Privacy Policy

Version 1.0 · Effective date: April 22, 2026

Overview
Data Controller
Data We Collect
Processing Purposes and Legal Basis
Data Sharing
Retention
Data Security
Your Rights
Children's Privacy
Policy Changes
Contact

1. Overview

Capsly ("we", "the app", "the service") is a time capsule platform where users record videos ahead of time and publish them at a moment they choose. This Privacy Policy describes how your data is collected, used, and protected while you use our service.

Capsly operates in compliance with the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK).

2. Data Controller

The data controller under this policy is the Capsly team. Contact: support@capsly.app

3. Data We Collect

3.1 Account Information

Email address
Username
Password (stored only as a bcrypt hash; never in plaintext)
Registration date and the policy version you accepted
If you sign in with OAuth, a basic profile identifier from the provider (Google/Facebook)

3.2 Content Data

Videos you upload, along with their titles, tags, and categories
Scheduled publish time and visibility preference (public / followers / direct)
Auto-generated thumbnails

3.3 Interaction Data

Users you follow and users who follow you
Votes you cast (+1 / -1) and predictions (will happen / won't happen)
Feed impression records (so we don't show you the same video twice)

3.4 Technical Data

FCM push notification token (optional, only if you granted permission)
App version and device type (iOS/Android) — for troubleshooting
IP address and coarse location (for security logs)

4. Processing Purposes and Legal Basis

Providing the service (performance of a contract): Account management, video upload/publishing, feed generation.
Security (legitimate interest): Abuse detection, account security, token rotation.
Notifications (explicit consent): Push notifications about followers, publishing, and prediction outcomes.
Legal obligations: Responding to law enforcement requests and legal processes.

Capsly does not sell your personal data to third parties. Data is processed with the following service providers:

Amazon Web Services (AWS): Hosting, video storage (S3), database (Aurora), CDN (CloudFront). We use the AWS Frankfurt region (eu-central-1).
Firebase Cloud Messaging (Google): Only your device token is transmitted, for push notifications.
Google / Facebook OAuth: If you choose to sign in via these providers, we receive a profile identifier from them.

In response to official requests (court orders, prosecutor warrants), data may be shared to the extent required by law.

6. Retention

Account data is retained for as long as your account is active.
After you request account deletion, a 30-day grace period applies; you may reactivate during this window.
At the end of the grace period personal data is permanently deleted (or anonymized).
Metadata for published videos may be preserved under an anonymous account after user deletion, for content integrity.
Security logs are retained for a maximum of 12 months.

7. Data Security

All data traffic is encrypted with HTTPS/TLS 1.2+.
Passwords are hashed with bcrypt (12 rounds).
JWT session tokens are generated using RS256 asymmetric signing, with refresh rotation.
Database access lives inside a private network (VPC) and is not reachable from the public internet.
Video files are stored in private S3 buckets and accessible only through signed URLs.

8. Your Rights

Under Article 15-22 of the GDPR and Article 11 of KVKK, you have the following rights:

Access to your processed data and a copy of it (data export)
Rectification of inaccurate data
Erasure of your data (the "right to be forgotten")
Withdrawal of consent where processing is based on consent
Objection to processing
Portability: receiving your data in a machine-readable format

To exercise these rights:

Data export: Use "Settings → Download My Data" in the app. A ZIP will be prepared within 24 hours.
Account deletion: Use "Settings → Delete My Account" in the app.
Other requests: Write to support@capsly.app. Responses are provided within 30 days.

9. Children's Privacy

Capsly is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you are a parent and believe your child has created an account, please contact us and the account will be deleted promptly.

10. Policy Changes

When we make material changes to this policy we notify you via in-app notice or email. Previous versions remain accessible at archive URLs such as /privacy-policy/v1.0, so you can see which version you accepted.

Current version: v1.0

11. Contact

For any privacy-related question, request, or complaint: support@capsly.app