Privacy Policy.

This Privacy Policy explains how Barış Kayırtar, doing business as Citrapps ("Citrapps", "we", "us", or "our"), collects, uses, stores, shares, and protects personal information when users access or use the idiomed mobile application and related services (the "App" or "Services"). idiomed is a mobile educational platform designed for medical school students. The App may provide study tools such as question banks, flashcards, clinical case-based educational content, progress tracking, personalized study features, usage limits, subscriptions, and related learning features. By using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the App.

The App is provided for educational purposes only. It does not provide medical advice, diagnosis, treatment, clinical decision support, or professional healthcare services. Content in the App may include AI-generated or AI-assisted educational materials. Although we aim to provide accurate and useful educational content, errors, omissions, outdated information, or inaccuracies may occur. Users should verify medical information using official textbooks, academic resources, clinical guidelines, instructors, or licensed healthcare professionals. The App must not be used for patient care, diagnosis, treatment decisions, emergency situations, or any real-world clinical decision-making.

The App is intended for users who are at least 18 years old. The App is not directed to children or minors. We do not knowingly collect, solicit, or market to users under 18 years of age or the equivalent age specified by applicable law in the user jurisdiction. If we become aware that we have collected personal information from a child or minor contrary to this Policy, we will take reasonable steps to deactivate the account and delete such information, unless retention is required by applicable law.

We collect information that users provide directly, information generated through use of the App, information received through login or payment platforms, and technical information collected automatically through our service providers. Account and identity information: email address; full name; username; account creation date; contact preferences; login method, including email/password, Google Sign-In, or Apple Sign-In; and authentication identifiers managed by Firebase Authentication. Profile, education, and personalization information: school, class year, country, city, clinical level, optional birth date, theme preference such as dark mode, exam date, study goal, study style, hard topics, strong and weak subjects, study hours, study time, target percentile, anxiety-related survey answers, TUS date, TUS attempt information, motivation, weak-action preference, study tools used, persona type, and related personalization fields. Activity and learning analytics: login count, last login, streak, total questions solved, correct answers, lifetime quiz count, daily question/card usage and limits, daily goals, total study minutes, subject statistics, subject totals, last studied subject, subject study count, daily statistics such as solved questions, correct answers and study minutes, badges, study sessions, saved questions, saved flashcards, incorrect questions, custom decks, list codes for shared question lists, and report or feedback submissions.

Subscription and purchase information: subscription type, premium/free status, trial status, purchase or entitlement status, and information needed to verify App Store or Google Play subscription access. We do not directly collect or store payment card numbers, security codes, or full payment instrument details. Payments are processed by Apple App Store or Google Play. Technical, device, and diagnostic information: device and app information, mobile operating system, app version, device identifiers or app instance identifiers where available, IP address or proxy server information, language preferences, mobile carrier or network information, app usage events, crash logs, error logs, performance data, analytics identifiers, push notification tokens, and related technical data collected through Firebase, Google Analytics, and similar services. Feedback and reports: if you submit feedback, report a question, or send a complaint, we may collect the content of your message, related question identifiers, your user ID, and associated metadata needed to review and respond. Google API information: if you use Google Sign-In or other Google-related login features, we may receive limited account information such as your name, email address, and authentication identifiers, depending on your Google account settings and permissions. Our use of information received from Google APIs will comply with the Google API Services User Data Policy, including applicable Limited Use requirements.

The App is designed for medical education and study tracking. It is not designed to collect patient records, protected health information, real clinical case files, biometric data, or real-world clinical care information. Users cannot upload their own patient files or clinical case files through the App. However, users may be able to send feedback, reports, support messages, shared lists, or similar content. You must not submit patient information, protected health information, medical records, real clinical case details, sensitive personal data, or any information that identifies another person. We may collect education-related profile information, survey responses, and learning analytics. Some jurisdictions may treat certain account, education, login, demographic, or inference data as sensitive. We process such information only as described in this Policy, where necessary to provide and improve the App, where you choose to provide it, or where otherwise permitted by applicable law. We do not intentionally collect health records or patient information. If prohibited sensitive information is submitted accidentally, we may delete it, restrict access to it, or take other reasonable steps where possible.

We use personal information for the following purposes:

• to create, authenticate, secure, and manage user accounts;
• to provide App features such as quizzes, flashcards, saved questions, saved flashcards, custom decks, shared list codes, study tracking, and progress review;
• to personalize the learning experience based on profile, survey, performance, and study data;
• to track study progress, learning history, subject activity, streaks, goals, badges, and performance statistics;
• to manage free plans, usage limits, premium subscriptions, trial access, purchase verification, and entitlement status;
• to send push notifications such as study reminders, streak reminders, daily goals, account messages, and service updates;
• to analyze usage trends, improve learning recommendations, detect errors, troubleshoot crashes, maintain reliability, and develop new features;
• to respond to feedback, reports, complaints, and support requests;
• to maintain account security, prevent misuse, apply fair usage limits, detect suspicious activity, and protect the integrity of the App;

• to comply with legal obligations, enforce our terms and policies, and establish, exercise, or defend legal claims.

Where applicable law requires a legal basis for processing personal information, including for users in the European Economic Area, United Kingdom, Switzerland, or similar jurisdictions, we rely on one or more of the following legal bases:

• Performance of a contract: to create accounts, provide the App, manage subscriptions, apply usage limits, and deliver requested features;
• Legitimate interests: to improve the App, maintain security, prevent abuse, analyze usage trends, troubleshoot technical issues, and develop better educational features, provided those interests are not overridden by user rights and interests;
• Consent: where required for specific features, optional profile information, certain notifications, analytics choices, or other processing that requires consent;
• Legal obligations: to comply with applicable laws, court orders, platform rules, tax/accounting requirements, and lawful requests;
• Legal claims: to establish, exercise, or defend legal claims;
• Vital interests: only in exceptional cases where processing is necessary to protect a person from serious harm. For users in Türkiye, a separate KVKK clarification text may further explain processing activities under Turkish Law No. 6698 on the Protection of Personal Data.

We may use the following third-party services to operate, host, secure, analyze, authenticate, notify, diagnose, improve, and monetize the App through subscriptions: Firebase Authentication, Firebase Firestore / Realtime Database, Firebase Analytics, Firebase Crashlytics, Firebase Cloud Messaging, Google Analytics, Google Sign-In, Apple Sign-In, Apple In-App Purchase, and Google Play Billing. The categories of service providers that may process personal information include cloud computing services, data storage providers, analytics services, performance monitoring and crash reporting tools, user account registration and authentication services, push notification providers, and payment/subscription platform providers. These providers may process information on our behalf or as independent service providers according to their own terms and privacy policies. We do not sell personal information. We do not use advertising networks in the App.

The App may offer a free version with usage limits, a premium subscription, and a one-week free premium trial. Payments are handled through Apple App Store or Google Play, depending on the user device and purchase method. We may store subscription status, plan type, trial status, purchase verification data, and entitlement information so that we can provide access to premium features. We do not directly collect or store payment card numbers, payment security codes, or full payment instrument details.

We may send push notifications, including study reminders, streak reminders, daily goal notifications, account-related messages, and service updates. Users can disable push notifications through device settings or, where available, App settings.

We use analytics and diagnostic tools to understand how users interact with the App, measure performance, improve learning features, detect bugs, monitor crashes, and make the App more useful. This may include behavior analysis such as questions solved, time spent, subject activity, progress patterns, and feature usage.

We do not collect precise geolocation data. We do not use advertising networks, targeted advertising, or ad-related tracking technologies in the App. We do not use cookies in the App. If our legal information pages are published as static pages without analytics or tracking scripts, we do not use cookies on those pages either. If we later add website analytics, cookies, pixels, or similar technologies to a website, we will update this Policy or provide an appropriate cookie notice where required. We may use Google Analytics or Firebase Analytics for app analytics. Users may be able to manage certain analytics or tracking preferences through device settings, platform controls, or settings offered by the relevant provider.

The App may allow users to register or log in using Google Sign-In or Apple Sign-In. Depending on the provider and user settings, we may receive information such as name, email address, and authentication identifiers. We use this information only to create, authenticate, and manage the user account and provide the App. We do not currently use Facebook, X, or similar social network login features. We do not receive friends lists from social media providers.

Users may save questions and create lists from saved questions. Users may share a question list using a list code. If a list or deck is shared, associated content, list metadata, and creator identifiers may be visible or accessible as necessary for the sharing feature to function. Users should not include personal or sensitive information in shared lists, decks, reports, or feedback.

We may share personal information in the following situations:

• Service providers: with vendors and service providers that help us operate, host, analyze, authenticate, notify, diagnose, secure, or improve the App;
• Apple and Google: for subscriptions, billing, authentication, platform compliance, and purchase verification;
• Legal and safety reasons: if required by law, regulation, court order, legal process, or lawful request, or where necessary to protect our rights, users, security, or the integrity of the App;
• Business transfers: in connection with a merger, acquisition, restructuring, financing, sale of assets, or similar transaction, subject to appropriate safeguards. We do not sell personal information. We do not share personal information for targeted advertising. We do not use advertising networks in the App.

The App is intended for global use. Personal information may be processed and stored in countries other than the user country of residence, including countries where our service providers operate. Data protection laws in those countries may differ from local laws. Where required, we use appropriate legal, technical, and organizational safeguards for international transfers.

We retain personal information for as long as needed to provide the App, maintain user accounts, comply with legal obligations, resolve disputes, enforce agreements, prevent fraud or abuse, and support legitimate business purposes. No purpose in this Policy is intended to require us to keep personal information longer than the period during which the user has an account with us, unless a longer retention period is required or permitted by law, security needs, billing verification, fraud prevention, backup systems, dispute resolution, or compliance obligations. When a user deletes their account, we will delete or anonymize account data and associated app data where reasonably possible, except where retention is required or permitted for legal, security, billing, fraud prevention,

backup, or compliance reasons. If deletion from backups is not immediately possible, we will isolate the data from ordinary processing until deletion is possible according to our backup retention practices.

Users can delete their account through the App where available. Users may also contact us at contact@citrapps.com to request account deletion or assistance. Depending on applicable law and the user location, users may have rights to access, correct, update, delete, restrict, object to, or receive a copy of their personal information. Users may also have the right to withdraw consent where processing is based on consent. We may need to verify identity before responding to requests. Users may review or update certain account information by logging in to their account settings, where available. If a request is denied or limited, we will explain the reason where required by applicable law.

Users in the European Economic Area, United Kingdom, Switzerland, Canada, or similar jurisdictions may have additional rights under applicable data protection laws, including the right to request access to personal information, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. If a decision that produces legal or similarly significant effects is made solely by automated means, and if applicable law grants this right, users may request information about the main factors involved and may request human review. idiomed does not currently use automated decision-making to make legal or similarly significant decisions about users. Users in the EEA or UK may have the right to lodge a complaint with their local data protection authority. Users in Switzerland may contact the Swiss Federal Data Protection and Information Commissioner. Users in Canada may have rights under applicable federal or provincial privacy laws.

Depending on the state of residence, US users may have specific privacy rights, including the right to know whether we process personal information, access personal information, correct inaccuracies, request deletion, obtain a copy of personal information, and not be discriminated against for exercising privacy rights. Where applicable, US users may also have the right to opt out of targeted advertising, the sale or sharing of personal information, or certain profiling that produces legal or similarly significant effects. We do not sell personal information and do not share personal information for targeted advertising. Some US state laws may provide additional rights, such as the right to obtain categories of third parties to whom personal information has been disclosed, the right to limit the use or disclosure of sensitive personal information, or the right to appeal a privacy request decision. To exercise rights, users may email contact@citrapps.com. Authorized agents may submit requests where permitted by applicable law, but we may require proof of authorization and may verify the identity of the user before processing the request. If we decline to take action on a request and applicable law provides an appeal right, users may appeal by emailing contact@citrapps.com. If an appeal is denied, users may have the right to contact their state attorney general or other competent authority.

Some web browsers and mobile operating systems include Do-Not-Track or similar settings. Because there is no uniform technology standard for recognizing and implementing Do-Not-Track signals, we do not currently respond to such signals. If a legally required standard is adopted that applies to us, we will update this Policy accordingly.

We use reasonable technical and organizational measures designed to protect personal information, including the security features of Firebase and other service providers. However, no method of transmission or storage is completely secure. We cannot guarantee absolute security. Users should access the App only within a secure environment and should protect their login credentials.

The App does not show advertisements and does not use advertising networks. We do not sell personal information or share personal information for targeted advertising. If this changes in the future, we will update this Privacy Policy before or when the relevant advertising features are introduced.

The App does not currently provide an in-app AI chat or user-facing AI assistant. User data is stored in Firebase and is not intentionally sent to AI model providers for user-facing AI processing. If we introduce user-facing AI features or send user data to AI service providers in the future, we will update this Privacy Policy and, where required, request appropriate consent. This does not prevent us from using AI-assisted methods internally to create or improve educational materials, provided that user personal information is not intentionally submitted to AI model providers for user-facing AI processing unless this Policy is updated and legal requirements are met.

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date. Where required by law or where changes are material, we may provide additional notice through the App, email, or other appropriate means. We encourage users to review this Policy periodically.

If you have questions, requests, or concerns about this Privacy Policy or our privacy practices, you may contact us at: Citrapps / idiomed Operator: Barış Kayırtar Email: contact@citrapps.com Location: Mersin, Türkiye