Diziyle Öğren — Privacy Policy

Last updated: June 16, 2026
Effective: June 16, 2026

This Privacy Policy explains how your personal data is collected, used, shared, and protected when you use the Diziyle Öğren ("Diziyleogren") vocabulary‑learning service — including our mobile apps for iOS and Android and our website at diziyleogren.com (together, the "Services").

If you have any questions, contact us at [email protected].

0. At a Glance

This summary is provided for convenience. It does not replace the full policy below.

Who we are. Diziyle Öğren is operated by Okan Demir, a sole proprietor based in Türkiye (the "we," "us," or "Controller"). See Section 1.
What we collect. A device identifier and basic device data; your account details (email, display name, avatar, country, language settings); your learning activity (quiz answers, progress, points, streaks, study plans); social and gamification data (friends, leaderboards, badges); your purchase/subscription status; notification preferences; and limited analytics. We collect microphone audio only when you use the pronunciation feature, and it is processed by your device. See Section 2.
Why. To run the app, save your progress, personalize your learning, enable social and gamification features, send the notifications you ask for, process purchases, keep the Services secure, and improve the product. See Section 3.
No ads, no data sales. We do not show advertising, we do not use ad or advertising‑identifier (IDFA/AAID) tracking, and we do not sell or "share" your personal information for cross‑context behavioral advertising. See Section 6 and the US State Notice.
Who we share with. A small set of service providers that help us operate: analytics (Mixpanel, Google/Firebase), push notifications (OneSignal), subscriptions (RevenueCat, Apple, Google), email delivery (Resend), and web card payments (PayTR). See Section 5.
Your controls. You can edit your settings, manage notifications and marketing consent, and delete your account and data from inside the app or on the web. See Section 8 and Section 10.
Children. The Services are intended for users aged 16 and older. See Section 11.
Region‑specific rights. Additional disclosures for the United States, the EEA/UK, and Türkiye appear in the Addenda.

1. Who We Are & Scope

Data Controller:
Okan Demir (sole proprietor), operating under the brand Diziyle Öğren / Diziyleogren
Registered address: 1381091535
Privacy contact: [email protected]

This policy applies to all of the Services:

The Diziyle Öğren mobile app for iOS (Apple App Store) and Android (Google Play).
The website and web app at diziyleogren.com.
Related backend systems and APIs that power those clients.

It does not apply to third‑party services that have their own privacy policies (for example, Apple, Google, your device operating system, or a payment provider), even where you reach them through our Services. Where we name such third parties below, we link to their policies.

By using the Services, you acknowledge this policy. Where the law requires consent (for example, for marketing emails, push notifications, microphone access, or certain analytics), we ask for that consent separately.

2. Information We Collect

We collect data in three ways: (a) data you provide, (b) data collected automatically from your device, and (c) data we receive from third parties (such as Apple or Google when you sign in, or RevenueCat/PayTR when you purchase).

The table below maps each category to its source, the purpose, and — for users in the EEA/UK — the legal basis under the GDPR. Legal‑basis abbreviations: Contract = performance of our contract with you (Art. 6(1)(b)); Consent = your consent (Art. 6(1)(a)); LI = our legitimate interests (Art. 6(1)(f)); Legal = compliance with a legal obligation (Art. 6(1)(c)).

#	Data category	Examples / specific fields	Source	Purpose	Legal basis
1	Device & technical identifiers	A device identifier (on Android, the Android ID; on iOS, an app‑generated UUID stored in the device Keychain); platform (iOS/Android/web); app version; IP address (seen by our servers and our payment provider); device/OS information	Automatic	Create your account, keep you signed in, security and fraud prevention, troubleshooting	Contract, LI
2	Locale & region	Country (derived from your device locale/region settings, not GPS); time zone; device language	Automatic	Localize content, set your default languages, display country flags on profiles/leaderboards, schedule notifications in your time zone	Contract, LI
3	Account & profile	Email address (if you sign in with email, Google, or Apple); display name (optional); avatar (a random "avatar seed" string — not a photo); selected profile title; authentication method (device / Google / Apple / email)	You; Apple/Google at sign‑in	Create and manage your account, display your public profile	Contract
4	Authentication data	Google/Apple identity tokens (validated then used to obtain your email; not retained as tokens); one‑time email verification codes (valid ~10 minutes); session tokens (valid ~3 days)	You; Apple/Google	Verify your identity, secure sign‑in	Contract, LI
5	Learning settings	Native language; learning language; CEFR level per language; app theme; daily study goal	You	Personalize lessons, filter words by your level, run study plans	Contract
6	Learning activity & progress	Quiz answers and sessions (questions answered, correct/incorrect, score, hints used, hearts lost, duration); word‑by‑word progress and review schedule (spaced repetition); points earned; study plans and step progress; streaks; favorites; recent searches (stored on your device)	You (by using the app)	Track and save your progress, schedule reviews, power study plans and the dashboard	Contract
7	Gamification	Badges, medals, titles; gem balance and gem transaction history; hearts/lives; daily‑quest completion	You (by using the app)	Operate the points, rewards, and gamification systems	Contract
8	Social & competition	Friendships and friend requests; invite codes and referral relationships; public profile data (display name, avatar, country, titles, premium badge, stats, public word lists); weekly leaderboard standings (points, rank, league tier)	You; other users (e.g., a friend who adds you)	Provide friends, invites, leagues, and leaderboards	Contract, LI
9	Notification preferences	Master notification on/off; channels (push/email); quiet hours; reminder times and labels; category toggles (streak warnings, league updates, friend activity, hearts refilled, weekly report); device push token	You; Automatic (push token)	Send the reminders and alerts you choose	Consent (push/marketing), Contract
10	Purchases & subscription	Premium status and grants; subscription product/entitlement ID; subscription expiry; store transaction identifiers; hearts and content unlocked via purchase, invites, or promo codes	RevenueCat, Apple, Google; you	Process and restore purchases, grant and manage premium access	Contract, Legal
11	Web payment & billing details (website only)	For card payments on the web: your name, phone number, and billing address (required by our payment provider, PayTR); product, amount, currency, payment status, and a payment token	You	Process your web payment	Contract, Legal
12	Pronunciation audio	Microphone input only while you actively use the pronunciation feature	You	Evaluate your pronunciation in real time	Consent
13	Support & feedback	Contact‑form messages (subject, message); reports you submit about a word	You	Respond to you, fix content	Contract, LI
14	Analytics & usage events	App events (e.g., onboarding steps, quiz started/completed, content viewed, badge earned, errors) and user properties (learning language, native language, premium status, CEFR level), associated with your user ID	Automatic	Understand product usage, fix bugs, improve the Services	Consent or LI (see Section 6)
15	Security & audit logs	Limited server logs; an account‑supersession audit record created when an existing account "adopts" a device previously used anonymously (records the prior anonymous user ID, the device identifier, the email of the winning account, a timestamp, and a snapshot of the prior profile)	Automatic	Security, abuse prevention, account‑recovery integrity	LI, Legal

Important clarifications about what we do not collect:

No precise location. We do not collect GPS or precise location. Your country is inferred from your device's locale/region settings. (Our iOS app contains a location‑permission description for potential future personalization features; if we ever request precise location, the operating system will prompt you first and you can decline.)
No advertising identifiers. We do not access the iOS IDFA or Android Advertising ID and do not present an App Tracking Transparency (ATT) prompt, because we do not track you across other companies' apps or websites for advertising.
No contacts, photos, or camera. We do not read your address book, photo library, or camera.
No voice recordings stored. Pronunciation audio is processed by your device's built‑in speech recognition (see Section 4); we do not store recordings of your voice.
No card numbers. Card details entered for web payments go directly to PayTR's hosted payment form and never reach our servers (see Section 5).

3. How & Why We Use Your Information

We use personal data for the following purposes (the corresponding GDPR legal bases are shown in Section 2):

Provide and operate the Services — create your account, authenticate you, save and sync your learning progress, run quizzes and study plans, and power the dashboard. (Contract)
Personalize your learning — filter and recommend words and content by your CEFR level and chosen languages, and adjust suggested difficulty based on your performance (see Section 3.1). (Contract, LI)
Enable social and gamification features — friends, invites, leagues, leaderboards, badges, medals, titles, streaks, and gems. (Contract, LI)
Communicate with you — send the reminders, streak warnings, league/friend updates, and reports you have enabled, plus essential service messages (such as email sign‑in codes). Marketing emails are sent only with your consent. (Consent / Contract)
Process purchases and manage subscriptions — grant and restore premium access, reconcile subscription status, and keep records required for accounting/tax. (Contract, Legal)
Provide support — respond to your contact messages and word reports. (Contract, LI)
Keep the Services secure — authenticate requests, detect and prevent fraud, abuse, and unauthorized access, and maintain account integrity. (LI, Legal)
Improve the product — understand which features are used and where errors occur, using aggregated and event‑level analytics. (Consent / LI)
Comply with the law — respond to lawful requests and meet legal obligations. (Legal)

We will not use your personal data for materially different, incompatible purposes without telling you and, where required, obtaining your consent.

3.1 Automated Personalization

To keep lessons at the right difficulty, the Services may automatically adjust the difficulty level suggested to you based on your quiz performance (for example, gradually suggesting easier or harder content), and they schedule word reviews using a spaced‑repetition algorithm. Leaderboard ranks are calculated automatically from points earned.

These processes are designed to help you learn and do not produce legal or similarly significant effects about you within the meaning of GDPR Article 22. If you have questions about this personalization, contact us at [email protected].

4. Permissions We Request

We request only the device permissions needed for specific features. You can grant or revoke each one in your device settings.

Permission	Platform	When / why we ask	What happens if you decline
Notifications	iOS & Android	To send study reminders, streak warnings, league/friend updates, and "hearts refilled" alerts that you enable	You will not receive push notifications; the app still works
Microphone	iOS & Android	To let you practice speaking and check your pronunciation	The pronunciation/speaking feature is unavailable; the rest of the app works
Speech recognition	iOS	To evaluate your pronunciation as you speak	The pronunciation feature is unavailable
Location (when in use)	iOS	Reserved for potential future personalization; we do not currently collect precise location and infer your country from device locale instead	No effect on current features

How pronunciation audio is handled. When you use the speaking/pronunciation feature, your microphone audio is processed by your device's built‑in operating‑system speech recognition (Apple's on iOS, Google's on Android). Depending on your device and OS settings, that audio may be processed on‑device or by your operating‑system provider's speech service under their privacy policies. We do not record, store, or transmit your voice to our servers.

We do not sell your personal information and we do not share it for cross‑context behavioral advertising. We share data only with the service providers ("processors") that help us operate the Services, and only as needed for the purposes described above. Each provider is contractually required to protect your data and use it only on our instructions or as described in their own policy.

Recipient	Type	Data shared	Purpose	Privacy policy
Mixpanel	Analytics	App events and user properties (learning language, native language, premium status, CEFR level), associated with your user ID; configured to use Mixpanel's EU data residency	Product analytics and improvement	mixpanel.com/legal/privacy-policy
Google Firebase (Analytics)	Analytics	App/usage events and identifiers	Secondary product analytics	firebase.google.com/support/privacy
OneSignal	Push notifications	Your user ID, device push token, and notification content/metadata	Deliver push notifications	onesignal.com/privacy_policy
RevenueCat	Subscription management	Your user ID and purchase/subscription/transaction information	Process, restore, and reconcile subscriptions	revenuecat.com/privacy
Apple	Sign‑in & in‑app purchases	Sign in with Apple identity (and the relay or real email you choose to share); App Store purchase data	Authentication and iOS purchases	apple.com/legal/privacy
Google	Sign‑in, in‑app purchases & fonts	Google Sign‑In identity (email); Google Play purchase data; on the web, Google Fonts (your IP may be received when fonts load) and Google Identity Services on the login page	Authentication, Android purchases, web typography	policies.google.com/privacy
Resend	Transactional email	Your email address and the message content (e.g., a sign‑in code)	Deliver sign‑in codes and service emails	resend.com/legal/privacy-policy
PayTR	Web card payments	For web card payments: your name, phone, billing address, email/identifier, IP, amount, and order details; card data is entered directly into PayTR and never reaches our servers	Process website card payments (PCI‑DSS compliant)	paytr.com/kvkk
Multiavatar	Avatar rendering (web)	None — avatars are generated on your device from a random seed; no personal data is sent	Display profile avatars	(client‑side library; no data transmission)
Hosting / infrastructure	Hosting	All categories above, as stored in our database	Operate our servers and database (hosted in the European Union, Germany)	—

Server‑side AI for content generation (not your personal data). To generate and translate vocabulary content (words, definitions, example sentences for language pairs), our backend may use Google Gemini. This processing operates on dictionary‑style content, not on your personal data, your messages, or your voice. We do not send your personal information to a third‑party AI provider.

Other disclosures. We may also disclose personal data: (a) to comply with law, legal process, or lawful government requests; (b) to enforce our terms or protect the rights, safety, and property of users, the public, or us; (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this policy or notify you of any material change.

6. Tracking, Advertising & Your Choices

No advertising. The Services contain no third‑party advertising and we earn revenue solely from subscriptions.
No cross‑app tracking / IDFA. We do not track you across other companies' apps or websites and do not access the iOS IDFA or Android Advertising ID. Accordingly, the app does not present an App Tracking Transparency prompt.
Analytics choices. We use Mixpanel and Firebase Analytics to understand usage and improve the app. Where required by law (for example, in the EEA/UK), non‑essential analytics are used on the basis of consent or your ability to object; you can also contact us at [email protected] to object to analytics processing.
Notifications. You control all reminders and alerts in the app's notification settings, and you can disable push notifications entirely in your device settings.
Marketing email. We send marketing/promotional email only if you opt in (an "email marketing consent" setting). You can withdraw consent at any time in your account settings or via the unsubscribe link.
Cookies (website). Our website uses a small number of strictly necessary cookies — a secure, HTTP‑only session cookie (dzo_session, up to 30 days), a short‑lived sign‑in cookie (dzo_pending_signin, ~15 minutes), and a language‑preference cookie (i18n_locale). We do not use advertising or third‑party tracking cookies. Because these cookies are essential to provide the site you request, they do not require consent in most jurisdictions; loading Google Fonts may cause your IP address to be received by Google.

7. International Data Transfers

We are based in Türkiye, our servers and database are hosted in the European Union (Germany), and some of our service providers (see Section 5) are located in the United States or other countries. This means your personal data may be transferred to, stored in, and processed in countries whose data‑protection laws differ from those in your country.

Where we transfer personal data out of the EEA, the UK, or Türkiye, we rely on an appropriate safeguard or legal mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss equivalent where applicable), an adequacy decision, or your explicit consent. You may request more information about these safeguards by emailing [email protected].

8. Data Retention & Deletion

8.1 How long we keep data

We retain your account and learning data for as long as your account exists, so your progress, streaks, and history are available to you.
Email sign‑in codes expire after about 10 minutes; session tokens after about 3 days.
Purchase and payment records may be retained for longer where required for accounting, tax, audit, fraud‑prevention, or legal purposes.
Security/audit logs, including account‑supersession records, are retained for a limited period for security and account‑integrity purposes.
Analytics data is retained according to our analytics providers' standard retention periods.

8.2 Deleting your account

You can delete your account at any time from within the app (Settings → Delete Account) or on the website. Deletion is intentional and irreversible: you confirm twice (and type "DELETE" to proceed). When you delete your account, we permanently delete your personal data from our active systems, including your profile, settings, authentication record, learning progress, points, streaks, gems and gem history, study plans, badges/medals/titles, favorites, quiz history, notification preferences, push token, monetization records, and any word lists you created.

Please note:

Friendship references are anonymized, not exposed. So that your friends' own data stays consistent, friendship links are retained but your identity in them is replaced with a "Deleted User" placeholder rather than your name.
Limited audit/security records may be retained for a short period as described in Section 8.1, and backups are purged on a rolling cycle.
Your subscription is separate. Deleting your account does not cancel an active App Store, Google Play, or web subscription. Cancel it in your Apple/Google account or contact us about a web subscription. A purchased subscription remains active until the end of its paid period.
Revoking third‑party access. If you signed in with Google or Apple, you may also remove this app's access in your Google Account (myaccount.google.com → Security → Third‑party access) or Apple ID (Settings → Sign in with Apple) settings.

To request deletion or ask a question about it, you can also email [email protected].

9. Security

We use reasonable technical and organizational measures designed to protect personal data, including:

Encryption in transit (HTTPS/TLS) for all communication between the apps, the website, and our servers.
Secure credential storage on your device (iOS Keychain / Android encrypted storage) for tokens and the device identifier.
Signed and authenticated API requests and time‑limited session tokens.
Access controls limiting who can access production data.
PCI‑DSS‑compliant payment processing by PayTR for web card payments — card details never touch our servers; the App Store and Google Play handle in‑app purchase payment data.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal‑data breach that affects you, we will notify you and the relevant authorities as required by law.

10. Your Rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

Access — obtain a copy of the personal data we hold about you.
Rectification / correction — correct inaccurate or incomplete data.
Erasure / deletion — delete your data (see Section 8.2).
Restriction / objection — restrict or object to certain processing (including processing based on legitimate interests, and direct‑marketing processing).
Portability — receive certain data in a portable format.
Withdraw consent — where processing relies on consent (e.g., marketing email, push notifications, microphone access), withdraw it at any time without affecting prior processing.
Non‑discrimination — we will not deny you service or charge you differently for exercising your privacy rights.

How to exercise your rights. You can exercise many rights directly in the app: update your profile and settings, manage notifications and marketing consent, and delete your account. For any other request, contact us at [email protected]. We will respond within the time required by applicable law (generally within 30 days, extendable where permitted). To protect your data, we may need to verify your identity before acting on a request. You may use an authorized agent where the law allows.

If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data‑protection authority (see the EEA/UK and Türkiye addenda).

11. Children's Privacy

The Services are intended for users aged 16 and older and are not directed to children under 13. We do not knowingly collect personal data from children under 13 (or under the minimum age of digital consent in your country, which may be up to 16 in parts of the EEA).

If you are a parent or guardian and believe a child under the applicable age has provided us personal data without proper consent, please contact us at [email protected] and we will delete the data and close the account. Because the Services are not child‑directed, we do not knowingly engage in the practices regulated by the U.S. Children's Online Privacy Protection Act (COPPA) with respect to children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. If we make material changes, we will provide a more prominent notice (for example, an in‑app message or email) before the change takes effect, where required by law. We encourage you to review this policy periodically. The current version is always available at https://diziyleogren.com/privacy-policy and in the app's settings.

13. Contact Us / How to Submit a Request

Data Controller: Okan Demir (sole proprietor), operating as Diziyle Öğren / Diziyleogren
Address: 1381091535

You can reach us, and submit any privacy request, by at least two methods:

Email: [email protected]
In‑app: Settings → Contact / Support (or, on the web, the Contact page), and in‑app account‑deletion and settings controls.

Region‑Specific Addenda

Addendum A — United States State Privacy Notice

This addendum supplements the policy above for residents of U.S. states with comprehensive privacy laws, including California (CCPA/CPRA), as well as Virginia, Colorado, Connecticut, Texas, and other states with similar laws. To the extent of any conflict with the main policy, this addendum controls for covered U.S. residents.

Notice at Collection

We collect the categories of personal information described in Section 2. Mapped to California statutory categories, these include:

CCPA category	Do we collect it?	Examples
Identifiers	Yes	Device identifier, user ID, email, IP address
Customer records (Cal. Civ. Code §1798.80)	Yes	Name (display name; billing name for web payments), email, phone & address (web payments)
Commercial information	Yes	Subscription/purchase and transaction records
Internet/network activity	Yes	App usage events, analytics, interactions
Geolocation data	Limited	Country inferred from device locale (no precise GPS)
Audio/electronic information	Limited	Microphone input during pronunciation practice (processed on device; not stored)
Professional/employment, education, biometric, sensitive PI	No	We do not collect these

We collect this information from the sources, and for the business/commercial purposes, described in Sections 2–3. We retain it as described in Section 8.

We do not sell your personal information, and we do not "share" it for cross‑context behavioral advertising, as those terms are defined under the CCPA/CPRA (and equivalent state laws). Because we do not sell or share, we do not offer a separate opt‑out link — there is nothing to opt out of. We also do not use or disclose sensitive personal information for purposes that would require a "Limit the Use of My Sensitive Personal Information" option.

If our practices ever change, we will update this notice and provide the required opt‑out mechanisms. We honor browser‑based opt‑out preference signals such as the Global Privacy Control (GPC) where applicable.

Your U.S. State Rights

Subject to your state's law, you may have the right to: know/access the personal information we collect and how we use and disclose it; correct inaccurate information; delete your personal information; opt out of sale, sharing, or targeted advertising (not applicable to us, as noted); and to not be discriminated against for exercising your rights.

How to exercise them: use the in‑app controls (settings and account deletion) or email [email protected]. We provide at least two methods for submitting requests and will verify your identity before responding. Authorized agents may submit requests where permitted.

This addendum supplements the policy for individuals in the European Economic Area, the United Kingdom, and Switzerland.

Controller. Okan Demir (sole proprietor), Diziyle Öğren / Diziyleogren — contact [email protected]. We have not appointed a Data Protection Officer, as we are not required to; privacy questions go to the contact above.
Legal bases. We process personal data on the bases identified in the table in Section 2 — primarily performance of a contract, your consent (marketing email, push notifications, microphone, and non‑essential analytics where applicable), our legitimate interests (security, fraud prevention, social features, and product improvement), and legal obligations (accounting/tax for purchases). Where we rely on legitimate interests, we have balanced those interests against your rights, and you may object at any time.
Your rights. You have the rights described in Section 10: access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent at any time.
International transfers. See Section 7. We rely on Standard Contractual Clauses or adequacy where we transfer data outside the EEA/UK.
Automated decision‑making. We do not carry out automated decision‑making that produces legal or similarly significant effects (see Section 3.1).
Right to complain. You may lodge a complaint with your local supervisory authority. A list of EEA authorities is available via the European Data Protection Board (edpb.europa.eu); in the UK, contact the Information Commissioner's Office (ico.org.uk).

Addendum C — Türkiye (KVKK) Notice

This addendum supplements the policy for individuals in Türkiye, under the Law on the Protection of Personal Data No. 6698 ("KVKK").

Data controller (Veri Sorumlusu). Okan Demir, operating as Diziyle Öğren — contact [email protected].
Processing. We process your personal data for the purposes described in Section 3, based on the lawful grounds set out in Article 5 of the KVKK (including the necessity of processing for the performance of a contract, compliance with a legal obligation, our legitimate interests, and — where applicable — your explicit consent for purposes such as marketing communications).
Transfers abroad. As described in Section 7, your data may be processed outside Türkiye (in the EU and other countries) by us and our service providers, subject to the safeguards required by the KVKK.
Your rights under Article 11 of the KVKK. You have the right to learn whether your data is processed, request information about the processing, learn its purpose and whether it is used accordingly, know the third parties to whom it is transferred, request correction or deletion, and request notification of these actions to third parties, object to results arising from automated analysis, and claim compensation for damages caused by unlawful processing.
How to exercise them. Email [email protected] or use the in‑app controls. You also have the right to lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — kvkk.gov.tr).

This document describes the data practices of the Diziyle Öğren / Diziyleogren mobile apps and website. Items shown in [brackets] must be completed with the controller's registered details before publication.