Mustafa Evleksiz
Privacy

Privacy policy — SoruX

Last updated: May 30, 2026

This policy explains what SoruX collects, why, and your choices. Operated by Mustafa Evleksiz — contact mustafa@mustafaevleksiz.com.

1. Summary

SoruX is an AI-native YKS prep platform — Vertex AI generates curriculum-aligned questions on demand and an ELO engine adjusts difficulty per topic. To run the service we process account, learning, AI prompt, and usage data. We do not sell personal data and we do not use your learning data for advertising or AI model training.

2. Data we collect

We collect only what's needed to run the service:

  • Account: email and display name (if you sign up via email).
  • Apple Sign-In and Google Sign-In identifiers (if you use those).
  • Profile: avatar, class level, target exam type (TYT/AYT/KPSS, etc.).
  • Learning: solve history, correct/wrong counts, per-topic ELO scores.
  • AI prompts: only subject + topic + difficulty metadata — no personal data in the prompt payload.
  • AI-generated content: questions and solutions stored in a user-scoped pool.
  • Push notification token (Firebase Cloud Messaging).
  • Subscription status and purchase receipts (via RevenueCat over Apple/Google).
  • Crash and diagnostic data (Firebase Crashlytics).
  • Local device data (SharedPreferences/MMKV — session, preferences, offline cache).
  • Optional uploaded photo for profile avatar (image_picker; avatar only).
  • Classroom/teacher mode (if used): class membership and assignment history.

3. How we use your data

Your data powers the core service:

  • Generate, validate and serve YKS questions tailored to your weak topics.
  • Maintain your account, profile, subscription and learning progress.
  • Send transactional notifications and study reminders.
  • Detect errors, abuse (rate-limiting) and improve performance.
  • Comply with legal obligations.

4. Legal bases (GDPR)

Performance of a contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), consent for analytics/notifications where required (Art. 6(1)(a)), and legal obligations (Art. 6(1)(c)).

5. Who we share data with

Sub-processors act under our instructions — we do not sell personal data:

  • Google Firebase (Auth, Firestore, Cloud Functions, Storage, App Check, Cloud Messaging, Crashlytics) — backend, auth, sync, notifications, crash reporting.
  • Google (Vertex AI / Gemini API) — question generation, validation, distractor engine, AI Coach (topic + subject + difficulty prompts; no PII in payload).
  • Apple (Sign in with Apple) — auth provider.
  • Google (Sign in with Google) — auth provider.
  • RevenueCat — subscription orchestration over Apple/Google billing.
  • Apple App Store (StoreKit) — iOS subscription billing.
  • Google Play Billing — Android subscription billing.
  • Upstash (Redis REST) — rate-limiting, question-pool index cache, leaderboard cache (anonymized keys, no PII).
  • Replicate — optional on-demand AI avatar image generation (user prompt only).

6. AI generation and your data

When you tap a topic, we send a minimal prompt (subject + topic + difficulty) to Google's Vertex AI / Gemini API to generate a fresh question. We do not include your email, name or solve history in the prompt. Generated questions are stored in a user-scoped pool. Vertex AI's default policy is to NOT use API content for model training; we rely on this default.

7. Avatar photos

If you upload a profile photo, it is used only as your account avatar. We do not run face recognition or biometric analysis on it, and it is never used for AI model training.

8. Children and education data

SoruX is built for students preparing for Turkish university and civil-service entrance exams (YKS/KPSS), so users may include minors aged 13+. Learning data (solve history, ELO scores) is processed solely to personalise the learning experience; it is never shared with third parties or sold. Parents or schools can request account deletion at any time via support.

9. Data retention

How long different data lives:

  • Account and learning data: kept while your account is active.
  • AI-generated questions: kept in your user-scoped pool while your account is active.
  • Crash/analytics: retained per provider defaults.
  • Push notification tokens: rotated by the OS and on sign-out.

10. International transfers

Most providers (Google, RevenueCat, Upstash, Apple, Replicate) process data outside Turkey, including the United States. Transfers rely on appropriate safeguards (Standard Contractual Clauses) and, where required, your explicit consent.

11. Your rights and account deletion

Under GDPR/KVKK you may request access, correction, deletion, restriction, portability, and objection. To exercise them:

  • In-app account deletion: Settings → Account → Delete account.
  • In-app local data wipe: Settings → Privacy → Delete all device data.
  • Email: mustafa@mustafaevleksiz.com (we process within 30 days).

12. Security

We use industry-standard measures — encryption in transit, Firebase App Check, role-based Firestore rules, and rate-limiting on AI endpoints. No method is 100% secure; we cannot guarantee absolute security.

13. Changes

We may update this policy; material changes will be notified in-app or by updating this page's date.

14. Contact

Mustafa Evleksiz — mustafa@mustafaevleksiz.com.

Back to project
Mustafa Evleksiz — Product Engineer · Mustafa Evleksiz