KVKK Information Notice
Under Law No. 6698 on Protection of Personal Data
Last updated: 11.02.2026
This notice is effective as of February 11, 2026.
1. Data Controller
In accordance with Law No. 6698 on Protection of Personal Data ("KVKK"), your personal data is processed by Furkan Hidayet Alkan ("Data Controller") within the scope explained below. The Data Controller operates the PetNexa pet health management mobile application and website.
For users in the EU, see also our GDPR Compliance page.
2. Purposes of Processing Personal Data
Your personal data is processed for the following purposes:
- Providing and managing pet health tracking services through the application
- User account creation, authentication (Google/Apple OAuth), and management
- Pet health record management, vaccination tracking, and appointment reminders
- Providing the AI Veterinarian advisory service
- Family sharing and task management features
- Push notification delivery (vaccine reminders, task assignments, appointment alerts)
- Subscription and in-app purchase management
- Analytics to improve service quality and user experience
- Application security, fraud prevention, and session management
- Fulfilling legal obligations
- Customer relations management and providing support
3. Personal Data Categories Processed
| Category | Data Types | Source |
|---|---|---|
| Identity Information | Name, surname, profile photo | User input / OAuth provider |
| Contact Information | Email address | OAuth provider (Google/Apple) |
| Account Information | User ID, authentication provider, account creation date, subscription tier | System generated / OAuth |
| Pet Information | Pet name, species, breed, date of birth, gender, weight, microchip number, photo | User input |
| Pet Health Records | Vaccination records, veterinary visits, health notes, medication history, allergy information | User input |
| AI Veterinarian Data | Questions asked, AI responses, consultation history | User input / AI system |
| Family Sharing Data | Family group membership, task assignments, shared pet access | User input |
| Subscription Data | Subscription tier, purchase history, RevenueCat customer ID | RevenueCat / App Store / Google Play |
| Device Information | Device model, operating system, app version, device ID, push notification token | Automatic collection |
| Session Information | Session ID, login timestamps, device name, platform | Automatic collection |
| Usage Data | Feature usage, screen views, interaction events | PostHog analytics SDK |
| Error and Performance Data | Crash reports, error logs, performance metrics | Sentry SDK |
| Location Data | Approximate location (city-level, from IP address only) | Automatic collection |
| Notification Preferences | Push notification settings, reminder preferences, notification opt-in status | User input |
4. Method of Collection and Legal Reasons for Personal Data
Your personal data is collected through:
- PetNexa mobile application (iOS and Android)
- PetNexa website (petnexa.app)
- OAuth authentication providers (Google, Apple)
- Third-party service providers (RevenueCat, PostHog, Sentry, OneSignal)
- Email and in-app support channels
through automatic and non-automatic methods.
Legal reasons for processing:
- Your explicit consent (KVKK Art. 5/1): Marketing communications, optional analytics, AI Veterinarian usage
- Necessary for performance of the contract (KVKK Art. 5/2-c): Account creation, service delivery, pet health tracking, push notifications
- Legal obligation of the data controller (KVKK Art. 5/2-ç): Tax records, legal authority requests, data retention requirements
- Necessary for the establishment, exercise, or protection of a right (KVKK Art. 5/2-e): Legal dispute resolution, fraud prevention
- Mandatory for the legitimate interests of the data controller (KVKK Art. 5/2-f): Service improvement, analytics, security measures, error tracking
5. Data Retention Periods
Your personal data is retained for the following periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 30 days after deletion | Service provision and legal obligations |
| Pet Health Records | Duration of account + 30 days after deletion | Service provision |
| AI Veterinarian Conversations | 90 days | Service improvement and quality |
| Session and Login Data | 6 months | Security and fraud prevention |
| Analytics Data | 24 months | Service improvement |
| Error/Crash Logs | 90 days | Application stability |
| Subscription Records | 5 years after end of subscription | Tax and legal obligations |
| Push Notification Tokens | Until account deletion or token invalidation | Service delivery |
After the retention period expires, your personal data is irreversibly deleted or anonymized.
6. Transfer of Personal Data
Your personal data may be transferred to the following parties in accordance with Articles 8 and 9 of KVKK:
Domestic Transfers:
- Legal authorities and regulatory bodies (upon legal request)
International Transfers:
In accordance with the cross-border data transfer provisions of KVKK Article 9 and the Personal Data Protection Board's decisions, your data may be transferred to the following service providers abroad:
| Service Provider | Country | Purpose | Safeguard |
|---|---|---|---|
| Neon (PostgreSQL) | USA | Database hosting | Standard Contractual Clauses |
| Google Cloud (OAuth) | USA | Authentication | Standard Contractual Clauses |
| Apple (Sign in with Apple) | USA | Authentication | Standard Contractual Clauses |
| OneSignal | USA | Push notifications | Standard Contractual Clauses |
| Expo (EAS) | USA | Push notifications (fallback) | Standard Contractual Clauses |
| RevenueCat | USA | Subscription management | Standard Contractual Clauses |
| PostHog | EU/USA | Analytics | Standard Contractual Clauses |
| Sentry | USA | Error tracking | Standard Contractual Clauses |
| Google AdMob | USA | Advertising (free tier) | Standard Contractual Clauses |
| OpenAI | USA | AI Veterinarian feature | Standard Contractual Clauses |
| Resend | USA | Email delivery | Standard Contractual Clauses |
Your explicit consent is obtained where required under KVKK Article 9. For transfers based on other legal grounds, the conditions specified in Articles 5/2 and 9/2 of KVKK are fulfilled.
7. Rights of Data Subject
Under Article 11 of KVKK, you have the following rights:
- To learn whether your personal data is processed
- To request information about processing if your data has been processed
- To learn the purpose of processing and whether it is used in accordance with its purpose
- To know the third parties to whom your personal data is transferred domestically or abroad
- To request correction of personal data if processed incompletely or incorrectly
- To request deletion or destruction of personal data under the conditions stipulated in Article 7 of KVKK
- To request notification of correction, deletion, or destruction operations to third parties to whom data has been transferred
- To object to the occurrence of a result against you through the analysis of processed data exclusively by automated systems
- To claim compensation for damages arising from the unlawful processing of your personal data
8. Application Method
To exercise your rights under Article 11 of KVKK, you can submit your request through the following channels:
- Email: furkan.alkan.1293@gmail.com (with 'KVKK Request' in the subject line)
- In-app: Account Settings > My Data > Submit KVKK Request
- Mail: Written application with wet signature to the address below
Your application must include your full name, T.R. ID number (for Turkish citizens), contact details, and a clear description of the right(s) you wish to exercise.
Your application will be concluded free of charge within 30 days at the latest. If the transaction requires an additional cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board. If your request is rejected, the reasons will be communicated to you in writing or electronically.
9. Data Security Measures
The following technical and administrative measures are taken to ensure the security of your personal data:
Technical Measures:
- Data encryption in transit (TLS/SSL) and at rest
- Secure authentication via OAuth 2.0 (Google, Apple)
- Single-device session enforcement with automatic session revocation
- JWT-based token authentication with session validation
- Regular security updates and dependency monitoring
- Database access controls and query parameterization
- Push notification token validation and cleanup
Administrative Measures:
- Data minimization principle applied in data collection
- Access limited to the data controller on a need-to-know basis
- Regular review of data processing activities
- Incident response procedures for data breaches
- Third-party service provider agreements with data protection clauses
10. Contact Information
Data Controller: Furkan Hidayet Alkan
Email: furkan.alkan.1293@gmail.com
Address: Mehmet Akif Ersoy Mah. Arnavutoğlu Cad. 12_1 A/20 Merkez / Kastamonu
KVKK Requests: furkan.alkan.1293@gmail.com (Subject: KVKK Request)