Privacy Policy
This Privacy Policy explains what personal data the Focus Cat - Boncuk mobile application (the "App") collects from its users, how that data is processed, with whom it is shared, and how you can exercise your rights. By using the App, you agree to the terms of this policy.
1. Data Controller
- Data controller: Ahmet Asım Güç (natural person)
- Address: Istanbul, Türkiye
- Email: a.asimguc@gmail.com
2. Personal Data We Collect
2.1. Identity & Account Information
- Email address (when signing up with email/password or with Google)
- Google account identifier (when signing in with Google)
- Display name and cat name
- Avatar selection
2.2. In-App Profile & Progress
- Daily focused minutes, lifetime focused minutes
- Coin balance (in-app currency)
- Goal streak count and longest streak
- Cat configuration (body, accessory slots, name)
- Room decoration layout and wardrobe (inventory)
- App settings (notifications, sound)
- Language preference
2.3. Activity & Interaction Data
- Focus sessions you start and complete (duration, start/end timestamps, end reason)
- Group meetups you join
- Distraction events triggered during focus sessions (only that an event occurred and its duration — never which app)
- Reactions you give or receive in the group activity feed
- Group membership and your minute contributions per group
2.4. Device & Notification Data
- Push notification token (Expo Push token, delivered via Firebase Cloud Messaging)
- Operating system (Android) and app version
2.5. Usage Access Data (Android PACKAGE_USAGE_STATS)
The App requires Android's "Usage Access" permission so that it can detect when an app you have marked as a distraction comes to the foreground during a focus session. How this permission is used:
- Stays on device: Raw data about which apps you use, when, and for how long is processed exclusively on your device. The list of apps you mark as distractions (your "blocklist") is also stored only on your device. None of this data is transmitted to our servers.
- Sent to server: Specific app names are never written to our servers under any circumstances. During a group focus session, only the fact that you "switched to another app" — without identifying which app — is shared with your group members; the timestamp of the distraction is also processed temporarily to power the friend-nudge feature. In solo (non-group) focus sessions, no distraction data is sent to the server at all.
3. Purposes of Processing
- Account creation and authentication: Secure sign-in via Firebase Authentication.
- Core app functionality: Running focus sessions, operating the XP/coin economy, saving cat and room decorations, tracking goal streaks.
- Group features: Invite codes, shared house, shared goals, meetup planning, group activity feed.
- Distraction tracking: Detecting blocklisted apps coming to the foreground during a focus session, generating notifications and statistics.
- Push notifications: Friend alerts, goal reminders, pokes, meetup reminders.
- Service security: Detection of abuse, fraud, and system errors.
- Communication: Critical service announcements and responses to your support requests.
4. Legal Basis for Processing
- GDPR Article 6(1)(b): Performance of a contract (the App's Terms of Service).
- GDPR Article 6(1)(a): Your consent (for optional features such as push notifications and usage statistics access).
- GDPR Article 6(1)(f): Legitimate interests (service security, abuse prevention, aggregate analytics).
- KVKK Article 5/2(c) and 5/2(f): Equivalent legal bases under Turkish law (contract and legitimate interest).
5. Children's Data
The App is designed for users aged 13 and above. We do not knowingly collect personal data from children under 13. Under EU law (GDPR Art. 8) and Turkish KVKK guidance, processing of personal data of users below 16 typically requires parental consent; users aged 13–15 should use the App with parental permission. If you become aware that a child has provided us with personal data without consent, please contact us at the email below and the relevant data will be deleted.
6. Third Parties and Data Sharing
Your data is processed only through the following service providers, solely to deliver the App's functionality. These providers act as data processors and are subject to their own privacy policies:
| Service | Provider | Purpose |
|---|---|---|
| Authentication | Google LLC (Firebase Authentication, Google Sign-In) | Account creation, sign-in |
| Database | Google LLC (Cloud Firestore — us-central1) | Profile, group, activity data |
| Server operations | Google LLC (Cloud Functions, Cloud Tasks — us-central1) | Notification dispatch, data pruning |
| Push notification infrastructure | Google LLC (Firebase Cloud Messaging) | Notification delivery |
| Push notification broker | Expo (650 Industries, Inc.) | Device token management, delivery via Expo Push API |
Database and server operations are hosted on servers in the United States (us-central1 region). This constitutes a cross-border data transfer. For users in the EU/EEA, transfers are based on the Standard Contractual Clauses (SCCs) used by Google as the processor. For users in Türkiye, this is a transfer under KVKK Art. 9 and your use of the App constitutes explicit consent.
Privacy policies of the listed providers:
- Google / Firebase: policies.google.com/privacy · firebase.google.com/support/privacy
- Expo: expo.dev/privacy
Unless required by law (court order, lawful request from a public authority, etc.), we do not sell, rent, or share your data with third parties for marketing purposes.
7. Data Retention
| Data | Retention |
|---|---|
| Account and profile data | Until you delete your account |
| Focus session history and stats | Until you delete your account |
| Group activity feed events | 24 hours (auto-pruned) |
| Group meetup records | 7 days (auto-pruned) |
| Push notification token | Deleted when account is deleted or device changes |
| Server logs (error, security) | Per Firebase's policy, max 90 days |
8. Data Security
- All server communication is encrypted via HTTPS / TLS.
- Passwords are stored securely hashed via Firebase Authentication; we have no access to plaintext passwords.
- Firestore Security Rules ensure users can only access their own data and data of groups they belong to.
- Usage Access data never leaves the device.
That said, no internet service is 100% secure. If a data breach is detected, we will notify you and the relevant authorities in accordance with GDPR Art. 33–34 and KVKK Art. 12/5.
9. Your Rights (GDPR Ch. 3 / KVKK Art. 11)
You have the following rights regarding your personal data:
- Right of access — confirm whether we process your data and obtain a copy
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability — receive your data in a machine-readable format
- Right to object — to processing based on legitimate interest
- Right not to be subject to a decision based solely on automated processing
- Right to withdraw consent at any time (where processing is based on consent)
- Right to lodge a complaint with a supervisory authority
To exercise these rights, please contact a.asimguc@gmail.com. We respond within the periods required by GDPR and KVKK (within 30 days at the latest).
10. Account Deletion
You may delete your account at any time. In-app deletion: Settings → Delete my account. When your account is deleted, the following data is permanently removed:
- Profile, cat, room, wardrobe, and coin data
- Focus session history and statistics
- Notification token
- Your contribution records in the groups you belong to (aggregate group data may be retained)
You may also submit a deletion request by email: a.asimguc@gmail.com. Requests are processed within 30 days at the latest.
11. Cookies and Tracking Technologies
The App is a native mobile application and does not use cookies in the traditional sense. We do not collect advertising IDs, integrate third-party advertising SDKs, or use analytics SDKs that profile users.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated within the App or by email to your registered address. A change in the "Last updated" date also indicates that the policy has been revised.
13. Contact
For any questions, requests, or complaints: a.asimguc@gmail.com.
EU/EEA users have the right to lodge a complaint with their national data protection authority. Users in Türkiye may file a complaint with the Personal Data Protection Authority (KVKK): kvkk.gov.tr.