Privacy Policy
1. Data Controller
This Privacy Policy applies to the nocta. mobile applications (Customer and Staff) operated by the data controller below.
| Item | Details |
|---|---|
| Data Controller | 1891 Reklam Sanayi Ticaret Limited Şirketi (nocta.) |
| Email | noctameram@gmail.com |
| Address | Melikşah Mah. Melikşah Cad. No:46/A, Meram/Konya |
| Tax ID | 0012110375 |
| Web | nocta.art |
This is a café loyalty platform. No payments are processed through the app; all financial transactions occur at the café's own point-of-sale system.
2. Personal Data We Collect
2.1 Account Data (via Google Sign-In)
- First name, last name
- Email address
- Profile picture URL (from Google)
- Google account ID
2.2 Profile Data (optional)
- Date of birth
- Phone number
- Notification preferences
2.3 Device & Technical Data
- Firebase Cloud Messaging (FCM) push token
- Operating system version (Android version)
- App version
- Device language
2.4 Loyalty / Behavioral Data
- Visit dates and times
- Transaction amounts (informational; café POS handles payment)
- Loyalty points earned and redeemed
- Campaigns / coupons used
- QR scan events (who, when, by which staff member)
2.5 Communication Data
- Support requests (when you email us)
What we do NOT collect: payment card data, location, contacts, photo gallery, microphone or camera recordings (the camera is used only momentarily for QR scanning — no images are stored).
3. Purposes of Processing
| Purpose | Data Category | Legal Basis (KVKK/GDPR) |
|---|---|---|
| Authentication (Google Sign-In) | Account data | Contract performance |
| Loyalty point calculation | Behavioral data | Contract performance |
| Campaign and announcement notifications | FCM token, preferences | Explicit consent |
| Birthday campaign | Date of birth | Explicit consent |
| Account security / fraud prevention | All data (audit log) | Legitimate interest |
| Service improvement (anonymous aggregate) | Behavioral (anonymized) | Legitimate interest |
| Compliance with legal obligations | Relevant data | Legal obligation |
4. Data Sharing & International Transfers
4.1 Domestic Sharing
- Cloudflare (DNS + CDN)
- Authorized staff (café baristas — only see your name and active campaign at the moment of QR validation)
4.2 International Transfers
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Server infrastructure | Hetzner Online GmbH | Germany (EU) | App data hosting |
| Authentication | Google LLC | USA / EU | Google Sign-In |
| Push notifications | Google LLC (Firebase) | USA / EU | Notification delivery |
| Error monitoring | Self-hosted (GlitchTip) | Germany — our own server | Crash/error reports |
| Backups | Cloudflare R2 | EU | Database backups |
4.3 No Sale of Personal Data
We never sell, rent, or share your data with third parties for marketing purposes.
5. Retention Periods
| Data | Retention |
|---|---|
| Account & profile data | Until account deletion |
| Behavioral data | Until account deletion |
| Audit logs | 90 days after account deletion |
| Backups | 30-day rolling backup |
| Support email archive | 2 years |
6. Account & Data Deletion
You can close your account with one tap from Profile → Delete My Account. Upon deletion, all your loyalty points are lost and are not refundable, and your personal data is deleted / anonymized within 24 hours.
Alternatively, email noctameram@gmail.com with subject "Account deletion request".
7. Your Rights (KVKK Art. 11 / GDPR Art. 15–22)
- Confirm whether your data is processed
- Obtain information about the processing
- Learn the purpose and whether data is used as intended
- Know third parties to whom data is transferred
- Request correction of incomplete or inaccurate data
- Request erasure under KVKK Art. 7
- Request that corrections / erasures be communicated to third parties
- Object to outcomes resulting solely from automated processing
- Claim damages caused by unlawful processing
We respond within 30 days free of charge.
8. Children's Privacy
The nocta. app does not target users under 13 and does not knowingly collect personal data from anyone under 13.
9. Cookies & Tracking
The mobile app does not use cookies.
10. Security
- Mandatory HTTPS / TLS 1.2+
- Signed JWT session tokens
- QR codes regenerate every 90 seconds and are single-use
- Strong password hashing (bcrypt) for staff PINs
- 15-minute lockout after 5 wrong PIN attempts
- Sensitive fields auto-redacted in logs
11. Changes
The current version is always available at noctaevent.com/privacy-en
12. Contact
Email: noctameram@gmail.com
Address: Melikşah Mah. Melikşah Cad. No:46/A, Meram/Konya