mustafabaykal.com / Crisis Desk

Privacy Policy

Last updated: 2026-06-10 · Effective: 2026-06-10

Who we are (data controller)

Mustafa Baykal (Individual Developer), jurisdiction: Republic of Türkiye.

For all privacy-related questions: mustafabaykal91@gmail.com

What we collect

Third-party services we use

Data processors and international transfers

We use the following processors. All have signed Data Processing Agreements (DPAs); transfers to the United States are additionally protected by Standard Contractual Clauses (SCCs) per GDPR Articles 44–49 (post-Schrems II).

Processor | Purpose | Location | DPA | SCC
RevenueCat, Inc. | App Store receipt validation, subscription entitlement, and restore-purchases coordination across your devices. Processes only an anonymous, randomly generated app-user identifier — never your name, email, or payment details. | USA
Apple, Inc. | App Store distribution and in-app purchase processing. Apple handles all payment data; we never see or store card or billing information. | Global | N/A

Data retention

We keep data only as long as necessary for the purpose collected, or as required by law (GDPR Art. 5(1)(e); KVKK Art. 7).

Data type | Retention period | Reason
Anonymous RevenueCat app-user ID (random UUID — never linked to name/email/phone) | Until deletion | Required so your Premium entitlement and restore-purchases work across app launches and devices.
Local game progress (case progress, endings discovered, best grade, settings, chosen language and theme) | Until deletion | Stored locally on your device via AsyncStorage; deleted automatically when you uninstall the app. Never transmitted to us.
Subscription receipts (via Apple + RevenueCat) | 7 years | Turkish tax law (Vergi Usul Kanunu, Art. 253) requires payment-record retention for 7 years. Linked only to the anonymous user ID — no personal identification.

No account, anonymous play

Crisis Desk has no sign-up, no login, and no account. You can play the entire game anonymously. Because we never ask who you are, we cannot link your play to a real-world identity.

We do NOT collect

We do not collect or use: your real name, email address, phone number, precise location, contacts, photos, microphone, camera, health/fitness data, calendar, browsing history, biometrics, or any social-network profile. The game has no chat, no leaderboard, and no social messaging.

No advertising

Crisis Desk contains NO third-party advertising. We do not use your advertising identifier (IDFA) and we never show behavioral or personalized ads. If advertising is ever added in a future version, this policy will be updated first and, on iOS, App Tracking Transparency (ATT) consent will be requested where legally required — you will always be able to decline.

Local-only game progress

Your case progress, the endings you have discovered, your best engineer grade, your chosen language and console theme, and your audio/haptics settings are stored locally on your device using AsyncStorage. This data never leaves your device and is removed automatically when you uninstall the app.

Device language (read locally, not collected)

On first launch, Crisis Desk reads your device's language setting so it can open in your language. This reading happens entirely on your device and is never transmitted to us or to any third party. You can change the language anytime in Settings.

Children's privacy (COPPA + GDPR-K)

Crisis Desk is rated 9+ and is suitable for a general teen-and-up audience. We do not knowingly collect personal information from children. The game collects no personal data, requires no account, has no chat, and shows no ads — which minimizes any risk to younger players. If you believe a child has somehow provided personal information through this app, email mustafabaykal91@gmail.com and we will delete it within 30 days.

International data transfers (post-Schrems II)

The only data that may leave your device are subscription receipts, which flow to RevenueCat (USA) and Apple (global) to validate your purchase. RevenueCat operates under a signed Data Processing Agreement with Mustafa Baykal and Standard Contractual Clauses (SCCs) approved post-Schrems II. Apple StoreKit is a global pipeline outside our control — see Apple's privacy policy for transfer details.

We do not sell or share your data

We do not sell, rent, or trade personal information, and we do not share it for cross-context behavioral advertising. We have never done so. The only third parties involved are Apple and RevenueCat, strictly to validate your purchases.

Automated decision-making (GDPR Art. 22)

Crisis Desk does not use AI, profiling, or any automated decision-making that produces legal or similarly significant effects. The in-game simulation (incident pacing, the failure track, and endings) is deterministic, runs entirely on your device, and is driven only by your in-game choices.

Breach notification

In the unlikely event of a personal-data breach affecting you, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and, where there is a high risk to your rights, notify you directly on this page and in-app.

Your rights

Legal bases for processing (GDPR Art. 6)

Children

Crisis Desk is not directed at children under 9. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact mustafabaykal91@gmail.com and we will delete it within 30 days.

Security

We implement industry-standard security measures: TLS 1.3 for all network traffic, encryption at rest for data stored on third-party services, no plaintext credentials, and the principle of least privilege for data access. No system is 100% secure; if a breach impacts you, we will give notice per GDPR Art. 33–34 (within 72 hours of discovery).

California / CCPA

California residents have the right to: (i) know what personal info we collect; (ii) delete personal info; (iii) opt out of sale (we do not sell); (iv) non-discrimination. To exercise these rights, email mustafabaykal91@gmail.com with the subject "CCPA request".

Changes

If this policy changes materially, the "Last updated" date will be revised. Significant changes will be flagged in-app and we will provide a 30-day notice period for objection where required by law.

Contact

Privacy questions: mustafabaykal91@gmail.com · Data subject requests: same email, subject "Data subject request".
