Privacy Policy

We collect the following categories of data based on our actual implementation:

• Account data: email address, normalized email (for login), full name, profile photo URL, email verification status, and account creation/update timestamps
• Authentication: one-time magic codes sent to your email for login or registration; we do not store your password
• Child profile data (provided by parents/guardians): nickname, date of birth, preferred language, and optional avatar URL, used only for age-appropriate content analysis and recommendations
• Session and device data: when you log in we may store refresh tokens, user agent, IP address, session expiry; on mobile we may store platform (e.g. iOS/Android), optional push notification token, and last-seen time for service operation and security
• Review and feedback data: when you submit a content review we store the name and email you provide, child age range (min/max) relevant to the review, rating, recommendation type, review text, and optional positive/negative aspects; expert reviews may be linked to your expert profile
• Referral data: if you sign up via a referral link we store the referral code and your email for attribution and any referral rewards
• Content analysis inputs: content type and identifier (e.g. YouTube channel, TMDB/IGDB ID) and, when you request analysis, child age and optionally gender, used only to generate and cache suitability analysis
• Support and contact: any information you send us via contact or support forms, including email and name
• Technical and operational data: server logs (including IP and request metadata) for security, debugging, and availability; we do not use third-party advertising or cross-app tracking

We use the data we collect only for the following purposes:

• To create and manage your account and to authenticate you (e.g. magic link and session management)
• To provide content suitability analysis and personalised recommendations based on child profile age/language
• To operate the review system, expert opinions, and moderation (including automated checks) and to display reviews and summaries on the platform
• To send transactional emails (e.g. magic codes, review verification, moderation-related messages) and, if applicable, optional push notifications
• To run referral programmes (attribution and rewards)
• To store and serve your profile image and child avatars (where you choose to upload them)
• To improve service quality, security, and reliability (e.g. logs, error reporting)
• To comply with legal obligations and to enforce our Terms of Service

We do not sell your personal data. We share data only as follows:

• Service providers that process data on our behalf under contract: email delivery (Resend), cloud hosting and databases (e.g. Fly.io), file storage for profile images (Tigris Storage, S3-compatible), AI analysis (Anthropic Claude and/or Google Gemini), and translation (Google Cloud Translation). These providers are required to use your data only to provide the service and to protect it appropriately.
• When required by law or to protect rights and safety (e.g. response to lawful requests, enforcement of our terms).
• If we transfer the business (e.g. merger or sale), we will ensure your data remains protected under this policy or you are notified.

We implement technical and organisational measures to protect your data:

• Encryption in transit (e.g. TLS/HTTPS) for all data between your device and our servers
• Secure authentication (magic link, no password storage); tokens stored and invalidated in a controlled way
• Access control and authentication so only authorised personnel and systems can access personal data
• Use of reputable, compliant infrastructure and storage providers with appropriate safeguards
• Regular updates and security practices; we do not retain sensitive data longer than necessary for the purposes above

We retain your data only as long as necessary for the purposes in this policy or as required by law:

You can request deletion of your Plutony account and associated data at any time. The following describes how to do so and what happens to your data.

1. In the Plutony app: Open Settings (or Profile), then tap "Delete account" or "Close account" and follow the on-screen instructions.
2. By email: Send a request to privacy@plutony.org with the subject "Account deletion" and your registered email address. We will process your request within 30 days.

After we delete your account, we remove your account and profile data, child profiles, and session data. We may retain some data as required by law (e.g. for legal claims, tax, or regulatory compliance) for up to a few years, as described in Section 5 (Data Retention).

Under KVKK, GDPR (where applicable), and similar laws, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate or incomplete data
• Request deletion of your data, subject to legal and operational retention needs
• Object to or restrict certain processing where legally applicable
• Request a copy of your data in a portable format (data portability)
• Withdraw consent where processing is based on consent, without affecting the lawfulness of earlier processing
• Lodge a complaint with a supervisory authority (e.g. Turkish Personal Data Protection Board, or your local data protection authority)

Our website may use cookies and similar technologies for:

• Strictly necessary cookies (e.g. session, security and routing) required for the site and apps to function
• Preference and local storage (e.g. language, theme) to improve your experience
• We do not use cookies for third-party advertising or cross-site tracking. You can control or disable non-essential cookies in your browser settings.

We use the following third-party services in our implementation; each may process data as necessary to provide the service:

• Resend: sending transactional and system emails (e.g. magic codes, review verification)
• Anthropic (Claude) and/or Google (Gemini): AI-powered content analysis and description generation; content and child age may be sent for processing in accordance with our instructions
• Google Cloud Translation: translating content descriptions and text between languages
• Tigris Storage (S3-compatible): storing and serving profile and child avatar images
• Fly.io and associated infrastructure: hosting our backend and databases (e.g. PostgreSQL)
• Apple and Google: our mobile apps are distributed via the App Store and Play Store; their respective privacy policies apply to their distribution and in-app purchase/account systems

We do not knowingly collect personal data directly from children under 13 (or the applicable age in your country). Our service is aimed at parents and guardians. Child-related data (e.g. nickname, date of birth, language) is entered by the parent or guardian and is used only to provide age-appropriate content analysis and recommendations. If you believe we have collected data from a child without parental consent, please contact us and we will delete it promptly.

Your data may be stored and processed on servers in the European Union, Turkey, or other regions where our service providers operate. When we transfer data outside your country, we rely on appropriate safeguards (e.g. standard contractual clauses, adequacy decisions) as required by applicable law.

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last Updated" date. For material changes, we may notify you via email or a notice in the app. Continued use of our services after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

For privacy-related requests, to exercise your rights, or for questions about this policy: