Privacy Policy

Version: v2026.02.27

Effective Date: February 27, 2026

Last Updated: February 27, 2026

1. Data Controller and Contact

This policy explains how personal data is processed for the Integrio Network mobile application (iOS/Android), website, and web admin panel.

Data Controller: İntegrio Network Teknoloji ve Yazılım Limited Şirketi
Country: Türkiye
Support Email: support@integrio.me
Data Rights Requests (KVKK/GDPR): support@integrio.me

2. Product Reality (Important Statement)

IO and other coin units in the app are not real money.
These units are not crypto assets, securities, or investment products.
No cash-out/withdrawal is provided; conversion to fiat or crypto is not supported.
Coin units function only as in-app ecosystem value and reputation units.
No content in the service constitutes financial advice.

3. Data Inventory / Data Map

Data Category	Source	Purpose	Legal Basis (KVKK/GDPR)	Retention	Recipients	Transfer Regions	Security Controls
Account identity (UID, email, username, email verification, legal consent logs)	User registration, Firebase Auth, `provisionUser`	Account lifecycle, login session, legal proof records	KVKK 5/2-c, 5/2-ç, 5/2-f; GDPR 6(1)(b), 6(1)(c), 6(1)(f)	While account is active; deleted after account closure except required legal/technical logs	Firebase Auth, Firestore	Firebase / Google Cloud infrastructure (production functions in us-central1)	App Check, access controls, server-side profile provisioning
Authentication data (Google/Apple OAuth, auth_time, nonce)	Google Sign-In, Sign in with Apple, Firebase Auth	Secure authentication and account takeover prevention	KVKK 5/2-c, 5/2-f; GDPR 6(1)(b), 6(1)(f)	For account lifetime plus security logging windows	Google, Apple, Firebase	Google/Apple/Firebase provider infrastructure (global + regional processing)	Token validation, recent re-auth checks for critical actions
Profile data (photo URL, blue tick fields: full name, phone, email, country)	User profile inputs and uploads	Profile rendering and verification review operations	KVKK 5/2-c, 5/2-f; GDPR 6(1)(b), 6(1)(f)	Until account deletion	Firebase Storage, Firestore, admin review surfaces	Firebase / Google Cloud infrastructure (production functions in us-central1)	Bucket URL validation, rule-based path restrictions
Device and notification data (FCM token, platform, notification/sound prefs, installId derivative)	App SDKs and device state	Push delivery and anti-abuse device integrity signals	KVKK 5/2-f; GDPR 6(1)(f), plus consent where required by local privacy/ePrivacy rules	Until account deletion; refreshed when tokens rotate	Firebase Messaging, Firestore	Firebase / Google Cloud infrastructure (production functions in us-central1)	Token-device mapping, user-scoped subcollections, permission checks
Security data (IP hash/prefix, user-agent, security clusters, daily earning signals, security logs)	Cloud Functions request metadata and processing logs	Fraud/multi-account detection, abuse prevention, security audit	KVKK 5/2-f, 5/2-ç; GDPR 6(1)(f), 6(1)(c)	No global TTL set in code; retained based on operational/legal need	Firestore security collections, admin-limited access	Firebase / Google Cloud infrastructure (production functions in us-central1)	HMAC hashing, rate limiting, idempotency, admin authorization checks
UGC and social data (token name/symbol/description/logo, comments, likes, messages, reports, appeals)	User-generated content	Community features, moderation, dispute and appeal handling	KVKK 5/2-c, 5/2-f; GDPR 6(1)(b), 6(1)(f)	Until deletion policy event; some moderation records may be retained for legal reasons	Firestore, admin panel	Firebase / Google Cloud infrastructure (production functions in us-central1)	Callable-only writes, rate limits, admin audit logs
Wallet and transaction data (IO balances, token balances, transfer/swap/reward logs)	Server-side transaction processing in Cloud Functions	Balance consistency, accounting integrity, transaction history	KVKK 5/2-c, 5/2-f; GDPR 6(1)(b), 6(1)(f)	Until account deletion; certain audit traces may remain for legal/operational requirements	Firestore	Firebase / Google Cloud infrastructure (production functions in us-central1)	Transactional atomic writes, replay/idempotency protections
Rewarded ad verification data (transaction_id, nonce/custom_data, daily counters)	Google AdMob SSV callbacks	Reward verification and anti-fraud enforcement	KVKK 5/2-f; GDPR 6(1)(f), 6(1)(b)	No automatic deletion TTL currently defined in code	Google AdMob, Firestore	Google AdMob + Firebase processing infrastructure (global + us-central1 callback flow)	Signature validation, nonce checks, transaction idempotency
Survey verification data (CPX transaction id, status, secure_hash, ext_user_id token, payout mappings)	CPX Research callback postbacks	Survey completion verification, crediting, and reversal flow	KVKK 5/2-f; GDPR 6(1)(b), 6(1)(f)	No automatic deletion TTL currently defined in code	CPX Research, Firestore	CPX infrastructure + Firebase us-central1 callback handling	Postback token validation, secure_hash validation, transactional write safeguards
Web telemetry / cookie-like data (Firebase Analytics on web, if measurementId is configured)	Website instrumentation	Optional traffic and usage analytics	Consent where required, plus legitimate interest where legally applicable	Provider-level retention settings	Firebase Analytics	Firebase / Google analytics infrastructure (global processing)	Configuration-controlled trigger behavior; disabled if measurementId is empty

4. Collection Methods

Directly from users (registration, profile, content, report/appeal forms).
From app and server technical logs (session, security, transaction records).
From third parties (Google/Apple auth, AdMob rewarded verification, CPX callbacks).

5. Processing Purposes

Account creation, session management, and authentication.
In-app economy and transaction history management.
UGC moderation, reporting, appeal handling, and community safety.
Fraud/multi-account/bot detection and security operations.
Notification delivery and preference management.
Legal compliance, auditability, and incident response.

6. Legal Bases (KVKK + GDPR)

Contract performance: account services and core product operations.
Legitimate interest: security, fraud prevention, abuse controls, service reliability.
Legal obligation: compliance with lawful requests and recordkeeping obligations.
Consent-based flows: notifications/analytics where local law requires consent.

7. SDKs, Cookies, and Mobile Identifiers

Mobile SDK stack includes Firebase Core/Auth/Firestore/Functions/Storage/App Check/Messaging, Google Mobile Ads, Google Sign-In, and Sign in with Apple.
Push notification tokens are stored under users/{uid}/devices/{token}.
Rewarded ad credits are granted only after server-side verification.
Web analytics execution depends on measurement configuration.
Local storage is used for product preferences and session convenience.

8. Sharing, Recipient Groups, and Cross-Border Transfers

Personal data is not sold. Data is shared only with service providers required to operate the platform, including Google Firebase/GCP, Google AdMob, Google/Apple authentication services, and CPX Research.

Cross-border transfers may occur in accordance with applicable legal safeguards. Production Cloud Functions and callback endpoints primarily run in us-central1. Provider infrastructure may process additional data in regional/global environments.

9. Retention Periods

Account data: retained while account is active.
Wallet daily net summary: code-level retention of 45 days (WALLET_STATS_DAILY_RETENTION_DAYS=45).
Account deletion lock record: 15-minute lock during deletion flow.
Moderation/security/audit logs: no automatic global TTL; retained as required by law or operations.
Ad/survey verification records: no automatic global TTL currently configured.

10. Account Deletion and Data Deletion Flow

In-app path: Profile → Settings → Delete Account. This flow enforces email verification and recent re-authentication checks for account safety.

Primary deletion targets include: users/{uid} (including subcollections), public_users/{uid}, usernames/{USERNAME_KEY}, and Firebase Auth user credentials. User-owned token ownership references may be orphan-marked (e.g., ownerId: null).

Some restricted audit/security records may remain where required for legal, fraud-prevention, or service integrity reasons. Alternative deletion channel: support@integrio.me. Detailed steps: Delete Account.

11. User Rights

Right to access, rectify, erase, restrict, object, and portability where legally applicable.
Requests are handled through support@integrio.me.
Additional identity verification may be required for account-sensitive actions.

12. Security Measures

App Check protection on callable endpoints (configuration-dependent).
Rate limit and idempotency protections.
Server-side validation for rewarded ads and surveys (signature/hash verification).
Firestore/Storage rules and admin authorization boundaries.
Audit logging for sensitive admin operations.

13. Children's Privacy

The service is not directed to children under 13. If such usage is identified, account restrictions or deletion may be applied.

14. Policy Updates

Updates are published on this page. For material changes, in-app notices and/or email notifications may be used.

15. In-App Short Summary

IO/coin units are ecosystem units only, not fiat or crypto money.
No cash-out and no investment return guarantee.
Email verification and re-auth may be required for sensitive operations.
Ad and survey rewards are posted only after backend verification.
Report/appeal moderation flows are available.
Notification and permission-based features can be controlled at device level.
You can delete your account in-app.
For legal detail, review this Privacy Policy and the Terms of Service.

This policy is aligned with observed runtime behavior in the current production-oriented codebase. Update legal metadata and jurisdiction-specific disclosures if your compliance counsel requires additional localization before broad rollout.