# Privacy Policy

### 1. Introduction

This Privacy Policy describes how MetuMail ("App", "we", "us", or "our") collects, uses, stores, and protects your information when you use our mobile application. MetuMail is an unofficial, third-party email client for Middle East Technical University (METU) email accounts. The App acts solely as an intermediary that establishes communication between METU's mail servers and your device to enable you to view and interact with your emails. MetuMail is not affiliated with, endorsed by, or officially associated with METU, and has no ownership, control, or authority over your METU email account or its contents.

**Data Controller:** Gurkan Ciloglu Ankara, Turkey <gurkan.ciloglu@metu.edu.tr>

We are committed to protecting your privacy. Please read this policy carefully to understand our practices regarding your personal data.

### 2. Information We Collect

#### 2.1 Information You Provide

* **Authentication Information:** Credentials entered by the user are used solely for authentication with METU mail servers and are never stored or transmitted to our servers in plain text.
* **Email Address:** Your METU email address, obtained during authentication.
* **Display Name:** An optional custom sender name you may set for outgoing emails.

#### 2.2 Information Collected Automatically

* **Secure Session Tokens:** Encrypted authentication keys generated upon successful login, used to maintain your session securely.
* **Push Notification Identifiers:** Device-specific identifiers used for delivering push notifications.
* **Login Timestamps:** The date and time of your last login.
* **Notification Preferences:** Whether you have enabled or disabled push notifications, and your preferred mail fetch interval.

#### 2.3 Information We Do NOT Collect

* We do **not** read, store, or analyze the content of your emails on our servers. Emails are fetched directly from METU's mail servers and displayed on your device.
* We do **not** collect your location data.
* We do **not** collect device identifiers for advertising purposes.
* We do **not** use analytics or tracking tools.

### 3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the Turkish Personal Data Protection Law (KVKK) and the EU General Data Protection Regulation (GDPR):

| Data Processing Activity              | Legal Basis                                     |
| ------------------------------------- | ----------------------------------------------- |
| Authentication with METU mail servers | Performance of a contract / Legitimate interest |
| Maintaining your login session        | Performance of a contract / Legitimate interest |
| Sending push notifications            | Your explicit consent                           |
| Storing your preferences              | Your explicit consent                           |
| Login timestamps for reliability      | Legitimate interest                             |

You may withdraw your consent at any time for consent-based processing (e.g., push notifications) without affecting the lawfulness of processing carried out before withdrawal.

### 4. How We Use Your Information

We use the collected information solely for the following purposes:

| Purpose                                   | Data Used                                           |
| ----------------------------------------- | --------------------------------------------------- |
| Authenticate you with METU's mail servers | Account credentials                                 |
| Maintain your login session               | Secure session token                                |
| Send push notifications for new emails    | Push notification identifier                        |
| Store your preferences                    | Display name, notification settings, fetch interval |
| Improve app reliability                   | Login timestamps                                    |

### 5. Data Storage and Security

#### 5.1 Local Storage (On Your Device)

* **Credentials and session tokens** are stored using the platform's native secure storage:
  * **iOS:** Keychain Services (hardware-encrypted)
  * **Android:** Encrypted storage with industry-standard encryption
* Your credentials are never stored in plain text on the device.

#### 5.2 Remote Storage

* **Cloud Database:** Stores your user ID, email address, encrypted session token, push notification identifier, notification preferences, display name, and last login timestamp.
* **Data transmission** between the App and our servers is encrypted using HTTPS/TLS.
* **Mail server connections** to METU's servers use TLS encryption.

#### 5.3 Security Measures

* All communications between the App and our servers are encrypted.
* Authentication uses secure, encrypted session tokens.
* Push notification identifiers are encrypted before storage.
* Automatic session invalidation on unauthorized access detection.

### 6. Third-Party Services

The App uses the following third-party services, each with their own privacy policies:

| Service               | Purpose                               | Privacy Policy                                                                     |
| --------------------- | ------------------------------------- | ---------------------------------------------------------------------------------- |
| **Supabase**          | User metadata and preferences storage | [supabase.com/privacy](https://supabase.com/privacy)                               |
| **Expo**              | Push notifications, app updates       | [expo.dev/privacy](https://expo.dev/privacy)                                       |
| **Firebase (Google)** | Android push notification delivery    | [firebase.google.com/support/privacy](https://firebase.google.com/support/privacy) |
| **Render**            | Backend API hosting                   | [render.com/privacy](https://render.com/privacy)                                   |

We do not sell, trade, or share your personal information with any third parties for marketing or advertising purposes.

### 7. International Data Transfers

Some of the third-party services we use (Supabase, Firebase, Expo, Render) may process and store data on servers located outside of Turkey and the European Economic Area (EEA), including in the United States.

When your data is transferred internationally, we ensure appropriate safeguards are in place, including:

* Use of services that comply with industry-standard security certifications
* Encryption of all data in transit (HTTPS/TLS) and at rest
* Reliance on the third-party providers' data processing agreements and standard contractual clauses (SCCs) where applicable

By using the App, you acknowledge and consent to the transfer of your data to countries outside Turkey and the EEA as described above.

### 8. Data Retention and Data Deletion

* **Local data** is retained on your device until you log out or uninstall the App.
* **Remote data** (Supabase) is retained as long as you actively use the App.
* **Upon logout**, local credentials and tokens are immediately deleted from your device.
* **Data Deletion:** You may delete all data that MetuMail stores about you at any time through the App's settings screen by selecting the "Delete My Data" option. All data stored on MetuMail's servers (including your user profile, session tokens, push notification identifiers, and preferences) will be permanently and irreversibly removed within 30 days of the request. **You will not be able to recover this data after deletion.**
* Alternatively, you may request data deletion by contacting us at the email address provided below.
* **Important:** Deleting your MetuMail data does **not** affect your METU email account or its contents. Your METU email account is managed solely by METU, and MetuMail has no authority to create, modify, or delete METU email accounts.

### 9. Your Rights

Under KVKK and GDPR, you have the right to:

* **Access:** Request a copy of the personal data we hold about you.
* **Correction:** Request correction of inaccurate personal data.
* **Deletion:** Delete all data MetuMail stores about you through the App's settings, or request deletion by contacting us. This action is permanent and irreversible.
* **Restriction:** Request restriction of processing of your personal data.
* **Objection:** Object to processing of your personal data based on legitimate interest.
* **Withdraw Consent:** Disable push notifications or stop using the App at any time, without affecting the lawfulness of prior processing.
* **Data Portability:** Your emails remain on METU's servers and are accessible through any standard email client.

To exercise any of these rights, you may use the in-app settings or contact us at the email address provided below.

### 10. Right to Lodge a Complaint

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with:

* **In Turkey:** The Personal Data Protection Authority (KVKK) — [www.kvkk.gov.tr](https://www.kvkk.gov.tr)
* **In the EU:** Your local data protection supervisory authority

### 11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

* Notify the relevant supervisory authority (KVKK and/or applicable EU authority) within 72 hours of becoming aware of the breach
* Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
* Document the breach and the remedial actions taken

### 12. Children's Privacy

The App is intended for METU students and staff. We do not knowingly collect personal information from children under 13 years of age. If we discover that we have collected data from a child under 13, we will delete it promptly.

### 13. Push Notifications

* Push notifications are **optional** and can be enabled or disabled at any time through the App settings.
* When enabled, we store your device's push notification identifier to deliver new email alerts.
* Notification identifiers are deleted from our servers when you disable notifications or delete your MetuMail data.

### 14. Device Permissions

The App may request the following permissions:

| Permission                      | Purpose                                |
| ------------------------------- | -------------------------------------- |
| **Notifications** (Android/iOS) | Deliver new email alerts               |
| **Photo Library** (iOS)         | Save email attachments to your gallery |
| **Storage** (Android)           | Save email attachments to your device  |
| **Internet Access**             | Connect to mail servers and our API    |

All permissions are optional (except internet access) and can be managed through your device settings.

### 15. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted within the App or on our website. We encourage you to review this policy periodically. Your continued use of the App after changes constitutes acceptance of the updated policy.

### 16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

* **Developer:** Gurkan Ciloglu
* **Address:** Ankara, Turkey
* **Email:** <gurkan.ciloglu@metu.edu.tr>
* **Website:** <https://mail.grkn.dev/contact>
* **Bug Reports:** <https://mail.grkn.dev/report-bug>