Privacy Policy
Bodica — Body Language Analysis App
Last Updated: April 5, 2026
1. Introduction
Bodica ("we," "us," or "our") is a mobile application developed by Anil Burcu, an independent developer. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Bodica application (the "App").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), and other applicable data protection laws.
Data Controller: Anil Burcu
Email: bodica@icodex.dev
2. Age Requirement
Bodica is intended for users aged 13 and older. We do not knowingly collect personal data from children under the age of 13. If we discover that a child under 13 has provided us with personal data, we will promptly delete that information. If you believe a child under 13 has shared data with us, please contact us at the email address above.
3. Data We Collect
3.1 Account Information (Provided by You)
When you create an account, we collect your email address for authentication purposes. If you sign in with Apple or Google, we may also receive your name and profile photo URL from your OAuth provider. Your password (if using email sign-up) is stored as a secure bcrypt hash and is never accessible in plain text. All account data is stored in the European Union (Ireland).
3.2 Photos and AI Analysis
When you use the body language analysis feature, photos you select from your camera or gallery are sent to Google's Gemini API through our secure server for analysis. Photos are not stored on our servers — they are forwarded in a single request and immediately discarded. Analysis results and a small thumbnail are stored only on your device (up to 20 records) and are never uploaded to our servers. We record the number of analyses you perform each day on our server for rate limiting purposes.
Google may retain API request data for up to 30 days for abuse monitoring purposes, in accordance with their API Terms of Service. Photos sent via API are not used by Google for model training.
3.3 Learning Progress and Gamification
We store your lesson progress, quiz results, experience points, level, streak data, and earned badges on our server to provide a continuous learning experience across devices. This data is stored in the European Union (Ireland).
3.4 Subscription and Payment Data
If you subscribe to Bodica Premium, we store your subscription status, product identifier, start and expiry dates, and the store type (App Store or Google Play) on our server. Payment processing is handled entirely by Apple or Google — we never receive or store your credit card number, billing address, or other financial details. RevenueCat, our subscription management provider based in the United States, processes transaction data and store receipts on our behalf.
3.5 Push Notifications
If you enable push notifications, we store your push token, device name, and a device identifier on our server to deliver notifications. Your notification preferences (messages, updates, promotions) are stored on our server and your device. You can disable notifications at any time through the App's settings or your device settings.
3.6 Analytics Data (Consent-Based)
We use PostHog (EU-hosted) for product analytics. Analytics data is collected only if you give explicit consent. You can opt out at any time in the App's settings.
When you consent, we collect app usage events (such as lessons completed, quizzes started, features used) along with an anonymized user identifier (first 8 characters of your account ID). The PostHog SDK also automatically collects basic device information: device ID, operating system, OS version, app version, and screen dimensions.
We do not collect your name, email, location, or browsing history through analytics. A full list of events we track is provided in Section 12.
3.7 Error and Crash Reporting
We use Sentry (EU-hosted, Germany) to detect and fix app errors. This is automatic and essential for app stability. Data collected includes error messages, stack traces, device model, OS version, app version, navigation breadcrumbs (screen names only, no personal content), and an anonymized user identifier (first 8 characters of your account ID).
We do not send your email, name, or authentication tokens to Sentry. Our error reporting system actively filters out authorization headers, API keys, tokens, and passwords before any data leaves your device.
3.8 Data Stored Only on Your Device
Certain data is stored only on your device and is never transmitted to our servers: app preferences (theme, language, font size), analytics consent status and timestamp, analysis history and thumbnails, and authentication session tokens (stored in encrypted local storage).
4. How We Use Your Data
We use your data for the following purposes:
- Providing the App's core features — account management, AI analysis, learning progress, and subscriptions. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
- Delivering push notifications — based on your preferences. Legal basis: consent (Art. 6(1)(a)).
- Product analytics — understanding how the App is used to improve it. Legal basis: consent (Art. 6(1)(a)).
- Error tracking and stability — identifying and fixing bugs. Legal basis: legitimate interest (Art. 6(1)(f)).
- Fraud and abuse prevention — rate limiting and security measures. Legal basis: legitimate interest (Art. 6(1)(f)).
5. Data Sharing and Third-Party Services
We do not sell your personal data. We share data only with the following service providers, each acting as a data processor on our behalf:
- Supabase (EU, Ireland) — database, authentication, and server functions. Receives account data, learning progress, and subscription data.
- Google Gemini API (Google Cloud, global) — AI body language analysis. Receives photos transiently (not stored) and analysis prompts.
- PostHog (EU) — product analytics, consent-based only. Receives anonymized usage events and device information.
- Sentry (EU, Germany) — error tracking. Receives crash reports and anonymized device information.
- RevenueCat (US) — subscription management. Receives user ID, transaction data, and store receipts.
- Expo (US) — push notifications and app updates. Receives push tokens and notification content.
- Apple / Google (global) — authentication and payment processing. Receives OAuth tokens (transient) and handles all payment transactions.
6. International Data Transfers
Your core data (account information, learning progress, subscriptions) is stored within the European Union (Ireland). Some data is transferred outside the EU to the following services:
- RevenueCat (United States) — user ID and transaction data, protected by Standard Contractual Clauses (SCCs).
- Google Gemini API (global) — photos sent transiently for analysis, protected by Google's Data Processing Terms and SCCs.
- Expo Push (United States) — push tokens and notification content, protected by SCCs.
OAuth tokens exchanged with Apple and Google during sign-in are transient and not stored by us.
7. Data Retention
- Account data, learning progress, badges, quiz results, subscriptions — retained until you delete your account.
- Push notification tokens — deactivated on logout; permanently deleted when you delete your account.
- Analytics events (PostHog) — subject to PostHog's retention settings; linked only to an anonymized 8-character identifier.
- Crash reports (Sentry) — automatically deleted after 90 days.
- Photos sent for analysis — not retained on our servers; Google may log API requests for up to 30 days for abuse monitoring.
- Analysis history on your device — up to 20 records, stored until you clear them or uninstall the App.
- Consent records on your device — stored for the lifetime of the App installation.
8. Your Rights
Under GDPR and KVKK, you have the right to:
- Access your personal data and receive a copy of it.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") — you can delete your account directly in the App under Settings → Personal Details → Delete Account.
- Restrict processing of your data.
- Port your data in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent for analytics (Settings → Privacy) or push notifications (Settings → Notification Preferences) at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, you may use the in-app features or contact us at bodica@icodex.dev. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In Turkey: the Personal Data Protection Authority (KVKK, kvkk.gov.tr). In the EU: the Data Protection Commission of Ireland or your local supervisory authority.
9. Data Security
We implement the following measures to protect your data:
- All network communication is encrypted using HTTPS/TLS.
- Authentication session tokens are stored in encrypted local storage on your device.
- Server-side Row Level Security (RLS) ensures every database query is restricted so users can only access their own data.
- Sensitive data (API keys, tokens, passwords) is filtered from error reports before transmission.
- User passwords are stored as bcrypt hashes.
- The account deletion process uses server-side verification and cascading deletion across all data tables.
10. Cookies and Tracking Technologies
Bodica is a mobile application and does not use cookies. We do not use advertising identifiers (IDFA or GAID), fingerprinting, or cross-app tracking of any kind. Our analytics solution (PostHog) is consent-based and uses a randomly generated device identifier, not an advertising identifier.
11. Account Deletion
You can permanently delete your account at any time: Settings → Personal Details → Delete Account.
When you delete your account, all personal data on our servers is permanently removed, including your profile, learning progress, quiz results, badges, subscription records, push notification tokens, notification preferences, and AI usage history. Local data on your device is also cleared.
Data held by third-party services is subject to their retention policies: Sentry data is automatically deleted after 90 days; PostHog and RevenueCat data is linked only to an anonymized identifier (not your email or name).
If you have an active subscription, you must cancel it through the App Store or Google Play before deleting your account.
12. Analytics Event Reference
For transparency, below is the complete list of analytics events we may collect with your consent: app opened, signup started, signup completed (with sign-in method), onboarding started, onboarding completed, category viewed, lesson viewed, lesson completed (with duration), quiz started, quiz completed (with score), streak continued, analysis used (with language), paywall viewed, purchase started, purchase completed, purchase failed, purchase restored, notification tapped, consent changed, and terms accepted.
No event contains your name, email, photos, or any content you create.
13. Changes to This Policy
We reserve the right to update, modify, or replace this Privacy Policy at any time, at our sole discretion. Changes may include adding, removing, or revising any section of this policy. We will notify you of changes by updating the "Last Updated" date at the top of this page. It is your responsibility to review this page periodically for any changes. Your continued use of the App after any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the App and delete your account.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights:
Email: bodica@icodex.dev
Developer: Anil Burcu