Who we are (data controller)
Mustafa Baykal (Individual Developer), jurisdiction: Republic of Türkiye.
For all privacy-related questions: mustafabaykal91@gmail.com
What we collect
- Nothing personal. Crisis Desk does not require an account or collect identifying information about you.
Third-party services we use
- RevenueCat (subscription receipt validation + entitlement management)
- Apple StoreKit (in-app purchase processing — handled entirely by Apple)
Data processors and international transfers
We use the following processors. All have signed Data Processing Agreements (DPAs); transfers to the United States are additionally protected by Standard Contractual Clauses (SCCs) per GDPR Articles 44–49 (post-Schrems II).
| Processor | Purpose | Location | DPA | SCC |
|---|---|---|---|---|
| RevenueCat, Inc. | App Store receipt validation, subscription entitlement, and restore-purchases coordination across your devices. Processes only an anonymous, randomly generated app-user identifier — never your name, email, or payment details. | USA | ✓ | ✓ |
| Apple, Inc. | App Store distribution and in-app purchase processing. Apple handles all payment data; we never see or store card or billing information. | Global | ✓ | N/A |
Data retention
We keep data only as long as necessary for the purpose collected, or as required by law (GDPR Art. 5(1)(e); KVKK Art. 7).
| Data type | Retention period | Reason |
|---|---|---|
| Anonymous RevenueCat app-user ID (random UUID — never linked to name/email/phone) | until-deletion | Required so your Premium entitlement and restore-purchases work across app launches and devices. |
| Local game progress (case progress, endings discovered, best grade, settings, chosen language and theme) | until-deletion | Stored locally on your device via AsyncStorage; deleted automatically when you uninstall the app. Never transmitted to us. |
| Subscription receipts (via Apple + RevenueCat) | 7-years | Turkish tax law (Vergi Usul Kanunu, Art. 253) requires payment-record retention for 7 years. Linked only to the anonymous user ID — no personal identification. |
No account, anonymous play
Crisis Desk has no sign-up, no login, and no account. You can play the entire game anonymously. Because we never ask who you are, we cannot link your play to a real-world identity.
We do NOT collect
We do not collect or use: your real name, email address, phone number, precise location, contacts, photos, microphone, camera, health/fitness data, calendar, browsing history, biometrics, or any social-network profile. The game has no chat, no leaderboard, and no social messaging.
No advertising
Crisis Desk contains NO third-party advertising. We do not use your advertising identifier (IDFA) and we never show behavioral or personalized ads. If advertising is ever added in a future version, this policy will be updated first and, on iOS, App Tracking Transparency (ATT) consent will be requested where legally required — you will always be able to decline.
Local-only game progress
Your case progress, the endings you have discovered, your best engineer grade, your chosen language and console theme, and your audio/haptics settings are stored locally on your device using AsyncStorage. This data never leaves your device and is removed automatically when you uninstall the app.
Device language (read locally, not collected)
On first launch, Crisis Desk reads your device's language setting so it can open in your language. This reading happens entirely on your device and is never transmitted to us or to any third party. You can change the language anytime in Settings.
Children's privacy (COPPA + GDPR-K)
Crisis Desk is rated 9+ and is suitable for a general teen-and-up audience. We do not knowingly collect personal information from children. The game collects no personal data, requires no account, has no chat, and shows no ads — which minimizes any risk to younger players. If you believe a child has somehow provided personal information through this app, email mustafabaykal91@gmail.com and we will delete it within 30 days.
International data transfers (post-Schrems II)
The only data that may leave your device are subscription receipts, which flow to RevenueCat (USA) and Apple (global) to validate your purchase. RevenueCat operates under a signed Data Processing Agreement with Mustafa Baykal and Standard Contractual Clauses (SCCs) approved post-Schrems II. Apple StoreKit is a global pipeline outside our control — see Apple's privacy policy for transfer details.
We do not sell or share your data
We do not sell, rent, or trade personal information, and we do not share it for cross-context behavioral advertising. We have never done so. The only third parties involved are Apple and RevenueCat, strictly to validate your purchases.
Automated decision-making (GDPR Art. 22)
Crisis Desk does not use AI, profiling, or any automated decision-making that produces legal or similarly significant effects. The in-game simulation (incident pacing, the failure track, and endings) is deterministic, runs entirely on your device, and is driven only by your in-game choices.
Breach notification
In the unlikely event of a personal-data breach affecting you, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and, where there is a high risk to your rights, notify you directly on this page and in-app.
Your rights
- Access — request a copy of any data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion (see Delete account).
- Portability — receive your data in a machine-readable format.
- Restriction — restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Object to automated decisions — the app does not make consequential automated decisions; you may still email us per GDPR Art. 22.
- Withdraw consent — for any processing based on consent.
- Lodge a complaint — with your local supervisory authority (in Türkiye: KVKK; in EU: your national DPA).
Legal bases for processing (GDPR Art. 6)
- Performance of a contract — processing payment receipts via Apple/RevenueCat to provide your subscription.
- Legitimate interests — anonymized analytics + crash reporting to improve the app.
- Consent — health permissions, push notifications, ATT tracking (you can withdraw at any time in iOS Settings).
- Legal obligation — retaining payment records per applicable tax law.
Children
Crisis Desk is not directed at children under 9. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact mustafabaykal91@gmail.com and we will delete it within 30 days.
Security
We implement industry-standard security measures: TLS 1.3 for all network traffic, encrypted at rest where stored on third-party services, no plaintext credentials, principle of least privilege for data access. No system is 100% secure; if a breach impacts you, we will notify per GDPR Art. 33–34 (within 72 hours of discovery).
California / CCPA
California residents have the right to: (i) know what personal info we collect; (ii) delete personal info; (iii) opt out of sale (we do not sell); (iv) non-discrimination. To exercise: email mustafabaykal91@gmail.com with subject "CCPA request".
Changes
If this policy changes materially, the "Last updated" date will be revised. Significant changes will be flagged in-app and we will provide a 30-day notice period for objection where required by law.
Contact
Privacy questions: mustafabaykal91@gmail.com · Data subject requests: same email, subject "Data subject request".