Mommy & Mini — Privacy Policy

Last updated: 4 June 2026

Document structure: This document has two parts. Part A is the privacy notice / disclosure (Art. 10 KVKK; informational, no consent required). Part B is the separate Explicit Consent statement for the few processing activities that require it. Per the Turkish DPA guidelines, the privacy notice and explicit consent are kept separate, and consent is not a precondition for using the App.

1. Introduction & Scope

This Privacy Policy explains how personal data of users ("you") of the Mommy & Mini mobile app ("App") is processed under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and Türkiye's Personal Data Protection Law No. 6698 ("KVKK").

The App is offline-first: your health, menstrual cycle, pregnancy and baby tracking data is stored locally on your device by default. Data is sent to our servers only via the optional "Cloud Backup / Sync" feature that you enable with your explicit consent. Unless you enable it, this data never leaves your device.

2. Data Controller

Entity	AD MODERN TANITIM MEDYA ORGANİZASYON LİMİTED ŞİRKETİ
Address	Mustafa Kemal Mh. 2155. Cd. No:4/18 Ankara 06530 Türkiye
Email	info@app-modern.com
Website	https://app-modern.com

3. Personal Data We Process

Category	Data	Source
Identity	Display name	You / Apple-Google sign-in
Contact	Email; phone (only when posting a marketplace listing)	You / sign-in provider
Special Category — Health (GDPR Art. 9)	Period/cycle, ovulation, pregnancy week, weight, blood pressure, heart rate, medications, mood, baby growth/vaccines/feeding	You
Journal (free-text notes)	Your own diary/journal notes; being free text they may contain special-category (health/emotional) content and are protected with the same safeguards	You
Location	City (chosen by you; no device location services used)	You
Photos	Marketplace listing photos	You
User Content	Listing text, user-to-user messages	You
Security / Diagnostics	Crash logs, performance data, account ID (redacted)	Automatic
Advertising (limited)	Advertising identifier (IDFA/AAID), ad interaction. Ads are not personalized — the identifier is used only for frequency capping, fraud prevention and aggregate measurement	Automatic
Financial (limited)	Pro subscription status/transaction ID. Card/payment details are collected by Apple/Google, never by us.	App Store / Play

4. Purposes of Processing

Core tracking features and reminders (medication, appointment, vaccine, water, week transition),
Account creation, authentication and session management,
Optional cloud backup and sync (only with explicit consent),
Marketplace listings, moderation and user-to-user messaging,
Reviewing reports/unlawful content and community safety,
Error detection, security and service continuity,
Serving non-personalized ads and aggregate measurement (free tier),
Compliance with legal obligations.

5. Legal Bases (GDPR Art. 6 & 9)

Processing	Legal Basis
Health data on device	Art. 9(2)(a) — your explicit consent + provision of the core service
Health data cloud sync	Art. 9(2)(a) — separate explicit consent
Journal (free-text) notes processing/sync	Art. 9(2)(a) — explicit consent, as they may contain special-category content
Account, authentication, session	Art. 6(1)(b) — performance of a contract
Marketplace, messaging, moderation	Art. 6(1)(b) contract & Art. 6(1)(f) legitimate interests
Crash/diagnostics, security	Art. 6(1)(f) legitimate interests
Non-personalized advertising + limited identifier use	Art. 6(1)(f) legitimate interests (no personalization → no consent required)
Legal obligations	Art. 6(1)(c) legal obligation

Where we rely on consent, you may withdraw it at any time in app settings or by contacting us. Withdrawal does not affect processing carried out before withdrawal.

6. Additional Safeguards for Health Data

Local-first storage on your device,
Optional, TLS-encrypted cloud (consent only),
Row-Level Security (RLS) — each user can access only their own data,
Local data wipe on sign-out,
Data minimization and PII redaction in crash logs,
Authorized-staff access with access logging — your account and content data is accessed only for moderation, support and security purposes, via a 2FA-protected admin panel, strictly on a need-to-know basis; your health data and journal notes are never shown in the admin panel; every access (who, when, which record) is recorded in a tamper-evident audit log.
Journal (diary) notes — as they may contain special-category content, they are processed with the same safeguards as health data (local-first, encrypted cloud sync only with consent, RLS, deleted on account deletion). Journal reminder notifications are generated locally on your device; their text is generic and your note content never leaves the device.

7. International Transfers (GDPR Chapter V)

Processor	Purpose	Data
Supabase (EU / Frankfurt)	Cloud database, auth, storage (optional sync)	Account, health, content
Google AdMob	Ad serving/measurement	Advertising ID, usage
Sentry (EU/Germany)	Crash/diagnostics	Error logs, account ID (redacted)
Apple / Google	In-app purchase, notifications (APNs/FCM)	Device/subscription tokens

Under GDPR (Chapter V) and Turkey's KVKK (Art. 9, as amended by Law No. 7499 of 2/3/2024), transfers abroad are made on the basis of (i) an adequacy decision, (ii) appropriate safeguards (e.g. Standard Contractual Clauses, binding corporate rules, written undertaking), or (iii) where neither exists, on an occasional basis with your explicit consent after you are informed of the possible risks (KVKK Art. 9(6)(a); GDPR Art. 49).

⚠️ Cross-border transfer risk notice: There is currently no adequacy decision issued by the Turkish DPA for the countries where these providers operate. When transferred abroad, your data may be subject to that country's laws, which may not offer the same level of protection as the KVKK. For this reason, transfer of your special-category health data abroad (Supabase) relies solely on your explicit consent; if you do not consent, your data is not transferred abroad and stays on your device. To strengthen protection, the Supabase and Sentry servers we use are located in the European Union (Germany / Frankfurt) region.

8. Retention

Local device data: until you delete it or uninstall the App.
Cloud data: while your account is active; deleted/anonymized when you delete your account.
Security/logs: minimum period required by law.

9. Your Rights (GDPR Art. 15–22)

You have the right to access, rectify, erase, restrict and object to processing, data portability, to withdraw consent, not to be subject to solely automated decisions, and to lodge a complaint with a supervisory authority (in Türkiye, the KVKK Board). You can also use the in-app data export and account deletion features.

10. How to Contact / Request

Send requests to info@app-modern.com. We respond within 30 days.

11. Children

The App is intended for users aged 18 and over. We do not knowingly collect data from minors; such data is deleted if identified.

12. Cookies, SDKs & Automatic Collection

We use SDKs for advertising (AdMob), diagnostics (Sentry) and notifications. Ads are not personalized; your advertising identifier is not used for behavioural profiling — only for frequency capping, fraud prevention and aggregate measurement. The App works fully even if you decline the iOS App Tracking Transparency (ATT) prompt.

13. Security (GDPR Art. 32)

We apply TLS-encrypted transport, row-level access control (RLS), authorization, log redaction and regular security reviews. Where required, data breaches are reported to affected users and the relevant authority without undue delay (within 72 hours of becoming aware, per the Turkish DPA's principle decision and GDPR Art. 33).

14. Changes

We may update this policy; significant changes will be notified in the App. The current version is always published at this address.

Part B — Explicit Consent

The following are subject to your explicit consent within the meaning of KVKK Art. 3(1)(a) (specific, informed and freely given). Consent is not a precondition for using the App. You are not required to consent; if you decline, only the related feature is unavailable and core (offline) use is unaffected.

I consent to processing of my special-category health data for cloud backup/sync (Art. 9(2)(a) GDPR / KVKK m.6/3-a) and its transfer abroad via Supabase (EU/Germany; KVKK m.9/6-a), having been informed of the possible risks of cross-border transfer.

No consent is requested for advertising: ads are not personalized and are processed under legitimate interests (Art. 6(1)(f)).

You may withdraw consent at any time in Settings or via info@app-modern.com.