Privacy Policy

Section 1 — Data Controller

The data controller responsible for processing personal data collected through the Services is:

For inquiries regarding this Policy or our data practices, please contact us through our contact page.

Section 2 — Information We Collect

2.1 Account Information (User-Provided)

When you register for an account or sign in, we may collect:

• Email address and display name (optional, depending on sign-in method)
• Authentication provider chosen (Email/Password, Google Sign-In, Apple Sign-In, or Anonymous/Guest access)
• Account credentials — passwords are cryptographically hashed server-side and are never stored or transmitted in plaintext
• Communications and correspondence you send to us

Anonymous (Guest) Users: You may use certain features of the Services without creating a full account. Anonymous access requires completion of a CAPTCHA verification to prevent automated abuse. Anonymous users are assigned a device-based identifier and have limited access to certain features.

2.2 Device Information (Automatically Collected)

When you install and use the GeoShake mobile application, we automatically collect:

• Device ID: A randomly generated unique identifier (UUID), created on first launch and persisted locally on your device
• Device Model: Hardware model name (e.g., "iPhone 15 Pro", "Galaxy S24")
• Operating System and Version: Platform (iOS or Android) and OS version number
• App Version: The version of the GeoShake application you are running

This information is synced to our servers on each app launch to ensure service compatibility, deliver appropriate push notifications, and diagnose technical issues.

2.3 Location Data (With Your Explicit Permission)

We collect precise location data only when you explicitly grant location permission through your device's operating system prompt. When granted, we collect:

• Precise geographic coordinates (latitude and longitude)
• Reverse-geocoded location name (city, province/state, country)
• Your preferred earthquake notification radius (in kilometers)

Location data is used to: deliver earthquake alerts relevant to your area, associate geographic context with your community reports, and display regional information. You may revoke location permission at any time through your device settings, and you may clear your saved location from within the app's Settings screen.

2.4 Community Earthquake Reports (User-Initiated)

When you voluntarily submit a community earthquake report through the app, we collect:

• Your user identifier (linked to your account or anonymous session)
• Your current geographic location at the time of the report
• The Mercalli intensity level you selected
• Timestamp of the report submission

Reports are processed server-side and clustered with other nearby reports to form "community earthquakes." Individual reports are aggregated — your identity is not publicly visible in community earthquake data. A cooldown period (rate limit) applies between consecutive report submissions to prevent misuse.

2.5 Push Notification Tokens

With your permission, we collect a Firebase Cloud Messaging (FCM) registration token from your device. This token is used exclusively to deliver:

• Earthquake early warning and alert notifications
• Community earthquake alarm notifications
• Network status and maintenance updates

The FCM token is automatically refreshed by the Firebase SDK and updated on our servers accordingly. The token is removed from our servers when you delete your account.

2.6 Authentication and Session Analytics

For security monitoring and abuse detection, we collect anonymized authentication event data, including:

• Event type (e.g., sign-up, sign-in, sign-out, session refresh, biometric unlock attempt)
• Success or failure status
• Authentication provider used
• Timestamp of the event

These events are batched locally and transmitted periodically. They do not include browsing history, screen views, tap patterns, or any form of behavioral tracking. We do not use third-party behavioral analytics platforms (such as Mixpanel, Amplitude, or similar services) in the mobile application.

2.7 Seismic Sensor Data (Hardware Devices Only)

GeoShake hardware devices (e.g., GeoShake T1, DIY variants) collect and transmit seismic acceleration data for earthquake detection and early warning purposes. This data includes:

• Peak Ground Acceleration (PGA) measurements
• Three-axis acceleration values (X, Y, Z)
• Station or node identifier and geographic coordinates
• Timestamps, wave type classifications, and magnitude estimates
• Device telemetry (firmware version, WiFi signal strength, calibration status)

This data is transmitted via an encrypted MQTT connection (WSS — WebSocket Secure) to our servers and processed to provide real-time earthquake detection services to the community.

2.8 Local Device Storage

The GeoShake app uses MMKV, a platform-native encrypted key-value store, to persist the following data locally on your device:

• Device identifier (UUID)
• Language preference (English or Turkish)
• Report submission cooldown timers
• Community earthquake disclaimer acceptance state
• Onboarding completion state

This data remains on your device and is encrypted at rest using platform-native encryption. It is not transmitted to our servers unless explicitly stated in the sections above.

Section 3 — Use of Information

We use the collected information for the following purposes:

• To provide, maintain, and improve our Services, including earthquake detection and early warning features
• To send earthquake alerts and community notification push messages relevant to your location
• To cluster and aggregate community earthquake reports for seismic event detection
• To calculate user reputation scores based on report accuracy (processed in anonymized, aggregated form)
• To verify user identity through CAPTCHA for anonymous account registrations
• To enforce rate limits and prevent abuse of the community reporting system
• To process transactions and fulfill hardware product orders
• To communicate with you regarding your account, purchases, or support inquiries
• To aggregate and analyze seismic data for scientific research and public safety
• To detect, prevent, and address technical issues, security threats, and fraudulent activity
• To comply with legal obligations and enforce our terms

Section 4 — Disclosure of Information

We may share your information in the following circumstances:

• Service Providers: Third-party vendors who assist in providing our Services (see Section 5 below for a complete list)
• Scientific Community: Aggregated and anonymized seismic data and community earthquake data may be shared with research institutions and earthquake monitoring organizations
• Legal Requirements: When required by law, court order, or governmental authority
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you have given us explicit permission to share your information

We do not sell your personal information to third parties for marketing or advertising purposes.

Section 5 — Third-Party Service Providers

We use the following third-party services to operate the GeoShake platform. Each provider receives only the minimum data necessary for its specific function:

We do not use advertising SDKs, behavioral analytics platforms (such as Mixpanel, Amplitude, or Facebook Analytics), social media tracking pixels, or any cross-app tracking frameworks in the GeoShake mobile application.

Section 6 — Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All API communications use TLS 1.2 or higher. MQTT connections for hardware devices use WSS (WebSocket Secure) with TLS encryption.
• Encryption at Rest: Local device storage uses MMKV with platform-native encryption (iOS Keychain / Android Keystore). Server-side data is stored in Supabase's encrypted database infrastructure.
• Bot Prevention: hCaptcha verification is required before anonymous account creation to prevent automated abuse and false reporting.
• Rate Limiting: Cooldown periods are enforced on earthquake report submissions to prevent spam, flooding, and false reporting.
• Row-Level Security: Our database enforces row-level security policies, ensuring users can only access and modify their own data.
• Device-Based Tracking: Anonymous users are tracked by a locally generated device identifier to prevent abuse. This identifier is not used for cross-app tracking or advertising.
• Biometric Authentication: If you enable Face ID or Touch ID, all biometric data is processed entirely on your device by the operating system. We never receive, transmit, or store biometric data.
• Credential Security: Passwords are cryptographically hashed using industry-standard algorithms. We never store or log plaintext passwords.
• Access Controls: Data access is restricted to authorized personnel on a need-to-know basis.

Notwithstanding the foregoing, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.

Section 7 — Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

• Account Data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
• Community Earthquake Reports: Retained indefinitely in anonymized and aggregated form for scientific research and public safety purposes. Your individual identity is not retained in the aggregated dataset after account deletion.
• Seismic Sensor Telemetry: Retained indefinitely for scientific research, earthquake analysis, and historical reference.
• Authentication Analytics: Retained for 12 months from the date of collection, then automatically purged.
• Push Notification Tokens: Updated upon token refresh; removed from our servers upon account deletion.
• Local Device Data: Remains on your device until you uninstall the app or clear app data.

You may request deletion of your personal data at any time by contacting us or by using the account deletion feature within the app's Settings screen.

Section 8 — Your Rights

Subject to applicable law, you may have the following rights regarding your personal data:

• Right to Access: Obtain a copy of your personal data we hold
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Limit how we process your data
• Right to Object: Object to certain types of processing
• Right to Portability: Receive your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise these rights, please contact us or use the account management features within the app. We will respond to your request within 30 days, or as required by applicable law.

Section 9 — Cookies and Tracking

Our website (geoshake.org) uses cookies and similar technologies to enhance your experience and analyze usage patterns. Types of cookies we use include:

• Essential Cookies: Required for basic website functionality
• Analytics Cookies: Help us understand how visitors interact with our website (Google Analytics)
• Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website. The GeoShake mobile application does not use cookies or web-based tracking technologies.

Section 10 — Children's Privacy

Our Services are not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us immediately.

Section 11 — International Transfers

Your information may be transferred to and processed in countries other than your country of residence, including but not limited to the United States and European Union member states (where our third-party service providers operate). These countries may have different data protection laws. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable law.

Section 12 — Apple App Privacy

In compliance with Apple's App Store privacy requirements, we disclose the following:

• Data Linked to You: Email address (if provided), device identifier, location data (if permission granted), and community earthquake reports may be linked to your account or identity.
• Data Not Linked to You: Aggregated seismic sensor data, anonymized authentication analytics, crash diagnostics, and FCM notification tokens.
• Data Used to Track You: None. We do not track you across apps or websites owned by other companies for advertising or marketing purposes.
• App Tracking Transparency: The GeoShake app does not use the IDFA (Identifier for Advertisers) and does not participate in cross-app tracking.

Section 13 — Google Play Data Safety

In compliance with Google Play's Data Safety requirements, we disclose the following:

• Data Collected: Location (approximate and precise, optional with user permission), device identifier, email address (optional, for registered users), community earthquake report data.
• Data Shared: Aggregated and anonymized seismic data may be shared with research institutions for scientific purposes. No personal data is shared for advertising.
• Data Encryption: All data is encrypted in transit using TLS. Local storage uses platform-native encryption.
• Data Deletion: Users may request account and data deletion through the app's Settings screen or by contacting us.
• Advertising: Collected data is not used for advertising purposes. The app does not contain advertisements.

Section 14 — Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be notified through our Services (in-app notification), on our website, or by email to registered users. The "Last Updated" date at the top of this page indicates when the Policy was last revised. Your continued use of the Services following the posting of changes constitutes your acceptance of such changes.

Section 15 — Contact

For questions, concerns, or requests regarding this Privacy Policy, your personal data, or our data practices, please contact us through our contact page.