Privacy Policy

Vobbly ("we", "the app") respects your privacy. This policy explains what data we collect through our mobile app and the vobbly.app website, why we collect it, how we use it, and your rights.

Vobbly operates in line with KVKK (Turkish data protection law) and GDPR principles.

1. Data We Collect

1.1 Account data

We do not collect email, phone number, or real name. When you create an account we store only:

• Anonymous user ID (auto-generated by Firebase Authentication)
• Username (a pseudonym you choose; no real-name requirement)
• Avatar emoji (your shop selection)
• Device language (sets app content to TR or EN)

1.2 Battle / gameplay data

• Voice recordings: 10-second battle clips. Stored in Cloud Storage so other users can listen and vote during the voting window. Deleted within 30 days when you delete your account.
• Battle stats: wins, losses, draws, total battles, XP, rank, badges, current and best streak, daily counters.
• Votes you cast: which battles you voted on.
• Reports: when you report a user — reason, battle ID, timestamp.
• Moderation state: how many times you've been reported, ban duration, ban reason (if any).
• Bonus balance: extra free battles earned from ads or admin grants, coin balance.
• Read announcements: which in-app announcements you've opened (drives the bell badge).

1.3 Device and technical data

• FCM Token: a Firebase Cloud Messaging device address used to deliver push notifications. You can disable push at any time from app Settings.
• Apple DeviceCheck token (iOS only): retrieved from Apple's DeviceCheck service so we can prevent permanently-banned users from creating new accounts after a reinstall. It's a 2-bit per-device flag — no device fingerprint, no personal data.
• Last seen timestamp: updated when you open the app. The "online now" indicator queries the last 2 minutes.
• Locale: TR/EN content selection.

1.4 Purchase data

When you buy a coin pack we process the Apple App Store / Google Play receipt:

• Product ID (`coins_100`, `coins_550`, etc.)
• Transaction ID (issued by the platform)
• Platform (ios / android)

We never see your payment card details — payment is fully handled by Apple/Google. The receipt is used only to credit your account with coins.

2. Why We Collect This Data

• Running the app: matchmaking, voting, coin economy, leaderboard.
• Notifications: battle results, new votes, admin announcements (you can opt out).
• Community safety: report system + auto-ban (3 reports → warning, 5 → 24h, 8 → 7d, 12 → permanent).
• Legal obligations: tax records, payment disputes, responding to lawful requests.

3. Data Retention

• While your account is active: username, stats, badges, coin balance, recordings retained indefinitely.
• When you delete your account: profile + recordings are removed within 30 days; references in past battle records are anonymized to "(deleted user)".
• Coin transactions: kept for tax + refund auditing for an extended period, even after account deletion.
• Reports + audit log: retained indefinitely for moderation history (anonymized).
• DeviceCheck flags: Apple stores 2 bits per device; even uninstalling or factory reset doesn't clear them. To appeal a permanent ban, write to support@vobbly.app.

4. Third Parties

Vobbly relies on these services:

• Firebase (Google LLC): authentication, Firestore database, Cloud Storage (recordings), Cloud Functions, Cloud Messaging (push). Processed on Google's global infrastructure.
• Apple DeviceCheck (iOS only): used to enforce permanent bans at the device level. Apple binds a 2-bit flag to the Apple ID + device pair; no fingerprint or user data is shared.
• Google AdMob: rewarded ads (only when you tap "Watch ad"). App Tracking Transparency (ATT) is not requested; ads are served as non-personalized.
• Apple App Store / Google Play: in-app purchases. Payment data is handled exclusively by these platforms; Vobbly does not see card details.
• Cloudflare: vobbly.app domain DNS, website hosting (Cloudflare Pages), and email routing.

Each service has its own privacy policy. We do not share your data with third parties for advertising, sales, or analytics.

5. Children

App Store age rating: 12+. We don't knowingly collect data from children under 13. If you discover we've collected a child's information, please email privacy@vobbly.app; the account and data will be deleted within 30 days.

6. Your Rights (KVKK + GDPR)

You have the right to:

• Access: learn what data we hold about you
• Rectification: have inaccurate data corrected
• Erasure ("right to be forgotten"): delete your account and data — done immediately from inside the app via Profile → Delete My Account with a confirmation step. Coins, recordings, and battle history are removed permanently.
• Portability: receive your data in JSON format
• Object: object to specific kinds of processing

To exercise these rights, email privacy@vobbly.app — we respond within 30 days. Account deletion doesn't require any waiting; do it from the app whenever you want.

7. Data Security

• All data transfer is encrypted via HTTPS / TLS.
• Firestore Security Rules ensure users can only see/modify their own data; sensitive operations (coin grants, battle results, bans) run through authorized server-side Cloud Functions.
• Voice recordings live in per-user isolated folders in Cloud Storage.
• Admin access is logged through audit trails.

8. Policy Updates

If we change this policy, the "Last updated" date moves with it. Material changes get an in-app announcement or push notification.

9. Contact

For privacy questions:

• Email: privacy@vobbly.app
• Operator: Veysi Yiğit · Diyarbakır, Türkiye
• General support: support@vobbly.app