Clear, honest explanation of how your data is collected, used, and protected.
Effective date: 14 Nisan 2026
Version: 3.0
If there is a conflict between the Turkish and English versions, the Turkish text prevails.
The data controller for services offered under the Radarlo brand is the following legal entity:
Legal Name
Radarlo (legal entity details being finalized)
Brand
radarlo.com
Registered Address
Istanbul, Türkiye
Tax / Trade Registry No
To be published
Registered e-Mail (KEP)
To be published
info@radarlo.com
This page will be updated once legal entity registration is complete. The current information can be found here and in the §17 Version Log.
You can reach our Data Protection Officer for all questions about your personal data and to exercise your rights:
Email: dpo@radarlo.com
Postal: Radarlo DPO, Istanbul / Türkiye
For KVKK-scope requests, use the Data Subject Application Form: /kvkk.
For users in the European Economic Area (EEA), an EU representative is being appointed pursuant to GDPR Article 27. Representative details will be published here upon completion:
Representative: To be published (EU-based provider such as Prighter / VeraSafe)
Contact: eu-rep@radarlo.com
A separate UK representative will be appointed for users in the United Kingdom.
Data below is collected only when necessary to provide the service. The legal basis for each category is listed in §5.
Email, hashed password, display name, phone (optional), country, preferred language, vehicle type, premium status, IBAN (only if you request a referral payout), promotional consent.
Device ID, operating system and version, device model, app version, push notification token (FCM), notification/location/sound/vibration permission states.
While the mobile app is active, your GPS location is processed approximately every 10 seconds with a 10 metre distance filter. Location is sent to our server to query nearby radar points and discarded from memory as soon as possible. Raw location trails are not persistently stored server-side. This processing triggers a Data Protection Impact Assessment (DPIA) under GDPR Article 35; public summary: /legal/dpia-summary.
Your IP address and user-agent are stored alongside refresh tokens for 30 days to detect session abuse (refresh_tokens table).
Alerts and reports you voluntarily submit: location, alert type, comment, photo (EXIF GPS is stripped), vote counts. Reports auto-expire after 2 hours.
Apple App Store and Google Play receipts, product ID, plan, trial and renewal dates. Card and payment details are never transmitted to us; they are handled by Apple/Google.
If you consent, Firebase Analytics, Google Analytics 4 (G-Z8MPYK1FZT), Firebase Crashlytics and the AdMob advertising identifier (AAID/IDFA) are processed. Without consent these tools are disabled.
With your consent, aggregate statistics such as session start/end location, total distance travelled and how many alerts were shown are recorded.
When you sign in with Google, Apple or Facebook, the provider ID and email are stored; your password is never transmitted to us.
GDPR Art. 6(1) · KVKK Art. 5 · UAE PDPL Art. 5 · KSA PDPL Art. 5
| Purpose | Data | Basis (GDPR) |
|---|---|---|
| Account creation, login, password reset | Account | 6(1)(b) — Contract performance |
| Showing nearby radar points | Location, device | 6(1)(b) — Contract performance |
| Push notification delivery | FCM token, device ID | 6(1)(a) — Explicit consent |
| Abuse and fraud detection | IP, user-agent, session history | 6(1)(f) — Legitimate interests |
| Subscription management | Purchase receipt, plan | 6(1)(b) — Contract performance |
| Personalised analytics | Firebase Analytics, GA4 | 6(1)(a) — Consent (cookie banner) |
| Personalised advertising (AdMob) | AAID/IDFA | 6(1)(a) — Consent (UMP form) |
| Crash reports | Crashlytics | 6(1)(f) — Legitimate interests |
| Legal obligations (tax, disputes) | Invoices, correspondence | 6(1)(c) — Legal obligation |
For processing requiring explicit consent under KVKK, additional consent is collected via /kvkk/acik-riza-metni.
| Data | Duration |
|---|---|
| Account information | Until account deletion + 30 day archive |
| Refresh token (refresh_tokens) | 30 days |
| Community report / alert | 2 hours (auto-delete) |
| Push delivery log | 90 days |
| Crash report (Crashlytics) | 90 days |
| Analytics events (GA4 / Firebase) | 14 months |
| Invoice / payment records | 10 years (TR Tax Law) |
| Database backups | 90 days |
| Raw GPS trail (server) | Not persisted — memory only |
We have data processing agreements (DPAs) with the following third parties. The current list, with last-updated date, is maintained on this page.
| Processor | Purpose | Location |
|---|---|---|
| Google Firebase (Auth, FCM, Analytics, Crashlytics) | Auth, push, analytics, crash | EU / US |
| Google AdMob | Ad serving | US |
| Google Analytics 4 | Web analytics | EU / US |
| Apple App Store / Google Play | Subscription, IAP verification | US |
| PayTR | Türkiye payment processing | TR |
| Upstash Redis | Rate limiting, caching | EU / Global |
| Nodemailer SMTP provider | Transactional email | EU / US |
| Self-hosted (PostgreSQL + PostGIS, 140.245.31.93) | Primary database | Region being confirmed |
Some of our sub-processors (Google, Apple) may transfer data outside Türkiye and the EU. We rely on appropriate safeguards under GDPR Arts. 44–49 and KVKK Art. 9:
For direct transfers from Türkiye to the EU we obtain explicit consent or an adequate safeguard under KVKK Art. 9. Copies of the SCCs may be requested from dpo@radarlo.com.
Radarlo does not carry out solely automated decision-making that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22).
Prioritising alerts (e.g. showing the nearest radar first) is automated; this does not amount to profiling and has no legal effect on the user.
Radarlo is a driving-related service and is not intended for individuals below the driving-licence age. You must be at least 16 (EU), 13 (US/COPPA), and 18 (paid subscriptions) to create an account.
If we learn we have collected data from a child without parental consent, we delete it promptly. Contact dpo@radarlo.com with concerns.
Depending on your jurisdiction, you have the following rights:
GDPR / UK GDPR
Access, rectification, erasure, restriction, portability, objection, challenge automated decisions, complaint (local DPA).
KVKK (Türkiye)
Art. 11: know, third parties transferred to, rectify, erase/destroy, compensation for damages, complaint to the Authority.
UAE PDPL
Access, rectification, erasure, restriction, portability, complaint to the UAE Data Office.
KSA PDPL
Be informed, access, correction, destruction, complaint to SDAIA.
CCPA / CPRA (California)
Know, delete, correct, limit sensitive PI, Do Not Sell/Share.
Global
Withdraw consent at any time; learn which providers received your data.
To exercise your rights: /legal/request use the self-service portal or email dpo@radarlo.com. We respond within 30 days.
If a breach affecting your personal data occurs, we notify the competent supervisory authority within 72 hours and you without undue delay (GDPR Arts. 33–34, KVKK Art. 12(5)).
Our website obtains your consent before loading non-essential cookies, as required by ePrivacy Directive Art. 5(3). See the itemised list: /cookies.
Advertising consent in the mobile app is collected through the Google User Messaging Platform (UMP) form; you can re-open the form at any time via Settings → Privacy → Ad Consent.
If your browser sends a Global Privacy Control signal, we treat it as a "Do Not Sell/Share" request under CCPA/CPRA.
We may update this policy to reflect changes to the service or legal requirements. Material changes are announced by email or in-app notice before taking effect.
| Version | Date | Summary |
|---|---|---|
| 3.0 | 2026-04-14 | Comprehensive rewrite: real data flows, DPO/EU rep, sub-processor table, retention schedule, KVKK/PDPL/CCPA/GPC sections. |
| 2.x | 2025-11-25 | Basic GDPR rights; limited data categories. |