SOU · PRIVACY POLICY · v1.0 — 14 MAY 2026
Privacy Policy
This Privacy Policy explains how the SOU application ("the App") processes personal data
on behalf of its individual data controller
Gökhan Camcı ("SOU", "we").
Data Controller contact:
HELLO@SOUPRIVATE.COM · POSTAL · ISTANBUL
§ 1. Data We Process
- Identity data (full name, date of birth, government ID — processed by Persona Inc. during KYC; SOU sees status only)
- Contact data (e-mail address, phone number)
- Application answers, profile prompts (converted into an OpenAI embedding for matching similarity — subject to explicit consent)
- Photographs (Firebase Storage, owner-only; transmitted to Google Cloud Vision for a safety scan)
- Location: when "nearby members" and automatic check-in features are enabled, your device's approximate location is used. The precise GPS coordinate is not stored on the server; the location is rounded to ~111 m precision and held only temporarily (at most 5 min). The location you enter when adding a venue is sent to OpenStreetMap Nominatim (EU) for address lookup.
- Membership and subscription status (RevenueCat ID)
- Chat messages (Firestore, restricted to current and former conversation participants; subject to OpenAI moderation and conversation health analysis for community safety)
- Behavioural metrics (response rate, no-show record, drop decisions)
- Voice intro recording (sent to OpenAI Whisper for transcription; the raw audio is deleted after 90 days)
- Categories inferred from your profile text and in-app preferences (values, interests, communication style) and a reliability indicator computed from your drop decisions — used only for matching
- Device identifiers (push token, error logging via Sentry)
§ 2. Legal Basis (GDPR Art. 6 / Art. 9)
Consent, performance of a contract, and the controller's legitimate interests. For special-category
personal data (facial photograph, identity document) explicit consent is the sole
lawful basis and is collected within the app via the AI Consent screen.
§ 3. International Transfers
The following third-party processors may be located in the United States or the EU; transfers are
made on the basis of explicit consent and Standard Contractual Clauses (SCC):
- Persona Inc. (USA) — KYC + Liveness; SOC 2 Type II
- OpenAI (USA) — Editorial text generation, message moderation and conversation health analysis, profile prompt embedding, voice intro transcription (Whisper); explicit consent + DPA/SCC
- Google Cloud Vision (USA/EU) — Safety (NSFW) scan of uploaded photographs
- OpenStreetMap Nominatim (EU) — Venue-adding address lookup (coordinate→address)
- RevenueCat (USA) — Subscription mirror
- Google / Firebase (EU — Frankfurt) — Database, Auth, Functions
- Resend (EU) — Transactional email
- Sentry (EU) — Error logging (PII redacted)
- Apple App Store (USA/EU) — App Store + IAP
§ 4. Retention Periods
Data is retained for as long as membership is active. On account deletion a 30-day soft-delete
period applies, after which permanent erasure follows. Certain data may be retained to meet legal
obligations (financial records 5 years; security incident reports for the applicable statutory period).
§ 5. Your Rights (GDPR Art. 15–22)
- Right to know whether your personal data is being processed
- Right to know the purposes for which it is processed
- Right to rectification, erasure, and anonymisation
- Right to know which third parties have received your data
- Right to object to outcomes of automated decision-making (matchmaking algorithm)
- Right to compensation for damage
To exercise your rights: kvkk@souprivate.com. To lodge a complaint
with the relevant supervisory authority (e.g. the ICO or your local DPA):
ico.org.uk.
§ 6. Children
The App does not serve users under the age of 21. Age is verified during the application process
via Persona KYC.
§ 7. AI and Automated Decision-Making
Match suggestions are partly automated: editorial text generation with OpenAI and (where explicit
consent is given) converting your profile prompts into embeddings to compute a similarity score.
In addition, your messages (OpenAI moderation + conversation health analysis), your photographs
(Google Cloud Vision) and your voice intro (OpenAI Whisper) are processed automatically for safety
and quality. The final matching decision is taken by a human editor. You have the right to decline
on the AI Consent screen; if you decline, a manual review flow is used instead.
§ 8. Security Measures
- TLS 1.3 transport encryption
- Firebase Firestore at-rest AES-256 encryption
- Auth tokens stored in iOS Keychain / Android Keystore
- Sentry PII redaction
- Firebase Security Rules deny-by-default
- Persona webhook HMAC-SHA256 + replay protection
§ 9. Updates
You will be notified in the app when this policy is updated.
Current version: v1.0 · 14·05·2026.