Privacy Policy
Yürürlük tarihi / Effective date: 2026-06-26 — Sürüm / Version: 1.0
This Privacy Policy explains how your personal data is processed when you use the Laflai mobile application (the "App"). Laflai is a personal flirting/messaging co-pilot: you upload a screenshot of one of your own conversations from another app (such as Tinder, Bumble, Instagram, WhatsApp or iMessage), and Laflai analyzes it and suggests reply options in different styles. It is not a dating app: there is no matching with other people, no in-app chat with others, and no browsing of other people's profiles. You remain fully in control — you copy the suggestion you like and paste it into your own chat yourself; the App never sends messages on your behalf.
1. Who We Are (Data Controller)
For the purposes of this Policy, the data controller under Türkiye's Law No. 6698 on the Protection of Personal Data ("KVKK") and the "controller" under the EU General Data Protection Regulation ("GDPR") is Laflai.
- Data controller: Laflai
- Contact: info@laflai.app
- Data protection / KVKK requests: privacy@laflai.app
- Website: https://laflai.app
2. Scope
This Policy applies to all personal data processed through the App or services connected to it. Please also see our Terms of Use (including the limitations of liability for AI output and the Apple end-user license terms), our KVKK Disclosure Notice (our information obligation under KVKK), the Explicit Consent Statement for processing that requires explicit consent, and the Subscription Terms.
Adults only — strictly 18+. Because Laflai operates in a flirting/relationship context, it may not be used by anyone under 18. If we learn that you are under 18, we will close your account and delete the related data.
3. What Personal Data We Collect and How
We obtain the following data directly from you, automatically as you use the App, or from third parties such as identity providers and app stores.
3.1. Account information
Your email address; the user id assigned to you by the relevant identity provider when you sign in with Google or Apple. Authentication is handled through Supabase Auth.
3.2. Profile preferences
Information you provide to personalize suggestions, such as age band, goal (serious / casual / undecided), tone preference and language.
3.3. Uploaded chat screenshots (special-category notice)
The screenshots you upload for analysis may incidentally contain images of faces, names and message content of you and of third parties. Depending on their content (e.g. images of faces, or implications about health, religion, sex life or sexual orientation), they may qualify as special-category personal data under KVKK Art. 6 and "special categories of data" under GDPR Art. 9. For this reason, we process screenshots on the basis of your separate, explicit consent; details are in the Explicit Consent Statement.
Important — we do not keep your screenshots. A screenshot you upload is stored, sent to the AI provider for analysis once, and permanently deleted from our storage as soon as the analysis completes. Only the text-form analysis output (summary and reply suggestions) is retained; the original image is not.
When you upload screenshots that include third parties, you confirm that you are authorized to share their data with us and that you comply with applicable law.
3.4. Analysis outputs
Analysis summaries and generated reply suggestions (including tone, intent, interest %, compatibility %, strategy and red-flag findings). These outputs are text and do not contain the original screenshot. In the "People" and "Flirt Scorecard" features, some of these outputs may be saved alongside the nickname and notes you provide.
3.5. Telemetry / usage data
In-app interaction logs, the reply style you select and usage counters, processed to improve the service and to debug.
3.6. Consent records
Which consent (disclosure / image processing / cross-border transfer) you accepted, its version and a timestamp. These records are kept to meet our legal proof obligations.
3.7. Subscription status
Your Premium entitlement status, obtained through the app stores and RevenueCat. We never see your full card data; the app stores take payment (see Section 12).
3.8. Push notification token
When you enable notifications, an Expo push token so that we can deliver them.
3.9. Support correspondence
The content and contact details you share when you contact us by email.
4. Why We Use Your Data
- To provide the service: create your account, sign you in and deliver the App's core functionality.
- To generate reply suggestions: analyze your uploaded screenshot and profile context to suggest replies.
- To personalize and improve: tailor outputs to your profile preferences; improve the App using telemetry.
- Security: detect and prevent misuse, fraud and unauthorized access.
- Legal: comply with legal obligations and respond to lawful requests.
- Communications: send service notices and, only with your consent, commercial electronic messages.
5. Legal Bases for Processing
KVKK (Türkiye)
- Account data, subscription status, telemetry: necessary for the conclusion/performance of a contract (KVKK Art. 5/2-c) and our legitimate interests (Art. 5/2-f).
- Profile preferences: performance of a contract (Art. 5/2-c) and explicit consent (Art. 5/1).
- Uploaded screenshots (may be special-category): your explicit consent (KVKK Art. 6/2).
- Cross-border transfer: your explicit consent (KVKK Art. 9).
- Consent and security records: legal obligation (Art. 5/2-ç) and legitimate interest (Art. 5/2-f).
- Commercial electronic messages: explicit consent (Law No. 6563).
GDPR (EU / non-TR users)
- Performance of a contract (Art. 6/1-b): account, subscription and core service.
- Consent (Art. 6/1-a; Art. 9/2-a for special categories): processing of screenshots, cross-border transfer, marketing messages.
- Legitimate interests (Art. 6/1-f): security, fraud prevention, product improvement.
- Legal obligation (Art. 6/1-c): legal compliance and record-keeping.
6. Third Parties / Subprocessors
To provide the service we rely on the subprocessors below. Each of them processes data only on our instructions and under contractual data-protection obligations.
| Subprocessor | Country | Purpose |
|---|---|---|
| Anthropic, PBC | USA | AI language + vision model provider; screenshots and profile context are sent here for analysis |
| Groq, Inc. | USA | Fallback AI inference provider, used for resilience and cost |
| Supabase, Inc. | USA | Database, file storage and authentication infrastructure |
| RevenueCat, Inc. | USA | Subscription management (receipt validation / entitlements) |
| Expo | USA | Push notification delivery (Expo Push) and app delivery |
| Sentry | USA | Crash / error monitoring |
| PostHog | EU (eu.i.posthog.com) | Product analytics; data hosted in the EU |
| Apple App Store / Google Play | USA / global | App distribution and, for subscriptions, the merchant of record — they take payment |
We do not sell your personal data to third parties for marketing.
7. International Transfers and Safeguards
Most of the subprocessors above are located in the USA, which means your personal data is transferred outside of Türkiye/the EEA. Under KVKK Art. 9, these transfers rely on your explicit consent. Under the GDPR, transfers are carried out with appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and, where needed, supplementary technical measures. PostHog data is hosted in the EU, so no cross-border transfer arises for that item. You can find the detailed cross-border transfer consent in the Explicit Consent Statement.
8. Retention
- Uploaded screenshots: immediately and permanently deleted from our storage as soon as analysis completes; not retained.
- Analysis summaries and reply suggestions: retained during the service and until you delete your account.
- Account and profile data: for as long as your account is active; deleted or anonymized within a reasonable period after account deletion.
- Consent records: for the period required by our legal proof obligation.
- Telemetry: for a limited period, then deleted or aggregated/anonymized.
- Support correspondence: for the applicable limitation and legal-obligation periods.
When you delete your account, your data is deleted or anonymized, except for records we are legally required to keep.
9. Security Measures
To protect your data we apply administrative and technical measures including encryption in transit and at rest, access authorization and least-privilege, authentication, logging and monitoring, data-processing agreements with subprocessors, and regular security reviews. No system is 100% secure, but we commit to a level of protection consistent with KVKK Art. 12 and GDPR Art. 32 and aligned with industry standards.
10. Automated Analysis and AI Output Notice
The App automatically processes your screenshots and profile context to generate reply suggestions and analyses (interest/compatibility %, strategy, red flags, etc.). These outputs are for information and entertainment only; they are not professional (legal, psychological or relationship) advice, and their accuracy and any outcome are not guaranteed. You decide which suggestion to use and what to send in your real conversation; you are responsible for the messages you send and their consequences. Because of this, the suggestions do not constitute a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. Limitations of liability for AI output are detailed in the Terms of Use.
11. Your Rights
Your rights under KVKK Art. 11
By applying to the data controller, you have the right to:
- learn whether your personal data is processed,
- request information if it has been processed,
- learn the purpose of processing and whether it is used accordingly,
- know the third parties to whom it is transferred domestically or abroad,
- request correction if it is incomplete or inaccurate,
- request erasure or destruction within the framework of KVKK,
- request that correction/erasure/destruction be notified to the third parties to whom the data was transferred,
- object to a result against you arising from analysis solely by automated systems,
- claim compensation if you suffer damage due to unlawful processing.
Your rights under the GDPR (EU users)
You have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing, and to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
How to exercise your rights
You may send your requests to privacy@laflai.app. We will verify your identity and respond within the periods required by law (as a rule, no later than 30 days under KVKK).
Right to lodge a complaint
In Türkiye, you may lodge a complaint with the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu). If you are in the EU, you have the right to lodge a complaint with the supervisory authority in your country of residence.
12. Subscriptions, Payment and Store Terms
Premium is an auto-renewing subscription sold through the Apple App Store and Google Play. The seller and merchant of record is the relevant app store; the store takes payment and we do not see your full card data. The subscription renews automatically unless cancelled at least 24 hours before the period ends, and is managed in your device's store account settings. Any free trial converts to paid unless cancelled before it ends. Refunds are governed by the relevant store's policy (Apple Media Services / Google Play refund policy); we do not directly process card refunds. As a rule, the 14-day right of withdrawal does not apply once a digital service has started with your express consent. For details, see the Subscription Terms.
13. Children
Laflai is intended solely for adults aged 18 and over and does not knowingly collect data from anyone under 18. If we become aware that we have collected a minor's data, we will delete it.
14. Cookies and Similar Technologies
For information about cookies and similar technologies used in the App and related web surfaces, please see the Cookie Policy.
15. Changes to This Policy
We may update this Policy from time to time. For material changes, we will notify you via an in-app notice or by email. The current version is always published on this page; the effective date and version number are stated above.
16. İletişim / Contact
- General questions: info@laflai.app
- Personal data / KVKK requests: privacy@laflai.app
- Website: https://laflai.app
Related documents: KVKK Disclosure Notice · Explicit Consent Statement · Terms of Use · Cookie Policy · Subscription Terms