Privacy Policy — Social Media Login

Effective Date: April 13, 2026  |  Last Updated: April 13, 2026

This Privacy Policy explains how Eyexapp (operated by Eyexapp Teknoloji A.Ş.) and Weblapp (a subsidiary brand of Eyexapp) collect, use, store, share, and protect your personal information when you use social media login features across our applications, websites, and services. This policy applies to authentication via Facebook, Instagram (Meta Platforms), X (formerly Twitter), LinkedIn, TikTok, Google, and any other supported social media platform.

1. Definitions

• "We," "Us," "Our" — refers to Eyexapp Teknoloji A.Ş. and its brand Weblapp.
• "You," "User" — refers to any individual who accesses or uses our services and social login features.
• "Social Login" — authentication via a third-party social media platform (OAuth 2.0 / OpenID Connect).
• "Platform" — any third-party social media service (Facebook, Instagram, X, LinkedIn, TikTok, Google, etc.).
• "Services" — all Eyexapp and Weblapp web applications, mobile applications, APIs, and related digital products.
• "Personal Data" — any information that directly or indirectly identifies you.

2. Data Controller

The data controller for information collected through social login is:

Eyexapp Teknoloji A.Ş.
Fenerbahçe Mah. İğrip Sk. No: 13
34726 Kadıköy, İstanbul, TÜRKİYE
Email: privacy@eyexapp.com
Website: eyexapp.com

3. Information We Collect Through Social Login

When you choose to sign in using a social media account, we receive specific information from the Platform. The exact data depends on which platform you use and what permissions you grant.

3.1 Facebook & Instagram (Meta Platforms)

We comply with Meta Platform Terms and Meta Privacy Policy.

3.2 X (formerly Twitter)

We comply with X Developer Policy and X Privacy Policy.

3.3 LinkedIn

We comply with LinkedIn API Terms of Use and LinkedIn Privacy Policy.

3.4 TikTok

We comply with TikTok Developer Terms and TikTok Privacy Policy.

3.5 Google

We comply with Google API Services User Data Policy and Google Privacy Policy.

3.6 Other Platforms

If we introduce social login support for additional platforms (e.g., Apple, GitHub, Discord, Snapchat), we will update this policy to include the specific data categories collected. In all cases, we follow the principle of data minimization — we only request the permissions strictly necessary for authentication and core service functionality.

4. How We Use Your Information

We use the information collected through social login for the following purposes:

1. Account Creation & Authentication: To create your user account, verify your identity, and enable secure sign-in across sessions and devices.
2. Profile Setup: To pre-populate your profile with your name and profile picture, reducing manual data entry.
3. Communication: To send account-related notifications (e.g., security alerts, password resets, service updates) using your email address.
4. Service Improvement: To analyze aggregated, anonymized usage patterns and improve authentication flows and user experience.
5. Security & Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, or unauthorized access.
6. Legal Compliance: To comply with applicable laws, regulations, and legal processes.
7. Customer Support: To assist you with account-related inquiries and technical issues.

5. Legal Basis for Processing (GDPR / KVKK)

We process your personal data under the following legal bases:

6. Data Sharing & Third Parties

We may share your personal data with the following categories of recipients:

• Cloud Infrastructure Providers: Google Cloud Platform (Firebase, Cloud Run) for hosting, database, and authentication services. Data is processed in accordance with Google Cloud Data Processing Addendum.
• Analytics Providers: Aggregated, anonymized data may be shared with analytics services (e.g., Google Analytics) to understand usage patterns. No personally identifiable information is shared for analytics.
• Legal Authorities: When required by law, regulation, legal process, or enforceable governmental request.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity with equivalent privacy protections.

7. Data Retention

We retain your personal data as follows:

• Active Account: Your data is retained for as long as your account is active and you continue to use our services.
• Account Deletion: Upon account deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
• OAuth Tokens: Access tokens and refresh tokens from social platforms are stored securely and are revoked/deleted when you disconnect a social account or delete your account.
• Backup Retention: Encrypted backups containing your data may persist for up to 90 days after deletion for disaster recovery purposes, after which they are purged.
• Legal Retention: Certain data may be retained for up to 10 years where required by Turkish commercial law (TTK) or tax regulations (VUK).

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal data:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Personal data stored in our databases is encrypted at rest using AES-256 encryption.
• Access Control: Strict role-based access control (RBAC) limits access to personal data to authorized personnel only.
• Token Security: OAuth tokens are stored using server-side encryption and are never exposed to client-side code.
• Regular Audits: We conduct periodic security assessments and vulnerability scanning of our infrastructure.
• Incident Response: We maintain an incident response plan and will notify affected users and authorities within 72 hours of a confirmed data breach, as required by GDPR/KVKK.

9. Your Rights

Under applicable data protection laws (including GDPR and Turkish KVKK Law No. 6698), you have the right to:

1. Access: Request a copy of the personal data we hold about you.
2. Rectification: Request correction of inaccurate or incomplete personal data.
3. Erasure: Request deletion of your personal data ("right to be forgotten").
4. Restriction: Request restriction of processing of your personal data in certain circumstances.
5. Data Portability: Request your data in a structured, commonly used, machine-readable format.
6. Object: Object to processing based on legitimate interests, including profiling.
7. Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of processing prior to withdrawal.
8. Complaint: Lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) or your local supervisory authority.

To exercise any of these rights, contact us at privacy@eyexapp.com. We will respond within 30 days of receiving your request.

10. Managing Social Login Connections

You can manage or revoke social login connections at any time:

• Within Our Services: Navigate to your Account Settings to disconnect linked social accounts.
• On the Platform: Revoke our app's access directly through each platform's settings:
  • Facebook: Settings > Apps and Websites
  • Instagram: Settings > Security > Apps and Websites
  • X (Twitter): Settings > Security > Connected Apps
  • LinkedIn: Settings > Data Privacy > Permitted Services
  • TikTok: Settings > Security > Manage App Permissions
  • Google: myaccount.google.com/permissions

Revoking access will prevent future logins via that platform but will not automatically delete data already collected. To delete previously collected data, please submit a separate deletion request.

11. Cookies & Tracking Technologies

When you use social login, the following cookies and similar technologies may be used:

• Session Cookies: Essential cookies to maintain your authenticated session. These expire when you close your browser or after a set period.
• Authentication Tokens: Secure HTTP-only cookies storing encrypted session identifiers.
• Platform Cookies: The social media platform may set its own cookies during the authentication flow. These are governed by the respective platform's cookie policy.

We do not use social login data for cross-site tracking or targeted advertising.

12. Children's Privacy

Our services are not directed to individuals under the age of 13 (or the minimum digital consent age in your jurisdiction, e.g., 16 in certain EU member states). We do not knowingly collect personal data from children through social login or any other means.

If we become aware that we have inadvertently collected personal data from a child below the applicable age, we will take immediate steps to delete such information. If you believe a child has provided us with personal data, please contact us at privacy@eyexapp.com.

13. International Data Transfers

Your personal data may be transferred to and processed in countries outside of your country of residence, including but not limited to:

• Türkiye — where Eyexapp headquarters is located.
• European Economic Area (EEA) — Google Cloud data centers.
• United States — where certain cloud infrastructure and social media platforms operate.

Where data is transferred outside the EEA or Türkiye, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data Processing Agreements with all sub-processors.
• Compliance with KVKK cross-border transfer requirements (Article 9).

14. Platform-Specific Disclosures

14.1 Meta (Facebook / Instagram) — Data Deletion Callback

In compliance with Meta Platform Terms, we provide a Data Deletion Request Callback URL. When you remove our app from your Facebook or Instagram settings, Meta notifies us, and we initiate deletion of all data associated with your Meta account within 30 days.

You may also submit a manual deletion request at privacy@eyexapp.com with the subject line "Meta Data Deletion Request."

14.2 X (Twitter) — Limited Use

We adhere to the X Developer Agreement and Policy. Data obtained via X login is used solely for authentication and is not used for surveillance, monitoring, or any purpose that violates the X Developer Policy.

14.3 LinkedIn — Restricted API Use

We access LinkedIn data only through officially approved API products. We do not scrape LinkedIn data, and we do not use LinkedIn data for any purpose other than user authentication and profile setup.

14.4 TikTok — Developer Terms Compliance

We comply with TikTok's Developer Terms of Service. Login data obtained from TikTok is not used for content scraping, automated posting, or any purpose beyond authentication.

14.5 Google — Limited Use Disclosure

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via email or in-app notification if the changes significantly affect how we process your data.
• Provide a summary of key changes.

We encourage you to review this policy periodically. Your continued use of social login after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Eyexapp Teknoloji A.Ş. (operating Eyexapp & Weblapp brands)
Fenerbahçe Mah. İğrip Sk. No: 13, 34726 Kadıköy, İstanbul, TÜRKİYE
Email: privacy@eyexapp.com
General: hello@eyexapp.com
Phone: +90 553 597 4412
Website: eyexapp.com

For data protection inquiries in the European Union, you may also contact your local Data Protection Authority. For Türkiye, you may contact the Kişisel Verileri Koruma Kurumu (KVKK).