Privacy Policy

This Privacy Policy explains how Pacecraft ("we," "our," or "the app") collects, uses, and protects your personal data. We are committed to transparency and to complying with Turkey's Personal Data Protection Law (KVKK, Law No. 6698) and the European Union General Data Protection Regulation (GDPR). By using Pacecraft, you agree to the practices described in this policy. This policy was last updated on June 1, 2026.

1. Data Controller

The data controller responsible for your personal data is:

• Name: Ali Demirci (individual developer)
• Email: alidemirci2307@gmail.com
• Website: pacecraft.cloud

Pacecraft is currently operated by an individual developer and does not have a registered legal entity. Ali Demirci acts as the sole data controller for all personal data processed through the application.

2. Personal Data We Collect

We collect only the data necessary to provide the Pacecraft service. Below is a description of each category.

2.1 Account and Identity Data

When you sign in to Pacecraft using Sign in with Apple or Sign in with Google, we receive from the OAuth provider your name, email address, and profile photo. You may also choose a username and add additional profile information directly within the app. This data is used to create and manage your account.

2.2 Health and Fitness Data

Your daily step count is the primary metric in Pacecraft. On iOS, we read step data from Apple HealthKit; on Android, we read from Google Health Connect. We may also request an activity recognition permission and, optionally, read distance and calorie data. Steps may be read periodically in the background to keep your progress current. Your step count is re-validated server-side as part of our anti-cheat system.

2.3 Location Data (Optional)

Location access is entirely optional and is requested only for "when-in-use" use (while the app is open). If you grant permission, we use your location to show nearby races and to display your city on the in-app map. If you decline location permission, all core features — step counting and racing — continue to work without restriction.

2.4 Push Notification Data

If you enable push notifications, we store a Firebase Cloud Messaging (FCM) device token to deliver race updates, social notifications, and other in-app alerts. Your notification preferences are stored so you can control what you receive.

2.5 Device and Technical Data

To protect the integrity of our leaderboards, we collect device attestation signals: Apple DeviceCheck/App Attest on iOS and Google Play Integrity on Android. We also collect your device model, operating system version, app version, language/locale setting, IP address, and crash or diagnostic logs. This data is used exclusively for security, anti-cheat, and service improvement purposes.

2.6 Social and In-App Content

Pacecraft is a social fitness app. We store content you create or generate through your use of the service, including your public profile, posts, comments, likes, race participations, race chat messages, follow and friend relationships, city-building progress, energy transactions, and achievement records.

3. Purposes of Processing

• Account creation and management: to register you, authenticate your identity, and maintain your profile.
• Core fitness features: to count your steps, convert them into in-app energy, and power the city-building mechanic.
• Racing, leaderboards, and leagues: to run races, calculate rankings, manage monthly global leagues, and distribute in-app rewards.
• Social features: to enable the social feed, race chat, comments, likes, and friend/follow relationships.
• Anti-cheat and security: to detect and prevent manipulation of step counts, fake device signals, automation, and fraudulent activity.
• Push notifications: to send you race alerts, social updates, and important service communications.
• Customer support: to respond to your questions and resolve issues.
• Legal compliance: to meet our obligations under applicable laws.

4. Legal Bases for Processing

We process your personal data based on the following legal grounds under GDPR Article 6 and KVKK Article 5:

• Performance of a contract: processing your account data, step data, race data, and social content is necessary to deliver the Pacecraft service you have signed up for.
• Explicit consent: health and fitness data (HealthKit / Health Connect), location data, and push notification tokens are processed only with your explicit consent, which you may withdraw at any time without affecting other features.
• Legitimate interests: device attestation, anti-cheat measures, fraud prevention, and crash diagnostics are processed on the basis of our legitimate interest in maintaining a fair and secure service, provided that this interest is not overridden by your rights.
• Legal obligation: certain data may be retained or disclosed where required by Turkish or EU law.

5. Special Protection of Health and Fitness Data

Health and fitness data — including all data read from Apple HealthKit and Google Health Connect — is treated with the highest level of protection. We make the following explicit commitments:

• Health and fitness data is used solely to provide and improve Pacecraft's core features (step tracking, energy conversion, race participation).
• Health and fitness data is never used for advertising or marketing purposes of any kind.
• Health and fitness data is never sold to any third party.
• Health and fitness data is never shared with third-party advertising networks.
• Data obtained from Apple HealthKit is not shared with any third party for marketing or advertising purposes, in compliance with Apple's HealthKit guidelines.
• No advertising SDKs have access to your health or fitness data at any time.

6. Third-Party Service Providers

We work with a limited number of trusted service providers who process data on our behalf and under our instructions only. They may not use your data for their own purposes.

• Supabase — authentication, database storage, and real-time infrastructure. Servers are located in the EU (Frankfurt region).
• Google Firebase Cloud Messaging (FCM) — delivery of push notifications to your device.
• Apple and Google — OAuth authentication via Sign in with Apple and Sign in with Google.
• Hostinger — web hosting for the pacecraft.cloud website.

We do not use any third-party advertising SDKs, analytics platforms that profile users for advertising, or data brokers.

7. Data Retention

We retain your personal data for as long as your account is active. If you request deletion of your account or your data, we will delete or anonymize it within a reasonable period, subject to any retention obligations imposed by applicable law (for example, legal, tax, or fraud-prevention requirements). Crash logs and diagnostic data are retained only for as long as necessary to resolve the issue they relate to.

8. International Data Transfers

Your data is primarily processed on Supabase servers located in the EU (Frankfurt, Germany), which provides a high level of data protection equivalent to GDPR standards. Where data is transferred outside the European Economic Area or Turkey, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or other mechanisms recognized under applicable law. By using Pacecraft, you acknowledge that your data may be processed in these jurisdictions.

9. Your Rights

Under KVKK Article 11 and GDPR, you have the following rights regarding your personal data:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may ask us to correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): you may request that we delete your personal data.
• Right to restriction of processing: you may ask us to limit how we use your data in certain circumstances.
• Right to data portability: you may request your data in a structured, commonly used, machine-readable format.
• Right to object: you may object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on your consent (for example, health data, location, or notifications), you may withdraw that consent at any time through your device settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint: you have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu) at www.kvkk.gov.tr, or with the supervisory authority in your EU member state.

To exercise any of these rights, please contact us at alidemirci2307@gmail.com. We will respond within the timeframe required by applicable law.

10. Account and Data Deletion

You may request the deletion of your account and all associated personal data at any time by sending an email to alidemirci2307@gmail.com with the subject line "Account Deletion Request." We will process your request and delete your data within a reasonable period, except where retention is required by law. An in-app account deletion feature is planned for a future update.

11. Children's Privacy

Pacecraft is not directed at children under the age of 13 (or under 16 for users in the European Union). We do not knowingly collect personal data from children below these ages. If you believe that a child has provided us with personal data without parental consent, please contact us at alidemirci2307@gmail.com and we will promptly delete that data.

12. Data Security

We take the security of your personal data seriously and implement the following measures:

• Encryption in transit: all data exchanged between your device and our servers is encrypted using HTTPS/TLS.
• Row-level security (RLS): our Supabase database enforces row-level security policies so that each user can access only their own data.
• Access control: access to production systems and databases is restricted to authorized personnel only.
• Anti-cheat system: a multi-layer (7-layer) anti-cheat architecture detects and blocks manipulation attempts, protecting the fairness of the platform for all users.
• Device attestation: Apple DeviceCheck/App Attest and Google Play Integrity are used to verify that the app is running on a genuine, unmodified device.

Despite these measures, no method of data transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users and authorities in the event of a data breach, as required by law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. For significant changes, we will notify you through the app or by email. Your continued use of Pacecraft after any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Data Controller: Ali Demirci
• Email: alidemirci2307@gmail.com
• Website: pacecraft.cloud

You may also view our Terms of Service for additional information about the rules governing use of Pacecraft.