Privacy Policy
This policy explains how we handle your personal data and covers your rights under the GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), PIPEDA (Canada), LGPD (Brazil), the Australian Privacy Principles, KVKK (Türkiye) and other applicable laws. See also our Terms of Service.
Contents
- 1. Data Controller
- 2. Data We Collect
- 3. App Usage Permissions
- 4. AI Processing Disclosure
- 5. Who We Share Data With
- 6. International Transfers
- 7. Data Retention
- 8. Your Rights
- 9. Automated Decision-Making
- 10. Data Security
- 11. Children's Privacy
- 12. Cookies & Tracking
- 13. Changes to This Policy
- 14. Contact
01 Data Controller
Address: Bolu Merkez, Türkiye
Email: [email protected]
Website: https://odax.naromex.dev
This policy explains how we handle your personal data. It covers your rights under GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), PIPEDA (Canada), LGPD (Brazil), the Australian Privacy Principles and KVKK (Türkiye), among other applicable laws.
02 Data We Collect
2.1 Provided by You
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account creation, login, communication | Contract performance |
| Name (optional) | Personalization | Consent / legitimate interest |
| Goal text | Creating your goal, generating AI image | Contract performance |
| Goal duration & settings | Puzzle mechanics, progress tracking | Contract performance |
| Selected apps to block | Operating the blocking feature | Contract performance |
| Support messages | Resolving your issues | Legitimate interest |
2.2 Collected Automatically
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Device model, OS version | Compatibility, troubleshooting | Legitimate interest |
| App version, language, country | Service delivery, localization | Contract performance |
| Anonymous usage statistics | Product improvement | Legitimate interest / consent |
| Crash reports | Fixing errors | Legitimate interest |
| Subscription status (from store) | Premium access control | Contract performance |
2.3 What We Do NOT Collect
- Payment / card details — all payments go through Google / Apple; we never see them
- Location data
- Contacts, call logs, SMS content
- Your photo library contents (only an image you explicitly select is processed)
- What you do inside blocked apps — we only know which apps you chose to block
03 Special Note on App Usage Permissions
The blocking feature requires special device permissions (Android: Usage Access / Accessibility; iOS: Screen Time / Family Controls).
We use these permissions solely to lock the apps you selected, during the hours you set.
Data obtained via these permissions:
- is processed on your device wherever technically possible;
- is never used for advertising, profiling or marketing;
- is never sold, rented or shared with data brokers;
- is not used to analyze your behaviour beyond operating the feature.
You may revoke these permissions at any time in device settings.
04 AI Processing — Important Disclosure
Your goal text is transmitted to third-party AI providers (OpenAI) to generate your image.
What you should know:
- Your text is transferred to servers located in the United States (international data transfer);
- The provider's own privacy policy and terms apply;
- We have a Data Processing Agreement (DPA) in place, and transfers rely on Standard Contractual Clauses (SCCs) and/or other approved safeguards;
- Do not include personal information (names, addresses, phone numbers, health details) in your goal text — everything you write is sent to the AI provider;
- AI outputs are machine-generated and may contain errors.
05 Who We Share Data With
| Recipient | Purpose | Location |
|---|---|---|
| Google Firebase | Authentication, storage, analytics | US / EU |
| Google Play / Apple | Payment, subscription, distribution | US |
| RevenueCat | Subscription state management | US |
| Cloudflare | Backend infrastructure | Global |
| OpenAI | AI image / text generation | US |
We never sell, rent, or share your personal data for advertising.
We may disclose data where legally required (court order, lawful request) or to protect our rights, safety, or property.
06 International Data Transfers
Your data may be processed outside your country of residence, including in the United States and the European Union. For transfers out of the EEA/UK we rely on Standard Contractual Clauses, the EU-U.S. Data Privacy Framework (where the recipient is certified), and/or other lawful transfer mechanisms. For transfers from Türkiye we rely on the mechanisms permitted under KVKK. You may request a copy of the relevant safeguards at [email protected].
07 Data Retention
| Data | Retention |
|---|---|
| Account & profile | While the account is active |
| Goals, images, progress | Active + 30 days after closure |
| Subscription records | As required by tax / accounting law |
| Crash / analytics (anonymous) | Up to 24 months |
| Support correspondence | 24 months |
After these periods, data is deleted or irreversibly anonymized.
08 Your Rights
8.1 EU / EEA / UK (GDPR & UK GDPR)
You have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing (including profiling); withdraw consent at any time; and not be subject to solely automated decisions with legal effects. You may also lodge a complaint with your national supervisory authority (or the UK ICO). We respond within one month, extendable by two further months for complex requests.
8.2 California (CCPA / CPRA)
You have the right to: know what personal information we collect, use and disclose; delete; correct; opt out of "sale" or "sharing" (we do not sell or share personal information as defined by the CCPA); limit use of sensitive personal information; and not be discriminated against for exercising your rights. You may use an authorized agent. We respond within 45 days (extendable by 45).
8.3 Other U.S. States
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and others) have broadly similar rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising and profiling. We do not conduct targeted advertising. Where required, appeal mechanisms are available by contacting [email protected].
8.4 Canada (PIPEDA)
You have the right to access your personal information, challenge its accuracy, and withdraw consent subject to legal and contractual restrictions. You may complain to the Office of the Privacy Commissioner of Canada.
8.5 Brazil (LGPD)
You have the right to confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, portability, information about sharing, and revocation of consent. You may complain to the ANPD.
8.6 Australia (Privacy Act / APPs)
You may request access to and correction of your personal information, and complain to the Office of the Australian Information Commissioner (OAIC).
8.7 Türkiye (KVKK)
You have the rights set out in Article 11 of Law No. 6698, including learning whether your data is processed, requesting information, learning the purpose and whether it is used accordingly, knowing domestic/international recipients, requesting correction or deletion, requesting notification of such actions to recipients, objecting to adverse outcomes of automated analysis, and claiming compensation for damages. We respond within 30 days. You may complain to the KVKK Authority.
8.8 How to Exercise Your Rights
- In-app: Settings → Account → Delete My Account
- By email: [email protected]
We may need to verify your identity before acting on a request.
Deleting your account does not cancel your subscription — cancel separately via your app store.
09 Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects about you. AI is used only to generate goal images and assist with in-app text, not to evaluate, score or profile you.
10 Data Security
We apply reasonable technical and organizational measures: encryption in transit and at rest, access controls, reputable infrastructure providers, and regular updates.
However, no system is 100% secure. To the maximum extent permitted by law, we are not liable for breaches beyond our reasonable control. You are responsible for the security of your credentials.
Breach notification: Where required by law, we will notify the relevant supervisory authority (within 72 hours under GDPR) and affected users without undue delay.
11 Children's Privacy
ODAX is not intended for anyone under 18 and we do not knowingly collect their data. Under COPPA (US) we do not knowingly collect data from children under 13. If we discover such data we delete it promptly. Parents or guardians may contact [email protected].
12 Cookies & Tracking
The mobile app does not use traditional cookies. Our website (odax.naromex.dev) may use essential and anonymous analytics cookies; where required (EU/UK), a consent banner is presented before any non-essential cookie is set. We do not use advertising or cross-site tracking cookies.
We do not respond to "Do Not Track" browser signals, but we honour Global Privacy Control (GPC) signals where legally required.
13 Changes to This Policy
We may update this policy. Material changes will be announced via in-app notice or email. Please check the "Last updated" date.
14 Contact
For any privacy question or to exercise your rights: [email protected]