1. Introduction and Purpose
This Privacy Policy (hereinafter referred to as the "Policy") has been prepared to set out the principles and procedures governing the processing of personal data obtained through the Futba mobile application (the "Application"), pursuant to Regulation (EU) 2016/679 on the General Data Protection Regulation (the "GDPR") and the Turkish Personal Data Protection Law No. 6698 (the "KVKK"), along with any other applicable legislation.
The installation of the Application, its use in any manner, or access by any means shall be deemed to constitute acceptance of the terms set forth herein, having been read and understood in full.
2. Definitions
- Personal Data: Means any information relating to an identified or identifiable natural person.
- Data Subject: Means the natural person whose personal data is processed.
- Data Controller: Means the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.
- Processing: Means any operation or set of operations performed on personal data, whether or not by automated means, including but not limited to collection, recording, storage, organisation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
- Explicit Consent: Means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes relating to a particular matter.
3. Identity of the Data Controller
Pursuant to Article 13 of the GDPR and Article 10 of the KVKK, the Futba team shall act as the Data Controller in respect of all personal data processed through the Application (the "Data Controller"). The Data Controller may be contacted through the channels set forth in Section 13 of this Policy.
4. Categories of Personal Data Processed
The following categories of personal data shall be processed through the Application:
4.1. Identity and Contact Data
- Email address (obtained automatically when signing in via Google or Apple through Firebase Authentication)
- Authentication identifier (Firebase UID) — used strictly for system-level identification and shall not be disclosed to third parties
- Username
- First and last name (only where provided by the Data Subject)
- Telephone number (only where provided by the Data Subject)
4.2. Profile and Demographic Data
- Age, height, weight, preferred playing position
- Short biography
- City and district
- Profile photograph or system-generated avatar
4.3. Location Data
- Device location (GPS): Processed solely while the Application is actively in use, for the purpose of presenting nearby matches and user suggestions. No continuous background tracking shall be carried out.
- Hometown location: A fixed location voluntarily selected by the Data Subject on a map. This location shall take precedence over device location.
4.4. Transaction Security Data
- IP address
- Device information (user-agent — operating system, browser/application version)
- Date and time of sign-in
- Firebase Cloud Messaging (FCM) notification token
- Platform (Android / iOS)
4.5. In-Application Interaction Data
- Information relating to matches created or joined, team assignments, selected venues
- In-app chat content (match chat and one-to-one chat)
- Friendship connections and pending requests
- Statistical metrics such as completed match count and login-day count
- Reports submitted about other users (for moderation purposes)
5. Purposes of Processing
Personal data shall be processed in accordance with the general principles set forth in Article 4 of the KVKK and the conditions established in Articles 5 and 6 thereof, strictly limited to the following purposes:
- Creation of a user account, authentication, and session management
- Performance of the core functions of the Application (listing nearby matches, match creation, matchmaking, chat, friendship connections)
- Transmission of match-related information and reminder notifications (including nearby match, match reminder, friend request, and kick notifications)
- Ensuring community safety and reviewing reports of inappropriate content, harassment, or abuse (moderation)
- Measuring Application performance, detecting technical errors, and conducting improvement activities
- Fulfilment of legal obligations arising from applicable legislation and requests from competent authorities
- Establishment, exercise or defence of legal claims in the event of a dispute
6. Legal Bases for Processing
Personal data shall be processed on the following legal bases:
- Performance of a contract — Article 6(1)(b) of the GDPR; Article 5/2(c) of the KVKK: essential components of service provision.
- Compliance with a legal obligation — Article 6(1)(c) of the GDPR; Article 5/2(ç) of the KVKK: obligations relating to notification, retention, and safeguarding required by applicable legislation.
- Establishment, exercise, or defence of legal claims — Article 5/2(e) of the KVKK; Article 6(1)(f) of the GDPR as legitimate interest.
- Legitimate interests of the Data Controller — Article 6(1)(f) of the GDPR; Article 5/2(f) of the KVKK: service security, fraud prevention, performance improvement.
- Explicit consent — Article 6(1)(a) of the GDPR; Article 5/1 of the KVKK: relied upon only where none of the above legal bases apply.
7. Transfer of Personal Data
7.1. Transfer to Other Users
In view of the social nature of the Application, the following data shall be rendered visible to other users: username, name, profile photograph, city and district, position, completed match count, matches created/joined, and messages exchanged with users with whom contact is initiated. Email address, telephone number, precise GPS coordinates, and Firebase UID shall under no circumstances be disclosed to other users.
7.2. Transfer to Service Providers
In order to maintain the technical infrastructure of the Application, personal data shall be shared in the capacity of data processor with the following service providers:
| Service Provider | Purpose | Data Location |
| --- | --- | --- |
| Firebase Authentication (Google LLC) | Authentication | United States / EU |
| Firebase Cloud Messaging (Google LLC) | Notification delivery | United States / EU |
| Google Maps / Places API (Google LLC) | Map and location services | United States / EU |
| Supabase Inc. | Database hosting (PostgreSQL) | European Union |
| Fly.io, Inc. | Server hosting | Frankfurt, Germany |
| Cloudflare, Inc. | Content delivery network (CDN), DNS, security | Global |
Where cross-border transfers are carried out, the safeguards required under Article 9 of the KVKK and Articles 44 to 49 of the GDPR shall be observed to the greatest extent possible. Personal data shall not be sold to third parties for marketing purposes.
7.3. Transfer to Competent Authorities
Where the transfer of data becomes mandatory by virtue of a court order, a request from a public prosecutor or law enforcement authority, or any other requirement arising under applicable legislation, only the data strictly covered by such request shall be transferred to the competent authority following appropriate legal review.
8. Retention Periods
Personal data shall be retained for the period necessary for the purposes of processing, taking into account the minimum retention periods prescribed by applicable legislation:
- Account data: Retained until a valid deletion request is received.
- Completed matches: Automatically deleted 90 (ninety) days following the completion date.
- Cancelled matches: Automatically deleted 7 (seven) days following the cancellation date.
- Login history: Retained for a maximum of 12 (twelve) months.
- Following account deletion: Name, biography, avatar image, and chat history shall be deleted without delay; statistical figures (such as total match count and age group) shall be retained in anonymised form only.
9. Rights of the Data Subject
Pursuant to Article 11 of the KVKK and Articles 15 to 22 of the GDPR, the Data Subject shall have the following rights:
- To be informed whether their personal data are being processed
- To request information relating to such processing
- To ascertain the purposes of processing and whether the data are used in line therewith
- To be informed of the third parties to whom the data have been transferred domestically or abroad
- To request correction of data processed incompletely or inaccurately
- To request erasure or destruction where the grounds for processing no longer exist
- To request that rectification, erasure or destruction be notified to third parties to whom the data has been transferred
- To object to a result produced solely by automated means that adversely affects the Data Subject
- To claim compensation for any damage arising from unlawful processing
- Right to data portability (GDPR Article 20)
- Right to object to processing (GDPR Article 21)
Applications concerning the foregoing rights shall be submitted in writing to the contact details provided in Section 13, in Turkish or English, together with sufficient identifying information. Applications shall be concluded within the periods prescribed under the Communiqué on the Procedures and Principles for Application to the Data Controller, and in any event no later than thirty (30) days.
In the event that the application is rejected, not responded to, or the response is deemed inadequate, the Data Subject may lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu) or, where applicable, with the competent supervisory authority in the relevant Member State of the European Union.
10. Data Security
Within the scope of Article 12 of the KVKK and Article 32 of the GDPR, reasonable technical and administrative measures shall be implemented to prevent unlawful processing of and access to personal data and to ensure their preservation. In this regard:
- All communications between the Application and the server are conducted over encrypted HTTPS connections compliant with TLS 1.2 and above.
- Passwords are not stored by the Data Controller; authentication is performed through the Firebase Authentication infrastructure.
- Access to servers and databases is restricted to authorised service accounts only.
- Sensitive configuration values are not retained in source code; secure environment variables and secrets managers are employed.
- Input validation and rate limiting are enforced at all API endpoints.
Notwithstanding all technical and administrative measures taken, absolute security of any information system cannot be guaranteed. Should a security vulnerability be identified, the Data Subject is kindly invited to report it at the earliest opportunity to support@futba.net.
11. Children's Privacy
The Application is not intended for use by children under the age of 13. Should it be established that personal data belonging to a Data Subject under the age of 13 has been processed without the Data Controller's knowledge, the relevant account and associated data shall be deleted without undue delay. Parents or legal guardians with concerns on this matter are invited to contact support@futba.net.
12. Amendments to the Policy
This Policy may be updated from time to time at the sole discretion of the Data Controller. In the event of material amendments, Data Subjects shall be notified in advance through in-app notifications or electronic mail. The most current version of the Policy shall at all times be available at this URL. The "Effective Date" shall be revised upon each update.
13. Contact and Applications
Any enquiries concerning this Policy or applications relating to the exercise of the rights hereunder may be addressed through the following channels: