CATCHA PRIVACY AND CYBER SECURITY POLICY
Last Updated: 06.06.2026 | Version: 4.0
At Catcha-app.com ("Catcha" or "Platform"), we have adopted protecting the privacy, digital security, and physical safety of our users' personal data as our core operational principle.
This Privacy and Cyber Security Policy explains the scope within which personal data processed across the Catcha mobile application, website, augmented reality (“AR”) systems, event infrastructures, matching algorithms, messaging systems, and all associated digital services is collected, the legal grounds on which it is processed, how it is protected, under which conditions it may be shared, and how user rights are managed.
The Platform aims to act in compliance with: Law No. 6698 on the Protection of Personal Data (“KVKK”), Law No. 5651, Turkish Penal Code (“TCK”), GDPR (General Data Protection Regulation), App Store Review Guidelines, Google Play Developer Policy, and international data security and cyber security standards.
A. PROCESSED DATA CATEGORIES AND PURPOSES OF PROCESSING
1. Identity and Account Data
The following information may be processed to create and manage user accounts: first and last name, username, date of birth, phone number, email address, profile pictures, account verification details, and device-account mapping information.
• Purposes of Use: Account creation, user identity management, age verification (18+), prevention of fake accounts, ensuring account security, password reset operations, user support processes, community safety audits, and fraud risk mitigation.
2. Sensitive Location Data
Catcha may process sensitive location data from devices to list nearby users, display events, position AR objects, and run matching systems. Processed data may include GPS coordinates, Wi-Fi access points, Bluetooth signals, approximate distance data, regional location clusters, and device-based location signals.
• Security and Privacy Principle: The Platform does not display users' real-time precise coordinates directly to other users. To reduce risks such as stalking, location abuse, mapping user movements, or malicious physical tracking, the system processes location data in a masked, approximated, regionally clustered, and security-filtered manner. Location data is only processed to the extent necessary for the service to function and can be managed via device permissions.
3. Camera, Microphone, and Hardware Permissions
The Platform may request access to device hardware under the following conditions:
| Hardware | Purpose of Use |
| --- | --- |
| Camera | AR mode, profile picture upload, security verification |
| Gallery | Profile image selection |
| Microphone | Voice features or video processes |
| Motion Sensors | AR stabilization |
| Notification System | Security alerts and event notifications |
| Location Services | Nearby events and user matches |
4. Verification and Account Security Processes
To mitigate catfishing, fraudulent activities, spam usage, automated bot systems, and community guideline violations, the Platform may request additional verification from users under specific circumstances. These processes are strictly limited to situations such as user complaints, security alerts, suspicious account activity, spam/bot behavior detection, child safety risks, and account security reviews. When necessary, users may be asked to provide selfie verification images, identity document images, phone number verification, or additional confirmation details to verify that the account belongs to a real person.
• Critical Assurance: The Platform does not run a continuously operating biometric recognition system and does not use user facial data for commercial profiling. Images shared for verification purposes are processed solely to execute security and account verification processes, are protected under restricted access policies, and are deleted or anonymized within a reasonable period after verification is complete. Collected data is not used or shared with third parties for ad targeting, commercial data sales, behavioral profiling, or facial recognition database building.
B. AR (AUGMENTED REALITY) AND LOCAL IMAGE PROCESSING POLICY
1. On-Device Processing
While the Catcha AR system is operating, environmental images captured from the device camera are processed on-device as much as possible. Accordingly, street views, camera streams, real-time environmental analysis, and AR surface scans are not continuously sent to servers as video streams. AR matches and environmental analysis are executed on the device's local processor to the furthest extent possible and are automatically wiped from temporary memory once the process is complete.
2. Real-World Safety and Disclaimer
The Catcha AR system is not a navigation or traffic routing system, does not guarantee a safe route, and does not ensure physical space safety. Users are solely responsible for maintaining environmental awareness while using AR features. The Platform cannot be held liable for traffic accidents, falls/collisions, unauthorized entry into private property, access to dangerous areas, physical injuries, damages stemming from user inattention, or physical disputes with third parties.
C. AI-POWERED MODERATION AND AUTOMATED DECISION SYSTEMS
The Platform may use AI-powered moderation systems to preserve community safety. These systems may be deployed in fields such as obscenity detection, spam behavior analysis, fake account detection, hate speech filtering, fraud behavior analysis, community rule violation detection, and identifying automated bot usage.
• 1. Automated Content Filtering: Profile pictures, event images, and media content may be analyzed by automated systems for compliance with community guidelines. Risky content may be automatically rejected, put under temporary review, made hidden, or routed to a manual moderation queue.
• 2. Manual Review and Right to Appeal: Users have the right to request manual review in cases of account suspension, content removal, false spam marking, erroneous moderation decisions, or incorrect security violation detection. Appeal requests can be submitted via the info@catcha-app.com email address or the in-app support panel. Submissions are evaluated as quickly as possible.
D. TECHNICAL AND CYBER SECURITY MEASURES
Catcha implements industry-standard technical and organizational security measures to protect user data.
| Data Type / Infrastructure | Protection Standard |
| --- | --- |
| Data transit | SSL / TLS 1.3 |
| Data stored on servers | AES-256 |
| Backup data | Encrypted storage |
| API access | Token-based authentication |
• Password Security: User passwords are never kept in plain text or in a reversible format. Passwords are hashed using bcrypt or Argon2 algorithms and strengthened with a salt mechanism.
• Account Security and 2FA: The Platform may implement the following security measures: SMS OTP verification, Authenticator-based 2FA, suspicious session detection, new device verification, session risk analysis, suspicious IP blocking, and abnormal access behavior detection.
• Anti-Bot and Abuse Protection: The Platform infrastructure may include protection layers against threats such as brute force attempts, scraping activities, spam activities, automated account creation attempts, API abuse, and bot attacks.
• Personnel and Access Authorization: Access to user data is limited via a role-based authorization system. Data is accessible only to personnel who require it for their duties, and all accesses are logged and regularly audited.
E. DATA BREACH RESPONSE PROTOCOL
- Emergency Response Process: The source of the breach is isolated, unauthorized access is blocked, logs are analyzed to determine the risk scope, and technical security measures are updated.
- Official Notification Process: For serious data breaches falling under KVKK or GDPR, notifications can be sent to relevant official authorities and, when necessary, to users within statutory durations.
- User Notification: For breaches posing a risk, users may be notified via email, push notifications, or in-app security screens. Notifications include the type of breach, affected data categories, actions taken, and recommended user actions.
F. DATA RETENTION, DELETION, AND ANONYMIZATION POLICY
- Retention Period Principle: Personal data is stored only as long as its processing purpose continues, statutory obligations exist, or legitimate operational necessities endure.
- Account Deletion Process: When a user deletes their account, profile data, matches, message logs, media content, and location histories are deleted, anonymized, or rendered inaccessible within a reasonable time frame.
- Statutory Log Retention Process: Traffic records under Law No. 5651 (including IP addresses, access timestamps, session logs, and transaction security records) are securely stored for the duration required by the relevant legislation.
G. INTERNATIONAL DATA TRANSFERS
Some technical service providers within the Catcha infrastructure may be located abroad. In such cases, KVKK Article 9, GDPR data transfer standards, standard contractual clauses (SCC), data processing agreements, and technical security measures are applied. The Platform aims to implement reasonable technical and administrative security measures during data transfer processes.
H. USER RIGHTS
Users may hold the following rights under applicable data protection legislation: learning whether their personal data is processed, requesting information regarding processed data, demanding the correction of incorrect or incomplete data, requesting the erasure or anonymization of data, objecting to processing activities, withdrawing explicit consent, and obtaining information regarding data security breaches. Applications can be submitted via the info@catcha-app.com email address or the in-app support system.
I. POLICY CHANGES
The Platform reserves the right to update this Privacy and Cyber Security Policy in line with legal requirements, technical infrastructure changes, security demands, and new platform features. The updated policy enters into force upon its publication within the application or on the official website.