Privacy Policy

Effective date: 2026-05-03

This Privacy Policy explains how Harcio (“Harcio”, “we”, “us”) collects, uses, stores, and shares the personal data processed when you use our trip expense-splitting service. The policy is prepared in line with the Turkish Personal Data Protection Law no. 6698 (KVKK) and the EU General Data Protection Regulation (GDPR).

1. Data Controller

Harcio acts as the data controller and operates from Turkey. For any privacy questions, requests, or complaints, please contact us at [email protected].

2. Data We Collect

When you create an account and use the service we collect:

  • Account information: email address, password hash, name, and - when signing in with Google - your profile picture URL.
  • Trip content: trip name, description, currency, participant list, expenses (amount, description, category, date), split configuration, receipt photos, and optional IBAN data for your account.
  • Notification data: push subscription endpoints and keys (p256dh, auth) for web push, or device tokens for iOS / Android native push.
  • Technical logs: IP address, user agent, and timestamp recorded during sign-in attempts and API calls. These logs are processed solely for security, abuse prevention, and audit purposes.

3. Purposes and Legal Bases

We process your data for:

  • Providing the service and maintaining your account.
  • Authentication and session management.
  • Sending notifications (push, email) according to your preferences.
  • Security, fraud and abuse detection, and meeting legal obligations.
  • Improving service quality and debugging.

Processing is based on contract performance, legitimate interest, and - for optional features such as notification preferences - your explicit consent.

4. Where We Store Data

All personal data is stored on our self-hosted Supabase (PostgreSQL + Storage) infrastructure running on our own servers in Turkey. Data is not held with any third-party cloud provider; only the Next.js application is exposed to the internet through a Cloudflare Tunnel.

5. Third-Party Services

The following third parties may receive limited data to operate the service:

  • Google OAuth: when you choose “Continue with Google” for authentication.
  • Apple Sign-In: when you choose “Continue with Apple” for authentication.
  • Yahoo Finance API: to fetch exchange rates for multi-currency expenses. No personal data is shared.
  • VAPID web push services: your browser's push provider (e.g. Mozilla, Google) for delivering web push notifications.
  • Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM): for mobile push notifications.

6. Retention

We retain your data for as long as your account remains active. When you delete your account, personally identifiable information (email, name, profile picture, IBAN) is wiped immediately. The remaining operational data (e.g. the history of trips you participated in) is permanently removed within 30 days by an automated cron job.

7. Your Rights under KVKK and GDPR

As a data subject you have the right to:

  • Request access to your personal data.
  • Have inaccurate or incomplete data corrected.
  • Request erasure of your data. You can start the deletion flow via Settings › Account › Delete Account.
  • Object to certain processing activities.
  • Request data portability.
  • Withdraw consent at any time for processing based on consent.

Send any request to [email protected]; we respond within 30 days.

8. Children's Privacy

Harcio is not designed for users under the age of 13. If we learn that data from a user under 13 has been provided, we will close the account and delete the related data.

9. Cookies and Local Storage

  • NextAuth session cookie: required for session management; set with HttpOnly, Secure, and SameSite=Lax flags.
  • Theme preference: your “Light / Dark / System” choice is stored in the browser's localStorage; it is never sent to the server.

10. Changes to This Policy

We may update this policy from time to time. Material changes are announced via email to your registered address and through an in-app banner. The “Effective date” field is refreshed on every update.

11. Contact

For any question or request regarding this policy or your personal data, contact us at [email protected].