Movo Privacy Policy
Last Updated: April 30, 2026 Effective Date: April 30, 2026
This Privacy Policy describes how GG Tech Teknoloji Sanayi ve Ticaret Limited Şirketi ("GGTech", "Company", "we", "us", "our") collects, uses, stores and protects your personal data when you use the Movo mobile application ("Movo" or the "App"). It is prepared in accordance with the Turkish Personal Data Protection Law No. 6698 ("KVKK") and applicable regulations, and is designed to align with the General Data Protection Regulation ("GDPR") where applicable.
1. Data Controller
The Movo application is operated by GG Tech Teknoloji Sanayi ve Ticaret Limited Şirketi. We act as the data controller for personal data processed through the App.
- Legal Name: GG Tech Teknoloji Sanayi ve Ticaret Limited Şirketi
- Address: Sahrayıcedid Mah. Kireçhaneler Sok. No:6/2 D:5 Kadıköy / Istanbul, Türkiye
- MERSİS No: 0395241549600001
- Trade Registry No: 1029078
- Tax Office / Tax ID: Erenköy Tax Office / 3952415496
- Registered E-mail (KEP): ggtech@hs01.kep.tr
- Contact E-mail: info@ggtech.co
2. Categories of Personal Data Processed
Your personal data may be processed in the following categories while using the App:
| Category | Example Data |
|---|---|
| Identity | Name (optional), username |
| Contact | E-mail address |
| Customer Transaction | Subscription status, credit balance, purchase history |
| Security | Device ID, IP address, session logs, authentication tokens |
| Audio-Visual Records | Photos and videos you upload, generated outputs |
| Marketing | Notification preferences, campaign interactions |
| Technical | App version, device model, OS version, language and region, crash logs |
Special Category Data: Images you upload may contain your face or biometrically identifiable information. Such data is considered "special category personal data" under KVKK Article 6 and is processed only with your explicit consent. You are separately informed and your consent is obtained within the registration/usage flow.
Data Minimization: Names, tags, location information (including EXIF metadata) and any non-visual identifying text contained in the images or videos you upload that are not strictly necessary for AI output generation are not processed or are masked. Only the visual/biometric data strictly required to generate the AI output is processed.
3. Purposes and Legal Basis for Processing
Your personal data is processed on the legal grounds set out in KVKK Articles 5 and 6 (and the equivalent GDPR Article 6 bases where applicable) for the following purposes:
| Purpose | Legal Basis (KVKK / GDPR) |
|---|---|
| Account creation and authentication | Performance of contract (Art. 5/2-c / GDPR 6(1)(b)) |
| Generating AI outputs from your uploaded content | Explicit consent (Art. 5/1, 6/2 / GDPR 6(1)(a), 9(2)(a)) |
| Processing subscription and credit pack purchases | Performance of contract; legal obligation (Art. 5/2-c,ç / GDPR 6(1)(b),(c)) |
| Invoicing and fulfilling tax obligations | Legal obligation (Art. 5/2-ç / GDPR 6(1)(c)) |
| User support and complaint management | Legitimate interest (Art. 5/2-f / GDPR 6(1)(f)) |
| Fraud and abuse prevention | Legitimate interest (Art. 5/2-f / GDPR 6(1)(f)) |
| Service performance, crash analytics | Legitimate interest (Art. 5/2-f / GDPR 6(1)(f)) |
| Marketing, push notifications and campaigns | Explicit consent (Art. 5/1 / GDPR 6(1)(a)) |
4. How We Collect Your Data
Your data is collected electronically through in-app forms and actions, identity providers (Apple ID, Google sign-in, etc.), purchases via the app stores, and automatic technical logs from your device.
5. Parties with Whom We Share Data
Your data may be shared with the following third-party categories in order to provide the service:
5.1. Cloud Infrastructure and Authentication Provider — Firebase / Google Cloud (Google LLC, United States)
Movo's backend infrastructure runs on Firebase / Google Cloud services provided by Google LLC. The principal services used are:
- Firebase Authentication — account creation and session management (e-mail, Apple ID, Google sign-in).
- Cloud Firestore / Realtime Database — storage of structured data such as user profile, subscription status, credit balance and purchase history.
- Cloud Storage for Firebase — transient processing of files during the AI generation flow and, depending on the use case, storage of generated AI outputs (long-term storage of gallery content is primarily performed on Cloudflare R2 — see 5.2).
- Cloud Functions — server-side business logic, including the orchestration of third-party API calls such as fal.ai.
- Firebase Crashlytics / Analytics — monitoring application stability and performance.
Your data is processed on Google's Firebase infrastructure under a Data Processing Addendum / DPA entered into between GGTech and Google LLC, with Google acting solely as a data processor. Google does not use this data for advertising or for training its own AI models under that DPA.
5.2. Object Storage and Content Delivery Provider — Cloudflare R2 (Cloudflare, Inc., United States)
Generated AI outputs (gallery content) are stored on Cloudflare R2, the object storage service provided by Cloudflare, Inc., and delivered to the App for performant in-app access. Cloudflare acts solely as a data processor under a Data Processing Addendum / DPA entered into between GGTech and Cloudflare.
- Cloudflare R2 primarily stores generated AI outputs and the related technical metadata (file name, size, format, etc.).
- Cloudflare does not use content stored on R2 for advertising or for training its own AI models.
- The R2 bucket is configured in automatic / global distribution mode; accordingly, your content may be served from Cloudflare's data centers worldwide (primarily in the United States and other countries).
Cloudflare's current privacy policy and customer DPA are available at https://www.cloudflare.com/privacypolicy/ and https://www.cloudflare.com/cloudflare-customer-dpa/.
5.3. AI Service Provider — fal.ai (Features and Labels, Inc., United States)
When you start an AI generation flow inside the App, the photos and videos you select are shared with fal.ai, located in the United States, for AI generation processing. fal.ai processes your visual/video content only to produce the output you requested, acting as a data processor under the contract executed between GGTech and fal.ai.
Pursuant to fal.ai's applicable Terms of Service:
- Uploaded content (Customer Input) remains the property of the customer/user; ownership is not transferred to fal.ai.
- fal.ai does not use your raw uploaded photos or videos to train its own AI models in a manner that is identifiable to or attributable to you.
- fal.ai may only process anonymised and aggregated usage data ("Usage Data") derived from such content for the purposes of monitoring, supporting and improving the service.
- Source images/videos are not retained on fal.ai's side after the AI output has been generated; they are cleared once processing is complete.
fal.ai's current privacy policy and terms are available at https://fal.ai/privacy and https://fal.ai/terms.
5.4. Other Third Parties
- Payment and subscription providers (Apple App Store, Google Play, RevenueCat) — subscription and credit pack transactions; purchase data held on device/store side.
- Analytics and crash reporting providers — monitoring app stability.
- Competent public authorities — where legally required.
Oversight of Data Processors (DPA): The third-party data processors listed above act solely on GGTech's documented written instructions and pursuant to Data Processing Agreements (DPAs) executed between the parties. Within the scope of KVKK Article 12, GGTech reserves the right to periodically request and audit the KVKK/GDPR compliance, data destruction reports, security audits including penetration testing, and other technical and organizational measures of these processors.
6. International Transfers
Some of the above providers' servers may be located outside of Türkiye (primarily in the United States and the European Union). Your personal data is transferred to countries for which the Turkish Personal Data Protection Board has not issued an adequacy decision based on your separate and explicit consent obtained during in-app registration/use, in compliance with KVKK Article 9. The consent provided may be withdrawn at any time. For EU residents, transfers are performed pursuant to applicable GDPR mechanisms (such as Standard Contractual Clauses) where required.
7. Retention Periods
Personal data is retained for the period necessary to fulfil the processing purposes and in line with minimum statutory retention periods (e.g., up to 10 years under Turkish Tax Procedure Law, Commercial Code and Consumer Protection legislation). When the purpose ceases or the period expires, data is deleted, destroyed or anonymised pursuant to KVKK Article 7.
The table below summarises the retention periods for the main categories of data:
| Data / Category | Storage Location | Retention Period |
|---|---|---|
| Account, profile, subscription and credit balance data | Firebase / Google Cloud | For as long as the account is active; if the account is closed, deleted or anonymised within 30 days at the latest |
| Raw photos/videos uploaded as AI input — fal.ai side | fal.ai (United States) | Not retained by fal.ai after the AI output has been generated; cleared once processing is complete |
| Raw photos/videos uploaded as AI input — Movo side | Firebase / Google Cloud | Deleted or anonymised shortly after the AI output has been generated |
| Generated AI outputs (gallery content) | Cloudflare R2 and/or Firebase / Google Cloud | Until you delete them or close your account; if the account is closed, deleted within 30 days at the latest |
| Purchase / subscription records | Firebase + Apple/Google/RevenueCat | Up to 10 years in line with applicable financial and commercial legislation |
| Traffic data (IP addresses, session logs) | Firebase + our logging infrastructure | Two (2) years in our capacity as hosting provider under Law No. 5651 |
| Crash / error logs | Firebase Crashlytics | For as long as needed to diagnose the issue, up to 90 days |
Account closure and deletion: Upon a user request or account closure, personal data not subject to a statutory retention obligation, together with all generated outputs, is deleted, destroyed or anonymised within 30 days at the latest.
8. Rights of the Data Subject (KVKK Article 11 / GDPR Articles 15–22)
You have the right to:
a) Learn whether your personal data is being processed, b) Request information about processing, c) Learn the purpose of processing and whether data is used accordingly, d) Know the third parties to whom data is transferred within or outside the country, e) Request correction of incomplete/incorrect data, f) Request erasure/destruction pursuant to KVKK Art. 7 (GDPR "right to be forgotten"), g) Request notification of actions (d) and (e) to third parties, h) Object to automated decision-making affecting you adversely, i) Claim damages suffered due to unlawful processing.
To exercise these rights, contact info@ggtech.co in writing or use other methods set out in the Communiqué on Application to the Data Controller. Your requests will be resolved free of charge within 30 days; where a cost is justified, the fee set by the Personal Data Protection Board may apply.
9. Data Security
GGTech implements appropriate technical and administrative measures under KVKK Article 12 to prevent unlawful processing, access and storage of your personal data. These include encrypted transport (TLS), access authorization, log records, staff confidentiality undertakings, and regular security reviews.
Data Breach Notification: In the event of a personal data breach, GGTech shall, in accordance with KVKK Article 12/5 and the relevant decisions of the Personal Data Protection Board, notify:
- the Personal Data Protection Board, and
- the affected data subjects
within 72 hours at the latest from becoming aware of the breach. The notification will include the date of the breach, the categories of data affected, the likely consequences and the technical and organizational measures taken or proposed to be taken.
10. Cookies and Similar Technologies
The mobile application does not use traditional cookies, but may use session tokens, device identifiers (IDFA/GAID, etc.) and local storage (AsyncStorage/Keychain). Analytics and advertising identifiers are processed only within the consent you provide via device settings (Apple ATT / Android advertising ID settings).
11. Children's Data
Movo is not intended for users under 13. Users aged 13–18 are expected to use the app under the supervision of a parent or guardian. If you believe your child's data has been processed without your consent, please contact us at the channels above.
12. Changes
This Privacy Policy may be updated in line with legal changes or service needs. For material changes, you will be notified via in-app notice or e-mail. The current version is always published on this page; the effective date is indicated at the top.
13. Contact
GG Tech Teknoloji Sanayi ve Ticaret Limited Şirketi E-mail: info@ggtech.co KEP: ggtech@hs01.kep.tr Address: Sahrayıcedid Mah. Kireçhaneler Sok. No:6/2 D:5 Kadıköy / Istanbul, Türkiye