Privacy Policy – EMOTİCE

Last updated: October 2, 2025 | Version 1.0

=== CRITICAL WARNING ===

EMOTICE is NOT a medical device and does not provide medical advice, diagnosis, or treatment. In emergencies, call 112 (Turkey), 911 (USA), or 988 (USA Suicide Hotline). For mental health concerns, always consult a licensed healthcare professional.

================

TL;DR (Summary)

✓ Your mood data is encrypted and never sold
✓ AI conversations are anonymous
✓ You can delete all your data anytime
✓ We don’t accept users under 16
✓ GDPR and KVKK compliant

1. Data Controller

Data Controller: Nechh Lab Robotics
Platform: emotice.com (web and mobile application)
Email: privacy@emotice.com
Data Protection Officer: dpo@emotice.com
Website: emotice.com

2. Personal Data We Process

2.1. Identity Data

Email address (required)
Name and surname (optional)
Date of birth (age verification only – 16+ check)
Username (optional)

2.2. Health and Emotional Data (Sensitive Data)

WARNING: GDPR Article 9 – Special Category Data

The following data is classified as “sensitive data”:

Daily mood records (emoji and notes)
Emotional intensity scores
AI chat history (for motivation and support)
Onboarding survey responses (WHO-5, PHQ-2, GAD-2, sleep quality)
Stress sources and triggers

2.3. Technical Data

IP address (security and fraud prevention)
Browser type and version
Device information (mobile/desktop)
Session logs
Usage statistics (anonymous)

2.4. Communication Data

Email communication history
Support requests and responses
Notification preferences

3. Purpose of Processing and Legal Basis

Data Category	Purpose	Legal Basis
Identity	Account creation, login verification	Contract (GDPR Art. 6/1-b)
Health/Emotional	Mood tracking, AI support, statistics	Explicit Consent (GDPR Art. 9/2-a)
Technical	Security, fraud prevention, analytics	Legitimate Interest (GDPR Art. 6/1-f)
Communication	Support, notifications	Contract (GDPR Art. 6/1-b)

4. Explicit Consent

We obtain explicit consent for all sensitive data (mood, emotional state, survey responses).

Your Right to Withdraw Consent:
You can withdraw all consents and delete your data via Account Settings → Delete My Data.

5. Data Retention Period

Active accounts: While your account is active
Deleted accounts: Permanently deleted within 30 days (recovery period)
Technical logs: 90 days (security purposes)
Anonymous analytics: Indefinitely (no personal connection)
Legal obligations: As required by law (e.g., billing records for 10 years)

6. Data Security

Encryption

In transit: TLS 1.3
At rest: AES-256
Database: Row-level encryption

Access Control

Multi-Factor Authentication (MFA)
Role-Based Access Control (RBAC)
Audit logs

Infrastructure

Supabase (SOC 2 Type II)
GDPR-compliant hosting (EU)
Encrypted automatic backups

Monitoring

24/7 security monitoring
Intrusion detection
Breach notification (within 72 hours)

7. Data Transfers

7.1. Third-Party Transfers

We DO NOT sell your data or share it for marketing. Limited transfers only:

Recipient	Purpose	Protected Data
Supabase (EU)	Database hosting	All data (encrypted)
OpenAI (USA)	AI chat support	Chat texts (anonymous)
Vercel (USA)	Web hosting	IP, usage logs
Email service	Notifications	Email address

7.2. International Data Transfers

OpenAI (GPT-4o-mini) is US-based, so AI chat data is transferred to the USA. For this transfer:

Standard Contractual Clauses (SCC) are used
Data is anonymized (no name, no ID)
OpenAI does NOT use your data for model training
Deleted from OpenAI systems within 30 days

7.3. Legal Requirements

Your data may only be disclosed to authorities in:

Court order or legal obligation
Emergency life safety situation (suicide risk)
Criminal activity

8. Cookies

For details, see our Cookie Policy. Cookies we use:

Essential: Session management, security
Analytics: Anonymous usage statistics (opt-out available)
Preferences: Language, theme settings

Note: We do NOT use advertising cookies or tracking pixels.

9. Your Rights (GDPR and KVKK)

You have the following rights:

1. Right to Information

Learn what data we process about you.
How: Account Settings → Download My Data

2. Right to Rectification

Correct inaccurate data.
How: Profile → Edit

3. Right to Erasure (Right to be Forgotten)

Delete all your data.
How: Account Settings → Delete Account
WARNING: This cannot be undone!

4. Right to Data Portability

Download your data in JSON format.

5. Right to Restrict Processing

Withdraw consent or freeze your account.

6. Right to Complain

Turkey: kvkk.gov.tr
EU: Your country’s Supervisory Authority

10. Children’s Privacy

EMOTICE does NOT serve individuals under 16 years old. If we discover a user is under 16, we immediately delete their account and destroy all data.

If you’re a parent and discover your child registered: privacy@emotice.com

11. Data Breach Notification

In case of a data breach:

Reported to authorities within 72 hours
Affected users notified immediately via email
Details and measures taken disclosed transparently

12. Policy Changes

Changes to this policy:

Version number and date updated (top of page)
Major changes notified via email
Announcement on Platform

13. Contact and Requests

To exercise your rights or for questions:

Data Protection Officer: emotice2025@gmail.com
General Questions: emotice2025@gmail.com
Response time: Within 30 days (GDPR Art. 12/3)

Quick Delete

Account Settings → Delete Account

All your data will be permanently deleted within 30 days.