Gökhan Camcı (sole trader operating under the SOU brand) — Istanbul, Türkiye
Contact: kvkk@souprivate.com
Operating model: SOU does not store special-category personal data (biometric templates, criminal-record documents) on its own systems. Identity and background checks are carried out by authorised third parties (Persona KYC, the Turkish Ministry of Justice E-Devlet QR system); SOU only retains the verification outcome ("verified / not verified"). Should the storage model change, this notice will be updated accordingly.
| Category | Data Type | Legal Basis |
|---|---|---|
| Identity | Full name, date of birth | GDPR Art. 6(1)(b) · contract |
| Contact | E-mail address, phone number | GDPR Art. 6(1)(b) · contract |
| Location (approximate) | City, neighbourhood (user-declared); plus your device's approximate location used by the nearby-members / automatic check-in features. The precise GPS coordinate is not stored on the server; it is rounded to ~111 m precision and held only transiently (at most 5 min). The location you enter when adding a venue is sent to OpenStreetMap Nominatim (EU) for address lookup. | GDPR Art. 6(1)(a) · consent |
| Visual | Profile photographs (EXIF stripped) | GDPR Art. 6(1)(a) · consent |
| Identity verification result | Persona KYC output: verified=true/false flag. The identity document, government ID number and biometric selfie are not stored on SOU systems — processed by Persona and the result is returned. | GDPR Art. 6(1)(b) · contract |
| Criminal record verification result | The user uploads an E-Devlet QR-coded document; the Turkish Ministry of Justice QR system performs the verification. SOU only retains the clean=true/false outcome; the document itself is not stored. | GDPR Art. 6(1)(b) · contract |
| Intent preferences | Intent (acquaintance / friendship / professional / conversation), prompt answers | GDPR Art. 6(1)(a) · consent |
| Behavioural | Drop reactions, reliability metrics, vouch graph | GDPR Art. 6(1)(f) · legitimate interests |
| Inferred / profiling | Categories (values, interests, communication style) inferred from your profile text and in-app preferences, plus a reliability indicator computed from your drop decisions — used only for matching; a human editor is in the loop (not a solely-automated decision). | GDPR Art. 6(1)(f) · legitimate interests |
| Transactional | Apple subscription metadata, payment status (card data not stored) | GDPR Art. 6(1)(b) · contract |
| Technical | Device type, OS version, app version, IP, push token | GDPR Art. 6(1)(f) · legitimate interests |
Note: SOU does not store identity documents, biometric templates, criminal-record documents, or other special-category raw data. Verification is performed with user consent by authorised third-party processors (Persona, Turkish Ministry of Justice QR); SOU only processes the resulting flag. Legal basis: GDPR Art. 13.
We use the following third-party service providers as international data processors. Transfers are made on the basis of explicit consent and Standard Contractual Clauses (SCC):
| Provider | Location | Data | Basis |
|---|---|---|---|
| Firebase / Google Cloud | europe-west3 (Frankfurt) | All Firestore + Storage | SCC + EU residency |
| OpenAI | USA | Message content (safety moderation + conversation health analysis), profile bio/prompt text (matching embedding), voice intro recording (Whisper transcript), bucketed profile categories (Drop editorial text) | Explicit consent (AI Consent Sheet) + DPA/SCC |
| Google Cloud Vision | USA / global | Uploaded photographs (inappropriate-content / NSFW safety scan + face detection) | Explicit consent + DPA/SCC |
| OpenStreetMap Nominatim | EU | Location/search text you enter when adding a venue (coordinate→address lookup) | Legitimate interests + public API terms of use |
| Persona (KYC) | USA | Identity document, biometric selfie | Explicit consent + SOC 2 Type II + DPA |
| RevenueCat | USA | UID, subscription metadata | SCC + contract |
| Resend (email) | EU | Contact e-mail address | EU DPA |
| Sentry | EU (sentry.io DE region) | Error logs (PII redacted) | EU DPA |
| Apple App Store | USA/EU | Apple ID, purchase receipts | Apple Developer Agreement |
| Twilio (SMS, optional) | EU/UK | Phone OTP | DPA + SCC |
You may exercise the following rights by writing to kvkk@souprivate.com or via Settings → Data Request within the app:
We will respond to your request within 30 days.
Our primary AI provider is OpenAI (USA). The following data is processed to keep the service safe and to improve matching quality:
Data Processing Agreements (DPA) and Standard Contractual Clauses (SCC) apply with these providers. The final matching decision is taken by a human editor (House Council); AI does not produce an automated decision on its own (GDPR Art. 22 compliant). You may decline AI processing from the in-app AI Consent screen.
SOU is intended for users aged 21 and over. Age verification is mandatory via Persona KYC. Applications from users identified as under 21 are rejected and their data deleted.
Data protection enquiries: kvkk@souprivate.com · 30-day response time
If you do not receive a response, you have the right to lodge a complaint with the relevant supervisory authority (e.g. the ICO or your local DPA) (GDPR Art. 77).
© 2026 SOU · Data Controller: Gökhan Camcı (Sole Trader) · Istanbul