical Data
  • Device identifier: on iOS, the IDFV (Identifier for Vendors), used solely for authentication, session management, and fraud detection. The IDFA (advertising identifier) is not collected.
  • Technical information: device model, operating system version, application version, language setting, IP address, connection type
  • Push notification token: the token issued by Firebase Cloud Messaging (FCM) used to deliver notifications
2.3 Usage and Interaction Data
  • Product analytics: in-app interaction events (screen views, clicks, content opens) used to improve the user experience
  • Crash and performance data: stack traces, device model, and OS version automatically transmitted on application crashes (Firebase Crashlytics)
2.4 Content Data
  • The posts, comments, shelves, notes, photos, messages, clan content, and wishes you create on the Service
  • Ratings, likes, accounts you follow, and shelf entries
2.5 Subscription and Payment Data
  • Subscription transactions processed through the Apple App Store and Google Play Store: transaction ID, purchase date, subscription status, renewal information
  • Raf does not collect, view, or store credit card information; all payment data is processed by Apple Inc. and Google LLC.
2.6 Communication Data
  • Information shared when you contact our support (email contents, attachments, the subject of your inquiry)

3. How We Collect Data

The data described above is collected through the following channels:

  • Directly from you — during registration, profile creation, content sharing, and support requests;
  • Automatically — from your device and from your interactions within the application;
  • From third-party service providers — including Sign in with Apple, Sign in with Google, the Apple App Store, the Google Play Store, Firebase, and Cloudflare.

4. Purposes and Legal Bases for Processing

Personal data is processed for the following purposes, on the basis of the most appropriate legal ground under KVKK Article 5 and GDPR Article 6:

  • Operating the core Service (performance of contract — KVKK 5/2-c, GDPR 6/1-b): account creation and maintenance, content delivery, messaging, push notifications, subscription management.
  • Compliance with legal obligations (KVKK 5/2-ç, GDPR 6/1-c): tax, accounting, and consumer-law record-keeping.
  • Legitimate interests (KVKK 5/2-f, GDPR 6/1-f): improving the Service, security, fraud and abuse prevention, crash analysis, content moderation.
  • Explicit consent (KVKK 5/1, GDPR 6/1-a): for processing not necessary for the Service (marketing notifications, optional profile fields).

5. Third-Party Service Providers

We work with the following third-party service providers to deliver the Service. These providers process data only on Raf's behalf and on Raf's instructions:

Provider | Purpose | Data Processed | Location
Apple Inc. | Sign in with Apple, App Store subscription, push notifications (APNs) | Social sign-in token, subscription transaction data, push token | USA / global
Google LLC | Sign in with Google, Google Play subscription | Social sign-in token, subscription transaction data | USA / global
Firebase / Google LLC | Crashlytics (crash analysis), Analytics (usage analysis), FCM (push notification infrastructure) | Device model, OS version, app version, crash stack trace, anonymized interaction events, FCM token | EU (Frankfurt) / USA
Cloudflare, Inc. | Content delivery network (CDN), R2 object storage (images), bot mitigation | Images (profile, post photo), HTTP request data, IP address | Global edge / USA

These providers operate under their own GDPR Data Processing Addenda (DPA), Standard Contractual Clauses (SCCs), and where applicable the EU-US Data Privacy Framework (DPF), providing legal safeguards for international transfers.

6. No Tracking Across Apps or Websites

Raf does not track its users across applications or websites owned by other companies. Specifically:

  • We do not use Apple's IDFA (Identifier for Advertisers); therefore the App Tracking Transparency (ATT) prompt is not shown.
  • We do not sell, share, or rent data to third-party advertising networks.
  • We do not serve behavioral advertising.
  • We do not embed third-party tracking pixels.

Our App Store "App Privacy" labels reflect the "Data Not Linked to You" and "Data Used to Track You: None" categories.

7. Data Retention Periods

  • While the account is active: personal data is retained for as long as the account remains active.
  • Inactive accounts: accounts with no sign-in activity for 24 months may be suspended; if the user does not respond to the informational notice, the account is subject to the deletion procedure.
  • After an account-deletion request: data is held in a "pending-deletion" state for 30 days (during which the user may cancel the deletion by signing in again), after which it is permanently deleted or anonymized.
  • Backups: operational backups are purged within 90 days.
  • Logs: access and error logs are retained between 30 and 90 days and then automatically deleted.
  • Legal obligations: data subject to mandatory retention under tax, payment, or consumer-law obligations is kept for the period required by law.
  • Accounts terminated for community-guideline violations: certain violation records may be kept longer to prevent the same user from re-registering.

8. International Data Transfers

Your core account data (username, profile information, text content, interaction records) is stored on our servers in a certified data center located in Türkiye. Visual content (profile photos, post photos) is distributed across a global edge network through the Cloudflare R2 object-storage service. To deliver the Service, supporting infrastructure providers (Apple, Google, Firebase, Cloudflare) process data within their respective scopes.

International transfers are carried out under Article 9 of the KVKK (as amended by Law No. 7499 published on 12.03.2024 and effective from 01.06.2024) and the Regulation on the Procedures and Principles for International Transfers of Personal Data dated 10.07.2024, following the order below:

  • Adequacy decisions: transfers may be made directly to countries, sectors or international organisations declared adequate by the Personal Data Protection Board.
  • Appropriate safeguards: transfers to countries without an adequacy decision are made on the basis of standard contracts, binding corporate rules, or written undertakings approved by the Board.
  • Derogations: in the absence of the safeguards above, transfers may only take place under the exceptional conditions set out in Article 9(6) of the KVKK.

The legal basis for transfers necessary for the core operation of the Service is performance of a contract (KVKK Art. 5/2-c, GDPR Art. 6/1-b); such processing is not based on explicit consent. Third-party providers operate under their own GDPR Data Processing Addenda (DPAs), Standard Contractual Clauses (SCCs), and the EU-US Data Privacy Framework (DPF) where applicable.

9. Your Rights under KVKK

Pursuant to KVKK Article 11, you may exercise the following rights by contacting the data controller:

  • Learn whether your personal data is being processed;
  • Request information if it is being processed;
  • Learn the purpose of processing and whether it is being used for those purposes;
  • Know any third parties to whom your data has been transferred, domestically or internationally;
  • Request correction of incomplete or inaccurate data;
  • Request deletion or destruction in accordance with KVKK Article 7;
  • Request that any correction, deletion, or destruction be communicated to third parties to whom data has been transferred;
  • Object to results derived solely from automated analysis;
  • Claim damages if you have suffered loss due to unlawful processing.

To exercise these rights, send a written request to [email protected]. Subject to the requirements set by the Personal Data Protection Authority, your request will generally be processed free of charge within 30 days.

10. Your Rights under the GDPR

For users residing in the European Union, GDPR Articles 12-22 grant the following rights:

  • Right of access (Art. 15) — request access to your data;
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data;
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data;
  • Right to restriction of processing (Art. 18) — request restriction in certain circumstances;
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format;
  • Right to object (Art. 21) — object to processing based on legitimate interests;
  • Right not to be subject to automated decision-making (Art. 22);
  • Right to withdraw consent at any time for processing based on consent;
  • Right to lodge a complaint with a supervisory authority in your EU Member State.

To exercise these rights, contact [email protected].

11. Your Rights under CCPA / CPRA

For users residing in California, the CCPA — as expanded by the CPRA amendments effective from January 1, 2023 — grants the following rights:

  • The right to know what categories of personal data are collected;
  • The right to delete certain personal data;
  • The right to correct inaccurate personal data (right to correct — CPRA);
  • The right to opt out of the sale or sharing of personal data (right to opt-out of sale or sharing — CPRA);
  • The right to limit the use and disclosure of sensitive personal information (right to limit use of SPI — CPRA);
  • The right to Notice at Collection;
  • The right not to be discriminated against for exercising these rights.

Raf does not sell or "share" personal data for cross-context behavioral advertising within the meaning of the CCPA / CPRA. We do not transfer personal data to advertising networks or data brokers.

12. Children's Privacy (COPPA)

The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we discover that we have collected personal data from a child under 13, we will delete it as soon as reasonably possible.

If you believe a child under the age of 13 has registered for the Service, please contact us at [email protected].

For users between 13 and 18 years of age: this group may use the basic features of the Service, but only users 18 years of age or older may purchase a Premium subscription. Use by minors should occur with the knowledge and consent of a parent or legal guardian.

13. Cookie Policy

The website (appraf.com) uses a limited number of cookies:

  • Essential cookies: session management, language preference (e.g. site_lang), CSRF protection — these are required for the Service to function and cannot be disabled.
  • Analytics cookies: not currently used. If introduced in the future, this Policy will be updated accordingly.

You can manage or delete cookies through your browser settings.

14. Notifications and Communication Preferences

The Service may send push notifications to your device (new follower, like, message, system announcement, etc.). You may turn these off at any time through:

  • The in-app menu under Settings → Notifications;
  • Your operating system's notification settings (iOS / Android).

15. Data Security

We take reasonable technical and organizational measures to protect your data against unauthorized access, disclosure, alteration, and destruction. These include:

  • End-to-end TLS encryption for data in transit;
  • Encryption at rest for data stored on our servers;
  • Storing passwords only as irreversible cryptographic hashes — no Raf employee can ever see your password in plain text;
  • Authentication tokens stored in hashed form on the server, with their lifetime automatically renewed through active use (sliding expiry);
  • Device-session tracking with a maximum of 10 active sessions per user; once this limit is reached, signing in from a new device automatically terminates the oldest session;
  • Least-privilege access for personnel, with audit logging.

No system can guarantee absolute security. In the event of a serious data breach, the Personal Data Protection Board will be notified within 72 hours at the latest, in accordance with Decision No. 2019/10 dated 24.01.2019 of the Board, and affected users will be notified as soon as reasonably possible (consistent with GDPR Articles 33-34).

16. Account Deletion

You may close your account at any time from within the application via Settings → Account → Delete My Account. After an account-deletion request:

  • 30-day recovery window: if you sign back in within this period, the deletion is cancelled and your account is reactivated.
  • After 30 days: your account and associated personal data are permanently deleted or anonymized.
  • Operational backups: purged within 90 days.
  • Statutory retention obligations: data required to be retained by law (e.g., payment records, tax regulations) is retained for the applicable period.

For assistance with account deletion, contact [email protected].

17. Apple App Store Privacy Labels

The Apple App Store page for Raf summarises how data is collected and used in the "App Privacy" section. The App Privacy labels are a summary; in case of any conflict, this Policy controls.

18. Turkish Data Controllers' Registry (VERBİS)

Raf is exempt from registration with the Turkish Data Controllers' Registry (VERBİS) under Article 5 of the Regulation on the Data Controllers' Registry and the current decisions of the Personal Data Protection Board (Decision No. 2018/87, Decision No. 2023/1154 dated 06.07.2023, and Decision No. 2025/1572 dated 04.09.2025). The exemption applies to data controllers with fewer than 50 employees and an annual financial balance below 100 million Turkish Lira whose principal activity is not the processing of special categories of personal data.

This exemption does not relieve us of our other KVKK obligations (information notices, data security, responding to data-subject requests, data minimization), all of which this Policy is designed to fulfill.

19. Changes to This Policy

Raf may update this Policy from time to time in response to changes in applicable law, new features, or business needs. Material changes will be announced at least 30 days before they take effect, via in-app notification and/or to the email address associated with your account. The most current version of the Policy is always published on this page.

20. Contact Us

For questions or requests regarding this Policy or the processing of your personal data:

Raf (Mert Günay — sole proprietorship)
Çavuş Mahallesi, Şile / Istanbul, Türkiye
E-mail: [email protected]

