Data Processing Notice

Effective: 14 May 2026 · v1.0 · GDPR Art. 13

1. Data Controller

Gökhan Camcı (sole trader operating under the SOU brand) — Istanbul, Türkiye
Contact: kvkk@souprivate.com

Operating model: SOU does not store special-category personal data (biometric templates, criminal-record documents) on its own systems. Identity and background checks are carried out by authorised third parties (Persona KYC, the Turkish Ministry of Justice E-Devlet QR system); SOU only retains the verification outcome ("verified / not verified"). Should the storage model change, this notice will be updated accordingly.

2. Personal Data Processed

CategoryData TypeLegal Basis
IdentityFull name, date of birthGDPR Art. 6(1)(b) · contract
ContactE-mail address, phone numberGDPR Art. 6(1)(b) · contract
Location (approximate)City, neighbourhood (user-declared); plus your device's approximate location used by the nearby-members / automatic check-in features. The precise GPS coordinate is not stored on the server; it is rounded to ~111 m precision and held only transiently (at most 5 min). The location you enter when adding a venue is sent to OpenStreetMap Nominatim (EU) for address lookup.GDPR Art. 6(1)(a) · consent
VisualProfile photographs (EXIF stripped)GDPR Art. 6(1)(a) · consent
Identity verification resultPersona KYC output: verified=true/false flag. The identity document, government ID number and biometric selfie are not stored on SOU systems — processed by Persona and the result is returned.GDPR Art. 6(1)(b) · contract
Criminal record verification resultThe user uploads an E-Devlet QR-coded document; the Turkish Ministry of Justice QR system performs the verification. SOU only retains the clean=true/false outcome; the document itself is not stored.GDPR Art. 6(1)(b) · contract
Intent preferencesIntent (acquaintance / friendship / professional / conversation), prompt answersGDPR Art. 6(1)(a) · consent
BehaviouralDrop reactions, reliability metrics, vouch graphGDPR Art. 6(1)(f) · legitimate interests
Inferred / profilingCategories (values, interests, communication style) inferred from your profile text and in-app preferences, plus a reliability indicator computed from your drop decisions — used only for matching; a human editor is in the loop (not a solely-automated decision).GDPR Art. 6(1)(f) · legitimate interests
TransactionalApple subscription metadata, payment status (card data not stored)GDPR Art. 6(1)(b) · contract
TechnicalDevice type, OS version, app version, IP, push tokenGDPR Art. 6(1)(f) · legitimate interests

Note: SOU does not store identity documents, biometric templates, criminal-record documents, or other special-category raw data. Verification is performed with user consent by authorised third-party processors (Persona, Turkish Ministry of Justice QR); SOU only processes the resulting flag. Legal basis: GDPR Art. 13.

3. Purposes of Processing

4. International Transfers (GDPR Chapter V)

We use the following third-party service providers as international data processors. Transfers are made on the basis of explicit consent and Standard Contractual Clauses (SCC):

ProviderLocationDataBasis
Firebase / Google Cloudeurope-west3 (Frankfurt)All Firestore + StorageSCC + EU residency
OpenAIUSAMessage content (safety moderation + conversation health analysis), profile bio/prompt text (matching embedding), voice intro recording (Whisper transcript), bucketed profile categories (Drop editorial text)Explicit consent (AI Consent Sheet) + DPA/SCC
Google Cloud VisionUSA / globalUploaded photographs (inappropriate-content / NSFW safety scan + face detection)Explicit consent + DPA/SCC
OpenStreetMap NominatimEULocation/search text you enter when adding a venue (coordinate→address lookup)Legitimate interests + public API terms of use
Persona (KYC)USAIdentity document, biometric selfieExplicit consent + SOC 2 Type II + DPA
RevenueCatUSAUID, subscription metadataSCC + contract
Resend (email)EUContact e-mail addressEU DPA
SentryEU (sentry.io DE region)Error logs (PII redacted)EU DPA
Apple App StoreUSA/EUApple ID, purchase receiptsApple Developer Agreement
Twilio (SMS, optional)EU/UKPhone OTPDPA + SCC

5. Retention Periods (GDPR Art. 5(1)(e))

6. Your Rights (GDPR Art. 15–22)

You may exercise the following rights by writing to kvkk@souprivate.com or via Settings → Data Request within the app:

  1. Right to know whether your personal data is being processed
  2. Right to access information about that processing
  3. Right to know the purposes for which your data is processed
  4. Right to know which domestic and international recipients have received your data
  5. Right to rectification of inaccurate or incomplete data
  6. Right to erasure / right to be forgotten (Settings → Close Account)
  7. Right to data portability in machine-readable format (Settings → Download My Data, GDPR Art. 20)
  8. Right to object to automated decision-making (GDPR Art. 22 — to object to the Drop selection logic: kvkk@souprivate.com)

We will respond to your request within 30 days.

7. Use of Artificial Intelligence

Our primary AI provider is OpenAI (USA). The following data is processed to keep the service safe and to improve matching quality:

Data Processing Agreements (DPA) and Standard Contractual Clauses (SCC) apply with these providers. The final matching decision is taken by a human editor (House Council); AI does not produce an automated decision on its own (GDPR Art. 22 compliant). You may decline AI processing from the in-app AI Consent screen.

8. Security Measures (GDPR Art. 32)

9. Child Protection

SOU is intended for users aged 21 and over. Age verification is mandatory via Persona KYC. Applications from users identified as under 21 are rejected and their data deleted.

10. Contact and Complaints

Data protection enquiries: kvkk@souprivate.com · 30-day response time
If you do not receive a response, you have the right to lodge a complaint with the relevant supervisory authority (e.g. the ICO or your local DPA) (GDPR Art. 77).

© 2026 SOU · Data Controller: Gökhan Camcı (Sole Trader) · Istanbul