Privacy Policy

Effective date: 14 May 2026 Last updated: 14 May 2026

This Privacy Policy explains how Han Yazilim Bilisim Hizmetleri (“we,” “us,” “Kinobolt”) collects, uses, and protects your personal information when you use the Kinobolt iOS application and the kinobolt.app website (collectively, the “Service”). Kinobolt is a personal wellness app that blocks selected iOS apps until you complete a daily movement goal measured by Apple Health.

We designed Kinobolt to collect as little personal data as possible. The app works fully without an account, raw health data never leaves your device, and you can delete everything at any time.

1. Who we are

The data controller for Kinobolt is:

Han Yazilim Bilisim Hizmetleri Cinar Mh, Yesiltepe Sk, No 3, Istanbul, TR, Türkiye Email: hello@kinobolt.app

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland and have questions about how your personal data is handled, you can contact us at the email above.

2. Information we collect

2.1 Information stored only on your device

The following data is created and stored entirely on your iPhone in local app storage. It never leaves your device unless you sign in with Apple to back it up:

Health and activity data read from Apple HealthKit, including step count, walking and running distance, cycling distance, swimming stroke count and workout duration, wheelchair push count, hiking workout duration, active energy burned, resting heart rate, walking speed, and sleep analysis. We read this data to calculate your daily Move Point total — we do not transmit raw HealthKit samples to our servers.
Selected apps to block. The list of apps you choose to block is stored as opaque tokens provided by Apple’s FamilyControls framework. We never see app names, bundle identifiers, or icons — Apple renders those in its own UI.
Local progress data including streaks, achievements, daily goals, and onboarding state.

Signing in with Apple is optional. If you choose to sign in to back up your progress, we collect and store on our servers:

Apple User Identifier — a stable, anonymized identifier provided by Apple. We do not receive your real Apple ID.
Display name — only the given name you provided to Apple on your very first sign-in. Apple does not send this on subsequent sign-ins.
Email address — the email Apple shares with us, which may be Apple’s private relay email (@privaterelay.appleid.com). We fully support relay emails and do not require you to share your real email.
Timezone — your device’s IANA timezone (e.g. Europe/Istanbul), used to calculate when each day resets in your local time.

2.3 Information we generate

When signed in, we store on our servers:

Daily aggregated totals — your daily Move Point total, whether you reached your goal, per-activity daily totals (e.g. total steps that day), and the timestamp at which the goal was reached.
Streak data — current streak, longest streak, last active date.
Achievements earned — the achievement key, when it was unlocked, and how many times.
Subscription and purchase state — whether you have an active Kinobolt Pro subscription, your Flex Pass balances, and a reference identifier from our payments processor.
AI coaching messages — when you are subscribed to Kinobolt Pro, we store the text of the daily nudges, weekly reviews, goal calibration suggestions, and milestone messages that have been generated for you.

2.4 Information collected automatically

When you use the app, we and our service providers automatically collect:

Analytics events — actions such as opening the app, completing onboarding, earning achievements, opening the paywall, and starting or canceling a subscription. These events are tied to a pseudonymous identifier, not your real identity.
Install attribution data — information that helps us measure whether marketing campaigns are effective, such as the campaign source of your install. We do not receive your IDFA (advertising identifier) unless you grant App Tracking Transparency permission.
Crash and error reports — technical information about bugs and crashes, such as the device model, iOS version, and a stack trace. This may include the screen you were on but never your health data or list of blocked apps.
Subscription receipts — Apple-signed receipts validating your purchases. These are processed by our payments provider.

2.5 Information we do not collect

We do not collect:

Your real name, address, phone number, or date of birth
Your real Apple ID, password, or any login credential
Raw HealthKit data, individual workouts, or biometric samples beyond aggregate daily totals
The names, bundle identifiers, or icons of the apps you block
GPS location data
Contact list, photos, or microphone data
Data about other people on your device

3. How we use your information

We process the information described above to:

Operate the app’s core function — calculating your daily Move Points and unlocking your blocked apps when you reach your goal
Sync your progress across devices when you are signed in
Provide AI-generated coaching content if you subscribe to Kinobolt Pro
Process Pro subscriptions and Flex Pass purchases through Apple
Send you push notifications related to your daily progress (only if you have granted notification permission)
Detect and diagnose bugs and crashes
Measure marketing effectiveness so we can focus on what works
Comply with legal obligations, including responding to lawful requests from authorities

4. Legal basis for processing (EEA, UK, Switzerland)

If you are in the EEA, the United Kingdom, or Switzerland, our legal bases for processing your personal data under the GDPR are:

Contract performance — to provide the Service you have requested, including syncing your progress and delivering Pro features.
Legitimate interests — to maintain the security of the Service, prevent fraud, debug technical issues, and improve the Service. We balance our interests against your rights and freedoms.
Consent — for push notifications, App Tracking Transparency, and any optional analytics where required. You can withdraw consent at any time in your device settings.
Legal obligation — to comply with applicable laws.

We do not sell your personal data. We share specific data with service providers (“sub-processors”) who help us operate the Service.

In summary:

Apple — provides Sign in with Apple, HealthKit, FamilyControls, and App Store payment processing
Supabase — hosts our database, authentication, and serverless functions.
Adapty — validates Apple subscription receipts and manages Pro and Flex Pass purchase state
OneSignal — delivers push notifications
AppsFlyer — measures install attribution
Mixpanel — processes product analytics events
Sentry — collects crash and error reports
Anthropic — generates AI coaching content from anonymized user context (Pro subscribers only)

We may also share information if required by law, to enforce our Terms of Use, to protect the rights, property, or safety of Han Yazilim Bilisim Hizmetleri or others, or in connection with a corporate transaction such as a merger or acquisition.

6. International data transfers

Han Yazilim Bilisim Hizmetleri is based in Türkiye. Our primary backend infrastructure is in Frankfurt, Germany (European Union). Some of our sub-processors are located in the United States or other jurisdictions outside the EEA, the UK, and Türkiye.

When personal data is transferred outside the EEA, the UK, or Türkiye, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms under Turkish law (KVKK).

7. How long we keep your data

Local device data — retained on your device until you delete the app or reset its data
Daily aggregated totals, streaks, achievements, coaching messages — retained for as long as your account exists, so your lifetime progress is preserved
Raw per-session activity logs — retained for 90 days, then aggregated into monthly summaries and deleted
Crash and error reports — retained for 30 days
Analytics events — retained according to each provider’s default retention period
Subscription transaction records — retained for as long as required by tax and consumer protection laws

When you delete your account (see Section 9), we schedule all your personal data for permanent deletion. Backup copies are overwritten within 30 days.

8. Children’s privacy

Kinobolt is intended for adults and is not directed at children under the age of 9 (or under the age of 16 in jurisdictions where that is the relevant threshold). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verified parental consent, we will delete it promptly.

If you believe a child has provided us with personal data, please contact hello@kinobolt.app.

9. Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate or incomplete data
Deletion — request that we delete your personal data
Restriction — ask us to limit how we use your data
Objection — object to processing based on legitimate interests
Data portability — receive your data in a portable format
Withdrawal of consent — withdraw consent at any time where we rely on consent
Complaint — lodge a complaint with your local data protection authority

You can exercise most of these rights directly in the app:

Sign out — Settings → Account → Sign out
Delete account — Settings → Account → Delete account. Account deletion has a 30-day grace period during which you can restore your account; after 30 days, all data is permanently deleted.
Revoke HealthKit access — iOS Settings → Privacy & Security → Health → Kinobolt
Revoke notification access — iOS Settings → Notifications → Kinobolt
Withdraw App Tracking permission — iOS Settings → Privacy & Security → Tracking → Kinobolt

To exercise any other right or if you have questions, contact hello@kinobolt.app.

Additional rights for California residents

Under the California Consumer Privacy Act (CCPA), California residents have the right to know what categories of personal information we collect, the right to request deletion, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising these rights. We do not sell personal information.

10. Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

All data in transit is encrypted with TLS 1.2 or higher
Database access is restricted by row-level security policies — a user can only ever read or write their own data
Authentication tokens are stored in the iOS Keychain (hardware-backed)
Server-side authorization for all subscription and pass redemption decisions
Cryptographic validation of every Apple subscription receipt

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant authorities in accordance with applicable law.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you within the app or by email before the changes take effect. The “Last updated” date at the top of this policy always reflects the latest version.

12. Contact

For privacy questions or to exercise your rights:

Email: hello@kinobolt.app Postal: Han Yazilim Bilisim Hizmetleri, Cinar Mh, Yesiltepe Sk, No 3, Istanbul, TR, Türkiye

If you are in the EEA or UK and believe we have not addressed your concern, you have the right to contact your local data protection supervisory authority.