Privacy Policy
Last updated: 30 May 2026 · Version 1.0
Applies to: Masalım iOS application (Bundle ID studio.dasyatis.masalim) and the masalim.app website.
1. Introduction
This Privacy Policy describes how Dasyatis Studio ("Dasyatis Studio", "we", "us", or "our") collects, uses, discloses, and protects personal data when you (the "User", "you", or "your" — typically a parent or legal guardian) install, register for, or use Masalım, our iOS application for personalized bedtime stories and parent-narrated voice cloning (the "Service").
Masalım is intentionally designed to minimize data collection. We do not run third-party advertising trackers, we do not sell personal data, and we do not profile users for advertising. The only personalization performed is the one you explicitly create: a child profile, optional voice clone reference, and the stories generated for your household.
This document is written to satisfy the transparency requirements of the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the EU General Data Protection Regulation 2016/679 ("GDPR") including its provisions on children (Article 8) and biometric data (Article 9), the U.S. Children's Online Privacy Protection Act ("COPPA"), the UK GDPR, and the Apple App Store Review Guidelines (notably §5.1.1 and §5.1.4). Where local law grants stronger rights than those summarized here, those local rights prevail.
By creating an account, signing in as a guest, or otherwise using Masalım, you confirm that you have read this Privacy Policy and understand the data handling practices it describes. If you do not agree, please do not use the Service and delete the application from your device.
2. Identity of the Data Controller
For the purposes of KVKK Article 3(1)(ı) and GDPR Article 4(7), the data controller is:
Dasyatis Studio
Independent software studio, registered in Türkiye
General contact: info@dasyatisstudio.com
Privacy / data-protection requests: info@dasyatisstudio.com (subject line: "Privacy Request")
KVKK / GDPR matters: info@dasyatisstudio.com
Dasyatis Studio has not appointed a separate Data Protection Officer (DPO) because we do not meet the mandatory thresholds set out in GDPR Article 37(1) or the equivalent KVKK provisions. Privacy responsibilities are owned directly by the studio's founder, who can be reached at the address above.
For Users located in the European Economic Area or the United Kingdom, this policy serves as our Article 13/14 information notice. For Users in Türkiye, it serves as our KVKK aydınlatma metni (information disclosure text).
3. Personal Data We Collect
We collect only what is necessary to operate the Service. The categories below describe everything Masalım stores or transmits. Anything not listed here is not collected.
3.1 Account & authentication data
- Authentication provider identifier. If you sign in with Apple, we store the opaque Apple user identifier and the private relay email (when you choose to hide your email). If you sign in with Google, we store the Google sub-claim and the email address you grant access to. Apple/Google passwords are never seen by us.
- Guest device identifier. If you continue without signing in, we generate a random UUID v4 on your device. It contains no information about you and exists only so the same device sees its own library on relaunch.
- Locale, time zone, and country code. Derived from iOS device settings so we can deliver content in the correct language and adjust quiet-hours notifications.
- App version and iOS version. Stored alongside the account for support and compatibility diagnostics.
- Hashed IP address. Whenever your device contacts our backend, we record a SHA-256 hash of the source IP for rate limiting and abuse detection. The raw IP address is never written to a database; it exists only in volatile memory long enough to compute the hash, then is discarded.
3.2 Child profile data
You may create one or more child profiles inside the app to personalize stories. The information attached to a child profile is strictly limited to:
- First name or nickname (optional). Used inside stories as the protagonist's name. You may leave this blank or use a placeholder.
- Age band, not date of birth. One of "2–4", "5–7", or "8–10". We deliberately do not collect or compute precise birthdates.
- Favorite themes / emotion chips. Selections you make from a curated list (e.g., "animals", "courage") to steer story generation.
Child profile data is never shared with advertisers, never used to build cross-app profiles, and never sold. It exists only to render the stories you ask for.
3.3 Voice biometric data (special category)
If you choose to create a voice clone (a feature offered on paid tiers), you record approximately sixty seconds of your own speech inside the application. This recording, together with the voice model artifacts derived from it, constitutes biometric data within the meaning of GDPR Article 9(1) and KVKK Article 6, and is handled with the additional safeguards described in section 4 and section 12.
The raw recording file is uploaded over TLS to our storage bucket (Amazon S3, region eu-central-1 Frankfurt, encrypted at rest with AWS KMS server-side encryption) and is auto-deleted after twenty-four hours by an immutable S3 lifecycle rule. The derived voice model (the artifact actually used to synthesize speech) is retained only for as long as your subscription is active plus a seven-day grace period — see section 8.
3.4 Subscription & purchase data
- RevenueCat anonymized customer identifier. A pseudonymous ID linking your purchase entitlement to your account without exposing your Apple ID.
- Subscription tier, renewal status, and period. So we can unlock the features you paid for.
- Apple In-App Purchase transaction receipts. Validated against Apple's servers; we do not see your credit card or bank details at any point.
- Free-trial eligibility flag. Apple's introductory offer for the Plus Yearly plan (three-day free trial) is granted by Apple, not by us. We only read the resulting eligibility flag.
3.5 Usage data
- Story creation timestamps and the parameters you chose (theme, age band, narrator).
- Narrator selections and voice catalog interactions (which voice you previewed, which you used).
- Sleep timer usage, playback completion, favorite/like toggles, and library size — used to power features like the weekly report PDF and the "Bahçem" (My Garden) summary.
- In-app navigation events — used at the app level only, never shared with a third-party analytics vendor.
3.6 Device & push-notification data
- APNs / FCM push token. A device-specific identifier issued by Apple Push Notification service and routed through Firebase Cloud Messaging so we can send the notifications you have opted into (e.g., bedtime reminders, subscription status).
- User agent and app build number. Used in error triage.
3.7 Diagnostic & crash data
When the application crashes or encounters an unrecoverable error, we collect a crash report through Firebase Crashlytics. Reports contain a stack trace, the device model, iOS version, app version, and a non-identifying user UUID. Email addresses, names, child names, phone numbers, voice recordings, and story contents are scrubbed by our logging layer and never reach Crashlytics.
4. Special Categories of Personal Data
Under GDPR Article 9(1) and KVKK Article 6(1), biometric data processed for the purpose of uniquely identifying a natural person is a "special category" that requires heightened protection and a specific lawful basis.
Masalım's voice clone feature processes voice recordings as biometric data. We rely on your explicit consent (GDPR Article 9(2)(a); KVKK Article 6(2)) collected through a dedicated in-app consent screen before any recording is captured. Depending on your subscription tier, between one and three separate consent statements are presented (see the consent records described in section 13). You may withdraw consent at any time, which triggers the immediate-deletion path described in section 8.
We do not process any other special-category data: we do not ask about health, religion, political opinions, sexual orientation, ethnic origin, trade-union membership, or genetic data, and our systems are not designed to derive such inferences from the data we hold.
5. Legal Bases for Processing (GDPR Article 6 / KVKK Article 5)
We rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation, story generation, narrator synthesis, library sync, subscription management | Performance of a contract (Art. 6(1)(b) GDPR; Art. 5(2)(c) KVKK) |
| Voice clone recording, derived voice model, marketing emails, optional analytics events | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR; Art. 5(1) & 6(2) KVKK) |
| Rate limiting, fraud and abuse detection, security audit logs, hashed IP retention, crash diagnostics | Legitimate interests in operating a safe Service (Art. 6(1)(f) GDPR; Art. 5(2)(f) KVKK) |
| Retention of consent records and tax / accounting records | Compliance with a legal obligation (Art. 6(1)(c) GDPR; Art. 5(2)(a) KVKK) |
| Handling parental requests on behalf of a minor; protecting vital interests in safety-critical edge cases | Vital interests / public interest where applicable (Art. 6(1)(d–e) GDPR) |
Where we rely on legitimate interests, we have performed a balancing test and concluded that our interest does not override your fundamental rights. You may object at any time using the mechanism in section 11.
6. How We Use Your Data
Each data category is processed for a defined, limited purpose:
- Deliver the Service. Generate stories from your child profile prompts, synthesize narrator audio in your chosen language (one of nine V1 launch locales: Turkish, English, Italian, German, Spanish, French, Portuguese, Russian, Japanese), render cover art, and keep your library in sync across your devices and Apple Family Sharing.
- Personalize narration. If you opted in, use your voice clone reference to synthesize stories in your own voice.
- Manage your subscription. Confirm your entitlement with RevenueCat and Apple, gate paid features, and honor the three-day free-trial flow attached to Plus Yearly.
- Send the notifications you asked for. Bedtime reminders, subscription status changes, and infrequent product announcements (only if you opted in to marketing notifications).
- Keep the Service safe. Detect abusive request patterns, throttle suspicious behavior, and investigate security incidents using hashed IPs and short-lived audit logs.
- Fix bugs. Triage crashes and errors using PII-scrubbed diagnostic reports.
- Improve the product. Aggregate, non-identifying metrics (e.g., distribution of preferred narrator language) inform our roadmap. We do not run A/B tests that pair you with identifiable behavioral data.
- Comply with the law. Respond to lawful requests, maintain tax records, and demonstrate consent when challenged.
We do not use your data for: behavioral advertising, profiling for marketing purposes, training third-party foundation models on your recordings or stories, selling to data brokers, or any form of credit / insurance / employment scoring.
7. Automated Decision-Making and AI
Masalım uses large language models and text-to-speech systems to generate stories and audio. These automated systems produce creative content; they do not make decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22. Our content-safety filter — which screens generated stories for unsafe themes in seven languages — is fully human-reviewable: if a story is blocked you can contact us for review, and you may at any time refuse further AI-generated content by canceling your subscription and deleting the application.
Your prompts, child profile, and voice recordings are not used to train any third-party model. Our agreements with the LLM, TTS, and image-generation providers listed in section 9 explicitly prohibit training on customer input.
8. Data Retention Periods
We keep each category of data only as long as needed for the purpose it was collected, plus any period required by law. Specific timers are enforced by automated jobs and storage lifecycle rules:
| Data category | Retention | Why |
|---|---|---|
| Account & child profile | Until you delete + 30-day grace | Grace period to recover from accidental deletion; you may request immediate deletion in writing. |
| Raw voice recording (S3 upload) | 24 hours | S3 lifecycle rule auto-deletes the original file after the voice model is derived. |
| Derived voice model (reference artifact) | Subscription active + 7-day grace | Allows seamless resume on renewal; revoking consent or canceling triggers immediate deletion. |
| Generated stories & audio | Until you delete (account-bound) | They are your library; deleting the story deletes the artifact. |
| Consent records | 10 years | KVKK Art. 7 imposes a burden of proof on the controller; consent records survive account deletion (CASCADE-exempt) and contain only timestamp, locale, version, and user UUID. |
| Hashed IP addresses | 1 year | Abuse detection and incident response. |
| Crash & diagnostic reports | 90 days | Default Firebase Crashlytics retention; we do not extend it. |
| Push tokens | Up to 1 year since last activity | Stale tokens are pruned automatically. |
| Subscription & tax records | Up to 10 years | Turkish Tax Procedure Law (Vergi Usul Kanunu) art. 253; only invoice metadata is retained, not behavioral data. |
| Marketing-email subscribers | Until you unsubscribe | Every email contains a one-click unsubscribe link. |
9. Third-Party Processors (Sub-Processors)
We engage the following processors to operate the Service. Each is bound by a written data-processing agreement (DPA) that includes confidentiality, security, and (where data leaves the EEA) the European Commission's Standard Contractual Clauses (SCCs, 2021/914). None of these processors is permitted to use your data for its own purposes or to train its own foundation models on it.
| Processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Apple Inc. | Sign in with Apple, In-App Purchase, Apple Push Notification service, App Store distribution | United States & Ireland | SCCs; Apple Data Processing Addendum |
| Google LLC (Google Cloud, Firebase) | Sign in with Google, Chirp 3 HD text-to-speech, Imagen 4 cover-art generation, Firebase Cloud Messaging, Firebase Crashlytics | United States & EU | SCCs; Google Cloud DPA |
| Anthropic PBC | Claude large-language-model story generation | United States | SCCs; Anthropic Commercial Terms (no-training clause) |
| RunPod, Inc. | GPU compute for the Chatterbox Multilingual voice-clone model | Frankfurt (preferred) or United States (fallback) | SCCs; ephemeral pods, no persistent customer storage |
| RevenueCat, Inc. | Subscription entitlement management | United States | SCCs; RevenueCat DPA |
| Amazon Web Services EMEA SARL | Application hosting (Lightsail), database, object storage (S3 masalim-voice-clones-eu), KMS encryption | Frankfurt eu-central-1 | EU data residency; AWS GDPR DPA |
If we engage a new sub-processor in the future, we will update this policy and, where required, notify you in-app before the new processor begins processing your data.
10. International Transfers
Our primary infrastructure is hosted in Frankfurt (eu-central-1) inside the European Economic Area. Voice recordings remain in Frankfurt under KMS-encrypted S3 storage for the twenty-four-hour processing window described above.
Some processing necessarily involves a transfer outside the EEA / Türkiye:
- Story-generation prompts are transmitted to Anthropic's Claude API in the United States.
- Text-to-speech synthesis runs on Google Cloud regions that may include the United States or other Google Cloud zones.
- When the Frankfurt RunPod GPU pool is at capacity, voice synthesis (not the original recording, which never leaves Frankfurt) may temporarily route to a U.S. RunPod region.
- Apple and RevenueCat process subscription metadata in the United States.
For each transfer to a country that the European Commission has not recognized as providing an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) together with supplementary technical measures (TLS 1.3 in transit, AES-256 at rest, pseudonymization, and the no-training contractual commitments described in section 9). For Turkish Users, transfers abroad are performed under KVKK Article 9 using explicit consent and the same contractual safeguards.
11. Your Rights
Subject to applicable law, you have the rights described below. Many of them can be exercised directly inside the application; the remainder are handled by email within thirty days at the latest.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15 GDPR; Art. 11(b) KVKK) | Confirmation of whether we process your data and a copy of what we hold. | Profile → Privacy → "Request my data", or email us. |
| Rectification (Art. 16; Art. 11(d) KVKK) | Correct inaccurate or incomplete data. | Edit child profile in-app, or email for account-level fields. |
| Erasure / right to be forgotten (Art. 17; Art. 11(e) KVKK) | Delete your account and the data attached to it. | Profile → Account → "Delete my account". A 30-day grace period applies; you may shorten it on request. Consent records are retained for the legal period in section 8. |
| Restriction (Art. 18) | Temporarily pause processing while a complaint is being investigated. | Email us; we will flag your record and stop active processing. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. | Profile → Privacy → "Export my data" (JSON archive including library, child profiles, and consent log). |
| Object (Art. 21) | Object to processing based on legitimate interests, including direct marketing. | Toggle off "Marketing notifications" in Profile, or email us for broader objections. |
| Withdraw consent (Art. 7(3); Art. 11(a) KVKK) | Revoke any consent you have given (voice clone, marketing, analytics) without affecting prior lawful processing. | Profile → Privacy → toggles for each consent. Voice-clone revocation triggers immediate deletion of the derived model. |
| Lodge a complaint (Art. 77) | Complain to a supervisory authority. | See section 16. |
| Not be subject to solely automated decisions (Art. 22) | We do not make such decisions about you — see section 7. | Not applicable. |
We will respond to verified requests within thirty days. We may extend that period by a further two months for complex requests and will notify you if we do. Identity verification may consist of signing in to the account in question or, for guest UUIDs, producing the device that holds the UUID.
12. Children's Privacy
Masalım is built for parents and guardians to use with their children. The account holder must be at least sixteen years old (or the local age of digital consent under GDPR Article 8 — thirteen in the United States under COPPA; ages vary between thirteen and sixteen across the EU). We do not knowingly allow children to create their own accounts.
Information about a child appears in the Service only because you, the parent or guardian, entered it into a child profile. By creating a child profile you confirm that:
- you are the parent or legal guardian of the child;
- you consent to the processing of that limited child profile data for the purposes described in this policy;
- if your jurisdiction requires verifiable parental consent (e.g., COPPA in the United States), you provide it by entering the child's information yourself from your adult-controlled device.
Masalım does not display third-party advertising of any kind, does not include in-story product placement, and does not run behavioral profiling on children. The content-safety filter described in section 7 is calibrated specifically for the 2–10 age range our three age bands serve.
If you believe a child has used Masalım without parental consent, please email info@dasyatisstudio.com and we will delete the relevant account promptly.
13. Security Measures
We protect your data through a layered set of technical and organizational measures, including:
- TLS 1.3 for every connection between the app and our backend, with HSTS on our public web origins.
- AWS KMS server-side encryption (AES-256) for all objects in masalim-voice-clones-eu; encryption keys are scoped to the studio account and rotated automatically.
- JWT access tokens with a fifteen-minute lifetime and seven-day refresh tokens, plus a per-user token version counter that lets us revoke every issued token instantly (for example after a password change or compromise).
- bcrypt with cost factor 12 for any password we store (currently only used in administrative tooling; the end-user app does not use passwords).
- SHA-256 IP hashing at the request boundary so raw IP addresses never enter our databases.
- PII scrubbing in logs. Email addresses, names, child names, phone numbers, voice recordings, and story bodies are never written to logs — only the user UUID and the request shape are retained.
- Pagination cap of ten thousand pages per cursor to defeat enumeration attacks.
- Twenty-four-hour S3 lifecycle on raw voice recordings — the deletion is enforced by AWS, not by application code.
- Immediate deletion on consent revocation for voice clone artifacts; we do not soft-delete biometric data.
- Audit logs for sensitive administrative actions, retained for ninety days for security review.
- Least-privilege access within the studio: only the founder can access production data, and access is logged.
- Vendor due diligence on every processor listed in section 9, with SCC-bound DPAs in place.
No system can guarantee perfect security. In the unlikely event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two hours (GDPR Article 33) and, where the risk is high, notify you directly (Article 34).
14. Cookies and Tracking Technologies
The iOS application does not use HTTP cookies, advertising identifiers (IDFA), pixel trackers, fingerprinting, or session replay tools.
On the masalim.app website (where this policy is hosted), we use a single functional cookie:
NEXT_LOCALE — stores your language preference so the site loads in the same language on your next visit. Strictly necessary; no consent banner is required under ePrivacy Directive Article 5(3).
We do not use Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Mixpanel, Amplitude, or any other third-party web analytics or advertising vendor.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in the Service, our processors, or the law. When we make a material change, we will:
- update the "Last updated" date and version number at the top of this document;
- display an in-app notice on next launch summarizing what changed;
- where the change concerns biometric data, marketing, or any consent-based processing, request a fresh consent before continuing.
Continued use of the Service after an update means you accept the revised policy. Earlier versions are archived and available on request.
16. Contact and Complaints
For any question, request, or complaint about this Privacy Policy or our handling of your data, please write to us:
Dasyatis Studio
Email: info@dasyatisstudio.com
Subject line: "Privacy Request", "KVKK", "GDPR", or "COPPA" as appropriate.
If you believe we have not addressed your concern adequately, you also have the right to complain to a competent supervisory authority. Depending on where you live, this may be:
- Türkiye: Kişisel Verileri Koruma Kurumu (KVKK Authority), kvkk.gov.tr.
- European Economic Area: the data-protection authority of the EU member state where you live, work, or where the alleged infringement occurred. A directory is available at edpb.europa.eu.
- United Kingdom: Information Commissioner's Office (ICO), ico.org.uk.
- United States — COPPA matters: the U.S. Federal Trade Commission, ftc.gov.
We would, however, appreciate the chance to address your concern before you contact an authority — most issues are resolved within a few business days by writing to us directly.
This Privacy Policy is published in English for our V1 launch. As we roll out localized in-app legal screens (Turkish, Italian, German, Spanish, French, Portuguese, Russian, and Japanese), the English version will remain the authoritative reference; any translation is provided for convenience only.