← Back to Home

Privacy Policy

This Privacy Policy describes how CinderSpire Studio ("CinderSpire", "we", "our", "us"), an independent software studio operated by Mustafa Bilgic and based in Adiyaman, Turkey, collects, uses, stores, and protects your personal information when you use our mobile applications or visit our website at https://playtools.top.

This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK) No. 6698, the California Consumer Privacy Act (CCPA/CPRA), Apple's App Store Review Guidelines, Google Play's Data Safety requirements, and the Children's Online Privacy Protection Act (COPPA).

1. Data Controller & Contact

2. Applications Covered by This Policy

This Privacy Policy applies specifically to the following published applications and our website. Each application has its own data collection profile, described in Section 4.

If we publish additional applications in the future, this Privacy Policy will be updated to include them with app-specific disclosures before release.

3. Categories of Personal Data We Collect

We only collect the minimum data needed to operate and improve our apps.

3.1 Data You Provide Directly

• Contact details — Name and email address when you submit the website contact form or apply to the affiliate program
• Support correspondence — Messages and details you share when contacting support
• Purchase identifiers — Transaction identifiers returned by the Apple App Store or Google Play when you buy a subscription or in-app product (processed through Adapty, see Section 6)
• Account preferences — In-app settings, language selection, and theme, stored locally on your device

3.2 Data Collected Automatically

• Device and technical data — Device model, operating system and version, app version, screen size, device language, and country setting
• Diagnostic data — Crash reports, stack traces, and non-fatal error events collected via Sentry and Firebase Crashlytics
• App interaction events — Anonymous usage events (screens viewed, features used, session start and stop) via Firebase Analytics, used to improve the app
• Approximate IP-based location — For fraud prevention and regional content only; we do not use GPS unless explicitly requested by a feature and the permission is granted
• Advertising identifier — On iOS, the IDFA is only accessed if you grant permission via the App Tracking Transparency prompt. On Android, the Advertising ID is governed by Google Play Services and can be reset or disabled in system settings

3.3 Lookify-Specific Data

• Photos you upload — Images you select or capture for virtual try-on are processed via our API. Photos are used only for the active try-on session and are not retained on our servers beyond the session unless you explicitly save a look
• Camera access — Only activated after you grant the system camera permission and only to capture images for try-on features
• Saved looks — Items and outfits you choose to save are stored locally on your device and, if you opt in, synchronized via Firebase

3.4 AudiFusion Pro-Specific Data

• Local audio file access — The app reads audio files from your device storage to play them. Audio content never leaves your device and is not uploaded to any server
• EQ and preset configurations — Stored locally on your device
• No microphone access — AudiFusion Pro does not request or use the microphone

3.5 Data We Do Not Collect

• Government identifiers, date of birth, phone number, or home address
• Full payment card numbers, bank account details, or financial credentials (handled entirely by Apple, Google, and Adapty)
• Precise location without explicit permission
• Contacts, calendar, SMS, call logs, or health data
• Biometric data

4. Per-App Data Collection Summary

The table below reflects the data collection disclosures we publish to the Apple App Store Privacy Nutrition Label and the Google Play Data Safety form.

App	Data Collected	Linked to User?	Used for Tracking?
Lookify	Photos (session only), Email (optional), Device ID, Crash data, Usage data, Purchase history	Only if you create an account	No, unless ATT consent is granted for ads on iOS
AudiFusion Pro	Device ID, Crash data, Usage data, Purchase history	No	No, unless ATT consent is granted for ads on iOS
playtools.top	Name & Email (contact form), Analytics cookies (opt-in)	Yes for form submissions	No

5. Purposes and Legal Basis (GDPR Article 6)

Under the GDPR, we identify a lawful basis for each type of data processing.

Purpose	Data Used	GDPR Legal Basis (Art. 6)
Providing core app functionality (try-on, audio playback, settings)	Device data, local files, preferences	Performance of a contract (Art. 6(1)(b))
Account creation, purchases, and subscription management	Email, purchase identifiers	Performance of a contract (Art. 6(1)(b))
Crash reporting and stability improvements	Diagnostic data, device data	Legitimate interests (Art. 6(1)(f)) — improving software quality
Usage analytics and product improvement	Anonymized event data	Legitimate interests (Art. 6(1)(f)); consent where required (Art. 6(1)(a))
Personalized advertising (iOS only after ATT prompt)	Advertising identifier, device data	Consent (Art. 6(1)(a))
Responding to support and contact requests	Email, message content	Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations	Transaction records, correspondence	Legal obligation (Art. 6(1)(c))

6. Third-Party Services and SDKs

We integrate a limited set of third-party services to run our apps and website. Each service operates under its own privacy policy, and we only send the minimum data required.

Service	Purpose	Data Shared	Privacy Policy
Google Firebase (Analytics, Remote Config, Auth)	App analytics, configuration, optional sign-in	Device ID, event data, IP, email (if using Firebase Auth)	firebase.google.com/support/privacy
Firebase Crashlytics	Crash reporting	Device model, OS, stack trace, session ID	firebase.google.com/support/privacy
Sentry	Error monitoring and performance tracing	Error events, stack traces, device information, session ID	sentry.io/privacy
Google AdMob	Monetization (only with ATT consent on iOS)	Advertising identifier, device data, IP	policies.google.com/technologies/ads
Adapty	Subscription management and paywalls	Transaction identifiers, subscription state, anonymized user ID	adapty.io/privacy
Amazon Interactive Video Service (IVS) — Lookify only	Real-time video streaming for try-on features	Session tokens, device data, image data (session only)	aws.amazon.com/privacy
Apple App Store / Google Play	App distribution, billing, subscriptions	Handled directly by the respective store	apple.com/legal/privacy · policies.google.com/privacy
Google Analytics 4 (website only)	Website traffic analytics (opt-in via Consent Mode v2)	Anonymized IP, page events	policies.google.com/privacy

We do not sell or rent your personal data to any third party. We do not use the data above for automated decision-making or profiling that would produce legal effects concerning you.

7. Apple App Tracking Transparency (ATT)

On iOS 14.5 and later, our applications comply with Apple's App Tracking Transparency framework. Before any tracking that would access the IDFA for cross-app advertising, the app will display Apple's standard ATT prompt and request your permission.

• If you allow tracking, AdMob and related advertising SDKs may use the IDFA to deliver more relevant ads
• If you do not allow tracking, we will not access the IDFA, and any ads shown will be contextual rather than personalized
• You can change this choice at any time from iOS Settings → Privacy & Security → Tracking
• Sign in with Apple, Firebase Analytics, Crashlytics, and Sentry do not use IDFA and operate regardless of your ATT choice

8. iOS Permissions and Purpose Strings

When an iOS permission prompt appears, our apps include a clear purpose string explaining why the permission is needed:

• Camera (Lookify): "Lookify needs camera access to capture your photo for virtual try-on features."
• Photo Library (Lookify): "Lookify needs photo library access so you can select images for virtual try-on."
• App Tracking Transparency (Lookify, AudiFusion Pro): "Allow tracking to receive more relevant ads. This does not give access to your name or address."
• Media Library (AudiFusion Pro): "AudiFusion Pro needs access to your music files so you can play and enhance them."

All permissions are optional. Denying a permission will only disable the specific feature that requires it and will not prevent the rest of the app from functioning.

9. Data Storage, Retention, and Security

9.1 Where Data Is Stored

• App data is primarily stored on your device
• Server-side data (Firebase, Sentry, Adapty) is hosted in their respective cloud regions with EU Standard Contractual Clauses in place
• Amazon IVS streams are processed in AWS regions nearest to you for performance

9.2 Retention Periods

Data Type	Retention Period
Contact form submissions	Up to 24 months, then deleted
Crash reports (Sentry / Crashlytics)	90 days by default, maximum 12 months
Firebase Analytics events	14 months (Firebase default)
Purchase records (Adapty)	As long as required by tax and consumer protection law (up to 10 years)
Account data (if you create one)	Until you request deletion
Local app files (preferences, saved looks)	Until you uninstall the app or clear its storage

9.3 Security Measures

• Encryption in transit — TLS 1.2 or higher for all network communication
• Encryption at rest — Provided by Firebase, AWS, and Adapty infrastructure
• Access control — Two-factor authentication and role-based access for all developer consoles
• Data minimization — We only request permissions and collect data the feature actually needs
• Vulnerability monitoring — Sentry performance and error monitoring, plus dependency scanning for SDK updates

10. International Data Transfers

Because our third-party providers (Google, AWS, Sentry, Adapty) operate globally, your data may be transferred to and processed in countries outside the European Economic Area, Turkey, or your country of residence, including the United States.

For such transfers, we rely on one or more of the following safeguards:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• Certification schemes such as the EU-US Data Privacy Framework

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right to be informed about how we use your data
• Right of access to a copy of your personal data
• Right to rectification of inaccurate or incomplete data
• Right to erasure (also known as "the right to be forgotten")
• Right to restrict processing in certain circumstances
• Right to data portability in a machine-readable format
• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time, without affecting the lawfulness of past processing
• Right to lodge a complaint with a supervisory authority (KVKK in Turkey, your local EU Data Protection Authority, or the relevant authority in your jurisdiction)

For California residents, you additionally have the right to know, delete, correct, and opt out of the sale or sharing of personal information under CCPA/CPRA. We do not sell or share personal information for cross-context behavioral advertising.

To exercise any of these rights, email [email protected]. We respond within 30 days and never charge for verified requests.

12. Account and Data Deletion

You can request deletion of your account and associated personal data at any time:

• In-app: Open the app Settings and use the "Delete Account" option where available
• By email: Send a deletion request to [email protected] from the email address associated with your account

Upon request, we delete your personal data within 30 days, except where retention is required by law (for example, tax records for purchase transactions).

13. Children's Privacy (COPPA)

Our applications are not directed to children under the age of 13 (or the equivalent minimum age in the user's jurisdiction). We do not knowingly collect personal data from children under 13.

• Apps are rated for general audiences in the App Store and Google Play
• No advertising known to target children is served
• If you are a parent or guardian and believe we may have collected data from a child, contact us at [email protected] and we will promptly delete the information

14. Cookies (Website Only)

Our website uses a minimal set of cookies and similar technologies:

• Strictly necessary — Session, CSRF, and preference cookies that keep the site working
• Analytics (opt-in) — Google Analytics 4 via Google Consent Mode v2. Analytics storage is denied by default until you grant consent

You can clear or block cookies in your browser settings at any time. The mobile apps do not use browser cookies.

15. Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the competent supervisory authority within 72 hours (GDPR Art. 33)
• Notify affected users without undue delay where required (GDPR Art. 34)
• Publish a notice on our website describing the nature of the breach and mitigation steps

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Post a notice on our website and in the relevant apps
• Provide a reasonable notice period before the new version takes effect

Continued use of our apps or website after the effective date of an updated Privacy Policy constitutes acceptance of the changes. If you do not agree, please stop using the apps and contact us so we can delete your data.

17. Contact Us

This Privacy Policy was originally prepared in English. If a translation is provided, the English version prevails in case of any conflict.

Last updated: 2026-04-09