Privacy Notice (GDPR)

As ICI Tech Teknoloji A.Ş. ("Company", "we", "us", or "our"), the privacy and security of your personal data is one of our highest priorities.

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and, where applicable, the UK GDPR. This Privacy Notice applies to users located in the European Economic Area (EEA) and the United Kingdom.

Personal data means any information relating to an identified or identifiable natural person.

If you become a Platform User by accepting the Terms of Use in order to benefit from the habit tracking, crisis support tools, progress analytics, and personal recovery support services (together, "Platform Services") offered via the SoberX mobile application and/or website (together, the "Platform"), we would like to inform you about the personal data we process.

Important notice: SoberX is not a medical device, diagnostic tool, telehealth service, or substitute for professional medical treatment. The app is a supportive tool designed for habit change and personal support. In crisis situations, please contact your local emergency services or a qualified healthcare professional immediately.

EU Representative (Article 27 GDPR): As a company established outside the EEA that offers services to EEA residents, we are in the process of designating an EU representative as required by Article 27 GDPR. Updated contact details will be published at https://soberx.app/privacy once appointed. In the meantime, you may exercise your rights by contacting us directly at app@icitech.com.tr.

Data Protection Officer: We do not currently meet the threshold requiring mandatory DPO appointment under Article 37 GDPR. For all data protection enquiries, please contact app@icitech.com.tr.

3.1 Account Information

Collected only if you choose to create an account:

• Email address, password (hashed), optional display name, username, and profile photo

No account required. SoberX can be used fully offline. If you choose not to register, this category is not collected.

3.2 Habit and Tracking Data

• Selected habit category (nicotine, alcohol, gambling, social media, sugar, caffeine, or similar)
• Start date, self-defined goals, and personal motivation text
• Daily log entries (sober / partial / slip), streak records, milestones
• Savings calculations (money, time, calories, or custom metric)
• Evening review and reflection entries

3.3 In-App Tool Usage Data

• Urge Wave session timestamps and completion status
• Risk Radar time-of-day urge patterns derived from your own logs
• Focus Tunnel session data
• Daily Pledge completion timestamps

This data stays on your device and is not transmitted to our servers unless you explicitly enable cloud backup.

3.4 Voice Release Data

• Microphone input processed temporarily to generate a calm reflection
• Transcript text generated from your voice input

Audio stays on your device. Recordings and transcripts are stored locally and never uploaded.

3.5 Safety Chain Data

• Names and contact details of trusted people you choose to add

Safety Chain contacts stay on your device and are never transmitted to us or any third party.

3.6 Subscription and Purchase Data

• Subscription tier and status, purchase and renewal dates, transaction ID
• Platform of purchase (App Store or Google Play)
• RevenueCat pseudonymous customer ID

We never receive your payment card details. All payment processing is handled by Apple or Google.

3.7 Device and Technical Data

• Device type and model, operating system and version, app version
• IP address (truncated where possible), time zone and locale
• App session timestamps, crash logs, and error reports

3.8 Push Notification Data

• Device push token (if you grant notification permission)
• Notification delivery and open events

3.9 Communications Data

• Email address and message content when you contact us for support

3.10 Special Category Data

Habit categories such as alcohol, gambling, and related substance use may constitute data concerning health or data relating to a natural person's mental health under GDPR Article 9. We process this data only on the basis of your explicit consent (Article 9(2)(a)), which you provide when you select a habit category in the app. You may withdraw this consent at any time — see Section 9.

Under GDPR, we must have a valid legal basis for each processing activity. The table below sets out our purposes and the corresponding legal bases.

Legitimate interests assessment: Where we rely on Art. 6(1)(f), we have carried out a balancing test and determined that our legitimate interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 9.

Special category data: Where we process special category data (Art. 9), we rely on your explicit consent, given when you first select a habit category. You may withdraw this consent at any time without affecting the lawfulness of prior processing.

Given the sensitivity of recovery-related data, we make the following explicit commitments:

• We do not sell your personal data to any third party.
• We do not share your addiction category, sobriety status, urge logs, risk scores, journal content, or Safety Chain contacts with Meta, TikTok, Google Ads, or any advertising network.
• We do not use your in-app recovery data for ad targeting or behavioural profiling.
• We do not use advertising identifiers (IDFA / GAID).
• We do not share Voice Release audio with any third party or use it to train AI models.
• We do not require a public profile or social account to use SoberX.

We share personal data only where necessary and with appropriate safeguards.

Local-only data (Voice Release, Safety Chain, Urge Wave logs) is never shared with anyone — it never leaves your device.

ICI Tech Teknoloji A.Ş. is established in Turkey. The European Commission has assessed Turkey and, as of this Policy's effective date, has not issued an adequacy decision in respect of Turkey under GDPR Article 45.

Accordingly, when we transfer personal data from the EEA or UK to Turkey or to other third countries where our service providers operate, we rely on one or more of the following transfer mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor, or Module 1: Controller to Controller as applicable)
• UK International Data Transfer Agreements (IDTAs) for transfers from the UK
• In exceptional cases, the derogations provided in GDPR Article 49

You may request a copy of the applicable transfer mechanism by contacting us at app@icitech.com.tr.

As a data subject under the GDPR, you have the following rights:

How to exercise your rights

Submit a request to app@icitech.com.tr with the subject line "GDPR Data Subject Request". We will respond within one month of receipt, free of charge. Where requests are complex or numerous, we may extend this by a further two months with notice.

In-app controls

You have the right to lodge a complaint with the data protection supervisory authority in your country of residence or place of work, or where you believe an infringement has occurred.

We encourage you to contact us first at app@icitech.com.tr — most concerns can be resolved quickly and informally.

We retain your personal data only as long as necessary for the purposes described in this Notice, or as required by applicable law.

Account deletion: We will delete or irreversibly anonymize your data within 30 days of account deletion, except where a longer retention period is required by law.

We implement appropriate technical and organizational measures to protect your data, including:

• TLS 1.2+ encryption for all data in transit
• Encryption at rest for server-stored data
• Local-first architecture for sensitive recovery data
• Access controls and need-to-know authorization
• Optional biometric or passcode lock within the app
• Regular security assessments and penetration testing
• Maintained data breach response procedures

Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by GDPR Art. 33. Where the breach is likely to result in a high risk, we will also notify you directly without undue delay in accordance with GDPR Art. 34.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, as described in GDPR Article 22.

Risk Radar summaries are generated entirely from your own logged data and are presented to you as informational pattern summaries for your personal planning — they do not constitute automated decisions with external consequences.

The Platform is intended for users aged 18 and older. We do not knowingly collect personal data from children. If you believe a child has submitted data through the Platform, please contact us at app@icitech.com.tr and we will delete the data promptly.

Our marketing website (https://soberx.app/) uses cookies. A consent banner is shown on your first visit.

We do not use cookies to infer health status, recovery journey, or habit category. The SoberX app does not use advertising identifiers or advertising SDKs.

We may update this Privacy Notice from time to time. For material changes, we will notify you via in-app notice or email at least 14 days before the change takes effect. The current version is always available at https://soberx.app/privacy.

We aim to acknowledge all privacy enquiries within 5 business days and resolve them within one month.

SoberX is a self-help companion — not medical care. Everything in this app and on this website is general information and optional guidance for your own planning. It is not personalized medical advice and does not guarantee any outcome.