**Effective date:** 2026-05-14
**Last updated:** 2026-05-09
**Data Controller:** MIROMER (Levent Yaşar — yasarrlevent@gmail.com)
────────────────
## 1. About This Policy
This Privacy Policy explains how **Dua by the Stars** ("the App") collects, uses, and protects your personal data. This policy complies with:
- **EU General Data Protection Regulation (GDPR)** for users in the European Economic Area
- **UK GDPR + Data Protection Act 2018** for users in the United Kingdom
- **California Consumer Privacy Act (CCPA)** for users in California
- **Pakistan Personal Data Protection Bill** (when enacted) and **Prevention of Electronic Crimes Act 2016 (PECA)**
- **Turkey's Personal Data Protection Law (KVKK)** — see Turkish version
- **Apple App Store Privacy Nutrition Label** + **Google Play Data Safety**
By using the App, you agree to this policy. If you do not agree, please do not use the App.
────────────────
## 2. What Data We Collect
### 2.1 Data you provide directly
| Data | Required? | Purpose |
| --- | --- | --- |
| Name (display only) | Optional | In-app greeting |
| Date of birth | **Required** | Sun sign calculation |
| Time of birth | Optional | Rising sign calculation |
| City of birth | **Required** | Time zone correction for astrological computation |

**How it's used:** This data is used **once** to compute your astrological profile (sun sign, rising sign). After computation, **raw birth data is stored locally on your device** and is **not transmitted to our servers**. Only the derived zodiac sign result (e.g. "Scorpio") may be stored server-side.
### 2.2 Automatically collected data
| Data | Source | Purpose |
| --- | --- | --- |
| Device model, OS version | Firebase | Crash analytics + compatibility |
| App version, language preference | Firebase | Usage statistics |
| Anonymous user ID (UUID) | Firebase Analytics | Session tracking |
| In-app interaction events | Firebase Analytics | Product improvement |
| IP address (anonymized) | Firebase | Geographic aggregation |
| Advertising Identifier (IDFA / GAID) | OS-level | **Only with your consent** — UA attribution |
| Ad delivery (banner + rewarded) | Google AdMob | In-app advertising; AdMob may use IDFA/GAID for limited ad personalisation (only for consenting users) |
### 2.3 Data we do NOT collect
- ❌ Address, phone number, email (no account required — anonymous use)
- ❌ Location permission (GPS coordinates)
- ❌ Contacts, photos, microphone access
- ❌ Health data
- ❌ Financial data (app is free, no payments)
- ❌ Children's data (age gate 18+)
────────────────
## 3. How We Use Your Data
1. **Personalised content:** Your astrological profile (computed from birth data) + your selected theme → daily dua matching
2. **Product improvement:** Group-level statistics (e.g. which themes are most popular)
3. **Performance:** Crash reports, user flow analysis
4. **Ad attribution:** **Only with your consent** — measuring effectiveness of our Google Ads campaigns
5. **Ad delivery:** The app displays banner and rewarded ads via Google AdMob. AdMob may use IDFA (iOS) / GAID (Android) advertising identifiers for ad personalisation. If you decline App Tracking Transparency (ATT) on iOS, ads will be **contextual** (non-personalised). AdMob's own privacy policy: https://policies.google.com/technologies/ads
6. **Legal compliance:** Records we are legally required to retain (billing, KVKK records)
────────────────
## 4. Who We Share Your Data With
### 4.1 Service providers (Data Processors)
| Provider | Purpose | Data centre | DPA signed |
| --- | --- | --- | --- |
| **Google Firebase** | Analytics, Crashlytics, identity | EU + US (anonymized) | ✅ |
| **Google Ads** | UA attribution (consenting users only) | EU + US | ✅ |
| **Google AdMob** | Banner + rewarded ad delivery | EU + US | ✅ (Google Ads Data Processing Terms) |
| **Apple App Store / Google Play** | App distribution (acting as independent controllers) | Global | Platform Developer Agreement — these entities act as independent data controllers, not processors |
### 4.2 Sale to third parties: ❌ NEVER
We **never sell, rent, or share your data** with third parties for marketing purposes.
### 4.3 Legal obligation
We may share data if required by court order, regulatory authority, or law enforcement under valid legal process.
────────────────
## 5. Data Retention
| Data type | Retention period |
| --- | --- |
| Birth date/time/city (on-device) | While your account is active |
| Derived zodiac sign (server) | While your account is active |
| Analytics events (Firebase) | 14 months (Firebase default) |
| Crash reports | 90 days |
| IP address (anonymized) | 60 days |

**When you delete your account:** All your data is deleted **within 30 days** (Firebase batch delete cycle).
────────────────
## 6. Your Rights
### Under GDPR / UK GDPR you have the right to:
- ✅ **Access:** Request a copy of your data
- ✅ **Rectification:** Correct inaccurate data
- ✅ **Erasure ("right to be forgotten"):** Delete all your data
- ✅ **Restriction:** Pause certain processing
- ✅ **Portability:** Receive your data in a structured format
- ✅ **Object:** Refuse automated decision-making
- ✅ **Withdraw consent:** At any time, with no penalty
### Under CCPA (California users) you have the right to:
- ✅ **Know** what categories of personal information are collected
- ✅ **Delete** personal information
- ✅ **Opt-out** of "sale" of personal information (we do not sell)
- ✅ **Non-discrimination:** Equal service regardless of opt-out
### How to exercise your rights:
**Email:** yasarrlevent@gmail.com
**Subject:** "Privacy Request — [Your Name]"
**Response time:** Maximum **30 days** (GDPR Art. 12)
In the app, you can use **Profile → Delete My Account** for one-tap deletion. The request is completed within 30 days.
────────────────
## 7. Cookies and Tracking
The App does **not use web cookies** (it is a mobile app). Advertising identifiers (IDFA/GAID) are used **only with your OS-level consent**; declining will not affect app functionality but will prevent us from measuring our ad campaigns.
────────────────
## 8. Children's Privacy
This app is intended for users **18 years and older**. We do not knowingly collect data from anyone under 18. If you believe your child has shared data with us, please contact yasarrlevent@gmail.com — we will delete it within 7 days.
For users in regions with stricter children's privacy laws (e.g. UK Age Appropriate Design Code, US COPPA), the same 18+ age gate applies.
────────────────
## 9. Data Security
- ✅ TLS 1.3 encrypted communication
- ✅ Encrypted storage on Firebase (AES-256)
- ✅ Server access protected by 2FA
- ✅ Regular security audits
- ✅ In case of data breach, notification to authorities and affected users **within 72 hours** (GDPR Art. 33)
────────────────
## 10. International Data Transfers
Your data is processed via Firebase infrastructure in **EU and US** data centres. Transfers to the US are protected by:
- **EU-US Data Privacy Framework** (Google is certified)
- **Standard Contractual Clauses (SCC)** under GDPR Art. 46
────────────────
## 11. Region-specific Notices
### Pakistan
Pakistan does not yet have a comprehensive personal data protection law in force. Once the **Personal Data Protection Act (PDPA, draft 2023)** is enacted, you will have rights of access, rectification, and erasure. In the interim, we apply **GDPR-equivalent protections** to all Pakistani users on a voluntary basis. For privacy requests: yasarrlevent@gmail.com.
### Turkey (KVKK)
See Turkish version of this policy on the privacy-policy page.
### EU/UK
You have the right to lodge a complaint with your local Data Protection Authority (e.g. ICO in UK, CNIL in France) if you believe we have not addressed your concerns.
────────────────
## 12. Policy Changes
We may update this policy from time to time. **For material changes**, we will notify you via in-app notification and/or email if available. The effective date at the top of this policy will be updated.
────────────────
## 13. Contact Us
**Data Controller:** Levent Yaşar (MIROMER)
**Email:** yasarrlevent@gmail.com
**Privacy contact:** privacy@duabythestars.com (if applicable)
**Address:** [MIROMER's commercial registry address to be added before publication — KVKK Art. 10 / GDPR Art. 13(1)(a) mandatory element]
**Right to lodge a complaint:**
- **EU:** Your local Data Protection Authority
- **UK:** Information Commissioner's Office (ICO) (https://ico.org.uk)
- **US/California:** California Attorney General (https://oag.ca.gov/privacy)
- **Pakistan:** Pakistan Telecommunication Authority (PTA) (https://www.pta.gov.pk)
────────────────
## 14. Consent and Withdrawal
### How consent is obtained
Before you enter your birth date, the app shows a consent screen with **3 separate checkboxes** that you must tick individually:
- ☐ **(Required)** I consent to my birth data being processed for astrological computation
- ☐ **(Optional)** Anonymous usage analytics (Firebase Analytics)
- ☐ **(Optional)** Personalised advertising (only when authorised — IDFA/GAID)
If the first (required) checkbox is left unchecked, the app cannot operate. The other two are optional; declining them does not block app use, but limits personalisation.
### Withdrawing consent
You may withdraw consent **at any time**:
- **Fully:** Profile → Delete My Account (all data deleted within 30 days)
- **Partially:** Profile → Settings → Permissions → toggle off Analytics or Advertising consent (your account stays active)
────────────────
## Document Verification
**Legal pre-review date:** 2026-05-09
**Scope reviewed:** KVKK Art. 4-5-7-9-10-11-12, GDPR Art. 5/6/7/12-22/33/46, UK GDPR, CCPA, COPPA/AADC, App Store + Play Store privacy requirements, App Tracking Transparency.
**Note:** This document is the output of an AI persona advisory review (Av. Pınar Yıldız, Anadolu Garden Studios advisory panel) and **does not constitute legal advice.** Before publication, a licensed attorney specialised in KVKK and GDPR must review and sign off, MIROMER's commercial registry address must be inserted, and KVKK VERBİS registration (if applicable) must be completed.