Data Processing Notice

Last updated: 2026-05-16

This Data Processing Notice describes how Caymaz TechHealth Yazılım Tic. Ltd. Şti. ("Calvion") and its sub-processors handle personal data in accordance with GDPR (EU 2016/679), KVKK (Law No. 6698), and other applicable data protection laws.

1. Parties and Roles

Data Controller: Caymaz TechHealth Yazılım Tic. Ltd. Şti., Istanbul / Türkiye. The Controller determines the purposes and means of processing personal data.

Data Processor: Calvion acts as both Controller and Processor depending on context. For user-submitted content (meal photos, health goals), Calvion processes data strictly to fulfill the AI analysis service.

Competent authority: Istanbul Courts and Enforcement Offices (KVKK Art. 22).

2. Subject Matter and Scope

This DPA covers all personal data processed when you use the Calvion app, including account information, health metrics, nutrition logs, meal images, and device identifiers.

Processing is limited to what is strictly necessary to provide the services described in the Privacy Policy and Terms of Service.

Special category data (health and biometric data) is processed only upon explicit consent under KVKK Art. 6 and GDPR Art. 9.

3. Processing Purposes and Legal Basis

Account management and authentication: performance of contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)).

AI-powered nutrition analysis: legitimate interest and explicit consent (GDPR Art. 6(1)(a) and (f) / KVKK Art. 5(1), 6(2)).

Security monitoring and fraud prevention: legitimate interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(d)).

Compliance with legal obligations: GDPR Art. 6(1)(c) / KVKK Art. 5(2)(a).

4. Sub-processors

Hetzner Online GmbH (Germany) — Infrastructure hosting. Data stored on EU-region servers. Hetzner is GDPR-compliant.

Fal Labs / fal.ai (USA) — AI model inference for meal photo analysis. Data transferred under Standard Contractual Clauses (SCC). Photos are not retained by fal.ai beyond the inference request.

Cloudflare R2 (Global) — Object storage for uploaded meal images. Cloudflare is GDPR-compliant with DPA available. Data encrypted at rest with AES-256.

Firebase (Google LLC, USA) — Authentication and push notifications. Google Cloud DPA applies. Firebase Auth stores only UID and email.

Calvion does not sell personal data to any third party or use it for advertising purposes.

5. International Data Transfers

Data may be transferred outside Türkiye and the EEA for AI inference (fal.ai, USA) and cloud storage (Cloudflare R2). Such transfers are made under Standard Contractual Clauses (SCC) and KVKK international transfer provisions (Art. 9).

By using AI-assisted features, you explicitly consent to cross-border transfer of meal images and related data as described in this DPA.

Users who do not consent to international transfers should not use AI-powered features. Core non-AI features remain available without image uploads.

6. Security Measures

All data in transit is protected with TLS 1.3. Data at rest is encrypted with AES-256-GCM.

Sensitive health fields (health focus, chronic conditions) are encrypted at the application level before database storage.

Access to personal data is limited to authorized personnel. Admin access is logged in an audit trail.

Row-level security is enabled on core database tables to enforce user data isolation.

7. Retention and Deletion

Personal data is retained for as long as the account is active. Deleted accounts are hard-deleted from production systems within 30 days.

You can request immediate export of your data at any time via Settings → Export My Data.

Health data associated with deleted accounts is permanently purged. Aggregated anonymized analytics may be retained.

Backups containing personal data are overwritten within 30 days of account deletion.

8. Your Rights

Right of access: Export all your personal data at any time via the app (Settings → Export My Data).

Right to erasure: Delete your account and all associated data at any time from the app.

Right to rectification: Update your profile, health metrics, and preferences at any time.

Right to data portability: Data export is available in JSON format.

Right to object / withdrawal of consent: Withdraw consent for health data processing by deleting your account or contacting support.

To exercise KVKK Art. 11 rights, contact: legal@caymaztech.com

9. Data Breach Notification

In the event of a personal data breach, Calvion will notify affected users and the KVKK Board within 72 hours of becoming aware of the breach, as required by KVKK Art. 12 and GDPR Art. 33.

Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken.

10. Contact

Data Controller: Caymaz TechHealth Yazılım Tic. Ltd. Şti. — MERSİS: 0203091510500001 — Istanbul / Türkiye

For privacy, data rights, or KVKK/GDPR requests: legal@caymaztech.com

Use subject line: 'Privacy Request — [Request Type]'

For questions about this document: legal@caymaztech.com