EN translation: The legally binding version of this document is the Turkish original at /legal/gizlilik.html. This English translation is provided for information only; in case of any conflict, the TR text prevails.
This page summarises how Pilo (Wireless Remote) processes your personal data. The full KVKK / GDPR notice is at /legal/kvkk.html.
1) Data we collect
- Account: email, display name, locale, country code.
- Authentication: BCrypt password hash, or OAuth links (Google
sub, Facebookid, Applesub). If you use Apple's "Private Relay" we store the relay address. - Device: a hardware id (SHA-256 prefix of machine name + OS bits), platform, version, last-seen timestamp.
- Subscription & billing: the subscription id reported by the payment provider (Iyzico / Google Play / Apple / Microsoft), amount, currency, status. Pilo never stores card numbers — they live only at the provider.
- Telemetry: anonymous usage events (e.g.
social_login,device_added). We do not collect IP or GPS.
2) Why we process it
- Account creation, sign-in, device licensing (contract performance).
- Reconciliation with billing providers (legal obligation — bookkeeping).
- Product improvement (legitimate interest, identifier-free).
3) Social-login data flow
When you tap "Continue with Google / Facebook / Apple":
- Your browser (PC) or OS (Android) talks to the provider directly — Pilo never sees your provider password.
- The provider returns a signed identity token; our server only verifies the token and stores
provider,provider_id,email,display_name,avatar_url. - If the same provider + id appears again, we link to the existing account.
4) In-app purchase flow
| Provider | Flow | What Pilo receives |
|---|---|---|
| Iyzico (TR · web/PC) | Checkout iframe → card processor → server webhook | paymentId, amount, currency, status |
| Google Play (Android) | Play Billing → purchaseToken → verified server-side | token, productId, expiryTime |
| Apple StoreKit 2 (iOS) | StoreKit + ASSN V2 (signed JWS) | txn id, productId, expirationDate |
| Microsoft Store (Windows) | StoreContext receipt → server verification | storeId, anonymous user id |
Card data never reaches Pilo's servers. PCI-DSS scope sits with the provider.
5) Retention
- Account & devices: while active + 30 days after deletion request, then permanently anonymised.
- Invoices: 10 years (TR) / 7 years (EU) as required by tax law.
- Refresh tokens: max 30 days.
- Telemetry events: 90 days, then aggregated.
- Sign-in history: 180 days. Each entry contains the timestamp, IP address, country (resolved offline — see §5a), browser/OS string, and whether the attempt succeeded. Used to power the "Recent Sign-ins" panel and to send you a heads-up email when we see a sign-in from a network we hadn't seen for you in the previous 30 days.
5a) Country lookup (GeoIP)
To show a country flag next to each sign-in we resolve IP addresses against a local copy of the MaxMind GeoLite2 Country database. The lookup happens entirely on Pilo's server — no IP address ever leaves Pilo to a third party for this. The GeoLite2 database is provided by MaxMind, Inc.; this product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com, and is licensed under CC BY-SA 4.0.
6) Your rights
- Access & portability:
GET /v1/me/exportor Settings → "Download my data" — full JSON dump. - Deletion:
DELETE /v1/me(in-app "Delete my account") — anonymised within 30 days. - Rectification: Settings → "Edit profile".
- Complaint: For Turkey, KVKK Authority; for the EU, your local DPA.
Contact: privacy@pilo.media