Information Notice

Information Notice

INFORMATION NOTICE

Last updated: 23.08.2025

### 1.1. Data Controller and Contact

Data Controller(s):** PsycAI Developer Team

Contact:** info@psycai.net

### 1.2. Principles and Compliance Approach

* Compliance with law and the rule of good faith

* Accuracy and being up to date

* Specific-explicit-legitimate purpose

* Processing that is relevant, limited and proportionate to the purpose (data minimization)

* Storage only for as long as necessary (permanent deletion at the end of the session)

* Transparency and accountability

### 1.3. Categories of Data Processed

**A) Personal Data Categories**

* **Identity/Contact:** name-surname (if any), e-mail (contact)

* **Technical/Session Data:** session ID, client/device type, platform information, error codes

* **Content (In-Session):** messages written by the user are kept encrypted only during the session; deleted when the session ends

Special categories of personal data are not processed. Even if such statements are entered into the free-text field, the system converts these parts into general/anonymous expressions by removing them from the person-level context; this transformation is applied before permanently storing and before transferring to external services.

**B) Categories Not Constituting Personal Data (disclosed for transparency)**

* **Anonymized Content (Model Processing Data – not personal data):** content from which all identifiers that could identify a person have been removed by an anonymization and generalization step before being sent to OpenAI. It does not qualify as personal data; it is processed only in the context of the session and temporarily; no re-association with a real person is performed in the developer system.

### 1.4. Collection Methods and Legal Bases

* **Collection:** in-app forms/interfaces, API calls; necessary logs

* **Legal Bases:**

* Performance of a contract (KVKK Art. 5/2-c): provision of the service, session management

* Legitimate interest (Art. 5/2-f): security, prevention of abuse, error/performance

* Explicit consent (Art. 5/1 & 9): cross-border transfer (Firebase NAM5 + OpenAI – person-decoupled session processing); analytics/personalization

* Legal obligation (Art. 5/2-Γ§): regulatory requests, responses to applications/complaints

### 1.5. Purposes of Processing

* Operating the service; maintaining and securing the session

* Hosting on Firebase; permanent deletion at the end of the session

* (With consent) aggregated analytics and limited personalization to improve the product

* User support/communication processes; legal obligations

### 1.6. Transfer and Recipient Groups

* **Google Firebase (Google LLC/Google Cloud) – NAM5 (US Central):** mandatory technical operations and session-based hosting

* **OpenAI, Inc. (USA) – Person-Decoupled Session Processing:** temporary processing of anonymized and person-decoupled content; cannot be re-associated with a real person in the developer system

### 1.7. Retention, Deletion, Anonymization

* In-session content: during the session; permanent deletion when the session ends

* Technical/log data: limited to necessary periods for security/compliance

* Communication/request data: until the request is finalized

* A time-stamped record is kept regarding deletion operations

### 1.8. Data Subject Rights (KVKK Art. 11)

* **Rights:** to learn whether processing takes place; request information; rectification/deletion/anonymization; to learn about transfers; objection; compensation

* **Application:** info@psycai.net

* **Response time:** 30 days

### 1.9. Security Measures

* Encryption (in transit + at rest), key management, access authorization

* Anonymization and generalization step, data minimization principle, anonymization

* Incident management/breach notification procedure

### 1.10. Updates

The text is updated according to process and legislative changes; the current version is published on our website.

Information Notice - PsycAI β€’ PsycAI