RotaTalk Privacy Policy

Last Updated: January 18, 2026

1. Introduction

RotaTalk ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service"). RotaTalk is the data controller responsible for your personal data.

2. Age Restriction

You must be at least the minimum age of digital consent in your country, or the age specified by the app's local rating on your device's app store (such as the App Store or Google Play), whichever is higher, to use the Service. We do not knowingly collect or process personal data from individuals under this age.

2.1. Child Safety Standards

RotaTalk is committed to maintaining a safe and respectful environment for all users, including minors.

  • We strictly prohibit any content related to child sexual abuse material (CSAM).
  • Users can report any child safety concerns directly within the app.
  • All reports are reviewed promptly, and appropriate actions are taken in compliance with applicable laws.
  • We cooperate with regional and national authorities when necessary to ensure child safety.

For any concerns or reports related to child safety, please contact us at: support@rotatalk.com.

3. Information We Collect and Legal Basis

3.1. Information You Provide

  • Username: Required to ensure unique identification within channels and prevent impersonation (Legal basis: Contractual necessity)
  • Full Name: Optional, helps with user identification (Legal basis: Legitimate interest)
  • Profile Picture: Optional, allows users to present themselves professionally (Legal basis: Consent)
  • Email or Phone: One is required for account creation and verification. You can sign up with either email or phone number, not both (Legal basis: Contractual necessity)
  • Voice Messages: Required for Voice Chat communication (Legal basis: Contractual necessity)
  • Customer Support Communications: Processed when you contact us (Legal basis: Legitimate interest)
  • User Blocking Data: We store blocking relationships (blocker user ID, blocked user ID, and timestamp) to enforce user-to-user blocking for safety and user control. This data enables mutual blocking functionality where blocked users cannot see, hear, or interact with each other (Legal basis: Legitimate interest in providing safety features)
  • Voice Posts: Audio recordings you create for the Social Feed, including metadata such as duration and creation time (Legal basis: Consent - explicit action of recording and publishing)
  • Post Location Data: Geographic coordinates (latitude, longitude) and location name optionally attached to voice posts. Enabled by default if location permission granted; can be disabled per post. This data is visible to authenticated users based on post visibility settings (Legal basis: Consent)
  • Post Reactions: Likes, dislikes, and other reactions you give to posts, attributed to your account (Legal basis: Contractual necessity)
  • Post Reports: Content reports you submit including report reason and context (Legal basis: Legitimate interest for platform safety)
  • Data Controller: The data controller for personal data collected in the RotaTalk service is Nesim Tunc. You can submit your data protection requests to legal@rotatalk.com.

3.2. Automatically Collected Information

  • Device Information: Basic device type and operating system for service optimization (Legal basis: Legitimate interest)
  • Device Identifiers: Android SSAID and generated device IDs for security, analytics, and cross-device ban enforcement (Legal basis: Legitimate interest)
  • Location Data: Required for service functionality and user safety (Legal basis: Contractual necessity)
  • Performance Data: App crashes and technical issues for service improvement (Legal basis: Legitimate interest)
  • Analytics Data: User interaction patterns, feature usage, and behavioral analytics for service improvement (Legal basis: Legitimate interest)
  • Post Analytics: Play counts, impression counts, and engagement metrics for voice posts. These metrics are displayed publicly on posts to authenticated users (Legal basis: Legitimate interest)

3.3. Third-Party Analytics and Services

We use the following third-party services that may collect and process your data:

  • Amplitude Analytics: Collects usage analytics to improve our service, including:
    • Usernames: Logged for security monitoring (abuse prevention, ban evasion detection) and service analytics. Usernames are public identifiers within RotaTalk and do not contain personal information
    • Device Identifiers: Partially masked (first 8 characters only) to balance debugging needs with privacy
    • User Interactions: Session data, feature usage, speaking time, and behavioral patterns
    • Public Channel Names: Names of public channels are logged for analytics. Private channel names (Teams) are never logged - only pseudonymous channel IDs are used for private channels to protect your privacy
    • Location Events: We log when location sharing is started/stopped and participant counts, but we do not log GPS coordinates or precise location data to analytics
    • Aggregated Metrics: Total speaking time, session counts, and other usage statistics

    All analytics data is stored in Amplitude's EU region and retained for 2 years for service improvement purposes

  • Sentry: Collects crash reports and error logs including device information and application state for service improvement
  • OneSignal: Manages push notifications and collects device tokens, user preferences, and notification interaction data
  • Resend: Handles authentication emails including verification codes, password resets, and account notifications. Processes email addresses and delivery status information
  • Firebase Test Lab Detector: Used to detect Google Play Store testing interactions to filter them from analytics data
  • Google Maps: Displays location data and may collect map interaction statistics
  • Shorebird: Delivers over-the-air app updates. Collects app version, platform information, and patch delivery status to provide bug fixes and improvements

Each service operates under their respective privacy policies and may use data for their own analytics purposes.

4. Data Retention

  • Account and profile information: Retained as long as your account is active
  • Location data: Only last known location is stored
  • Voice messages: Deleted immediately after successful delivery
  • Performance data (crash logs): Retained for 90 days
  • Device identifiers (SSAID): Retained indefinitely for security and ban enforcement
  • Analytics data: Retained for 2 years for service improvement
  • Push notification tokens: Retained until user opts out or app is uninstalled
  • Voice Post audio files: Retained for up to 2 years from deletion or expiration for legal compliance and safety investigations, regardless of user deletion. Posts are hidden from feed but files retained
  • Voice Post metadata (location, channel link, timestamps): Retained indefinitely for service records and compliance
  • Post reaction data: Retained indefinitely for service records
  • Post analytics (plays, impressions): Retained indefinitely for service improvement
  • Post reports: Retained indefinitely for audit and investigation purposes
  • Played post IDs (device-local): Last 100 posts tracked locally on device for "played" indicator, cleared on app reinstall
  • Upon account deletion request: All personal data is permanently deleted within 30 days, except voice posts which are retained for legal compliance as described above

You can request account deletion through Menu → Account → Account Deletion. Once requested, your account and associated data will be permanently deleted after a 30-day grace period.

5. Location Services

5.1. Manual Location Sharing ("Live Location Sharing")

Complete Control: Location sharing is fully manual and under your control. You must actively tap "Live Location Sharing" to share your location with others in your channel. This sharing is session-based and temporary.

  • Manual Action Required: Location sharing only happens when you tap "Live Location Sharing"
  • Session-Based: Sharing automatically stops when you leave a channel or close the app
  • Mutual Benefit: To see others on the map, you must first share your own location by going "Live"
  • Always Controllable: You can manually stop sharing at any time with the "Stop" button

5.2. Location Permission vs. Location Sharing

There's an important distinction between having location permission and sharing your location:

  • Location Permission: Allows the app to show your own position on the map and provide safety features
  • Location Sharing ("Live Location Sharing"): Makes your location visible to other users in your channel - this requires your explicit action
  • Last Known Location: For safety and emergency purposes, the app may retain your last known location, but this is NOT shared with other users unless you are "Live"

5.3. Voice Post Location Tagging

Optional Location Attachment: Voice posts can include your location (latitude, longitude, location name) at time of recording.

  • Default Setting: Location is attached by default if you have granted location permission
  • User Control: You can disable location for individual posts before publishing
  • Visibility: Location data is visible to authenticated users who can view your post
  • Retention: Location data is retained with post metadata indefinitely for service records
  • Privacy Consideration: Be aware that enabling location reveals your whereabouts at time of recording

6. Device Permissions

Our application requires the following device permissions:

  • Microphone Access: Required for push-to-talk voice communication
  • Location Access: Required for service functionality and user safety as detailed in Section 5
  • Notification Access: Required for push notifications and service updates

You can manage these permissions through your device settings, though some features may not function without required permissions.

7. Voice Communication Security

  • Voice transmissions are secured using Transport Layer Security (TLS) 1.3
  • Live voice communication data is not permanently stored on our servers
  • Voice transmission security is regularly audited and updated

Important Notice - Microphone Usage: While your microphone is active, everything you say can be heard by other users in the channel. RotaTalk does not record, monitor, or supervise any content spoken through your microphone when it is active. You are entirely responsible for when your microphone is turned on and off. Always exercise caution to ensure your microphone is not unintentionally left on. Users are solely responsible for all content spoken or heard during voice communication sessions.

7.1. Voice Post Storage Security

  • Voice posts are encrypted at rest using AES-256 encryption
  • Voice files are stored in EU-based Supabase Storage infrastructure
  • Access to voice files is controlled by row-level security policies
  • Voice posts are retained for 2 years for legal compliance, even after user deletion or expiration

Important Notice - Voice Post Permanence: Unlike live voice communication, voice posts are stored and may be played multiple times by authenticated users. Posts are retained for legal compliance even after deletion. Consider this before posting sensitive information.

7.2. Deep Links

Voice posts may generate shareable deep links. By creating a voice post:

  • Deep links require app authentication to access content
  • Links may be shared by users but only authenticated app users can view content
  • Linked content follows the same retention and visibility rules

8. International Data Transfers

Our services are hosted on servers located within the European Union. We ensure compliance with GDPR and other applicable data protection laws through:

  • Use of EU-based infrastructure
  • Standard Contractual Clauses with service providers
  • Regular security assessments
  • Appropriate technical and organizational measures

9. Data Security and Breach Notification

We implement appropriate technical and organizational measures to protect your personal data. In the event of a personal data breach, we will:

  • Notify relevant supervisory authorities within 72 hours
  • Inform affected users promptly if the breach is likely to result in a high risk to their rights and freedoms
  • Provide information about the breach and steps taken to mitigate risks
  • Document all breaches and remedial actions taken

10. Tracking Technologies

Our mobile application does not use cookies but does use analytics and error tracking services as described in Section 3.3. Device identifiers and analytics data are collected for service functionality, security, and improvement purposes as outlined in Section 3.2.

10.5. My Teams and Private Communication Data

When you create or join a Team (private channel), we collect and process the following data:

  • Team Membership: Information about which Teams you are a member of
  • Team Metadata: Team name, creation date, and ownership information
  • Member Lists: List of users who are members of each Team
  • Invite Codes: Generated invite codes for Team access (stored until disabled by Team owner)
  • Team Activity Logs: Join/leave timestamps and membership changes for security and moderation

10.5.1. Legal Basis for Processing

  • Team Membership Data: Contractual necessity (required to provide the Teams feature)
  • Team Metadata: Contractual necessity (required for Team functionality)
  • Activity Logs: Legitimate interest (platform security and abuse prevention)

10.5.2. Data Retention

  • Team Membership: Deleted when you leave a Team or delete your account
  • Team Metadata: Deleted when Team is deleted by owner or upon account deletion
  • Activity Logs: Retained for 90 days for security purposes
  • Invite Codes: Deleted when Team owner disables them or Team is deleted

10.5.3. Voice Communication in Teams

The same privacy policies apply to Teams as to public channels:

  • Voice communication is not recorded or stored permanently
  • All voice transmissions are encrypted with TLS 1.3
  • Only session metadata (timestamps, channel IDs) may be retained for security purposes
  • See Section 7 (Voice Communication Security) for complete details

10.5.4. Sharing with Third Parties

  • Team data is not shared with third parties except as required by law
  • Law enforcement may request Team metadata with a valid legal order (see Terms & Conditions Section 8.5.4)
  • Analytics services (Amplitude) receive pseudonymous usage statistics only:
    • Private channel names (Teams) are NEVER logged to analytics - we only send pseudonymous channel IDs (UUIDs)
    • Event counts like "Teams feature used X times" are logged without Team names or member lists
    • This ensures your private Teams remain private while allowing us to improve the service

10.5.5. Your Control Over Team Data

  • You can leave a Team at any time, which deletes your membership data
  • Team owners can delete their Team, which removes all associated data
  • Account deletion removes all Team memberships and owned Teams
  • You can request a copy of your Team membership data by contacting support@rotatalk.com

11. Your Rights and How to Exercise Them

Under GDPR and KVKK, you have the following rights:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Object to data processing
  • Request manual export of your profile and account information

To exercise these rights, contact us at support@rotatalk.com. We will respond to your request within 30 days. For account deletion, use Menu → Account → Account Deletion.

Retention Exception: Voice posts and associated data may be retained beyond deletion requests for up to 2 years where required for legal compliance, ongoing investigations, or regulatory purposes. This retention is based on legitimate interest for platform safety and legal compliance.

12. Changes to Privacy Policy

  • We will notify you of any significant changes to this policy
  • Changes will be communicated through in-app notifications
  • 30-day notice will be provided when possible
  • Continued use of the service after changes constitutes acceptance

13. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

support@rotatalk.com

© 2025 RotaTalk. All rights reserved.