Privacy Policy
How we protect your psychological data and personal information.
Effective Date: 05.04.2026
1. Data Controller
The data controller responsible for your personal data is:
Deep Node Studios
Istanbul, Turkiye
Email: info@deepnodestudios.com
Privacy requests: info@deepnodestudios.com
2. Scope
This Privacy Policy applies to the Valeur mobile application and all related services operated by Deep Node Studios (collectively, the "Service"). It covers the rights afforded to you under applicable data protection laws including the Turkish KVKK (Law No. 6698), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
By creating an account or using the Service, you acknowledge that you have read this Privacy Policy and consent to the collection, processing, and transfer of your personal data as described herein. If you do not agree, do not use the Service.
3. Data We Collect
3.1 Data You Provide
| CCPA Category | Examples | Legal Basis |
|---|---|---|
| A. Identifiers | Name, email, date of birth, Apple ID, Google ID | Contract performance (GDPR Art. 6(1)(b)) |
| B. Profile / Customer records | Photos, education, occupation, interests, personality flaws | Contract performance |
| C. Protected classifications / Sensitive data | Gender, sexual orientation, gender preferences | Explicit consent (GDPR Art. 9(2)(a) / KVKK Art. 6) |
| K. Inferences / Personality data | Quiz responses, personality vectors, archetype classifications, compatibility scores | Explicit consent |
| G. Geolocation data | GPS coordinates, H3 geo-index | Explicit consent |
| F. Internet activity / Chat messages | Text messages exchanged with matches | Contract performance |
3.2 Data We Collect Automatically
| CCPA Category | Examples | Legal Basis |
|---|---|---|
| F. Internet activity / Usage data | App opens, card views, feature usage events | Legitimate interest (GDPR Art. 6(1)(f)) |
| A. Identifiers / Device data | Device ID, timezone, language preference, FCM token | Contract performance |
| D. Commercial information | In-app purchase receipts, transaction IDs, product IDs | Contract performance |
3.3 Sources of Data
All personal data is collected directly from you (through the app) or from your device (automatically). We do not purchase or acquire personal data from third-party data brokers.
4. Purpose of Processing
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Identifiers, device data | Contract performance |
| Profile display and matchmaking | Profile data, location, personality data | Contract / explicit consent |
| Compatibility scoring (automated) | Personality vectors, personality archetypes | Explicit consent |
| Location-based matching | GPS, H3 index | Explicit consent |
| Push notifications | FCM token, timezone, language | Contract performance |
| In-app purchases | Purchase receipts, transaction data | Contract performance |
| Service improvement and analytics | Usage data (aggregated) | Legitimate interest |
| Fraud prevention | Device ID, referral logs | Legitimate interest |
| Legal compliance | As required | Legal obligation |
5. Automated Decision-Making and Profiling (GDPR Art. 22)
Valeur uses a personality-based compatibility algorithm to match users. This involves:
- A 52-dimensional personality vector derived from your quiz responses
- Compatibility scoring that compares your vector with other users to produce a 0–100 similarity score
- Dealbreaker filtering that removes profiles incompatible with your stated preferences
- Location filtering using your H3 geo-index to prioritise nearby users
These automated processes determine which profiles you see in the discovery feed. While this constitutes profiling, it does not produce legal effects — it affects only which potential matches are displayed within the app.
Your rights: You may request human review of any matching decision by emailing info@deepnodestudios.com. You may also request an explanation of how your compatibility score was calculated with any specific user.
6. Data Sub-Processors and International Transfers
We use the following sub-processors. For transfers to countries without an adequacy decision (USA), we rely on Standard Contractual Clauses (SCCs) and/or explicit consent at registration.
| Processor | Country | Data Shared | Purpose | Safeguard |
|---|---|---|---|---|
| Google Firebase (FCM) | USA | FCM token, timezone, language, notification metadata | Push notifications | SCCs / consent |
| Google Sign-In | USA | Email, Google ID token | Authentication | SCCs / consent |
| Apple Sign-In | USA | Apple ID, refresh token | Authentication | SCCs / consent |
| AWS S3 (eu-central-1) | EU (Frankfurt) | Profile photos | Media storage | EU adequacy |
| MongoDB Atlas | EU (Frankfurt) | All personal data | Primary database | EU adequacy |
All sub-processors are bound by Data Processing Agreements that prohibit them from using your data for any purpose other than providing their service to us. We do not sell, share, or disclose your data to any other third parties except as required by law.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Chat messages | Content deleted on account deletion; message metadata (timestamps, counts) retained for analytics |
| Personality data | Retained indefinitely (non-PII; used for aggregate analytics) |
| Usage events | 180 days (auto-deleted) |
| Purchase records | Retained indefinitely in anonymised form for revenue analytics |
| Referral device logs | 90 days after account deletion (fraud prevention) |
| S3 profile photos | Deleted immediately on account deletion |
| Anonymised user records | Kept indefinitely for aggregate analytics (zero PII) |
When the purpose of processing ends or you request deletion, your data is erased in accordance with applicable law.
8. Your Rights
Depending on your jurisdiction, you have the following rights. We honour all of these by default regardless of where you live.
8.1 Rights Under All Jurisdictions
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of all your personal data | Email: info@deepnodestudios.com |
| Portability | Receive your data in machine-readable JSON format | Email: info@deepnodestudios.com |
| Correction | Fix inaccurate data | Edit your profile directly, or email info@deepnodestudios.com |
| Deletion | Erase all your personal data | In-app: Settings > Delete Account |
| Object / Restrict | Object to processing or request restriction | Email: info@deepnodestudios.com |
| Human review | Contest an automated matching decision | Email: info@deepnodestudios.com |
8.2 Additional Rights Under KVKK (Turkiye)
You may learn whether your data is processed, learn the purpose, know third parties it was transferred to, request correction, request deletion, request notification of changes to third parties, object to automated analysis, and claim compensation for unlawful processing. You may lodge a complaint with the KVKK Board (Kisisel Verileri Koruma Kurulu). Response time: 30 days.
8.3 Additional Rights Under GDPR (EU/EEA)
You have the right to withdraw consent at any time (withdrawal does not affect prior lawful processing). You may lodge a complaint with your local Data Protection Authority. If you believe we process your data based on legitimate interest, you may object and we will cease processing unless we demonstrate compelling legitimate grounds. Response time: 30 days.
8.4 Additional Rights Under CCPA/CPRA (California)
You have the right to know the categories and specific pieces of personal information collected about you in the preceding 12 months (see Section 3). You will not be discriminated against for exercising any privacy right — you will receive the same service and pricing regardless. Response time: 45 days.
How to Submit a Request
- Email: info@deepnodestudios.com
- In-app: Settings > Delete Account (for account and data deletion)
We will respond within 30 days (45 days for California residents). You may also designate an authorised agent to submit requests on your behalf (provide signed authorisation).
9. Sale and Sharing of Personal Data
We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. We do not disclose your data to data brokers. The only third parties who receive your data are the sub-processors listed in Section 6, solely to provide the Service.
Sensitive personal information (sexual orientation, precise geolocation, chat contents, personality data) is used only to provide the core matching service. We do not use sensitive data for advertising, profiling for third parties, or any purpose beyond what is strictly necessary for the Service.
10. Data Security
We implement the following technical and organisational measures:
- Encryption at rest (AWS S3 SSE-KMS, MongoDB Atlas encryption)
- Encryption in transit (TLS 1.3)
- Secure token storage on device (platform Keystore/Keychain)
- Structured logging with PII masking
- Access controls with least-privilege IAM policies
- AWS CloudTrail audit logging with 3-year retention
- Breach detection via CloudWatch monitoring
In the event of a data breach likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34 and applicable law.
11. Children
The Service is not directed at anyone under the age of 18. We enforce this with server-side age verification during profile creation. We do not knowingly collect personal data from children. If we learn that we have collected data from a user under 18, we will delete it promptly.
12. Policy Changes
We may update this Privacy Policy as the Service evolves. Material changes will be notified in-app, and the Effective Date will be updated. Continued use of the Service after a policy update constitutes acceptance.
13. Contact
Deep Node Studios
Istanbul, Turkiye
General inquiries: info@deepnodestudios.com
Privacy / data subject requests: info@deepnodestudios.com