Privacy Policy
Last updated: 2026-07-03
1. Who we are
Agapi (the "App") is operated by TABA TASARIM İNŞAAT A.Ş., a Turkish joint-stock company, registered at Şehit Şekir Elkovan Cad., Ataşehir, İstanbul, Türkiye 34770, tax ID 7300363271 ("we", "us", "operator"). The user-facing brand is Graviti Labs. Contact: [email protected]. Data Protection Officer: [email protected].
2. What data we collect
- Account information. Email address (if you sign in), first name or nickname, age range (not exact date of birth), pronouns, preferred language.
- Conversation content. The messages you send to Agapi and Agapi's responses. Encrypted at rest with AES-256-GCM.
- Relationship profiles. Aliases, descriptors, status, temperature — about the people you discuss. We default to aliases; real names only with your explicit per-relationship consent.
- Purchase information. Apple-issued transaction IDs and product identifiers. We never see your credit card number.
- Voice input during Agapi Live. When you start an Agapi Live video call, your microphone audio is streamed in real time to generate the AI character's spoken replies. It is processed transiently for that single purpose and is not recorded or stored after the call ends. We never access your device camera during Agapi Live — only your microphone, and only while a call is active. Your voice is used solely to power the conversation; it is never used for biometric identification, voiceprinting, profiling, or AI-model training.
- Diagnostic and crash data. Anonymized error reports and performance metrics. Never your conversation content.
Agapi does not serve advertising, does not use Apple's advertising identifier (IDFA), and does not track you across other companies' apps or websites.
3. Why we collect it
- To operate the service (legal basis: contract). We need your input to generate Agapi's responses.
- Memory and Patterns features (legal basis: explicit consent). You opt in during onboarding; you can revoke at any time.
- Agapi Live, our real-time AI video companion (legal basis: contract + your explicit consent). You start each call; your microphone audio is processed in real time to power the conversation with the AI character, then discarded.
- Crisis routing (legal basis: vital interests). Surfacing local crisis resources when our safety classifier detects acute distress.
- Analytics and crash reporting (legal basis: explicit consent). Off by default — collected only if you opt in under Settings → Privacy → "Share anonymous usage data". Aggregated and anonymized; never per-user behavior tracking, and never your conversation content. You can turn it off again at any time.
We do not use your data for advertising of any kind.
4. Data about other people
When you describe a partner, parent, friend, or anyone else, you are sharing data about a third party who hasn't consented to our processing. We mitigate this by defaulting to aliases and never sharing partner data with any third party. If the person you describe contacts us at [email protected] and requests deletion of data about them, we honor the request without requiring proof.
5. Where we store data
Postgres database, Redis cache, and MinIO object storage are all hosted on Hetzner servers in Frankfurt, Germany (EU). Google Gemini API requests (for AI text generation and Agapi Live voice) traverse Google's region. During an Agapi Live call, your microphone audio is routed in real time through LiveKit's media servers and processed by Google Gemini to generate replies, while the on-screen AI avatar video is generated by Beyond Presence; this audio is transient — it is not written to disk or retained after the session. Apple App Store events traverse Apple's infrastructure under their published privacy practices. We maintain a Data Processing Agreement with every vendor.
6. Who we share with
- Google — Gemini API for AI text generation and Agapi Live voice, Firebase Auth for sign-in, Firebase Cloud Messaging for push notifications.
- LiveKit — real-time audio/video transport for Agapi Live calls (carries your microphone audio and the AI avatar's video during a session).
- Beyond Presence — generates the AI avatar's video for Agapi Live. The avatar is an AI-generated character, not a real person; any resemblance to a real individual is unintentional.
- Apple — App Store purchase processing.
- Hetzner — database and storage infrastructure (EU only).
- Yandex — transactional email delivery (smtp.yandex.com) for receipts, magic links, and opt-in newsletters.
We do not sell your data, ever. We do not use your conversation content — text or voice — to train AI models. Every vendor above acts as our processor under a Data Processing Agreement.
7. Your rights
Under GDPR (EU) and KVKK (Turkey), you have the right to:
- Access — Settings → Export my data. Returns a JSON + PDF dump within 7 days.
- Rectification — edit your profile fields, or per-message "forget this" in any conversation.
- Erasure — Settings → Delete account. We hard-delete within 30 days, after a 7-day grace period during which you can cancel.
- Restriction — Settings → Take a 30-day pause. Your account is hidden; nothing is deleted.
- Portability — the export above is machine-readable.
- Object — granular toggles in Settings for analytics, push, and email categories.
- Complain — to your local data protection authority. In Turkey: KVKK Kurulu. In Germany: BayLDA (Bavaria).
8. Account access history
If any member of our team views your conversation content from our internal admin panel, we record that access and surface it to you in Settings → Privacy → Account access history. This is a transparency commitment we make voluntarily, beyond what GDPR and KVKK strictly require.
9. How long we keep data
- Messages and memory summaries: kept while your account is active; deleted on account deletion.
- Patterns: kept while the relationship is active; deleted 90 days after archival.
- Consents and ledger records: retained 5 years post-deletion (anonymized) for legal compliance.
- Backups: 30-day rolling encrypted snapshots, then purged.
- Analytics events: 90 days; aggregated metrics indefinite.
10. Children
Agapi is for adults 18+ only. We enforce an age gate at signup. If you self-disclose during a conversation that you are under 18, we pause the conversation and surface youth-appropriate resources. We do not knowingly collect data from anyone under 18.
11. Changes to this policy
We will notify you in-app and via email at least 30 days before any material change takes effect. The "last updated" date at the top of this page reflects the current version.
12. Contact
General privacy: [email protected] · DPO: [email protected] · KVKK contact: [email protected]