Privacy Policy

Last updated: May 7, 2026

1. Who We Are

BuddyWolfy ("we", "our", "us") is a language learning platform operated as a sole proprietorship by Ahmet Can Turan, based in Türkiye. For the purposes of the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK), we act as the data controller of your personal data.

Contact for any privacy-related matter: [email protected].

2. Scope

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you use the BuddyWolfy website at buddywolfy.com, the BuddyWolfy browser extension, and any related services (collectively, the "Service"). For additional information specific to the browser extension, see our Extension Privacy Policy.

3. Information We Collect

3.1 Account Information

  • Email address
  • Username and display name
  • Password (stored only as a salted hash; we never see it in plain text)
  • Authentication provider data (e.g., Google) when you sign in via a third-party identity provider — limited to the email address, name, and provider account ID

3.2 Learning Data

  • Vocabulary groups, words, and question boxes you create
  • Text content you submit for deep-scan analysis
  • Quiz results, study progress, and learning statistics
  • Native, target, and interface language preferences

3.3 Billing Information

We do not collect or store your full payment card details. Card processing is handled by our payment provider, Lemon Squeezy (see Section 7). We receive and store only:

  • Subscription status, plan, start and renewal dates
  • The last four digits and brand of the card used (for receipt display)
  • Billing country (for tax determination)
  • An invoice/order ID issued by Lemon Squeezy

3.4 Technical Data

  • IP address (for security, fraud prevention, and rate limiting)
  • Browser type, device type, and operating system (from request headers)
  • Server logs of requests made to the Service (for diagnostics and abuse prevention)

4. How We Use Your Information & Lawful Bases (GDPR)

Under the GDPR, we may only process your personal data when we have a lawful basis. The table below explains why we process your data and on which basis.

Purpose | Lawful basis
Creating and managing your account, providing core learning features | Performance of a contract (Art. 6(1)(b) GDPR)
Processing payments and managing your subscription | Performance of a contract (Art. 6(1)(b) GDPR)
Sending AI-generated definitions, translations, deep-scan analyses | Performance of a contract (Art. 6(1)(b) GDPR)
Security, fraud prevention, abuse detection, server logs | Legitimate interests (Art. 6(1)(f) GDPR)
Complying with tax, accounting, and other legal obligations | Legal obligation (Art. 6(1)(c) GDPR)
Sending product updates, marketing or promotional emails | Consent (Art. 6(1)(a) GDPR), withdrawable at any time
Displaying public leaderboards and shared content | Legitimate interests (Art. 6(1)(f) GDPR), only data you choose to make public

5. AI Processing

To generate definitions, translations, example sentences, memory stories, and deep-scan analyses, we send the relevant text you submit (and only that text — not your account or payment data) to one or more of the following AI providers:

  • OpenAI, L.L.C. (United States) — under OpenAI's API data-processing addendum, which states that API inputs and outputs are not used to train their models.
  • Anthropic, PBC (United States) — under Anthropic's API terms, which state that customer API inputs and outputs are not used to train their models.
  • Google LLC — Gemini / Vertex AI APIs, under Google's enterprise data-processing terms.

These providers act as our processors. Your text is processed only to return the response and is not used by them to train their models. Do not submit information through deep scan or other AI features that you do not want sent to a third-party provider.

6. Payment Processing

Paid subscriptions are processed by Lemon Squeezy (Lemon Squeezy LLC), who acts as the Merchant of Record. Lemon Squeezy collects your payment method, billing address, and tax information directly and is independently responsible for that processing. See Lemon Squeezy's Privacy Policy.

We receive only the limited billing information described in Section 3.3, which we use to manage your subscription, generate receipts, and meet our tax and accounting obligations.

7. Data Sharing

We do not sell your personal data. We share limited data only with the following categories of recipients, in each case under a written agreement that requires them to protect your data:

  • Hosting and infrastructure providers — to run our servers and database (located in the European Union).
  • AI service providers — OpenAI, Anthropic, and Google, as described in Section 5.
  • Payment provider — Lemon Squeezy, as described in Section 6.
  • Email delivery providers — to send transactional emails (account verification, password reset, receipts) and, with your consent, marketing emails.
  • CDN providers — to serve images and static assets efficiently.
  • Authorities — when required by a valid legal request (e.g., a court order or law enforcement request that meets applicable legal standards).

We do not use third-party advertising networks or marketing trackers.

8. International Data Transfers

Our primary servers are located in the European Union. However, some of our processors — in particular AI providers (Section 5) and our payment provider (Section 6) — are based in the United States. When we transfer data outside the EU/EEA or Türkiye, we rely on:

  • The EU–U.S. Data Privacy Framework, where the recipient is certified, or
  • Standard Contractual Clauses approved by the European Commission, together with appropriate supplementary measures.

9. Data Retention

  • Account and learning data — kept while your account is active. Deleted within 30 days after you delete your account, except where law requires us to keep it longer.
  • Billing records and invoices — kept for up to 10 years to comply with tax and accounting law in Türkiye and the EU.
  • Server and security logs — kept for up to 90 days, except where a longer period is required to investigate a security incident.
  • Marketing consent records — kept while consent is in effect and for 3 years after withdrawal, as evidence of compliance.
  • Backups — may persist for up to 35 days after deletion of the live data.

10. Your Rights

Depending on where you live, you have the following rights over your personal data:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your account and your personal data
  • Receive a copy of your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, email [email protected]. We respond within 30 days. EU/EEA residents may complain to their national data-protection authority; residents of Türkiye may complain to the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK).

11. Cookies and Browser Storage

11.1 Cookies

We use the following cookies. All of them are strictly necessary or functional for the Service to operate. We do not use tracking, advertising, or third-party analytics cookies, so no consent banner is required.

  • Authentication cookies (__Secure-next-auth.session-token, __Secure-next-auth.csrf-token, __Secure-next-auth.callback-url) — keep you signed in and protect against cross-site request forgery. HTTP-only and secure.
  • payload-theme — stores your light/dark theme preference. Expires after 1 year.
  • NEXT_LOCALE — stores your interface language preference. Expires after 1 year.
  • TARGET_LANGUAGE — stores the language you are learning. Expires after 1 year.
  • NATIVE_LANGUAGE — stores your native language. Expires after 1 year.

11.2 Browser Storage (localStorage)

We use your browser's local storage to remember your progress in interactive features. This data is stored only on your device and is never transmitted to our servers.

  • listening-practice-progress-{id} — saves your position in a deep scan listening practice session so you can resume where you left off. Automatically expires after 3 days.
  • qb-study-{groupId} — saves the remaining questions in a question box study session so you can resume after closing the page. Cleared automatically when the session is completed.

You can clear these cookies and storage entries at any time through your browser settings. Doing so may sign you out and reset your preferences.

12. Data Security

We use technical and organisational measures to protect your data, including HTTPS encryption in transit, password hashing, HTTP-only and secure session cookies, principle-of-least-privilege access controls, and regular backups. No system is 100% secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities within the time limits required by law (72 hours under GDPR).

13. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the new version on this page, update the "Last updated" date, and — where required by law — notify you by email or in the Service.

15. Contact

Data controller: Ahmet Can Turan, Türkiye. For any privacy question or to exercise your rights, contact [email protected].


Annex A — KVKK Information Notice (For Users in Türkiye)

This notice has been prepared under the Law on the Protection of Personal Data No. 6698 ("KVKK") to inform you, in our capacity as data controller, about your personal data processed by BuddyWolfy.

Data Controller

The data controller is Ahmet Can Turan (Türkiye), who operates the BuddyWolfy service as a sole proprietor. Contact: [email protected].

Personal Data Processed

  • Identity and contact information: email, username.
  • Account security information: password hash, session information, IP address.
  • Usage information: the vocabulary groups, question boxes, and deep scan content you create, and study statistics.
  • Preference information: native language, target language, interface language, theme selection.
  • Payment/subscription information: subscription status, plan, card brand and last 4 digits (the full card number is not transmitted to us), billing country, order number.

Purposes of Processing

  • Creating and managing your account.
  • Providing the language learning service (word lists, quizzes, deep scan, AI-assisted content).
  • Managing your subscription, collecting payments, issuing invoices.
  • Ensuring the security of the system and preventing abuse.
  • Fulfilling legal obligations (tax, accounting, etc.).
  • If you have given explicit consent, sending product update and marketing emails.

Legal Grounds (KVKK Art. 5–6)

  • Processing being necessary for the establishment and performance of a contract (Art. 5/2-c).
  • The data controller fulfilling its legal obligation (Art. 5/2-ç).
  • The legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (Art. 5/2-f), for security and the prevention of abuse.
  • Explicit consent for processing for marketing purposes (Art. 5/1).

Transfers

Your personal data may be transferred to parties in the following categories so that the service can be provided:

  • Server and infrastructure providers (within the European Union).
  • AI providers: OpenAI, Anthropic, Google (USA).
  • Payment provider: Lemon Squeezy (USA).
  • Email delivery providers.
  • Authorised public institutions and organisations, where there is a legal request.

Transfers abroad are carried out under KVKK Art. 9, on the basis of the safeguards prescribed by the Board or explicit consent.

Method of Collection

Your data is collected electronically through registration forms, account settings, your interactions while using the service, cookies, and server logs.

Your Rights (KVKK Art. 11)

Under KVKK Art. 11, you have the right to: learn whether your personal data is processed; request information about it if it has been processed; learn the purpose of the processing and whether the data is used in accordance with that purpose; know the third parties in Türkiye or abroad to whom it is transferred; request correction if it has been processed incompletely or inaccurately; request its erasure or destruction under the conditions provided in the KVKK; request that correction, erasure, or destruction be notified to the third parties to whom the data was transferred; object to a result against you arising from analysis exclusively by automated systems; and claim compensation for damage you suffer due to unlawful processing.

You may send your requests to [email protected]. Your request will be resolved within 30 days at the latest, depending on its nature. You retain the right to submit complaints to the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, kvkk.gov.tr).

For the privacy policy specific to our browser extension, please see our Extension Privacy Policy.