Privacy Policy
Last updated: March 14, 2026
Kayt ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our mobile application, website, and related services. We comply with the EU General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK No. 6698).
1. Who We Are
Kayt is a travel finance application developed and operated by Kayt Inc. If you have any privacy-related questions, you can contact our Data Protection Officer at tozankayra4@gmail.com.
2. Data We Collect
2.1 Information You Provide Directly
- Account data: name, email address, profile photo (optional)
- Travel data: trip names, destinations, dates, travel companions
- Expense data: amounts, categories, currencies, notes, receipt images
- Payment data: subscription billing information (processed by RevenueCat, Apple, or Google — we never store full card numbers)
- Communications: support messages, feedback, survey responses
2.2 Information Collected Automatically
- Device data: device type, OS version, app version, device identifiers
- Usage data: features used, screens viewed, actions taken, session duration
- Location data: approximate GPS location (only when you grant permission; used for currency detection and place suggestions)
- Crash reports: error logs collected via Sentry to improve stability
- Analytics events: anonymized interaction events via PostHog (no personal identifiers)
2.3 Receipt Images
When you use our AI receipt scanning feature, photos you capture are transmitted securely to Google Cloud Vision API for text extraction. Images are processed in real time and are not stored by Google beyond the duration of the API call. Extracted text data is stored in your account under your control.
3. How We Use Your Data
- Provide and improve the Kayt app and services
- Process and display your expense records and trip budgets
- Send transactional emails (account verification, password reset, subscription receipts)
- Provide customer support
- Analyze usage patterns to improve app design and features
- Comply with legal obligations
- Detect and prevent fraud, abuse, and security incidents
We do not sell your personal data to third parties. We do not use your data for advertising to you.
4. Legal Basis for Processing (GDPR)
- Contract performance: processing necessary to provide you with Kayt services you requested
- Legitimate interests: analytics and security monitoring to improve the service
- Consent: location access, marketing communications (where applicable)
- Legal obligation: compliance with applicable laws
5. Data Sharing
We share your data only with the following categories of trusted service providers, under strict data processing agreements:
- Cloud infrastructure: Google Cloud Platform (EU data centers where possible)
- Analytics: PostHog (anonymized events only)
- Error monitoring: Sentry (crash reports)
- Payments: RevenueCat, Apple App Store, Google Play (billing only)
- Email delivery: Nodemailer via our own SMTP (transactional emails only)
- AI processing: Google Cloud Vision (receipt OCR; see Section 2.3)
- AI trip planning: OpenAI API (trip descriptions you submit; no account data is shared)
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal compliance (e.g., transaction records for tax purposes — up to 7 years).
7. Your Rights (GDPR & KVKK)
Under GDPR and KVKK, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Portability: Receive your data in a machine-readable format; request an export by contacting us at tozankayra4@gmail.com or via the app settings.
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time without affecting past processing
To exercise these rights, contact us at tozankayra4@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Cookies & Tracking
Our website uses minimal cookies required for authentication and security. We do not use third-party advertising cookies. Our mobile app does not use browser cookies; analytics are performed via anonymous session tokens.
- Session cookies: Required for secure authenticated sessions
- Analytics: PostHog events (anonymized, no personal identifiers, can be disabled)
9. Children's Privacy
Kayt is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.
10. Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- JWT-based authentication with short-lived tokens
- Rate limiting and anomaly detection to prevent abuse
- Regular security audits and dependency updates
11. International Data Transfers
If you are located in the European Economic Area (EEA) or Turkey, your data may be transferred to and processed in countries outside your jurisdiction (e.g., the United States). We ensure such transfers are protected under Standard Contractual Clauses (SCCs) or adequacy decisions.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via in-app notification or email. Continued use of Kayt after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, data requests, or complaints:
- Email: tozankayra4@gmail.com
- General: kayttrip@gmail.com