Privacy Policy — Elaiza AI
Last updated: June 13, 2026 · Data controller: Elaiza AI — help@purpfox.com
This Privacy Policy explains how Elaiza AI (“the app”, “we”, “us”) collects,
processes, and protects the personal data gathered through our mobile
application and services, and what rights you have. This policy is aligned
with Türkiye’s Law No. 6698 on the Protection of Personal Data (KVKK) and the
European Union General Data Protection Regulation (GDPR).
1. Information We Collect
1.1 Account Data (required)
- Full name
- Email address
- Password (stored hashed — plaintext is never stored)
- Date of birth, gender, phone (optional)
1.2 Health & Mental State Data (special category)
This falls within the category of special-category personal data
under KVKK Art. 6 and GDPR Art. 9. We process this data only with your
explicit consent, and solely to provide the service.
- PHQ-9, GAD-7, WHO-5 assessment responses and scores
- Session message history (conversations with the AI)
- Journal entries
- Mood, anxiety, energy, and sleep check-in data
- AI-generated case formulation and clinical notes
1.3 Technical Data
- Device type and operating system version
- App version
- IP address (temporary, for the duration of the session)
- Error logs (crash logs — anonymized)
1.4 Payment Data
We do not store your payment details (card number, etc.)
directly. Payments are processed through PCI-DSS compliant providers such as
the Apple App Store, Google Play, and RevenueCat.
2. Purposes of Processing
- Providing the service (AI sessions, plans, progress tracking)
- Account management and authentication
- Meeting legal obligations
- Improving service quality (only on aggregated, anonymized data)
- Emergency support and crisis intervention (detection of suicidal / self-harm ideation)
- Customer support
We do not sell your data to third parties for marketing purposes.
3. Data Storage & Security
- Encryption: All traffic is encrypted with TLS 1.2+. At-rest encryption is applied to sensitive fields.
- Access control: Employees can access only the minimum data required to do their work.
- Location: Your data is kept in data centers compliant with EU and Turkish law.
- Retention:
- While your account is active: indefinitely (until you request deletion)
- When your account is deleted: all personal data is permanently deleted within 30 days
- Legal retention obligations: for the period required by the relevant legislation (e.g., invoices: 10 years)
4. Third-Party Services
- Google Gemini API: for AI message responses. Messages are transmitted to Google and processed under Google’s privacy policy. (Google Privacy Policy)
- MongoDB Atlas: database hosting.
- Sentry: error tracking (anonymized crash logs).
- Apple / Google / RevenueCat: push notifications and in-app purchases.
Each third party accesses only the minimum data needed to provide its service.
5. Your Rights (KVKK Art. 11 / GDPR Art. 15–22)
- Learn whether your personal data is being processed
- Request information about it if it has been processed
- Learn the purpose of processing and whether it is used in line with that purpose
- Know the parties to whom it is transferred, domestically or abroad
- Request correction if it has been processed incompletely or incorrectly
- Request its deletion or destruction (“right to be forgotten”)
- Request that your data be transferred to another data controller (data portability)
- Object to decisions made solely through automated processing
- Claim compensation if you suffer harm due to unlawful processing
To exercise these rights, contact help@purpfox.com.
The app also provides a Settings → Delete Account option.
6. Children’s Data
Elaiza AI is designed for users aged 18 and over. If we become
aware that a user under 18 has created an account, we will close the account
and delete the associated data.
7. Changes to This Policy
We may update this policy from time to time. For significant changes, we will
notify you via in-app notification and email.
8. Contact & Complaints
- Email: help@purpfox.com
- Data protection complaints: Türkiye — Personal Data Protection Authority (kvkk.gov.tr) · EU — your local data protection authority