This Privacy Policy describes how overheard ("Company," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the overheard mobile application, website, and all related services (collectively, the "Service"). This Policy applies to all users worldwide.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. LEGAL BASIS FOR PROCESSING (GDPR, KVKK, AND OTHER REGULATIONS)
1.1. We process your personal data based on the following legal grounds:
a) Contractual necessity — to provide the Service you requested (Article 6(1)(b) GDPR; Article 5(2)(c) KVKK);
b) Legitimate interests — to improve our Service, ensure security, and prevent fraud (Article 6(1)(f) GDPR; Article 5(2)(f) KVKK);
c) Consent — for optional data processing such as marketing communications and non-essential analytics (Article 6(1)(a) GDPR; Article 5(1) KVKK);
d) Legal obligation — to comply with applicable laws and regulations (Article 6(1)(c) GDPR; Article 5(2)(ç) KVKK).
1.2. We comply with applicable data protection laws including but not limited to:
- EU General Data Protection Regulation (GDPR)
- Turkish Personal Data Protection Law (KVKK, Law No. 6698)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Brazilian General Data Protection Law (LGPD)
- UK Data Protection Act 2018 and UK GDPR
- Other applicable national and regional privacy laws
2. INFORMATION WE COLLECT
2.1. Information You Provide Directly:
a) Account information: username, email address, password (hashed), gender, date of birth, phone number
b) Profile information: display name, biography, avatar/profile photo
c) Content: posts, travel tips, travel plans, reviews, comments, photos, and messages
d) Location data: locations you voluntarily share in travel plans, tips, and profile settings
e) Communication data: messages you send through the Service, support requests
f) Preference data: language preference, notification settings, privacy settings
2.2. Information Collected Automatically:
a) Device information: device model, operating system, unique device identifiers, mobile network information
b) Usage data: features used, pages viewed, actions taken, time and date of interactions, session duration
c) Log data: IP address, browser type, referring/exit pages, crash reports and diagnostics
d) Approximate location: derived from IP address (not precise GPS unless you explicitly grant permission)
2.3. Information from Third Parties:
a) Authentication providers: if you sign in via third-party services (e.g., Google, Apple), we receive your basic profile information as authorized by you
b) Analytics providers: aggregated and anonymized usage statistics
2.4. Sensitive Data:
We do not intentionally collect sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data). If you voluntarily include such information in your profile or content, you consent to its processing as described herein.
3. HOW WE USE YOUR INFORMATION
3.1. We use your information for the following purposes:
a) To provide, maintain, and improve the Service
b) To create and manage your account
c) To personalize your experience and recommend relevant content and connections
d) To facilitate travel planning, location sharing, and user matching features
e) To communicate with you about your account, updates, security alerts, and support
f) To detect, prevent, and address fraud, abuse, security issues, and technical problems
g) To comply with legal obligations and enforce our Terms of Service
h) To conduct research and analysis to improve our products and services (using anonymized or aggregated data where possible)
i) To send marketing communications (only with your explicit consent, which you can withdraw at any time)
3.2. We do NOT use your personal data for:
a) Selling your data to third parties for their marketing purposes
b) Automated decision-making or profiling that produces legal effects without human review
c) Third-party targeted advertising
4. HOW WE SHARE YOUR INFORMATION
4.1. With Other Users: Your public profile information, posts, travel tips, and travel plans may be visible to other users based on your privacy settings and the visibility level you choose.
4.2. With Service Providers: We share data with trusted third-party service providers who assist us in operating the Service, including:
a) Cloud hosting and infrastructure providers
b) Analytics and crash reporting services
c) Push notification services
d) Content delivery networks
e) Customer support tools
All service providers are contractually bound to protect your data and may only process it as instructed by us (as data processors under GDPR/KVKK).
4.3. For Legal Compliance: We may disclose your information when we believe in good faith that disclosure is necessary to:
a) Comply with applicable law, regulation, legal process, or governmental request
b) Enforce our Terms of Service or other agreements
c) Protect the rights, property, or safety of the Company, our users, or the public
d) Detect, prevent, or address fraud, security, or technical issues
4.4. Business Transfers: If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
4.5. With Your Consent: We may share your information for any other purpose with your explicit consent.
4.6. We do NOT sell, rent, or trade your personal information to third parties for their commercial purposes.
5. INTERNATIONAL DATA TRANSFERS
5.1. Your data may be processed and stored in countries outside your country of residence, including countries that may not provide the same level of data protection.
5.2. For transfers from the EU/EEA/UK/Turkey, we rely on:
a) EU Standard Contractual Clauses (SCCs)
b) Adequacy decisions by relevant authorities
c) Other appropriate safeguards as required by applicable law
5.3. By using the Service, you acknowledge and consent to the transfer of your data to countries outside your jurisdiction, subject to the safeguards described herein.
6. DATA RETENTION
6.1. We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
6.2. Retention periods:
a) Account data: retained for the duration of your account and for 30 days after deletion request, then permanently deleted
b) Content data (posts, tips): retained until you delete it or your account is deleted
c) Log and usage data: retained for up to 12 months, then anonymized or deleted
d) Communication records: retained for up to 24 months for safety and compliance purposes
e) Legal compliance records: retained as required by applicable law (e.g., tax records for 5-10 years)
6.3. After the applicable retention period, data is either securely deleted or irreversibly anonymized.
7. DATA SECURITY
7.1. We implement appropriate technical and organizational measures to protect your personal data, including:
a) Encryption of data in transit (TLS/SSL) and at rest (AES-256)
b) Secure password hashing (bcrypt)
c) Access controls and authentication for internal systems
d) Regular security audits and vulnerability assessments
e) Incident response procedures for data breaches
f) Employee training on data protection
7.2. No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
7.3. In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR, as soon as possible under KVKK).
8. YOUR RIGHTS
8.1. Depending on your location and applicable law, you may have the following rights:
a) Right of Access: Request a copy of the personal data we hold about you.
b) Right to Rectification: Request correction of inaccurate or incomplete data.
c) Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
d) Right to Restriction: Request that we limit how we use your data.
e) Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
f) Right to Object: Object to certain processing of your data, including processing based on legitimate interests and direct marketing.
g) Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
h) Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
i) Right to Lodge a Complaint: File a complaint with your local data protection authority.
8.2. For EU/EEA users: You may contact your national Data Protection Authority. A list is available at https://edpb.europa.eu.
8.3. For Turkish users (KVKK): You may exercise your rights under Article 11 of KVKK by contacting us. You may also file a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu).
8.4. For California users (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete, the right to opt out of "sales" (we do not sell your data), and the right to non-discrimination for exercising your rights.
8.5. To exercise any of these rights, please submit a request through the Feedback form in the overheard app (Feedback tab). Your request is routed to our team via our admin tools. We will respond within the timeframes required by applicable law (30 days under GDPR, 30 days under KVKK, 45 days under CCPA).
9. LOCATION DATA
9.1. We collect precise location data only when you explicitly grant permission through your device settings and actively use location-based features (e.g., sharing travel plans, setting current location).
9.2. You can disable location services at any time through your device settings. Disabling location services may affect some features of the Service.
9.3. We do not continuously track your location in the background. Location data is collected only during active use of location-dependent features.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1. We use essential cookies and similar technologies necessary for the operation of the Service.
10.2. We use analytics tools to understand how users interact with the Service and to improve the user experience. Analytics data is aggregated and anonymized where possible.
10.3. We do not use third-party advertising cookies or tracking technologies for targeted advertising purposes.
10.4. You can manage your cookie preferences through your device or browser settings.
11. CHILDREN'S PRIVACY
11.1. The Service is not intended for children under the age of 16 (or the minimum age of digital consent in your jurisdiction, whichever is higher).
11.2. We do not knowingly collect personal data from children below this age. If we discover that we have inadvertently collected data from a child, we will promptly delete it.
11.3. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately through the Feedback form in the overheard app (Feedback tab).
12. DO NOT TRACK SIGNALS
12.1. Some browsers offer a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, as there is no uniform industry standard for handling such signals.
13. CHANGES TO THIS PRIVACY POLICY
13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
13.2. Material changes will be communicated through in-app notification, push notification, or email before they take effect.
13.3. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
13.4. We encourage you to periodically review this Policy.
14. DATA PROTECTION OFFICER AND CONTACT
14.1. For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the Feedback form in the overheard app (Feedback tab). Messages are reviewed by our team. General information: https://overheard.xyz/support.html
Website: https://overheard.xyz
15. ADDITIONAL DISCLOSURES FOR SPECIFIC JURISDICTIONS
15.1. European Economic Area (EEA) and United Kingdom:
- Data controller: overheard
- Legal basis: As described in Section 1
- Supervisory authority: Your local Data Protection Authority
15.2. Turkey:
- Data controller: overheard, registered with VERBIS (Data Controllers Registry)
- Legal basis: KVKK Article 5
- Supervisory authority: Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu)
15.3. United States (California):
- Categories of personal information collected: Identifiers, internet activity, geolocation, commercial information
- We do not sell personal information as defined by CCPA
- We do not use or disclose sensitive personal information for purposes other than those permitted by CCPA
15.4. Brazil (LGPD):
- Legal basis: As applicable under LGPD Articles 7 and 11
- Supervisory authority: ANPD (Autoridade Nacional de Proteção de Dados)