Privacy Policy

1. Data Controller

For the purposes of the General Data Protection Regulation (GDPR), the data controller responsible for your personal data is:

2. Personal Data We Collect

We collect and process the following categories of personal data when you use the Dozi application:

2.1. Identity and Contact Data

Data Type	Description	Source
Name	First and last name from your Google account	Google Sign-In
Email Address	Your Google account email	Google Sign-In
Profile Picture	Profile image from your Google account	Google Sign-In
Date of Birth	Optional, user-provided	User input

2.2. Special Category Data (Health Data)

Data Type	Description	Purpose
Medication Information	Medicine names, dosages, administration methods, barcodes	Medication reminder service
Medication History	Taken/skipped doses, timestamps	Adherence tracking and statistics
Reminder Schedules	Medication times and frequencies	Timely reminder notifications
Stock Information	Remaining medication quantities	Low stock alerts
Health Notes	User-entered health notes and appointments	Activity calendar and health tracking
Health Measurements	Blood pressure, glucose, temperature (Premium)	Health monitoring and trends

2.3. Technical and Device Data

Data Type	Description	Purpose
Device Identifier	Unique device ID	Security, multi-device management
FCM Token	Firebase Cloud Messaging token	Push notification delivery
IP Address	Internet protocol address	Security, geographic analysis
Device Information	Android version, device model/manufacturer	Compatibility, debugging
App Version	Dozi application version	Support, update notifications
Crash Reports	Application error logs	Bug fixing, stability improvement

2.4. Location Data (Premium Feature)

Data Type	Description	Purpose	Collection Method
Precise GPS Coordinates	Real-time latitude and longitude from device GPS	Location-based medication reminders (geofencing)	Android Location Services API when app is in foreground or background
Saved Locations	User-defined places (home, work, pharmacy, etc.) with coordinates	Geofence trigger points for reminders	User input via Google Maps integration
Geofence Events	Entry/exit events when you arrive at or leave saved locations	Triggering location-based medication reminders	Android Geofencing API

How We Use Location Data

• Location-Based Reminders: We use your location to send medication reminders when you arrive at or leave specific places (e.g., "Take your medication when you get home")
• Geofencing: We create virtual boundaries around your saved locations to detect when you enter or exit these areas

Location Data Storage and Sharing

• Local Processing: Location data is primarily processed on your device
• Saved Locations: Your saved location names and coordinates are stored in Firebase Firestore for sync across devices
• No Third-Party Sharing: We do NOT share your location data with third parties for advertising or marketing purposes
• No Sale of Data: We do NOT sell your location data

2.5. AI Assistant Data

Data Type	Description	Purpose
Chat History	Conversations with the AI assistant	Contextual responses, personalization
User Preferences	Learned preferences and habits	Proactive suggestions, personalization

2.6. Family Tracking Data (Badi System)

Data Type	Description	Purpose
Badi Connections	Family member/caregiver relationships	Family tracking system operation
Shared Medication Data	Medication and adherence data shared with Badis	Escalation notifications, monitoring
Nicknames	Privacy-protected display names	Privacy-preserving identification

2.7. Payment and Subscription Data

Data Type	Description	Purpose
Subscription Status	Premium/Family plan status	Feature access control
Purchase Token	Google Play purchase verification token	Subscription validation

3. Purposes of Processing

We process your personal data for the following purposes:

3.1. Core Service Delivery

• Sending timely medication reminder notifications
• Tracking medication adherence and calculating statistics
• Managing stock levels and sending low stock alerts
• Activity calendar and health notes management
• Offline-first service delivery without internet connection

3.2. Account Management

• Creating and authenticating user accounts
• Profile management and personalization
• Multi-device synchronization
• Account security maintenance

3.3. Premium Services

• Location-based reminder delivery
• Full-screen alarm functionality
• AI assistant service provision
• Privacy Shield feature operation
• Health measurement tracking
• Family plan multi-user management

3.4. Family Tracking System (Badi)

• Sharing medication tracking with family members/caregivers
• Sending escalation notifications
• Managing Buddy (Badi) connections
• QR code-based quick connection setup

3.5. Communication

• Sending medication reminder notifications
• Delivering escalation and emergency notifications
• Informing about application updates
• Responding to support requests

3.6. Security and Debugging

• Detecting and preventing unauthorized access
• Identifying and fixing application errors
• Performance monitoring and improvement
• Firebase App Check security verification

3.7. Analytics and Improvement

• Collecting anonymized usage statistics
• Improving user experience
• Developing new features
• Enhancing service quality

4. Lawful Basis for Processing

Under Article 6 of the GDPR, we process your personal data based on the following lawful bases:

Lawful Basis	GDPR Article	Processing Activities
Consent	Art. 6(1)(a)	Marketing communications, analytics, optional features
Contract Performance	Art. 6(1)(b)	Account creation, core service delivery, subscription management
Legal Obligation	Art. 6(1)(c)	Tax records, regulatory compliance, legal requests
Legitimate Interests	Art. 6(1)(f)	Security measures, fraud prevention, service improvement

4.1. Special Category Data (Health Data)

4.2. Withdrawal of Consent

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent:

• Email us at privacy@dozi.app
• Use the in-app privacy settings
• Delete your account through Settings > Account > Delete Account

4.3. Legitimate Interests Assessment

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:

• Security: Protecting our systems and users from fraud and unauthorized access
• Service Improvement: Analyzing usage patterns to enhance user experience
• Business Operations: Maintaining and improving our services

5. Data Sharing and International Transfers

We may share your personal data with the following categories of recipients:

5.1. Service Providers (Data Processors)

Provider	Purpose	Location	Safeguards
Google Firebase	Authentication, database, notifications, analytics	USA/EU	SCCs, SOC 2, ISO 27001
Google Cloud Platform	Server infrastructure, data storage	USA/EU	SCCs, SOC 2, ISO 27001
Firebase Vertex AI	AI assistant service (Gemini)	USA	DPA, encryption
Google Play Services	App distribution, payment processing	USA	PCI DSS, GDPR compliant

5.2. International Data Transfers

• Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms with all data processors
• Data Processing Agreements: GDPR-compliant agreements with all service providers
• Technical Measures: Encryption in transit and at rest
• Access Controls: Principle of least privilege for all data access

5.3. Other Recipients

• Family Members (Badis): Only with your explicit consent and only the data you choose to share
• Legal Authorities: When required by law or to protect our legal rights
• Professional Advisors: Lawyers, accountants for legal and business purposes

5.4. Data We Never Share

We never sell your personal data. The following data is never shared with third parties:

• Your health data (except Badi sharing with your explicit consent)
• AI assistant conversation history (not used for model training)
• Location data (processed locally on your device only)
• Privacy Shield custom messages

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Data Category	Retention Period	Post-Retention Action
Account and Identity Data	Duration of account + 30 days after deletion	Deletion or anonymization
Health Data (Medications, History)	Duration of account + 30 days after deletion	Permanent deletion
AI Chat History	Last 30 days (on device)	Automatic deletion
Location Data	Real-time processing only, no persistent storage	Immediate deletion after processing
Security and Log Data	2 years	Deletion
Support Communications	3 years	Deletion or anonymization
Subscription and Payment Records	7 years (legal requirement)	Deletion after legal period
Analytics Data	2 years (anonymized)	Already anonymized

6.1. Criteria for Retention Periods

We determine retention periods based on:

• The nature and sensitivity of the personal data
• The purposes for which we process the data
• Applicable legal requirements
• Our legitimate business interests
• Your reasonable expectations

7. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

7.1. Technical Measures

• Encryption: All sensitive data encrypted using AES-256 standard. TLS 1.3 for data in transit.
• Secure Authentication: Firebase Authentication with secure session management, Google Sign-In integration.
• App Integrity: Firebase App Check with Play Integrity API to prevent unauthorized access.
• Infrastructure Security: Enterprise-grade protection through Google Cloud infrastructure.
• Automatic Backups: Firestore automatic backup for data loss prevention.
• Access Logging: Comprehensive logging of all data access.
• Security Testing: Regular security scans and penetration testing.
• Offline Security: Local database encryption, secure synchronization.

7.2. Organizational Measures

• Access Control: Principle of least privilege for all personnel.
• Confidentiality Agreements: All employees and contractors bound by confidentiality obligations.
• Data Processing Records: Comprehensive records of all processing activities (Article 30).
• Training: Regular data protection and security training for personnel.
• Vendor Assessment: Regular audits of third-party service providers.
• Incident Response: Documented procedures for data breach response.
• Privacy by Design: Data protection integrated into all development processes.

7.3. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware (Article 33)
• Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms (Article 34)
• Document all data breaches, including facts, effects, and remedial actions taken
• Take immediate measures to mitigate the breach and prevent future occurrences

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

8.1. Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data and information about the processing.

8.2. Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

8.3. Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required for compliance with a legal obligation

8.4. Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

8.5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

8.6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

8.7. Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

8.8. How to Exercise Your Rights

To exercise any of your rights, please contact us at:

• Email: privacy@dozi.app
• In-App: Settings > Privacy > GDPR Request
• Web Form: www.dozi.app/gdpr-request

We will respond to your request within one month. In complex cases, we may extend this by two additional months, and we will inform you of any such extension.

9. Children's Privacy

We are committed to protecting the privacy of children who use our services.

9.1. Age Restrictions

• Dozi requires users to be at least 16 years old (or the applicable age of digital consent in your country).
• For users under 18, parental or legal guardian consent is required.
• We do not knowingly collect personal data from children without appropriate consent.

9.2. Parental Rights

Parents and legal guardians have the right to:

• Access their child's personal data
• Request rectification or deletion of their child's data
• Withdraw consent at any time
• Object to processing of their child's data

9.3. Additional Protections

• Enhanced security measures for children's health data
• Family tracking system (Badi) for parental supervision
• No marketing communications to child accounts
• Age-appropriate privacy notices

10. Cookies and Tracking Technologies

Dozi is a native mobile application and does not use cookies. However, we use the following technologies:

10.1. Firebase Analytics

• Purpose: Anonymized usage statistics and app performance monitoring
• Data Collected: Device type, OS version, app interactions (anonymized)
• Opt-Out: Settings > Privacy > Analytics

10.2. Firebase Crashlytics

• Purpose: Crash reporting and stability improvement
• Data Collected: Device information, crash logs (no personal data)
• Opt-Out: Settings > Privacy > Crash Reports

10.3. Local Storage

• Purpose: Offline-first functionality, app preferences
• Data Stored: Encrypted medication data, user preferences
• Control: Cleared when you delete the app or your account

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in applicable laws and regulations
• Changes to our data processing activities
• New features or services
• Feedback from supervisory authorities

11.1. Notification of Changes

We will notify you of material changes through:

• In-App Notification: Pop-up when you open the app
• Email: Notification to your registered email address
• Website: Publication at www.dozi.app

11.2. Effective Date

Changes will take effect 30 days after notification. Continued use of the app after this period constitutes acceptance of the changes. If you do not agree with the changes, you may delete your account.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

13. Right to Lodge a Complaint

Under Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

13.1. EU Supervisory Authorities

You can find your local data protection authority at:

• EU: European Data Protection Board - List of Authorities
• UK: Information Commissioner's Office (ICO) - www.ico.org.uk

13.2. Turkish Data Protection Authority

For users in Turkey, you may also contact: