heats

Privacy Policy

Last Updated: 9 February 2026

Effective Date: 9 February 2026

1. Introduction

ALUMA Ltd ("we", "us", "our", "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Heats mobile application ("App", "Service").

Data Controller:

  • Legal Name: ALUMA Ltd
  • Registered in: England and Wales
  • Company Number: 14622971
  • Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Contact Email: alumatechnology@alumatechnology.com
  • Website: https://heats.social
  • Data Protection Officer: alumatechnology@alumatechnology.com

Legal Basis: We process personal data in compliance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Applicable international data protection laws (including KVKK for Turkish users, GDPR for EU users)

By using the App, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Email address
  • Password (stored in encrypted/hashed form only)
  • Full name
  • Date of birth (optional, for age verification)

Profile Information:

  • Job title/position
  • Company/organization name
  • Bio/description (up to 500 characters)
  • Phone number
  • Social media profile links (Instagram, LinkedIn, Twitter/X, WhatsApp, TikTok, Facebook, YouTube, Website, etc.)
  • Profile photo/image

User-Generated Content:

  • Digital business cards you create
  • QR codes generated for your cards
  • Cards you scan and save from others
  • Custom card designs and templates

2.2 Information Collected Automatically

Usage Data:

  • Cards created, edited, and shared
  • QR codes scanned
  • App feature interactions (views, taps, navigation)
  • Session duration and frequency
  • Crash reports and error logs

Device Information:

  • Device model and manufacturer
  • Operating system and version (iOS/Android)
  • Unique device identifiers (UDID, Advertising ID where permitted)
  • Screen resolution and device settings
  • IP address
  • Mobile network information (carrier, connection type)

Location Data:

  • Approximate location based on IP address (country/city level)
  • We do NOT collect precise GPS location unless you explicitly grant permission for specific features

2.3 Information from Third Parties

Authentication Providers:

  • When you sign in with Google: Google user ID, email address, profile name, and profile picture (if you consent)

Analytics Services:

  • We may use analytics tools (e.g., Google Analytics, Firebase) that collect aggregated usage statistics

2.4 Cookies and Tracking Technologies

The App may use:

  • Session tokens to keep you logged in
  • Local storage for app preferences and offline functionality
  • Analytics cookies to understand app performance (you may opt-out in settings)

We do NOT use advertising or tracking cookies in the current version.

3. How We Use Your Information

We process your personal data for the following purposes:

3.1 Service Provision (Legal Basis: Contract Performance)

  • Create and manage your account
  • Generate digital business cards and QR codes
  • Enable card sharing and scanning functionality
  • Store and display your saved card collection
  • Authenticate your identity and maintain session security

3.2 Service Improvement (Legal Basis: Legitimate Interest)

  • Analyze usage patterns to improve features
  • Troubleshoot technical issues and bugs
  • Develop new features and functionality
  • Conduct user research and surveys (with consent)

3.3 Communication (Legal Basis: Contract / Legitimate Interest / Consent)

  • Send service-related notifications (security alerts, account changes)
  • Respond to your inquiries and support requests
  • Send product updates and feature announcements (you may opt-out)
  • Conduct customer satisfaction surveys (with consent)

3.4 Security and Fraud Prevention (Legal Basis: Legitimate Interest / Legal Obligation)

  • Detect and prevent unauthorized access
  • Investigate and respond to security incidents
  • Enforce our Terms of Service
  • Comply with legal obligations and law enforcement requests

3.5 Legal Compliance (Legal Basis: Legal Obligation)

  • Comply with applicable laws and regulations
  • Respond to lawful requests from authorities
  • Protect our legal rights and interests

4. How We Share Your Information

We do NOT sell your personal data. We may share your information in the following circumstances:

4.1 Public Sharing (By Your Choice)

Digital Business Cards: When you share your card via QR code or link, the following information becomes publicly accessible:

  • Name, title, company
  • Contact details you've chosen to include (phone, email)
  • Social media links
  • Profile photo
  • Bio/description

Important: Information you include in your cards is considered "publicly disclosed" once shared. Control what you share carefully.

4.2 Service Providers (Processors)

We engage trusted third-party companies to support our operations:

  • Supabase (USA/EU): Database hosting, authentication, real-time data sync
  • Google Cloud Platform (USA/EU): Authentication (Google Sign-In), cloud services
  • Expo (USA): Mobile app development and push notifications
  • Analytics providers: Usage analytics and crash reporting (if applicable)

These providers are contractually obligated to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Not use data for their own purposes

4.3 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with court orders, subpoenas, or legal processes
  • Respond to government or regulatory requests
  • Investigate fraud, security breaches, or Terms violations
  • Protect our rights, property, or safety, or that of users or the public

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. You will be notified of any such change and choices you may have.

4.5 With Your Consent

We may share information for other purposes with your explicit consent.

5. International Data Transfers

5.1 Data Storage Locations

Your data may be stored and processed in:

  • United Kingdom (primary data controller location)
  • European Union (Supabase, Google Cloud servers)
  • United States (Supabase, Google Cloud, Expo servers)

5.2 Transfer Safeguards

For transfers outside the UK/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO and EU Commission
  • Adequacy decisions (e.g., EU-US Data Privacy Framework for participating companies)
  • Binding Corporate Rules where applicable

5.3 Country-Specific Notes

For Turkish Users (KVKK Compliance):
Your data may be transferred abroad as described above. By using the App, you consent to these transfers, which are necessary for service provision.

For EU/EEA Users:
Data transfers comply with GDPR requirements, including SCCs and appropriate safeguards.

6. Your Data Protection Rights

Depending on your location, you have the following rights:

6.1 UK GDPR / GDPR Rights (UK, EU/EEA users)

  • Right to Access: Request a copy of your personal data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data.
  • Right to Restriction: Limit how we process your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior lawful processing).
  • Right to Lodge a Complaint: Contact the Information Commissioner's Office (ICO) in the UK or your local supervisory authority.

6.2 KVKK Rights (Turkish users)

  • Right to Learn: Whether your personal data is being processed.
  • Right to Request Information: If processed, request details about processing.
  • Right to Learn Purpose: Know the purpose of processing and whether data is used in accordance with its purpose.
  • Right to Know Third Parties: Identify third parties to whom data is transferred domestically or abroad.
  • Right to Rectification: Request correction of incomplete or inaccurate data.
  • Right to Deletion/Destruction: Request deletion or destruction of data under specific conditions.
  • Right to Notification: Request that corrections, deletions, or destructions be notified to third parties.
  • Right to Object: Object to adverse consequences arising from automated data processing.
  • Right to Compensation: Claim compensation for damages arising from unlawful processing.

How to Exercise KVKK Rights:
Email: alumatechnology@alumatechnology.com
We will respond within 30 days as required by KVKK Article 13.

6.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act. Contact us for details.

6.4 How to Exercise Your Rights

In-App Options:

  • Update profile information in Settings
  • Delete your account via Settings > Account > Delete Account

Email Request:

Send your request to alumatechnology@alumatechnology.com with:

  • Your name and email address associated with your account
  • Specific right you wish to exercise
  • Verification information (we may request additional proof of identity)

Response Time: We will respond to verified requests within:

  • 30 days (UK GDPR, KVKK)
  • 45 days (CCPA - if applicable)

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Active Accounts:

  • Profile data: Retained while your account is active
  • Usage logs: Up to 12 months
  • Chat/support inquiries: Up to 2 years

Deleted Accounts:

  • Personal data: Permanently deleted within 30 days of account deletion
  • Backup copies: Removed within 90 days from backup systems
  • Anonymized analytics: May be retained indefinitely (cannot identify you)

Legal/Regulatory Requirements:

  • Financial records (if applicable): Up to 7 years as required by law
  • Data subject requests: Records kept for 3 years for accountability

Exception: We may retain data longer if required by law, to resolve disputes, enforce agreements, or protect legal rights.

8. Data Security

We implement industry-standard security measures to protect your data:

8.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Password Security: Passwords hashed using bcrypt with salt
  • Secure Authentication: OAuth 2.0 for Google Sign-In
  • API Security: Token-based authentication with expiration
  • Regular Security Audits: Vulnerability assessments and penetration testing

8.2 Organizational Measures

  • Employee access controls and confidentiality agreements
  • Data minimization principles (collect only what's necessary)
  • Regular staff training on data protection
  • Incident response plan for data breaches

8.3 Limitations

No system is 100% secure. While we strive to protect your data:

  • Internet transmission is never completely secure
  • You are responsible for maintaining the confidentiality of your password
  • Notify us immediately at alumatechnology@alumatechnology.com if you suspect unauthorized access

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours (UK GDPR requirement)
  • We will notify you without undue delay if the breach is likely to result in high risk to you
  • Notification will include: nature of the breach, likely consequences, and measures taken

10. Children's Privacy

10.1 Age Restrictions

The App is NOT intended for children under 13 years old. We do not knowingly collect data from children under 13.

10.2 Parental Consent

Users aged 13-17 must obtain parental or guardian consent before using the App.

10.3 Discovery of Child Data

If we become aware that we have collected data from a child under 13 without parental consent, we will:

  • Delete the account and data immediately
  • Notify the parent/guardian if we have contact information

Parents: If you believe your child has provided us with personal data, contact us at alumatechnology@alumatechnology.com.

11. Camera and Photo Library Permissions

11.1 Camera Access (iOS: NSCameraUsageDescription / Android: CAMERA)

  • Purpose: To scan QR codes from other users' digital business cards
  • When Requested: When you tap "Scan QR Code" for the first time
  • Data Usage: Camera feed is processed locally; images are not stored unless you save the scanned card

11.2 Photo Library Access (iOS: NSPhotoLibraryUsageDescription / Android: READ_EXTERNAL_STORAGE)

  • Purpose: To select photos for your profile picture or card background
  • When Requested: When you tap "Upload Photo" or "Change Profile Picture"
  • Data Usage: Only selected images are uploaded to our servers; we do not access other photos

11.3 Permission Management

You can revoke these permissions at any time via your device settings:

  • iOS: Settings > Heats > Photos/Camera
  • Android: Settings > Apps > Heats > Permissions

12. Third-Party Links and Services

12.1 External Links

User profiles may contain links to third-party websites and social media platforms. We are not responsible for:

  • Privacy practices of external sites
  • Content or security of linked sites

Recommendation: Review the privacy policies of any third-party sites you visit.

12.2 Social Media Integration

When you link social media profiles (Instagram, LinkedIn, etc.):

  • We only store the URL/username you provide
  • We do NOT access your social media accounts or import data from them
  • Clicking these links will redirect users to the respective platforms

13. Automated Decision-Making and Profiling

We do NOT engage in automated decision-making or profiling that produces legal effects or significantly affects you.

Limited Analytics: We may use automated analysis to understand usage trends (e.g., "most used features"), but this does NOT result in individual profiling or automated decisions about you.

14. Do Not Track (DNT) Signals

Our App does not currently respond to "Do Not Track" browser signals, as there is no industry consensus on how to interpret them. We follow the data practices described in this policy regardless of DNT settings.

15. Changes to This Privacy Policy

15.1 Notification of Changes

We may update this Privacy Policy from time to time. Changes will be communicated via:

  • Material changes: 30-day advance notice via email and in-app notification
  • Non-material changes: Effective immediately upon posting

15.2 Review and Consent

We encourage you to review this policy periodically. Continued use after changes become effective constitutes acceptance. If you do not agree, you must stop using the App and delete your account.

15.3 Version History

Previous versions of this policy are available upon request at alumatechnology@alumatechnology.com.

16. Contact Us

16.1 General Inquiries

For questions, concerns, or complaints about this Privacy Policy:

ALUMA Ltd

Email: alumatechnology@alumatechnology.com

Website: https://heats.social

Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

16.2 Data Protection Officer

For data protection inquiries:

Data Protection Officer

Email: alumatechnology@alumatechnology.com

16.3 Supervisory Authorities

UK Users:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113

EU/EEA Users:
Contact your local Data Protection Authority: https://edpb.europa.eu/about-edpb/board/members_en

Turkish Users (KVKK):
Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu)
Website: https://www.kvkk.gov.tr
Email: kvkk@kvkk.gov.tr


17. Cookie Policy

Currently, the Heats mobile app uses minimal cookies/local storage for:

  • Essential cookies: Session authentication tokens (cannot be disabled)
  • Functional cookies: User preferences and settings
  • Analytics cookies: Anonymous usage statistics (can be opted out in Settings)

We do NOT use:

  • Advertising cookies
  • Third-party tracking cookies

Managing Cookies: To manage cookies, adjust settings in the App or clear app data in your device settings.


18. Summary of Key Points

  • What We Collect: Account info, profile data, usage analytics, device info
  • Why We Collect: Provide service, improve features, ensure security
  • Who We Share With: Service providers (Supabase, Google), legal authorities when required
  • Your Rights: Access, delete, correct, export your data
  • Data Location: UK, EU, USA (with safeguards)
  • Retention: Active accounts: duration of use; Deleted: 30 days
  • Security: Encryption, password hashing, regular audits
  • Children: Not for users under 13; parental consent required for 13-17
  • Contact: alumatechnology@alumatechnology.com

19. KVKK Privacy Notice (For Users in Türkiye)

Under Personal Data Protection Law No. 6698 ("KVKK"), your personal data is processed as follows:

Data Controller:
ALUMA Ltd
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: alumatechnology@alumatechnology.com

Personal Data Processed:
First name, last name, email, phone number, profile photo, social media links, company information

Purpose of Processing:
To provide the digital business card service, ensure account security, and improve app performance

Transfers:
Your data is processed on servers in the United Kingdom, the EU, and the USA through our service providers (Supabase, Google Cloud). These transfers are carried out in accordance with KVKK as required for the service.

Your Rights:

  • To learn whether your personal data is being processed
  • To request information if it has been processed
  • To learn the purpose of processing and whether the data is used in accordance with that purpose
  • To know the third parties to whom the data is transferred domestically or abroad
  • To request correction if the data has been processed incompletely or inaccurately
  • To request deletion or destruction of the data under the conditions set out in Article 7 of KVKK
  • To request that correction, deletion, or destruction operations be notified to the third parties to whom the personal data has been transferred
  • To object to a result arising against you because the data is analyzed exclusively by automated systems
  • To claim compensation for damage if you suffer damage due to unlawful processing

Application:
To exercise your rights, you may apply in writing to alumatechnology@alumatechnology.com. Your applications will be concluded free of charge within 30 days at the latest.


Acknowledgement: By using Heats, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

Last Reviewed: 9 February 2026