🔒 Privacy Policy

Last updated: April 27, 2026

1. Introduction & Data Controller

At Evlek ("we", "our"), we take the protection of your personal data seriously. This Privacy Policy explains what data we collect when you use the evlek.app platform, how we use it, and how we protect it. We operate in accordance with the TRNC Personal Data Protection Law (89/2007) and international best practices. Data Controller: Entity: Evlek — Sole Proprietorship Address: Meşale Sok. Karaoğlanoğlu No:9, Kyrenia, TRNC Phone: +90 533 833 88 98 Email: hello@evlek.app Platform: evlek.app

2. Data We Collect

We collect the following data when you use our platform: • Account information: Email address, full name, password (stored encrypted) • Listing information: Property details, photos, price, location, contact details (phone, WhatsApp, Telegram) • Usage data: Page visits, search queries, favorites lists • Technical data: IP address, browser type, device info, cookies • Communication data: Messages sent through the contact form • Identity verification data (KYC): Government ID photo (front), selfie photo — collected only from users who voluntarily request verification, with explicit consent • Phone verification data: Phone number (E.164 format), WhatsApp number — for SMS/WhatsApp OTP verification • Subscription data: Apple IAP/Google Play purchase records, plan information, subscription status

3. How We Use Your Data & Legal Basis

We process your personal data based on the following legal grounds: • Consent: Account creation, listing publishing, AI chatbot usage • Contractual obligation: Providing subscription services, payment processing • Legitimate interest: Platform security, fraud prevention, service improvement, anonymous statistics • Legal obligation: Tax and accounting records, regulatory compliance Purposes of use: • Creating and managing your account • Providing listing publishing and management services • Personalizing your experience (language preference, favorites) • Assisting you via AI assistant (see AI Disclosure section below) • Security and fraud prevention • Fulfilling legal obligations • Analyzing and improving platform performance

4. Artificial Intelligence (AI) Assistant & Third-Party AI Services

The Evlek platform uses third-party AI services to provide AI-powered features. This section contains mandatory disclosure per Apple App Store Guideline 5.1.2(i). AI Service Used: • Google Gemini 2.0 Flash — Large Language Model (LLM) provided by Google LLC • Service endpoint: generativelanguage.googleapis.com • Google's AI Privacy Policy: https://ai.google/responsibility/privacy/ Data Sent to AI Service: • ✅ Text content of your chat message (your question) • ✅ Your selected language preference (TR/EN/RU/DE/AR) • ❌ Name, surname, email, phone number are NOT SENT • ❌ Location data, IP address, device info are NOT SENT • ❌ Listing data, photos, payment info are NOT SENT AI Data Processing Principles: • Message content is not permanently stored by Evlek • Per Google's data processing policy: Gemini API data is not used for model training • Explicit user consent (consent popup) is obtained before in-app usage • The AI assistant is for general information only and does not constitute legal or financial advice • Content moderation: Google Gemini Safety Settings (4-category BLOCK) + 8 prompt injection protections active

4b. Identity Verification (KYC) & Personal Data Processing

The Evlek platform offers an optional identity verification (KYC) service to enhance the credibility of property professionals. This service is entirely voluntary and user-initiated. KYC Data Collected: • Government ID photo (national ID card, driver's license, or passport front page) • Selfie photo (for live verification) KYC Data Processing: • ID documents are stored encrypted in Supabase Storage • Reviewed only by authorized admin personnel manually • AI-assisted pre-check: Google Gemini Vision API verifies document format and facial matching • Images sent to AI service are not permanently stored and are not used for model training KYC Data Retention & Deletion: • ID document photos are automatically deleted within 90 days after verification is complete • Selfie photos are processed at the time of verification and immediately deleted • Users may request immediate deletion of their KYC data at any time by emailing hello@evlek.app • Retained information: Only verification status (kyc_tier: 'verified' / 'unverified') — document images are not retained Legal Basis: Explicit consent (TRNC PDPL Art.5/1-a). The user provides explicit consent by initiating the verification process.

4c. Phone & WhatsApp Verification

Phone number and WhatsApp verification services are provided for platform security and contact accuracy. Service Provider: • Twilio Inc. — Twilio Verify API • Twilio Privacy Policy: https://www.twilio.com/legal/privacy Data Processed: • Phone number (E.164 format, e.g., +905338338898) • WhatsApp number (separate verification) • Verification code (6-digit OTP — single use) Data Processing Principles: • OTP codes are single-use and automatically expire after 10 minutes • Twilio processes phone numbers solely for verification purposes and does not use them for marketing • Verification result (success/failure) is stored in the Evlek database • Users can update their verified number from profile settings Legal Basis: Legitimate interest (platform security) and contractual obligation.

4d. In-App Purchases & Subscriptions

The Evlek mobile app offers subscription services through the Apple App Store and Google Play Store. Payment Processing: • All payment transactions are processed by Apple/Google • Evlek does not see or store your credit card number, bank account details, or payment specifics • Subscription management is provided through RevenueCat Inc. • RevenueCat Privacy Policy: https://www.revenuecat.com/privacy Subscription Data Retained: • Plan type (Explore, Plus, Pro, Brokerage/Corporate, Operator, Developer) • Subscription status (active, cancelled, expired) • Subscription source (Apple IAP, Google Play, admin gift, application approval) • Start and end dates Plan-Specific Notes: • Developer plan: No IAP — application form (/apply/developer) required, contractor license + company registration mandatory, activates after admin approval. • Brokerage (Corporate) and Operator plans: Open IAP, however subscription activation pending admin manual review if the relevant license (KTEB membership or TRNC Ministry of Education dormitory permit) is not uploaded. Legal Basis: Contractual obligation and legitimate interest.

4e. Life (Match) Feature — Mutual Consent and Privacy

The Life tab is a secure platform designed for users seeking roommates or co-tenants in TRNC. This feature is not for romantic relationship purposes (see Terms of Service). Life Profile Data: • First name + last initial (e.g., "Aylin Y.") — full name not shared before mutual match • Profile photo (blurred before mutual consent, revealed after acceptance) • Bio (user-provided) • City / district (TRNC-based) • Hard filters (gender, age range, smoking, religious sensitivity — opt-in) • Soft filters (lifestyle, sleep schedule, hobbies — opt-in) • Practical filters (budget, room count, contract length — opt-in) Mutual Consent Flow: Phone number, full name, and direct contact channels (WhatsApp/Telegram) are shared only after both parties give explicit consent: 1. Profile discovery: Photo blurred + first name only 2. Interest mark: "Interested" tag (no notification sent to counterparty) 3. Mutual interest: Both parties tap → in-chat (10 messages free, unlimited Plus+) 4. Reveal request: One party sends a reveal request 5. Acceptance: If counterparty accepts → full name + phone + contact info revealed 6. Audit log: All reveal actions are recorded with timestamps in the `contact_reveals` table Revocation: • Users may revoke a granted reveal at any time → counterparty's visibility is immediately closed • Profile archival or deletion: All matches and reveals are automatically purged (cascade with account deletion) 18+ Age Verification: • During KYC, the date of birth (DOB) is read from the ID document by AI Vision • Users under 18 are automatically prevented from accessing the Life tab and Match features • DOB is used solely for age verification, not displayed in profile (shown: optional age range bracket) • Stored: Only `age_verified: boolean` flag — DOB exact value in encrypted field Reporting and Blocking: • Users may report any profile (harassment, fake profile, romantic intent, etc.) • Reported profiles are automatically temporarily suspended pending admin manual review • Users may block each other — blocking is one-sided, no notification sent to counterparty Legal Basis: Explicit consent (TRNC PDPL Art.5/1-a). Users who activate the Life tab and accept filter usage provide explicit consent to processing of related personal data. No contact data is shared with third parties without mutual consent. Data Retention: • Match data (interest, reveal): Retained as long as the user account is active • In-chat messages: Auto-deleted after 365 days (message history) • Account deletion: All match, interest, reveal, and chat data deleted immediately and irreversibly

5. Data Storage and Security

Your data is securely stored using the following infrastructure: • Database: Supabase (PostgreSQL) — encrypted connections, row-level security (RLS) • File storage: Supabase Storage — secure access controls • Web hosting: Vercel — automatic SSL/TLS encryption, DDoS protection • Passwords: Hashed using bcrypt, never stored in plain text • Auth tokens: JWT-based, session-level security

6. Data Retention Periods

We retain your personal data only for as long as necessary for the purposes for which it was processed: • Account data: While your account is active + 30 days after deletion • Listing data: While listing is active + 90 days after deletion • Payment records: 5 years (legal obligation) • Log data (IP, browser): 1 year • Chat history (AI): Duration of session only, automatically deleted after session ends Data that has exceeded its retention period is automatically destroyed or anonymized.

7. Data Sharing

We do not sell your personal data. It may be shared in the following limited cases: • Service providers: Supabase (database), Vercel (hosting), Google (analytics, OAuth) — solely for service delivery • Legal requirements: Court orders or legal regulations • Listing visibility: Contact info in your listings (phone/WhatsApp/Telegram) is visible to other users — you choose to share this info

8. International Data Transfers

Your data may be processed on servers outside TRNC through our service providers (Supabase, Vercel). These providers comply with international security standards (SOC 2 Type II, ISO 27001). We act in accordance with procedures established by the TRNC Personal Data Protection Board.

9. Cookies

Our platform uses the following cookies: • Essential cookies: Session management, language preference — required for platform functionality • Analytics cookies: Vercel Analytics — anonymous usage statistics (does not collect personal data) You can disable cookies through your browser settings, but some features may not work properly.

10. Your Rights

Under the TRNC Personal Data Protection Law, you have the following rights: • Request access to your personal data • Request correction of inaccurate data • Request deletion of your data • Object to data processing • Request data portability To exercise these rights, email us at hello@evlek.app.

11. Children's Privacy

Our platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors.

12. Policy Changes

We may update this policy from time to time. When significant changes occur, we will notify you through platform announcements or email.

13. Contact

For questions about our privacy policy: Email: hello@evlek.app Web: evlek.app/contact