Privacy Policy

Effective date: April 1, 2026

1. Overview

Quvarte Teknoloji A.Ş. ("Company," "we," or "us") values the trust you place in us. This Privacy Policy describes how we gather, handle, retain, and disclose personal data when you download, install, register for, access, or otherwise interact with our Relook: Photo Editing & Effect mobile application and its accompanying website (collectively, the "Application"), as well as any related interactions including customer support and promotional communications.

We are dedicated to handling your personal data in alignment with the fundamental principles of data protection, particularly transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability.

2. Key Highlights

Below is a brief overview of the most important aspects of this Privacy Policy. For comprehensive details, please review the full sections that follow.

What data do we gather? We may process personal data based on how you interact with our Application, the features you use, and the choices you make. This can include contact details, technical identifiers, usage patterns, uploaded content, and transaction records.
Do we handle sensitive data? We do not intentionally gather sensitive personal data. Please avoid sharing content that may contain such information.
Why do we process your data? We process data primarily to deliver and enhance our services, communicate with you, maintain platform security, prevent misuse, and meet legal requirements. Additional processing may occur with your explicit permission.
Who receives your data? We share personal data with third parties only where necessary—such as with service providers who help operate the Application, in response to legal obligations, or to safeguard our rights. All sharing is governed by strict contractual protections.
How do we secure your data? We maintain organizational and technological safeguards designed to prevent unauthorized access, alteration, disclosure, or loss of your personal data.
What rights do you have? Depending on where you reside, you may be entitled to access, rectify, erase, restrict, port, or object to the processing of your personal data, and to withdraw previously granted consent.
How can you act on your rights? Simply reach out to us using the contact details provided at the end of this document. We will process your request in compliance with the applicable legislation.

3. Data Controller

Your personal data is processed by Quvarte Teknoloji A.Ş. in the capacity of "Data Controller." We adhere to the principles set out in applicable data protection legislation, including but not limited to the Turkish Personal Data Protection Law No. 6698 ("KVKK") and other relevant regulations. Where applicable, this Policy also addresses requirements under the EU General Data Protection Regulation (GDPR). Region-specific supplementary information for individuals in the EEA, UK, Switzerland, and California is provided in Sections 11 and 12 below.

Our processing activities are guided by the following principles: lawfulness and fairness, accuracy and currency of data, processing for specified and legitimate purposes, proportionality and data minimization, and retention only for as long as necessary.

4. Categories of Personal Data We Collect

We may process the following categories of personal data in connection with the purposes outlined in this Policy:

4.1 Identity & Contact Details

When you reach out to us—whether by email, telephone, or postal mail—we may process your name, surname, phone number, email address, and the substance of your communication. Postal correspondence may also include your physical address.

4.2 Technical Data

Usage Information: Data about how you engage with the Application, including session duration, access timestamps, features accessed, content viewed, in-app searches, actions performed, error reports, and purchase history.
Log Records: Internet traffic data, IP address, device name and details, operating system version, browser type and configuration, language and time zone preferences, and similar technical metadata generated during your use of our services.
Device Details: Device model, manufacturer, operating system, region settings, device identifiers, and hardware specifications.
Approximate Location: We may determine the general geographic area of your device based on your IP address and regional device settings. We do not track precise GPS location.
Identifiers: Unique user IDs and device notification tokens (where you have permitted push notifications).

4.3 Account Data

If you register for an account, we collect your user ID, display name, username, profile image, authentication tokens, phone number, email address, and password.

Should you choose to sign up using a social media account (Google, Apple, or Facebook), we may receive your user ID, display name, username, profile picture, authentication token, phone number, and email address from the relevant platform.

4.4 User-Generated Content

We process content that you voluntarily provide through the Application, including but not limited to messages, text entries, uploaded files, images, photographs, graphics, audio recordings, and any other media you create, edit, or share within our services.

We may request permission to access your device's photo library, camera, or microphone to enable specific Application features. You may decline or later revoke such access via your device settings, though doing so may limit certain functionalities.

Important notice regarding sensitive content: Please refrain from uploading content containing financial information, government-issued identification numbers, health records, images of third parties without their consent, information pertaining to minors, or other confidential material. Should we inadvertently receive such data, we will take commercially reasonable steps to delete it promptly, except where retention is mandated by law.

4.5 Facial Feature Data

As part of our core photo enhancement functionality, the Application analyzes uploaded images to detect and process facial attributes. This section explains how we handle such data.

What we collect: Derived measurements relating to facial landmarks (such as the positioning of eyes, nose, and mouth), facial geometry, symmetry metrics, and expression characteristics ("Facial Feature Data").
How we use it: Facial Feature Data is used exclusively to power the Application's photo beautification and enhancement capabilities—generating an improved version of your uploaded image. We do not use this data for facial recognition, identity verification, behavioral profiling, user tracking, or authentication.
Retention: Facial Feature Data is temporarily transmitted to our secure servers solely for the duration required to produce the enhanced image. Once the output is generated, the Facial Feature Data is immediately discarded and is not retained in any form.
Sharing: We do not sell, license, trade, or otherwise commercially exploit Facial Feature Data, nor do we disclose it to any third party.

4.6 Transaction Records

We may obtain order-related information from you directly, from marketing partners, or from payment processors. This encompasses order dates, payment timestamps, subscription type, billing period, payment amounts, outstanding balances, payment status, and associated transaction identifiers such as billing IDs. We use this information to fulfill orders, manage subscriptions, and ensure accurate payment processing. Please note that we do not collect or store payment card details, as payment processing is handled by third-party providers.

4.7 Marketing Identifiers

With your permission, we may collect usage analytics along with advertising identifiers associated with your device—such as the Identifier for Advertisers (IDFA), the Identifier for Vendors (IDFV), the Google Advertising ID (GAID), and Firebase Analytics identifiers.

4.8 Sources of Data

We obtain the above-described data directly from you via electronic or physical channels, from your device or browser, and from third-party platforms through which you access our services, such as the Apple App Store, Google Play Store, or payment processors like Paddle. Collection occurs for the purposes of operating our product, meeting legal obligations, enhancing service quality, managing your use of the Application, and enabling a seamless user experience.

5. Why We Process Your Data

Your personal data is processed for the following purposes, on the legal grounds permitted by applicable legislation—including where processing is expressly authorized by law, necessary for the performance of a contract, justified by our legitimate interests (provided your fundamental rights are safeguarded), or required to fulfill a legal obligation:

Delivering and operating the Application's products and services
Executing contractual obligations and managing agreements
Creating and administering user accounts
Performing storage, archival, and backup operations
Facilitating communication with users
Providing post-purchase customer support
Ensuring compliance with applicable laws and regulations
Maintaining and auditing business operations
Upholding information security standards
Conducting ethical oversight and internal audits
Ensuring operational continuity
Protecting individuals' rights, privacy, and safety
Responding to requests from competent authorities and judicial bodies
Preventing fraudulent, criminal, or otherwise unlawful activity
Analyzing user preferences to improve and personalize the Application experience
Processing digital subscriptions and in-app purchases
Managing auto-renewable subscription billing
Handling financial and accounting operations
Supporting strategic planning initiatives
Addressing user inquiries and complaints

Additionally, where you have provided explicit consent, your Marketing Identifiers may be processed to conduct marketing analytics, deliver targeted advertising, and manage promotional campaigns. Your Identity and Contact Details may also be used, with your opt-in consent, to send communications about new products, services, or promotional offers. Furthermore, if you opt in for model improvement, your User-Generated Content may be utilized to refine our AI systems through model training.

6. Cookies, Tracking Technologies, and Notifications

The Application may incorporate analytics SDKs and similar tracking mechanisms to collect usage information. Cookies—small text files stored on your browser or device—help us operate our services efficiently and tailor your experience. They contain only browsing-related data and do not access personal files stored on your device. You can manage, block, or delete cookies through your browser or device settings at any time. For additional detail, please consult our Cookie Policy.

We may also send push notifications through the Application regarding service updates, new features, or promotional offers. You can manage or disable these notifications at any time through your device or Application settings.

7. External Links and Third-Party Services

The Application may contain links to websites or services operated by third parties that are not under our control. These external destinations may have their own privacy practices and terms, for which we bear no responsibility. Similarly, we are not liable for links that direct users to the Application from external sources.

If you provide information to us via third-party platforms, please be aware that your obligations under those platforms' terms remain in effect, and we assume no responsibility for third-party policies or practices.

Where our Application interacts with Google Workspace services, any use of user data obtained through Google Workspace APIs will comply with the Google User Data Policy, including its Limited Use provisions.

8. Data Retention

We retain your personal data for the duration prescribed by applicable law or for as long as the purpose of processing remains valid—whichever applies. Even after the original purpose has been fulfilled, we may continue to retain data where required by other legislation, where you have separately consented to extended retention, or where retention is necessary for the establishment, exercise, or defense of legal claims until the expiration of relevant limitation periods. Data subject to additional consent-based retention will be deleted or anonymized promptly upon expiry of the agreed period or upon withdrawal of your consent.

9. Security Measures

We implement comprehensive technical and organizational safeguards to ensure the confidentiality, integrity, and availability of your personal data. Our measures are designed to prevent unauthorized processing, access, disclosure, alteration, or destruction of data. Key security practices include:

Anti-Malware Protection: All systems within our IT infrastructure are equipped with regularly updated anti-malware software.
Firewall Infrastructure: Our data centers and disaster recovery facilities are protected by next-generation firewalls that monitor network traffic and guard against external threats.
Secure Remote Access: External service providers connect to our systems exclusively through individually assigned SSL-VPN credentials, with access restricted to authorized systems only.
Access Control: Employee system privileges are allocated based on job function and are promptly updated whenever roles or responsibilities change.
Security Event Monitoring: Events from servers and network devices are centralized in a threat and event management platform, enabling real-time alerting and rapid incident response.
Encryption: Sensitive data is protected using cryptographic methods both at rest and in transit. Cryptographic keys are maintained in secure, segregated environments.
Audit Logging: All transactions involving sensitive data are recorded in tamper-resistant logs.
Multi-Factor Authentication: Remote access to sensitive data and account creation require at least two-factor authentication.
Penetration Testing: We conduct periodic security assessments of our systems. Identified vulnerabilities are remediated and verified through follow-up testing. Automated penetration tests supplement scheduled manual assessments.
Security Governance: Our information security management framework includes regular review meetings attended by senior technology and operations leadership.
Employee Awareness: Staff receive recurring training to mitigate human-factor security risks.
Physical Security: Paper records containing personal data are stored in secured, access-controlled environments. Appropriate protections are in place against electrical failure, fire, flooding, and theft.
Backup Procedures: We perform regular data backups using both cloud provider facilities and our own supplementary backup solutions, in compliance with applicable regulations and this Policy.

In the event of a data breach resulting from an attack on our systems—despite our preventive measures—we will promptly notify affected users and, where required, the relevant data protection authority, and will take all necessary steps to mitigate the impact.

10. Age Restrictions

The Application is not intended for use by individuals under the age of 16. We do not knowingly collect or process personal data from anyone below this age. If you become aware that a person under 16 has provided us with personal information, please notify us immediately by email so that we can take appropriate action. Users between the ages of 16 and 18 must obtain permission from a parent or legal guardian before using our services.

11. Sharing Data with Third Parties

Personal data may be transferred to third parties located within or outside of Turkey, as we may utilize servers and cloud infrastructure in various jurisdictions. To safeguard such transfers, we rely on the Standard Contractual Clauses promulgated by the Turkish Personal Data Protection Authority pursuant to Article 9(4)(c) of the KVKK. The categories of data that may be transferred abroad include:

Technical Data, Identity & Contact Details, Account Data, Transaction Records, and User-Generated Content—for cloud hosting, database services, and archival operations necessary to sustain our business.
Account Data—for the purpose of authenticating user accounts.
Technical Data—for diagnosing and resolving technical issues and defects.

We may also share Marketing Identifiers with service providers, including Google, Apple, Facebook SDK, Adjust, and Firebase Analytics, for conducting marketing analysis and delivering targeted advertising or promotional campaigns.

Where legally required, we may disclose personal data to authorized public bodies, regulatory agencies, and judicial authorities.

11.1 Use of Third-Party AI Providers

Certain features of the Application rely on external artificial intelligence service providers ("AI Partners") to process and generate AI-enhanced content. When you voluntarily upload images or other content to use AI-powered features, you consent to the transmission of that content to the relevant AI Partner for the purpose of producing the enhanced output. The scope of data shared with AI Partners is strictly limited to the following:

Input Content: The photos, images, or files you voluntarily upload or select within the Application.
Anonymized Request Identifier: A technical tag used solely for processing the request and generating the result.

Together, these are referred to as "Transferred Data." No additional personal data—including usage analytics, device details, contact information, Facial Feature Data, biometric data, location data, payment information, or device identifiers—is shared with AI Partners. Only anonymized visual content is transmitted for the purpose of enabling AI-powered features.

Transferred Data is used by AI Partners exclusively to generate the enhanced output and is governed by each AI Partner's own privacy policy. AI Partners are not permitted to use Transferred Data for any other purpose.

No data is transmitted without your voluntary action. You may withdraw consent at any time by ceasing to use the relevant AI features. Please note that opting out may prevent certain AI-powered editing capabilities from functioning.

Our current AI Partners are listed below. We may update this list as business needs evolve, and any changes will be reflected in this Policy:

AI Partner	Services & Transferred Data	Privacy Policy
Replicate, Inc.	AI-generated content processing Transferred Data: Input Content, Anonymized Request Identifier	replicate.com/privacy
Google LLC	AI-generated content processing Transferred Data: Input Content, Anonymized Request Identifier	policies.google.com/privacy

Each AI Partner listed above is contractually obligated to handle data in compliance with applicable data protection laws and to maintain protections at least equivalent to those described in this Policy.

12. Your Data Subject Rights

Under Article 11 of the KVKK, you are entitled to exercise the following rights with respect to your personal data:

Ascertain whether your personal data has been processed
Request information regarding any processing that has occurred
Understand the purposes of processing and verify that data is used consistently with those purposes
Identify domestic or international third parties to whom your data has been disclosed
Request correction of incomplete or inaccurate data and notification of such corrections to relevant third parties
Request erasure, destruction, or anonymization of data whose processing grounds have ceased, and notification thereof to relevant third parties
Object to outcomes produced exclusively through automated analysis that are adverse to your interests
Seek compensation for damages arising from unlawful processing
Revoke consent previously granted for consent-based processing at any time

When submitting a request, please ensure that your communication clearly identifies you and specifies the rights you wish to exercise. If acting on behalf of another individual, appropriate documented authorization is required. We will process your request free of charge within 30 days, in accordance with Article 13 of the KVKK. Should your request be denied, we will provide a written explanation of the reasons.

13. Contact Details

For questions, comments, or requests regarding this Privacy Policy—or to exercise your data subject rights—please reach us through the following channels:

Company Name: Quvarte Teknoloji A.Ş.
Address: Çankaya, Ankara, Turkey
Email: info@quvarte.com

14. Supplementary Notice for EEA, UK, and Swiss Residents

Where the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, or the Swiss Federal Act on Data Protection applies, this section supplements the information above.

14.1 Legal Bases and Processing Purposes

In addition to the legal bases described in Section 5, certain processing activities require your consent under GDPR. You may withdraw consent at any time by contacting us or through the mechanisms described below, without affecting the lawfulness of processing that occurred prior to withdrawal:

Marketing Data: With your consent (obtained via Apple, Google, or within the Application), we may process Marketing Identifiers for analytical studies and targeted advertising. Consent may be withdrawn through your account settings.
Marketing Communications: With your opt-in consent, we may use your Identity and Contact Details to send information about services, products, and promotional offers. You can unsubscribe via the link in any such communication or by following the procedure indicated therein.
AI Model Improvement: If you opt in, your User-Generated Content may be used to train and improve our AI models. You can withdraw this consent through the Application's settings.

14.2 International Transfer Mechanisms

When transferring personal data outside the EEA, Switzerland, or the UK, we employ one or more of the following safeguards:

Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection under Article 45(1) GDPR.
Standard Contractual Clauses: For transfers to jurisdictions lacking an adequacy determination, we implement the SCCs adopted under Article 46(2)(c) GDPR, supplemented by additional technical and organizational measures where appropriate.
Binding Corporate Rules: Where applicable, we rely on BCRs approved by the competent supervisory authority under Articles 46(2)(b) and 47 GDPR.

The provisions regarding AI Partners set out in Section 11.1 apply equally in the GDPR context.

14.3 Your Rights Under GDPR

Under the GDPR, you benefit from the following rights:

Access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
Rectification (Art. 16): Request correction of inaccurate data or completion of incomplete data.
Erasure (Art. 17): Request deletion of your data, subject to legal retention obligations, public interest considerations, or the defense of legal claims.
Restriction (Art. 18): Request that processing be limited under the conditions specified by the GDPR.
Portability (Art. 20): Receive your data in a structured, machine-readable format (such as CSV or JSON), or request direct transfer to another provider where technically feasible.
Objection (Art. 21): Object to processing based on legitimate interests. Objections to direct marketing will be honored immediately; other objections will be assessed against our compelling legitimate grounds.
Automated Decisions (Art. 22): If a decision affecting you is made solely through automated means, you may request human intervention, express your perspective, and contest the decision.
Withdrawal of Consent (Art. 7(3)): Where processing is based on consent, you may revoke it at any time without affecting prior processing.

To exercise any of these rights, please submit your request by email. We will respond within one month, with the possibility of a two-month extension for complex requests, in which case we will notify you of the delay. If you believe your rights have been infringed, you may file a complaint with your local data protection authority.

15. Supplementary Notice for California Residents

If you are a California resident, you are entitled to additional rights under California privacy law. These include the right to know what personal information we collect, use, disclose, and share; the right to request deletion or correction of your data; the right to opt out of the sale or sharing of your personal information; the right to limit the use and disclosure of sensitive personal information; and the right to be free from discrimination for exercising your privacy rights.

We do not sell personal information for monetary consideration. However, we may share usage data with third-party analytics and advertising partners, which may constitute a "sale" or "sharing" under California law. We do not collect sensitive personal information (see Section 4 for details). You may opt out or adjust your preferences through privacy settings or by contacting us directly.

15.1 Categories of Information Collected

We may collect the following categories of personal information as defined under California law: identifiers (e.g., name, email, phone number, IP address); personal information described in California Civil Code Section 1798.80(e) (e.g., name, contact details, account name, billing data); inferences about your preferences derived from your use of the Application (where personalization features are enabled and you choose to participate); and internet or network activity information reflecting how you interact with our services. Please refer to Sections 4 and 5 for full details.

15.2 Third-Party Analytics Tools

We may utilize analytics and measurement tools provided by Google, Apple, Facebook SDK, Adjust, and Firebase Analytics to understand usage patterns and improve Application performance. These tools may collect identifiers and in-app event data. California residents may opt out or withdraw permission at any time through privacy settings or by contacting us.

For information on data retention, please see Section 8.

16. Updates to This Policy

We may revise this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other relevant factors. The "Effective date" at the top of this document indicates the most recent revision.

For material changes—those that significantly affect your rights or the way we handle your data—we will provide prominent advance notice through the Application interface, by email to your registered address (if applicable), or through other appropriate means. Your continued use of the Application following such changes constitutes your acknowledgment of the updated terms, except where applicable law requires a different form of acceptance such as explicit consent.