Last Updated: March 11, 2026
This Privacy Policy explains how IAO (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our mobile application and website (useiao.com).
This policy applies to users worldwide. Where applicable, region-specific rights and obligations are described separately for the European Union (GDPR), United States (CalOPPA / CCPA), and Turkey (KVKK / Law No. 5651).
IAO is intended for users aged 17 and older. We do not knowingly collect data from anyone under this age. If we become aware that a user is underage, we will delete their account and associated data promptly.
1. What Data We Collect
| Data | Why We Collect It |
|---|---|
| Email address | Account creation, authentication, support communication |
| Debate messages | Delivering the real-time debate experience; moderation |
| Report & block records | User safety, moderation, potential legal proceedings |
| Connection logs (IP address, timestamps) | Security, fraud prevention, legal compliance |
| Push notification token | Sending match and topic notifications (only if you opt in) |
| Account metadata (creation date, last login) | Account management, moderation |
We do not collect: your real name, phone number, location, photos, or any government-issued ID. Your debate opponent never sees your identity — only your messages.
2. How We Use Your Data
- To provide and operate the IAO debate service
- To match you with a debate partner on the daily topic
- To send notifications you have opted into (match found, new topic)
- To moderate content and enforce our Terms of Service
- To respond to your support requests
- To comply with applicable legal obligations
We do not sell your personal data. We do not currently display ads. If this changes in the future, this policy will be updated and you will be notified in advance.
3. Data Retention
We retain data only as long as necessary for the stated purpose or as required by law:
| Data type | Retention period | Reason |
|---|---|---|
| Debate messages | 90 days | Moderation; then permanently deleted |
| Report records | 2 years | Legal proceedings, repeat-violation detection |
| Block records | Until account deletion | User safety |
| Connection logs (IP, timestamps) | 1 year | Turkish Law No. 5651; security |
| Account data (email, metadata) | Until account deletion, then within 30 days | Account management |
| Push notification token | Until notifications are disabled or account is deleted | Notification delivery |
4. Third-Party Services
We currently use the following third-party services to operate IAO:
- Supabase (database & authentication) — SOC 2 Type II certified; governed by their Privacy Policy.
- Apple Push Notification Service (APNs) — used to deliver opt-in notifications; governed by Apple’s Privacy Policy.
We do not share your personal data with advertisers or data brokers. If we add new third-party integrations in the future, this policy will be updated.
5. Your Rights by Region
All rights below can be exercised by emailing [email protected] or using the in-app feature (⚙ Settings → Delete Account). We will respond within 30 days.
🇪🇺 European Union — GDPR
Under the General Data Protection Regulation (GDPR) you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure (“right to be forgotten”) — request deletion of your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Restrict processing — request that we limit how we use your data
- Withdraw consent — at any time, where processing is consent-based
Legal basis for processing: contractual necessity (to provide the service), legal obligation (compliance with applicable law), and legitimate interest (safety and moderation).
International transfers: Your data may be stored on servers outside the EU (Supabase infrastructure). We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.
You may lodge a complaint with your local supervisory authority (DPA).
🇺🇸 United States — CalOPPA / CCPA
If you are a California resident, under CalOPPA and CCPA you have the right to:
- Know — request disclosure of the categories and specific pieces of personal information we have collected
- Delete — request deletion of your personal information
- Opt out of sale — we do not sell personal data; this right is satisfied by default
- Non-discrimination — we will not discriminate against you for exercising your privacy rights
To submit a request, email [email protected] with subject line “California Privacy Request”. We will respond within 45 days.
Do Not Track: Our app does not respond to browser DNT signals, as no industry-wide standard has been established.
🇹🇷 Türkiye — KVKK
Under Law No. 6698 (KVKK), you have the following rights:
- To learn whether your personal data is being processed
- To request information about the processing, if your data has been processed
- To learn the purpose of the processing and whether the data is used in accordance with that purpose
- To know the third parties, in Turkey or abroad, to whom the data has been transferred
- To request correction of incompletely or inaccurately processed data
- To request deletion or destruction of the data
- To object to an outcome against you produced by automated systems
- To claim compensation for damage you have suffered due to unlawful processing
You may send your requests to [email protected]. A response will be given within 30 days.
Law No. 5651: Connection records (IP address, timestamp) are retained for 1 year under a legal obligation.
6. Account Deletion
- In-app: ⚙ Settings → Delete Account
- By email: [email protected]
Upon deletion, your email, account metadata, and notification token are permanently removed within 30 days. Debate messages are deleted after 90 days. Report records may be retained for up to 2 years for legal compliance.
7. Security
- TLS encryption for all data in transit
- Encrypted storage via Supabase (SOC 2 Type II certified)
- Access controls limiting internal data access
- Regular security reviews
If we become aware of a data breach that affects your rights, we will notify you as required by applicable law.
8. Cookies
The IAO mobile app does not use cookies. Our website (useiao.com) may use essential cookies for basic functionality only. We do not use advertising or tracking cookies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page. For significant changes, we will notify you via the app or email. Continued use of IAO after changes are posted constitutes acceptance of the updated policy.