Privacy Policy

1. Who does this policy cover?

This policy covers visitors of the cardwho.com website, players of the CardWho mobile app (iOS / Android), and anyone who reaches us through our contact channels.

2. Data controller

"We" / "CardWho" refers to Erik Medya, the entity that operates the service.

  • Legal name: Erik Medya
  • Registered address: Kuştepe Mahallesi, Mecidiyeköy Yolu Caddesi No: 12, Trump Tower Floor: 4, Office No: 405, Şişli / İstanbul, Postal code: 34381, Türkiye
  • Email: [email protected]

3. What we collect

3.1. Use without an account

CardWho can be played without creating an account. In that mode no personal data is collected; game progress is stored only on your device.

3.2. Optional account

If you want multi-device sync, cloud backup, or to use purchases across devices, you can create an account. In that case the data we collect is:

  • Email address (sign-in + contact)
  • Display name (optional)
  • Device type and app version (debugging + compatibility)
  • Game stats (total games played, category-level preferences) — only tied to your account

3.3. Purchase data

If you buy PRO content, the payment is processed by Apple App Store or Google Play. We do not see or store your card details. We only process the tokens the store returns to us so we can verify the purchase.

3.4. Contact data

When you use the contact form, your name, email address, message, and chosen topic are sent to us. We process this data to answer your request and to follow up if needed.

3.5. Website usage data

The site is served via Cloudflare. Standard server logs (IP address, user agent, requested URL, timestamp) are kept short-term for security and diagnostics.

3.6. Security and audit logs

To protect your account and to meet our legal obligations, we keep an internal audit log of security-significant events: sign-in attempts (successful and failed), account changes (registration, profile updates, account deletion), subscription events (purchase, renewal, cancellation, transfer, refund), administrator actions on your account, and system jobs (such as scheduled retention runs). Each entry stores the action name, the actor type (user / admin / system), the actor and target identifiers, the timestamp, the IP address, the user agent, and a redacted payload.

Sensitive values are never written to the payload in clear text. Passwords, full authentication tokens, payment card details, raw email addresses, and other personal data are filtered through a redaction whitelist before the entry is written. Only what is needed to prove that the event happened — not the underlying secret — is kept.

4. Why we process the data

Our processing purposes and legal bases:

  • Service delivery: keeping your account working, verifying purchases, syncing data (performance of contract).
  • Support: responding to contact requests (legitimate interest).
  • Security: attack detection, fraud prevention, system integrity (legitimate interest and legal obligation).
  • Accountability and audit log: security-significant events are recorded in an internal audit log so we can detect attacks, prove that critical actions happened (account deletion, administrator interventions), and meet our KVKK and GDPR record-keeping duties (legal obligation and legitimate interest).
  • Legal obligations: records required by tax and consumer law (legal obligation).
  • Product improvement: aggregated, non-personalized usage patterns (legitimate interest). We do not profile users at the individual level.

5. Who we share data with

We do not sell your data. We share it only with processors that are required to deliver the service, bound by contractual and legal obligations:

  • Apple App Store / Google Play: purchase processing.
  • OVH (European Union): server hosting. Your data stays inside the European Union.
  • Cloudflare: CDN, bot protection, Turnstile.
  • RevenueCat (United States): in-app purchase orchestration, subscription validation, and store webhooks. Email, display name, birth date, city, and country code are passed to identify the customer record.
  • Google (Firebase Authentication, Firebase Cloud Messaging): account authentication and push notification delivery. When you use Apple or Google sign-in, the corresponding identity provider also processes the credential.
  • Sentry (Germany — EU): application error and performance telemetry. Device type, app version, anonymous user identifier, and stack traces are processed.
  • PostHog (European Union): product analytics. An anonymous device/installation identifier, app version, and in-app usage events are processed; session recording and IP-based location enrichment are disabled.
  • Authorities: only when legally compelled, and where possible after notifying you in advance.

6. Data retention

  • Account data: as long as your account is active. After a deletion request, all data is removed within 30 days.
  • Contact messages: 12 months after your case is closed.
  • Server logs: 30 days, then anonymized or deleted.
  • Billing records: 10 years, as required by tax law.

The audit log keeps four separate retention buckets, automatically purged by a scheduled job:

  • User account-deletion proof: 36 months. Account-deletion events are kept (in anonymized form) as evidence that the deletion was carried out — KVKK Article 5/2-ç and GDPR Article 6(1)(c).
  • Other user events: 12 months. Sign-ins, profile updates, subscription events, and similar entries — minimization principle plus a fraud-investigation window.
  • Administrator events: 24 months. Internal audit and team handover window for actions taken by administrators on user accounts.
  • System events: 6 months. Scheduled job runs, retention cron output, and similar operational records.

7. Your rights (KVKK + GDPR)

Under Türkiye's Personal Data Protection Law (KVKK) and the European Union's General Data Protection Regulation (GDPR), you have the following rights:

  • Confirm whether your data is being processed.
  • If it is, learn what data, how, and why it is processed.
  • Ask for incorrect data to be corrected.
  • Ask for your data to be deleted, outside legal exceptions ("right to be forgotten").
  • Ask for your data in a machine-readable format, or have it transferred to another controller (portability).
  • Object to certain types of processing.
  • Not be subject to automated decision-making.
  • File a complaint with a supervisory authority (KVKK Authority in Türkiye, the local data protection authority in the EU).

To exercise these rights, send a "Legal / privacy" message via the contact form. We respond within 30 days at the latest.

How to delete your data inside the app: CardWho offers two in-app paths depending on whether you are signed in. If you cannot reach these screens, send a "Legal / privacy" message via the contact form as the web fallback.

  • Signed-in members — open Profile → Delete Account. Your backend account row, Firebase user record, RevenueCat customer profile, and Sentry user reference are removed atomically; any audit-log entries that reference you are anonymized in the same transaction as described below.
  • Guests (no account) — open Profile → Delete Guest Data. Favorites, stats, badges, the notification inbox, and the FCM push token tied to this device are wiped, and the app continues as a fresh guest. Device preferences (language, theme, sound) remain because they are not personal data.

How deletion interacts with the audit log: when you delete your account from inside the app, or when an administrator anonymizes your account on your behalf under KVKK Article 17, your account row and personal data are removed and any existing audit-log entries that reference you are anonymized in the same atomic transaction — actor and target identifiers are nulled and the payload is emptied. The action name and timestamp are retained as legal proof, in line with the retention duty. The proof entry itself is purged after 36 months by the scheduled retention job described in section 6.

8. Your California privacy rights (CCPA / CPRA)

If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

  • Right to know: what personal information we collect, the purposes, and the categories of recipients.
  • Right to delete: ask us to delete personal information we hold about you.
  • Right to correct: ask us to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing": we do not sell your personal information and we do not share it for cross-context behavioral advertising.
  • Right to non-discrimination: we will not deny service or charge a different price because you exercised a right.

To exercise these rights, send a "Legal / privacy" message via the contact form. We may need to verify your identity before fulfilling certain requests.

9. Children's privacy

CardWho does not target children under 13. If you are under 13, you should not use this app without the consent of a parent or legal guardian. If we learn that we have collected personal information from a child under 13, we delete that information without delay.

10. International data transfers

Our servers are located in the European Union (France); the primary database and file hosting stay within the EU. Transfers to the following processors take data outside the EU and are handled under GDPR Articles 44–49 (appropriate safeguards and Standard Contractual Clauses): RevenueCat (United States), Firebase Authentication and Firebase Cloud Messaging (Google, United States), Apple App Store (United States), Google Play (United States). Sentry (Germany) and PostHog (European Union) stay inside the EU. These transfers take place under each provider's published Data Processing Agreement (DPA) and the EU Standard Contractual Clauses (SCC).

11. Security

We apply industry-standard measures to protect your data against unauthorized access, loss, and alteration: HTTPS-only traffic, password hashing (Argon2id or equivalent), role separation, restricted log access, and regular backups. No system is 100% secure; if a confirmed data breach occurs, we notify you and the relevant authorities within the timelines required by law.

12. Changes

We update this policy when laws or the service materially change. For significant changes, we show a clear notice on the homepage or inside the app.

13. Contact

For questions about this policy, reach us via the contact form or write directly to [email protected].