Privacy Policy
Last updated: May 15, 2026
Macrolight Privacy Policy
Version 1.0 · Effective date: 2026-05-06 · Last updated: 2026-05-06
1. Introduction
This Privacy Policy ("Policy") explains how the Macrolight mobile application ("App", "we", "us", "our") collects, uses, shares, and protects your personal data. This Policy is written to comply with the EU General Data Protection Regulation ("GDPR"), the Turkish Personal Data Protection Law ("KVKK"), and Apple App Store privacy requirements.
Macrolight was previously known as "NutriLens" and "RecipeAI". The product has been rebranded to Macrolight; the underlying technical infrastructure remains the same.
By using Macrolight, you acknowledge that you have read and understood this Policy.
2. Data Controller
| Field | Value |
|---|---|
| Controller | Nuray Yağcı (sole proprietor) |
| Country | Türkiye (Turkey) |
| Email | macrolight.app@gmail.com |
For data subject requests, please contact us by email at the address above.
3. Categories of Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name | Sign-up form, Apple/Google login |
| Authentication credentials | Password (hashed via bcrypt by Supabase Auth — we never see plaintext) | Sign-up / login |
| Profile data | Profile picture URL (from Apple/Google), username | Social login, user editing |
| User-generated content | Recipes you create, photos you upload, comments, likes, follow relationships | In-app interaction |
| Health-related personal data ⚠️ | Weight, height, age, gender, daily calorie goal, body composition | User-entered (voluntary) |
| Nutrition logs | Daily food log, water intake, weight tracking, meal photos and AI nutrition analysis results | In-app interaction, camera capture |
| Usage data | App-open events, feature usage counts, monthly scan counts | Automatic in-app telemetry |
| Device data | Device model, iOS version, language, region | Apple standard attribution |
| Technical data | IP address (transient security logs), APNS push notification token | Automatic |
IMPORTANT — Special Category Data: Weight, height, body composition, and other health-related metrics are classified as "special categories of personal data" under GDPR Article 9 and "özel nitelikli kişisel veri" under KVKK Article 6. We process these only with your explicit consent, granted when you enter the data into the App. You may withdraw consent at any time, in which case the data will be deleted.
4. Data We Do NOT Collect
In the interest of transparency, we do not collect:
- Precise location: No Core Location usage; we do not track where you are.
- Contacts, calendar, photo library: Only single camera-captured images you explicitly take are processed. We do not access your photo library or address book.
- Apple Health (HealthKit): No HealthKit integration at this time.
- Financial data: Card and payment data is handled exclusively by Apple. We see only anonymized purchase events.
- Advertising identifiers (IDFA): We do not perform behavioral advertising and do not access IDFA.
5. Purposes of Processing
We process your personal data for the following purposes:
- Creating, authenticating, and managing your account
- Storing and displaying your recipes, posts, and community interactions
- Providing AI-powered recipe extraction and food photo analysis
- Tracking your daily calorie, macronutrient, and health-related goals
- Managing your subscription and renewal status
- Improving service quality, debugging, and preventing security threats
- Enforcing community rules (content moderation, anti-spam)
- Complying with legal obligations (tax records, lawful requests)
- Sending APNS push notifications (likes, comments, follows, reminders)
6. Legal Bases for Processing (GDPR Article 6 / KVKK Article 5-6)
| Data / Processing | Legal Basis |
|---|---|
| Account management, subscriptions | GDPR Art. 6(1)(b) — Performance of a contract / KVKK Art. 5/2(c) |
| User content, in-app activity | GDPR Art. 6(1)(b) and 6(1)(f) — Legitimate interests |
| Health-related data (weight, height, calorie tracking) | GDPR Art. 9(2)(a) — Explicit consent / KVKK Art. 6/3 |
| Security logs, fraud prevention | GDPR Art. 6(1)(f) — Legitimate interests |
| Marketing communications | GDPR Art. 6(1)(a) — Consent |
| Legal obligations (tax, lawful requests) | GDPR Art. 6(1)(c) — Legal obligation |
| Push notifications | GDPR Art. 6(1)(a) — Consent (revocable via iOS Settings) |
7. Sharing with Third Parties
To provide the service, we share certain data with the following service providers (data processors). All processors are contractually bound to safeguard your data and process it only on our instructions.
| Provider | Purpose | Data Shared | Region |
|---|---|---|---|
| Apple Inc. | App distribution, In-App Purchases, Sign in with Apple, APNS push notifications | Apple account ID, device token, purchase records | USA |
| Supabase Inc. | Backend infrastructure (auth, database, storage, edge functions) | Email, profile, recipes, photos, comments, health data | USA / EU |
| Google LLC (Gemini API) | AI analysis of uploaded photos and videos (calorie/macro estimation) | Uploaded photo/video files (transient — Google does not use this data to train its models under the paid API terms) | USA |
| xAI Corp (Grok API) | Nutrition Q&A and text-based nutrition advice | The nutrition question text you send (xAI does not use these requests to train its models per its API terms) | USA |
| Google LLC (Sign in with Google) | OAuth login | Email, name, profile picture URL | USA |
| Resend Inc. | Transactional email (password reset, etc.) | Email address | USA |
| RapidAPI Marketplace (Instagram Looter, FlashAPI) | Instagram media URL extraction | Instagram post URL only | USA |
| Fly.io (yt-dlp microservice) | TikTok / YouTube video downloading | Video URL only | USA / EU |
International Transfers
Data may be transferred to, stored in, and processed in countries outside the European Economic Area or Türkiye, including the United States. For such transfers we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The data subject's explicit consent under KVKK Art. 9 and GDPR Art. 49(1)(a) where SCCs are not in place.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | For as long as your account is active |
| After account deletion | All identifiable data deleted within 30 days of deletion request, except records we must retain for legal reasons (e.g., tax records — 10 years per Turkish Tax Procedure Law) |
| Community posts | Persist until manually deleted; on account deletion they are anonymized |
| Server access / security logs | 90 days |
| Push notification token | Until invalidated by an iOS event, or 6 months of inactivity |
| Backups | Rolling 30-day backups; deleted from backups within at most 30 days of account deletion |
9. Your Rights
Under GDPR (Articles 15–22)
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion under specified conditions
- Restriction of processing — limit how we use your data
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time (without affecting prior lawful processing)
- Not be subject to decisions based solely on automated processing producing legal effects
- Lodge a complaint with your national supervisory authority
Under KVKK (Article 11)
In addition to rights similar to those above, you may also request that any rectification or deletion be communicated to third parties to whom data was transferred, and seek compensation for damages caused by unlawful processing.
How to Exercise Your Rights
Email macrolight.app@gmail.com from the email address associated with your account. We will respond within 30 days (extendable in complex cases). You may also file a complaint with:
- Türkiye: Kişisel Verileri Koruma Kurulu — www.kvkk.gov.tr
- EU/EEA: Your national Data Protection Authority
10. Children's Privacy
Macrolight is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. In the EU/EEA, the age limit may be higher under GDPR Art. 8 (typically 16, depending on member state).
If we learn that we have collected data from a child under 13 (or the applicable age in your jurisdiction), we will delete the account immediately. Parents or legal guardians may contact macrolight.app@gmail.com to request deletion.
The App's age rating in the App Store is 4+, but account creation requires the user to confirm they are at least 13 years old (or the applicable minimum in their jurisdiction).
11. Security Measures
We implement the following technical and organizational measures:
- TLS 1.2+ encryption in transit
- Supabase Row-Level Security (RLS) policies for access control
- bcrypt password hashing (we never store plaintext passwords)
- API keys stored only in environment variables, never in source code
- Regular backups and disaster recovery plans
- Limited personnel access on a need-to-know basis (support tasks only)
- Suspicious-activity monitoring
While no system is perfectly secure, we follow industry best practices.
12. Data Breach Notification
If we become aware of a personal data breach involving your data:
- Under GDPR: We will notify the relevant supervisory authority within 72 hours, and notify affected users without undue delay if the breach poses a high risk to their rights and freedoms (Articles 33–34).
- Under KVKK: We will notify the Turkish Data Protection Authority within 72 hours and inform affected users within a reasonable time, per the KVKK Data Breach Notification Communiqué.
13. Apple Privacy Nutrition Labels Mapping
For App Store privacy labels, our data practices map as follows:
| App Store Category | Data Type | Linked to User | Used to Track |
|---|---|---|---|
| Data Linked to You | Email, name, user content, health & fitness, purchases, identifiers (user ID), usage data, diagnostics | Yes | No |
| Data Not Linked to You | Crash logs, performance metrics | No | No |
No third-party tracking is performed.
14. Cookies and Web Tracking
The App itself does not use cookies, since it is a native iOS application. If you visit our website (e.g., macrolight.app) we may use only strictly necessary cookies. No third-party advertising or analytics cookies are used.
15. Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes via email and an in-app notice. The current version is always available at this URL. The effective date is shown at the top of the document.
16. Contact
For questions, requests, or complaints about this Policy:
Email: macrolight.app@gmail.com
Postal address: Available on request.