Effective date: September 3, 2024

Privacy Policy


Hamla Teknoloji A.Ş. (Oarca) Privacy and Policy

Last Updated: 27 June 2025

1. Introduction

This Privacy and Security Policy outlines in detail how Hamla Teknoloji A.Ş. (“Oarca”) collects, processes, stores, protects, and, where necessary, shares your personal data when you interact with our mobile application, services, and related platforms. We are committed to safeguarding your privacy and ensuring the highest standards of data protection and transparency in all jurisdictions in which we operate.

This Policy applies to all users of the Oarca mobile application and associated services worldwide and is designed to comply with international data protection regulations, including but not limited to:

• General Data Protection Regulation (GDPR) for residents of the European Union (EU) and European Economic Area (EEA),

• Law on the Protection of Personal Data (KVKK) for residents of Türkiye,

• California Consumer Privacy Act (CCPA) for residents of California, United States.

Our commitment to privacy means that we only collect and process personal data that is necessary for the provision, improvement, and personalization of our services, and we always do so with a lawful basis. We also take reasonable technical and organizational measures to ensure the confidentiality, integrity, and availability of your data.

This Policy explains:

• What types of personal data we collect and why;

• How we use and process your data;

• How we store and secure your information;

• The conditions under which we may share your data with third parties;

• Your legal rights and choices regarding your data.

We may update this Privacy and Security Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. Whenever we make a significant change, we will notify users through appropriate channels (such as app notifications or in-app banners). The most recent version of this Policy will always be available within the application under the “Privacy Policy” section.

By creating an account on the Oarca app, you acknowledge that you have read, understood, and accepted this Privacy and Security Policy. Separate consent is requested for processing sensitive data and AI-powered personalization features.

 

2. Data We Collect

We collect various types of personal and technical data to provide and enhance the functionality, safety, and performance of the Oarca mobile application. Data collection occurs through multiple channels:

• Directly from You: Information that you intentionally provide to us during registration, profile setup, or app usage.

• Automatically through the App: Information gathered via sensors, system permissions, or usage patterns while you interact with the app.

• Third-Party Integrations: Data retrieved through connected services (e.g., health tracking devices, wearables, cloud backups, or login providers such as Apple, Google, or Facebook).

The categories of data we collect may include, but are not limited to:

• Personal identifiers: Full name, email address, phone number (if provided), date of birth, gender, and profile picture.

• Location data: Real-time GPS coordinates, route history, and geofenced activity zones.

• Device metadata: Device model, operating system version, unique device identifiers, IP address, app version, battery and connectivity status.

• Performance and biometric data: Heart rate, cadence, stroke rate, pace, session duration, and perceived exertion (if entered).

• Multimedia content: Photos or videos taken or uploaded within the app, including those captured during training sessions or events.

• Team and training details: Memberships in clubs or teams, attendance records, training logs, coach-assigned programs, and shared workouts.

• Connected hardware data: Details from paired devices such as heart rate monitors, GPS watches, rowing sensors, or onboard cameras.

We ensure that all collected data is handled in accordance with applicable laws and only retained for as long as necessary to fulfill the stated purposes. Each category of data we collect is processed based on a specific legal ground, such as user consent (GDPR Art. 6(1)(a)), contractual necessity (Art. 6(1)(b)), or legitimate interest (Art. 6(1)(f)), depending on the context and type of interaction.

 

3. Account and Activity Data

When you create an account on Oarca, you are asked to provide specific personal details that form the basis of your user profile. These include:

• Full name

• Email address

• Date of birth

• Gender

• Profile photo (optional)

• Login credentials or authentication via third-party accounts (e.g., Google, Apple, Facebook)

Once your account is active, we also collect activity-specific data as part of your regular app usage. This data enables us to deliver core features such as performance analytics, team coordination, progress tracking, and personalized feedback. Activity data includes, but is not limited to:

• Session start and end times

• Type of training or workout

• Real-time metrics (e.g., distance, speed, pace, split times, stroke count/rate)

• Perceived effort (if manually entered)

• Route paths (via GPS)

• Team affiliations and group session participation

• Notes, comments, or feedback related to sessions

• Training plans created or followed

All collected activity data is securely stored and can be exported or deleted upon user request, in compliance with relevant data protection laws. The processing of account and activity data is necessary for the performance of our contract with the user (Art. 6(1)(b) GDPR) and for pursuing our legitimate interests, such as platform optimization.

 

4. Location and GPS Data

Precise location data is essential for delivering many of Oarca’s core functionalities, especially those related to real-time performance tracking and group coordination during outdoor water sports. We collect and process GPS-based location information only when:

• You have explicitly granted location permissions through your device’s operating system;

• You are actively using app features that require location access (e.g., route recording, live tracking, crew positioning).

The purposes of collecting location data include:

• Visualizing routes on maps during and after training

• Providing real-time position updates for coaches and teammates

• Generating performance metrics like distance, speed, and elevation gain

• Enabling safety features such as emergency location sharing and route deviation alerts

• Supporting analytics for route optimization and stroke efficiency

You retain full control over your location permissions at all times. You may revoke access via device settings, though doing so may limit or disable functionalities dependent on GPS (such as live tracking or session mapping). Oarca does not collect or process location data in the background without your explicit consent. Location data is processed only with your explicit consent (Art. 6(1)(a) GDPR), which can be withdrawn at any time through your device settings or the app.

5. Media and Shared Content

Oarca enables users to upload, create, and share various forms of content that enrich their training experience and foster community engagement. This includes:

• Photos and videos captured during training sessions, events, or shared via profile updates

• Posts and comments made within team groups, event pages, or community discussions

• Feedback and ratings submitted about workouts, teammates, or shared sessions

• Route designs and training plans manually drawn or recorded with GPS

All such content becomes associated with your Oarca profile and may be shared with:

• Teams and clubs you belong to

• Event pages for races, group trainings, or competitions

• Friends or followers (if social features are enabled)

• Coaches and support staff, if applicable

You retain full control over the visibility of your shared content through customizable privacy settings in the app. You can choose whether content is:

• Public (visible to all users)

• Team-only (visible to team members or event participants)

• Private (visible only to you or designated contacts)

We do not claim ownership of your uploaded content; however, by sharing it within the app, you grant us a limited license to display, store, and transmit the content solely for purposes of operating the platform. You may delete your shared content at any time unless it is required to be retained for safety, moderation, or compliance purposes.

 

6. Contacts and Team Discovery

To help you connect with friends, teammates, or coaches already using the platform, Oarca offers an optional contact synchronization feature. When you enable this feature:

• The app may temporarily access your device’s contact list, including names, phone numbers, and email addresses

• This data is used exclusively to match your contacts with existing Oarca users or suggest new connections

Key privacy principles for this feature:

• No unsolicited messages are sent to your contacts without your permission

• Contact data is never stored permanently on our servers and is discarded after the matching process

• You are always notified before any invitations or recommendations are made

• You can disable or revoke contact syncing at any time from the app settings

This feature is completely optional and does not affect your ability to use core functionalities of the app.

 

7. Device Integrations and External Services

To deliver a more complete and seamless fitness experience, Oarca offers integrations with a range of external devices and third-party health platforms. These may include:

• Wearable fitness devices such as Apple Watch, Garmin, Polar, Fitbit, or similar

• Health tracking apps like Apple Health, Google Fit, or Samsung Health

• Smart equipment including rowing machines, GPS watches, and heart rate monitors

When enabled, these integrations may share the following data types with Oarca:

• Heart rate and heart rate zones

• Cadence, stroke rate, or pedal RPM

• Step counts, movement, and duration

• Calories burned or estimated energy expenditure

• Session logs and training history

All integrations are governed by explicit user consent. You are prompted to grant access the first time you connect a new service or device. You may revoke these permissions at any time through:

• Your mobile operating system settings (e.g., Apple Health permissions)

• The settings panel within the Oarca app

• The external platform’s own access control interface

Oarca only accesses data relevant to the selected functionality, and never shares your connected device data with third parties without your consent.

8. Sensitive Health Data

Oarca includes features that allow users to monitor and analyze health and performance metrics using biometric tracking. If you choose to enable these features, we may process sensitive personal data, such as:

• Heart rate zones (e.g., aerobic, anaerobic, VO2 max)

• Recovery metrics (e.g., heart rate variability, rest periods, fatigue levels)

• Perceived or calculated effort levels during training

• Wellness indicators from integrated wearables or health platforms

Due to the highly personal nature of this data, we treat it with the strictest privacy protections in accordance with applicable health data regulations such as GDPR Article 9 and other relevant laws.

Key safeguards include:

• Explicit user consent: We only process this data if you actively opt in and grant permission through the app or your connected devices.

• Granular control: You can enable or disable specific data types individually (e.g., heart rate but not recovery data).

• No automatic sharing: Sensitive health data is never shared with other users, teams, or external entities without your prior and informed consent.

• Secure processing and storage: All sensitive data is encrypted in transit and at rest, and is stored separately from non-sensitive user data whenever possible.

You may withdraw consent and delete this data at any time from your in-app settings. Sensitive data such as biometric and health-related metrics are processed strictly with your explicit consent, in accordance with GDPR Article 9(2)(a).

 

9. Payments and Transactions

Oarca offers subscription-based features and in-app purchases that are processed through trusted third-party payment platforms, including:

• Apple App Store (Apple Pay)

• Google Play Store (Google Pay)

• Stripe for direct online payments on the web

To ensure secure and compliant processing:

• We do not collect or store full credit card numbers or bank details on our servers.

• All transactions are encrypted and handled securely by the respective payment service providers.

• You may manage, update, or cancel your subscription directly from your Apple or Google account settings, or via the Stripe customer portal (if applicable).

Upon successful payment, you will receive email receipts or confirmation notices at your registered email address. We may also notify you in-app of billing status, renewal reminders, or failed payments.

If you request a refund, it must be initiated through the platform from which the purchase was made (e.g., Apple, Google), as we do not have authority to issue refunds for those transactions.

 

10. Using Third-Party Accounts

To streamline the signup and login experience, Oarca allows users to authenticate using third-party accounts such as:

• Google (Gmail/Google Workspace)

• Apple ID

• Meta (Facebook/Instagram)

• Amazon Web Services

When you choose to log in via one of these services, we may receive access to basic profile information, which typically includes:

• Full name

• Email address

• Profile picture (if permission is granted)

We only access the minimum necessary data as permitted by the third-party provider’s OAuth or Sign in with Apple protocols. You are always informed of the exact data that will be shared before authentication is completed.

You can manage or revoke Oarca’s access to your third-party login data through:

• Your Google Account settings (myaccount.google.com)

• Your Apple ID privacy dashboard (appleid.apple.com)

• Your Facebook account settings (facebook.com/settings)

Revoking access may prevent future logins via the third-party service, but your Oarca data remains available and recoverable by setting a standalone email/password combination, if needed.

 

11. Your Rights and Choices

At Oarca, we are committed to empowering you with control over your personal data. Depending on your jurisdiction (such as under the GDPR, KVKK, or CCPA), you have the following rights with respect to the personal information we collect and process:

• Right of Access: You may request a copy of the personal data we hold about you, along with details on how it is used and with whom it is shared.

• Right to Rectification: If you believe that any of your personal data is inaccurate, incomplete, or outdated, you may request corrections or updates.

• Right to Erasure (“Right to be Forgotten”): You may request that we delete your personal data from our systems, subject to exceptions required by law or legitimate business purposes (e.g., financial recordkeeping or fraud prevention).

• Right to Object or Restrict Processing: You may object to certain types of data processing, such as receiving marketing communications, or request a temporary halt to processing during a dispute over accuracy or purpose.

• Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format for transfer to another service provider.

• Right to Withdraw Consent: Where processing is based on your explicit consent (e.g., health metrics or device integration), you may withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.

If you reside in Türkiye, you also have the following rights under KVKK Article 11:

• Learn whether your personal data is being processed

• Request information about the processing activities

• Learn the purposes of processing and whether they are fulfilled

• Know third parties to whom data is transferred domestically or abroad

• Request correction of incomplete or inaccurate data

• Request deletion or anonymization under Article 7

• Object to results of automated processing

• Claim compensation in case of damages due to unlawful processing

To exercise any of these rights, you may submit a written request to:

📧 info@hamlateknoloji.com

We aim to respond to all valid requests within the legally required timeframes (e.g., 30 days under GDPR), and may ask for identity verification to protect your privacy.

 

12. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Providing ongoing access to your account and services

• Delivering customer support and resolving disputes

• Meeting contractual and legal obligations

• Complying with audit, accounting, and regulatory requirements

• Improving and securing our platform (e.g., fraud detection, performance logs)

Specific retention periods vary based on the type of data and the applicable legal framework. For example:

• Account-related data is retained for the duration of your active use of Oarca.

• Inactive or deleted accounts will have their data deleted or anonymized within 30 to 45 days, unless legal or regulatory retention requirements apply.

• Payment and transactional records may be retained for up to 10 years in accordance with financial and tax regulations.

• Anonymized or aggregated data (that can no longer be linked to a specific user) may be retained indefinitely for analytical purposes.

Retention Table:

• Location data: Retained for 12 months unless otherwise requested  

• Contact sync data: Deleted immediately after use  

• Health metrics: Retained as long as AI features are enabled  

• Shared media (posts, videos): Until manually deleted by the user or account removal  

• Anonymized aggregated data: May be retained indefinitely for research and development

You may also request early deletion of your data, subject to the constraints above.

 


13. International Transfers of Data

As a global platform, Oarca may process and store your personal data on servers located in jurisdictions outside your country of residence. This may include:

• Türkiye, where our headquarters and primary data infrastructure are located

• European Union (EU) countries

• United States and other countries where our partners or infrastructure providers operate

To ensure your data remains protected regardless of location, we implement appropriate international data transfer safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Adequacy decisions from regulatory authorities for countries deemed to have strong data protection laws

• Binding corporate rules or intra-group agreements, where applicable

• Encryption and secure channels for transmission and storage

We regularly review our data transfer practices to ensure they remain aligned with global privacy standards and applicable regulations, such as GDPR (Articles 44–50) and CCPA.

 


14. KVKK-Specific Notice for Turkish Users

In accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK), the following information is provided to users residing in Türkiye, regarding the processing of their personal data by Hamla Teknoloji A.Ş.:

• Data Controller Information

As defined by KVKK, the data controller is:

Hamla Teknoloji Anonim Şirketi

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204

Sarıyer, İstanbul

Email for KVKK-related inquiries: info@hamlateknoloji.com

• Legal Basis of Processing (KVKK Art. 5, 6 & 7)

Personal data is processed only when at least one of the legal bases under KVKK is met:

• Explicit consent from the data subject

• Necessity for the establishment or performance of a contract

• Fulfillment of the data controller's legal obligations

• Protection of vital interests of the data subject or another individual

• Publicization by the data subject

• Necessity for the establishment, exercise, or protection of a legal right

• Legitimate interest of the data controller, provided that such interest does not override the fundamental rights and freedoms of the data subject

The following categories of personal data are processed only upon your explicit and informed consent, which is requested separately at the time of enabling each feature:

• Location data (e.g., GPS tracking)

• Health and biometric data (e.g., heart rate, effort level, fatigue indicators)

• Connected hardware data (e.g., smartwatches, heart rate bands)

• AI-powered personalized performance summaries

Processing of sensitive personal data, such as health-related data, is conducted strictly in accordance with KVKK Article 6, either based on explicit consent or under legally permitted conditions. Users are informed and asked for permission prior to any such processing, and may withdraw their consent at any time.

• Data Retention and Minimization (KVKK Art. 4 & 7)

Personal data is retained only for the duration necessary to fulfill the stated purposes, and in accordance with legal and regulatory requirements. Maximum retention periods include:

• GPS and route data: 12 months, unless extended by user preference

• Health and biometric data: as long as AI personalization remains enabled

• Account metadata: until deletion request or 45 days of inactivity

• Payment and financial records: up to 10 years (as required by tax regulations)

Upon request, users may have their data deleted or anonymized, as outlined in Article 7 of KVKK. Data not needed for any processing purpose is routinely deleted or anonymized.

• Data Transfer (KVKK Art. 9)

Personal data may be transferred to domestic or international service providers (e.g., cloud services, analytics, payment processors) only if:

• The recipient country is determined to have an adequate level of data protection by the Turkish Data Protection Authority, or

• The explicit consent of the user is obtained prior to transfer, or

• A written undertaking is executed and Board approval is granted where adequacy is not established

Data may be transferred to trusted providers such as Google Cloud, Amazon AWS, or Firebase, but only to the extent necessary for operating the application and always in accordance with applicable safeguards.

• Rights of the Data Subject (KVKK Art. 11)

In accordance with Article 11 of the KVKK, users have the right to:

1. Learn whether their personal data is being processed

2. Request information regarding the scope of processing

3. Learn the purpose of processing and whether it is being carried out in accordance with such purpose

4. Know the third parties to whom personal data is transferred, domestically or internationally

5. Request correction of incomplete or inaccurate data

6. Request deletion or anonymization of personal data within the scope of Article 7

7. Request notification of correction or deletion to third parties

8. Object to results arising exclusively from automated data processing

9. Request compensation in case of damages arising from unlawful processing

• Exercising Your Rights

Users residing in Türkiye may submit their requests regarding their personal data, in line with KVKK Article 13, using the following methods:

• By sending an email with secure electronic signature to: info@hamlateknoloji.com

• By delivering a signed written request in person or via mail to our company headquarters:

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204, Sarıyer, İstanbul

• Or by other methods permitted by the Turkish Data Protection Authority (KVKK Kurumu)

Requests will be answered within 30 days of receipt. If the request incurs a processing cost, the tariff set by the KVKK Board will apply, and you will be informed beforehand.

 

15. Data Security

At Oarca, we are committed to protecting your personal data through a comprehensive set of technical, organizational, and procedural safeguards. While no digital system can ever be completely immune to cyber threats, we implement industry best practices to significantly reduce risk.

Our security practices include:

• TLS (Transport Layer Security) Encryption: All data transmitted between your device and our servers is encrypted using TLS protocols to prevent interception or tampering during transmission.

• Role-Based Access Controls (RBAC): Internal access to user data is restricted based on job roles and responsibilities. Only authorized personnel with a legitimate need can access specific datasets.

• Two-Factor Authentication (2FA): All administrative and privileged accounts are secured with mandatory 2FA to prevent unauthorized access even in the event of credential compromise.

• Data Minimization and Encryption at Rest: Sensitive data (e.g., health metrics) is encrypted and stored with strict access controls.

• Regular Security Audits: We conduct internal and external vulnerability assessments and penetration testing on a routine basis.

• Secure Coding Practices: Our engineering team adheres to OWASP (Open Web Application Security Project) guidelines to prevent common exploits such as SQL injection, cross-site scripting (XSS), and others.

In case of a data breach, we follow a documented incident response protocol and will notify users and authorities as required under applicable laws (e.g., GDPR Articles 33–34). We perform regular encrypted backups and maintain disaster recovery protocols to ensure data continuity in case of system failures.

 

16. Children’s Privacy

We take the privacy of children very seriously and comply with applicable child data protection laws, including the Children’s Online Privacy Protection Act (COPPA) in the U.S. and Article 8 of the GDPR in the EU.

• Minimum Age Requirement: Oarca is not intended for children under the age of 13. We actively block account registration for anyone below this age based on the information provided during signup. If we become aware that data from a child under 13 has been collected, we will delete it promptly.

• Ages 13 to 17: Users aged between 13 and 17 may use the platform with stricter default privacy controls to safeguard their data. These include:

  • Private profiles enabled by default

  • Messaging features disabled or restricted

  • Limited use of sensitive data such as health or location metrics

  • Restricted content discovery in public feeds or leaderboards

• For users under the age of 18 residing in Türkiye, registration and data processing are permitted only with the explicit consent of a parent or legal guardian.

If such consent is not provided, the account may be deactivated and associated data will be deleted in accordance with KVKK Article 7.

Parents or guardians may contact us at info@hamlateknoloji.com to review or request deletion of a minor’s data.

 

17. Cookies and Technical Data

To provide a smooth, secure, and personalized experience, Oarca uses cookies and collects various forms of technical and analytical data from your device and interactions with the app. These technologies help us:

• Understand user behavior and usage trends

• Detect and resolve errors or crashes

• Optimize app performance and usability

• Enhance security and fraud prevention

Data collected may include:

• Device type and model (e.g., iPhone 14, Galaxy S22)

• Operating system version (e.g., iOS 17, Android 13)

• IP address and country of access

• App version and feature usage patterns

• Crash logs and error reports

• Screen resolution and touch behavior (for UI/UX analysis)

• Referrer information (e.g., if you arrived via a team invite link)

Types of cookies and similar technologies we may use:

• Essential Cookies: Required for basic app functionality (e.g., login sessions)

• Performance and Analytics Cookies: Used to improve app quality and experience

• Functional Cookies: Help store your preferences and settings

You can control or disable certain types of cookies or telemetry data via the in-app Privacy Settings menu. However, please note that disabling essential cookies may impact the app's core functionality. On your first use of the app, you will be presented with a cookie consent prompt, allowing you to accept or reject non-essential cookies. You can change your preferences at any time in Settings > Privacy.

18. AI and Personalization Features

Oarca leverages artificial intelligence (AI) and machine learning (ML) technologies to provide smarter, more personalized training experiences. These features are designed to help users better understand their performance and optimize their routines, and they are only activated with your explicit permission.

We may use anonymized or aggregated data (i.e., data that cannot be used to directly identify you) to:

• Generate personalized session summaries based on your past performance

• Provide tailored recommendations for training intensity, recovery time, and pacing

• Detect anomalies in metrics like heart rate or stroke pattern

• Benchmark your progress against anonymized data from similar users or teams

• Offer predictive analytics for race prep, fatigue detection, or improvement areas

Your privacy and control are central to these features. You can:

• Opt in or opt out at any time from the app

• Request that your data not be used for AI training purposes (even anonymously)

• View a history of any automated insights generated for your account

These AI features do not make automated decisions that affect your legal rights or access to services, or that have a legal or significant effect on the user, as defined under GDPR Article 22. All recommendations are assistive and non-binding.

From time to time, we may introduce experimental or beta features powered by AI or advanced data processing models. These features are clearly marked as “Beta” and may be subject to change or deactivation. Participation is optional and requires separate user consent. When enabled, these features may process your training or biometric data in different ways for testing or refinement purposes. All such data is still handled under the same security and privacy safeguards described in this Policy. You may opt out of beta features at any time from the app settings.

 

19. Communication Preferences

To keep you informed and engaged, we may send various types of communications related to your Oarca account and activity. These may include:

• Training summaries and performance insights

• Feature updates or important service changes

• User surveys or feedback requests

• Team invitations or group announcements

• Educational content to improve your training experience

You may choose to:

• Enable or disable push notifications, email updates, or in-app alerts

• Customize which categories of communication are relevant to you

• Opt out entirely from marketing or promotional messages

However, some communications are considered transactional or essential and cannot be disabled. These include:

• Billing receipts and payment confirmations

• Security alerts or account recovery messages

• Changes to our Terms of Service or Privacy Policy

We strive to keep all communications relevant, minimal, and respectful of your time.

 

20. Data Sharing and Disclosure

We are firmly committed to protecting your privacy. Oarca does not sell your personal data under any circumstances.

We only share data with third parties under strict, lawful conditions, including:

a) Service Providers and Vendors

We partner with trusted third-party providers who support the operation and improvement of our platform. These include:

• Payment processors (e.g., Stripe, Apple, Google)

• Cloud infrastructure providers (e.g., AWS, Google Cloud)

• Analytics services (e.g., Firebase, Sentry)

• Customer support platforms

These partners are contractually bound to process your data only on our behalf and in accordance with this Privacy Policy and applicable data protection laws.

b) Legal or Regulatory Requirements

We may disclose data if required to comply with a valid legal obligation, court order, or governmental request. In such cases, we limit the disclosure to what is strictly necessary and, when legally permitted, notify the user.

c) User Authorization

We may share or display your data if you explicitly authorize it—for example, by connecting with teammates, sharing a public training route, or linking with third-party apps.

d) Public Visibility Settings

Depending on your profile and content visibility settings, certain data (such as profile name, event participation, or shared workouts) may be viewable by others.

We never disclose sensitive data such as health metrics or location history without your active consent. We do not share your personal data with advertisers, ad networks, or data brokers for marketing purposes.

21. Contact Information

Hamla Teknoloji A.Ş.

Oarca App – Privacy Compliance

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204

Sarıyer, İstanbul

Email: info@hamlateknoloji.com


We may share or display your data if you explicitly authorize it—for example, by connecting with teammates, sharing a public training route, or linking with third-party apps.

d) Public Visibility Settings

Depending on your profile and content visibility settings, certain data (such as profile name, event participation, or shared workouts) may be viewable by others.

We never disclose sensitive data such as health metrics or location history without your active consent. We do not share your personal data with advertisers, ad networks, or data brokers for marketing purposes.

21. Contact Information

Hamla Teknoloji A.Ş.

Oarca App – Privacy Compliance

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204

Sarıyer, İstanbul

Email: info@hamlateknoloji.com

Hamla Teknoloji A.Ş.(Oarca) Privacy and Policy

Last Updated: 27 June 2025

1. Introduction

This Privacy and Security Policy outlines in detail how Hamla Teknoloji A.Ş. (“Oarca”) collects, processes, stores, protects, and, where necessary, shares your personal data when you interact with our mobile application, services, and related platforms. We are committed to safeguarding your privacy and ensuring the highest standards of data protection and transparency in all jurisdictions in which we operate.

This Policy applies to all users of the Oarca mobile application and associated services worldwide and is designed to comply with international data protection regulations, including but not limited to:

• General Data Protection Regulation (GDPR) for residents of the European Union (EU) and European Economic Area (EEA),

• Law on the Protection of Personal Data (KVKK) for residents of Türkiye,

• California Consumer Privacy Act (CCPA) for residents of California, United States.

Our commitment to privacy means that we only collect and process personal data that is necessary for the provision, improvement, and personalization of our services, and we always do so with a lawful basis. We also take reasonable technical and organizational measures to ensure the confidentiality, integrity, and availability of your data.

This Policy explains:

• What types of personal data we collect and why;

• How we use and process your data;

• How we store and secure your information;

• The conditions under which we may share your data with third parties;

• Your legal rights and choices regarding your data.

We may update this Privacy and Security Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. Whenever we make a significant change, we will notify users through appropriate channels (such as app notifications or in-app banners). The most recent version of this Policy will always be available within the application under the “Privacy Policy” section.

By creating an account on the Oarca app, you acknowledge that you have read, understood, and accepted this Privacy and Security Policy. Separate consent is requested for processing sensitive data and AI-powered personalization features.

 

2. Data We Collect

We collect various types of personal and technical data to provide and enhance the functionality, safety, and performance of the Oarca mobile application. Data collection occurs through multiple channels:

• Directly from You: Information that you intentionally provide to us during registration, profile setup, or app usage.

• Automatically through the App: Information gathered via sensors, system permissions, or usage patterns while you interact with the app.

• Third-Party Integrations: Data retrieved through connected services (e.g., health tracking devices, wearables, cloud backups, or login providers such as Apple, Google, or Facebook).

The categories of data we collect may include, but are not limited to:

• Personal identifiers: Full name, email address, phone number (if provided), date of birth, gender, and profile picture.

• Location data: Real-time GPS coordinates, route history, and geofenced activity zones.

• Device metadata: Device model, operating system version, unique device identifiers, IP address, app version, battery and connectivity status.

• Performance and biometric data: Heart rate, cadence, stroke rate, pace, session duration, and perceived exertion (if entered).

• Multimedia content: Photos or videos taken or uploaded within the app, including those captured during training sessions or events.

• Team and training details: Memberships in clubs or teams, attendance records, training logs, coach-assigned programs, and shared workouts.

• Connected hardware data: Details from paired devices such as heart rate monitors, GPS watches, rowing sensors, or onboard cameras.

We ensure that all collected data is handled in accordance with applicable laws and only retained for as long as necessary to fulfill the stated purposes. Each category of data we collect is processed based on a specific legal ground, such as user consent (GDPR Art. 6(1)(a)), contractual necessity (Art. 6(1)(b)), or legitimate interest (Art. 6(1)(f)), depending on the context and type of interaction.

 

3. Account and Activity Data

When you create an account on Oarca, you are asked to provide specific personal details that form the basis of your user profile. These include:

• Full name

• Email address

• Date of birth

• Gender

• Profile photo (optional)

• Login credentials or authentication via third-party accounts (e.g., Google, Apple, Facebook)

Once your account is active, we also collect activity-specific data as part of your regular app usage. This data enables us to deliver core features such as performance analytics, team coordination, progress tracking, and personalized feedback. Activity data includes, but is not limited to:

• Session start and end times

• Type of training or workout

• Real-time metrics (e.g., distance, speed, pace, split times, stroke count/rate)

• Perceived effort (if manually entered)

• Route paths (via GPS)

• Team affiliations and group session participation

• Notes, comments, or feedback related to sessions

• Training plans created or followed

All collected activity data is securely stored and can be exported or deleted upon user request, in compliance with relevant data protection laws. The processing of account and activity data is necessary for the performance of our contract with the user (Art. 6(1)(b) GDPR) and for improving our legitimate interests such as platform optimization.

 

4. Location and GPS Data

Precise location data is essential for delivering many of Oarca’s core functionalities, especially those related to real-time performance tracking and group coordination during outdoor water sports. We collect and process GPS-based location information only when:

• You have explicitly granted location permissions through your device’s operating system;

• You are actively using app features that require location access (e.g., route recording, live tracking, crew positioning).

The purposes of collecting location data include:

• Visualizing routes on maps during and after training

• Providing real-time position updates for coaches and teammates

• Generating performance metrics like distance, speed, and elevation gain

• Enabling safety features such as emergency location sharing and route deviation alerts

• Supporting analytics for route optimization and stroke efficiency

You retain full control over your location permissions at all times. You may revoke access via device settings, though doing so may limit or disable functionalities dependent on GPS (such as live tracking or session mapping). Oarca does not collect or process location data in the background without your explicit consent. Location data is processed only with your explicit consent (Art. 6(1)(a) GDPR) and can be withdrawn at any time through your device settings or the app.

5. Media and Shared Content

Oarca enables users to upload, create, and share various forms of content that enrich their training experience and foster community engagement. This includes:

• Photos and videos captured during training sessions, events, or shared via profile updates

• Posts and comments made within team groups, event pages, or community discussions

• Feedback and ratings submitted about workouts, teammates, or shared sessions

• Route designs and training plans manually drawn or recorded with GPS

All such content becomes associated with your Oarca profile and may be shared with:

• Teams and clubs you belong to

• Event pages for races, group trainings, or competitions

• Friends or followers (if social features are enabled)

• Coaches and support staff, if applicable

You retain full control over the visibility of your shared content through customizable privacy settings in the app. You can choose whether content is:

• Public (visible to all users)

• Team-only (visible to team members or event participants)

• Private (visible only to you or designated contacts)

We do not claim ownership of your uploaded content; however, by sharing it within the app, you grant us a limited license to display, store, and transmit the content solely for purposes of operating the platform. You may delete your shared content at any time unless it is required to be retained for safety, moderation, or compliance purposes.

 

6. Contacts and Team Discovery

To help you connect with friends, teammates, or coaches already using the platform, Oarca offers an optional contact synchronization feature. When you enable this feature:

• The app may temporarily access your device’s contact list, including names, phone numbers, and email addresses

• This data is used exclusively to match your contacts with existing Oarca users or suggest new connections

Key privacy principles for this feature:

• No unsolicited messages are sent to your contacts without your permission

• Contact data is never stored permanently on our servers and is discarded after the matching process

• You are always notified before any invitations or recommendations are made

• You can disable or revoke contact syncing at any time from the app settings

This feature is completely optional and does not affect your ability to use core functionalities of the app.

 

7. Device Integrations and External Services

To deliver a more complete and seamless fitness experience, Oarca offers integrations with a range of external devices and third-party health platforms. These may include:

• Wearable fitness devices such as Apple Watch, Garmin, Polar, Fitbit, or similar

• Health tracking apps like Apple Health, Google Fit, or Samsung Health

• Smart equipment including rowing machines, GPS watches, and heart rate monitors

When enabled, these integrations may share the following data types with Oarca:

• Heart rate and heart rate zones

• Cadence, stroke rate, or pedal RPM

• Step counts, movement, and duration

• Calories burned or estimated energy expenditure

• Session logs and training history

All integrations are governed by explicit user consent. You are prompted to grant access the first time you connect a new service or device. You may revoke these permissions at any time through:

• Your mobile operating system settings (e.g., Apple Health permissions)

• The settings panel within the Oarca app

• The external platform’s own access control interface

Oarca only accesses data relevant to the selected functionality, and never shares your connected device data with third parties without your consent.

8. Sensitive Health Data

Oarca includes features that allow users to monitor and analyze health and performance metrics using biometric tracking. If you choose to enable these features, we may process sensitive personal data, such as:

• Heart rate zones (e.g., aerobic, anaerobic, VO2 max)

• Recovery metrics (e.g., heart rate variability, rest periods, fatigue levels)

• Perceived or calculated effort levels during training

• Wellness indicators from integrated wearables or health platforms

Due to the highly personal nature of this data, we treat it with the strictest privacy protections in accordance with applicable health data regulations such as GDPR Article 9 and other relevant laws.

Key safeguards include:

• Explicit user consent: We only process this data if you actively opt in and grant permission through the app or your connected devices.

• Granular control: You can enable or disable specific data types individually (e.g., heart rate but not recovery data).

• No automatic sharing: Sensitive health data is never shared with other users, teams, or external entities without your prior and informed consent.

• Secure processing and storage: All sensitive data is encrypted in transit and at rest, and is stored separately from non-sensitive user data whenever possible.

You may withdraw consent and delete this data at any time from your in-app settings. Sensitive data such as biometric and health-related metrics are processed strictly with your explicit consent, in accordance with GDPR Article 9(2)(a).

 

9. Payments and Transactions

Oarca offers subscription-based features and in-app purchases that are processed through trusted third-party payment platforms, including:

• Apple App Store (Apple Pay)

• Google Play Store (Google Pay)

• Stripe for direct online payments on the web

To ensure secure and compliant processing:

• We do not collect or store full credit card numbers or bank details on our servers.

• All transactions are encrypted and handled securely by the respective payment service providers.

• You may manage, update, or cancel your subscription directly from your Apple or Google account settings, or via the Stripe customer portal (if applicable).

Upon successful payment, you will receive email receipts or confirmation notices at your registered email address. We may also notify you in-app of billing status, renewal reminders, or failed payments.

If you request a refund, it must be initiated through the platform from which the purchase was made (e.g., Apple, Google), as we do not have authority to issue refunds for those transactions.

 

10. Using Third-Party Accounts

To streamline the signup and login experience, Oarca allows users to authenticate using third-party accounts such as:

• Google (Gmail/Google Workspace)

• Apple ID

• Meta (Facebook/Instagram)

• Amazon Web Services

When you choose to log in via one of these services, we may receive access to basic profile information, which typically includes:

• Full name

• Email address

• Profile picture (if permission is granted)

We only access the minimum necessary data as permitted by the third-party provider’s OAuth or Sign in with Appleprotocols. You are always informed of the exact data that will be shared before authentication is completed.

You can manage or revoke Oarca’s access to your third-party login data through:

• Your Google Account settings (myaccount.google.com)

• Your Apple ID privacy dashboard (appleid.apple.com)

• Your Facebook account settings (facebook.com/settings)

Revoking access may prevent future logins via the third-party service, but your Oarca data remains available and recoverable by setting a standalone email/password combination, if needed.

 

11. Your Rights and Choices

At Oarca, we are committed to empowering you with control over your personal data. Depending on your jurisdiction (such as under the GDPR, KVKK, or CCPA), you have the following rights with respect to the personal information we collect and process:

• Right of Access:You may request a copy of the personal data we hold about you, along with details on how it is used and with whom it is shared.

• Right to Rectification:If you believe that any of your personal data is inaccurate, incomplete, or outdated, you may request corrections or updates.

• Right to Erasure (“Right to be Forgotten”):You may request that we delete your personal data from our systems, subject to exceptions required by law or legitimate business purposes (e.g., financial recordkeeping or fraud prevention).

• Right to Object or Restrict Processing:You may object to certain types of data processing, such as receiving marketing communications, or request a temporary halt to processing during a dispute over accuracy or purpose.

• Right to Data Portability:You may request your data in a structured, commonly used, and machine-readable format for transfer to another service provider.

• Right to Withdraw Consent:Where processing is based on your explicit consent (e.g., health metrics or device integration), you may withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.

If you reside in Türkiye, you also have the following rights under KVKK Article 11:

• Learn whether your personal data is being processed

• Request information about the processing activities

• Learn the purposes of processing and whether they are fulfilled

• Know third parties to whom data is transferred domestically or abroad

• Request correction of incomplete or inaccurate data

• Request deletion or anonymization under Article 7

• Object to results of automated processing

• Claim compensation in case of damages due to unlawful processing

To exercise any of these rights, you may submit a written request to:

📧 info@hamlateknoloji.com

We aim to respond to all valid requests within the legally required timeframes (e.g., 30 days under GDPR), and may ask for identity verification to protect your privacy.

 

12. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Providing ongoing access to your account and services

• Delivering customer support and resolving disputes

• Meeting contractual and legal obligations

• Complying with audit, accounting, and regulatory requirements

• Improving and securing our platform (e.g., fraud detection, performance logs)

Specific retention periods vary based on the type of data and the applicable legal framework. For example:

• Account-related data is retained for the duration of your active use of Oarca.

• Inactive or deleted accounts will have their data deleted or anonymized within 30 to 45 days, unless legal or regulatory retention requirements apply.

• Payment and transactional records may be retained for up to 10 years in accordance with financial and tax regulations.

• Anonymized or aggregated data (that can no longer be linked to a specific user) may be retained indefinitely for analytical purposes.

Retention Table:

• Location data: Retained for 12 months unless otherwise requested  

• Contact sync data: Deleted immediately after use  

• Health metrics: Retained as long as AI features are enabled  

• Shared media (posts, videos): Until manually deleted by the user or account removal  

• Anonymized aggregated data: May be retained indefinitely for research and development

You may also request early deletion of your data, subject to the constraints above.

 


13. International Transfers of Data

As a global platform, Oarca may process and store your personal data on servers located in jurisdictions outside your country of residence. This may include:

• Türkiye, where our headquarters and primary data infrastructure are located

• European Union (EU) countries

• United States and other countries where our partners or infrastructure providers operate

To ensure your data remains protected regardless of location, we implement appropriate international data transfer safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Adequacy decisions from regulatory authorities for countries deemed to have strong data protection laws

• Binding corporate rules or intra-group agreements, where applicable

• Encryption and secure channels for transmission and storage

We regularly review our data transfer practices to ensure they remain aligned with global privacy standards and applicable regulations, such as GDPR (Article 44–50) and CCPA.

 


14. KVKK-Specific Notice for Turkish Users

In accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK), the following information is provided to users residing in Türkiye, regarding the processing of their personal data by Hamla Teknoloji A.Ş.:

• Data Controller Information

As defined by KVKK, the data controller is:

Hamla Teknoloji Anonim Şirketi

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204

Sarıyer, İstanbul

Email for KVKK-related inquiries: info@hamlateknoloji.com

• Legal Basis of Processing (KVKK Art. 5, 6 & 7)

Personal data is processed only when at least one of the legal bases under KVKK is met:

• Explicit consent from the data subject

• Necessity for the establishment or performance of a contract

• Fulfillment of the data controller's legal obligations

• Protection of vital interests of the data subject or another individual

• Publicization by the data subject

• Necessity for the establishment, exercise, or protection of a legal right

• Legitimate interest of the data controller, provided that such interest does not override the fundamental rights and freedoms of the data subject

The following categories of personal data are processed only upon your explicit and informed consent, which is requested separately at the time of enabling each feature:

• Location data (e.g., GPS tracking)

• Health and biometric data (e.g., heart rate, effort level, fatigue indicators)

• Connected hardware data (e.g., smartwatches, heart rate bands)

• AI-powered personalized performance summaries

Processing of sensitive personal data, such as health-related data, is conducted strictly in accordance with KVKK Article 6, either based on explicit consent or under legally permitted conditions. Users are informed and asked for permission prior to any such processing, and may withdraw their consent at any time.

• Data Retention and Minimization (KVKK Art. 4 & 7)

Personal data is retained only for the duration necessary to fulfill the stated purposes, and in accordance with legal and regulatory requirements. Maximum retention periods include:

• GPS and route data: 12 months, unless extended by user preference

• Health and biometric data: as long as AI personalization remains enabled

• Account metadata: until deletion request or 45 days of inactivity

• Payment and financial records: up to 10 years (as required by tax regulations)

Upon request, users may have their data deleted or anonymized, as outlined in Article 7 of KVKK. Data not needed for any processing purpose is routinely deleted or anonymized.

• Data Transfer (KVKK Art. 9)

Personal data may be transferred to domestic or international service providers (e.g., cloud services, analytics, payment processors) only if:

• The recipient country is determined to have an adequate level of data protection by the Turkish Data Protection Authority, or

• The explicit consent of the user is obtained prior to transfer, or

• A written undertaking is executed and Board approval is granted where adequacy is not established

Data may be transferred to trusted providers such as Google Cloud, Amazon AWS, or Firebase, but only to the extent necessary for operating the application and always in accordance with applicable safeguards.

• Rights of the Data Subject (KVKK Art. 11)

In accordance with Article 11 of the KVKK, users have the right to:

1. Learn whether their personal data is being processed

2. Request information regarding the scope of processing

3. Learn the purpose of processing and whether it is being carried out in accordance with such purpose

4. Know the third parties to whom personal data is transferred, domestically or internationally

5. Request correction of incomplete or inaccurate data

6. Request deletion or anonymization of personal data within the scope of Article 7

7. Request notification of correction or deletion to third parties

8. Object to results arising from automated data processing exclusively

9. Request compensation in case of damages arising from unlawful processing

• Exercising Your Rights

Users residing in Türkiye may submit their requests regarding their personal data, in line with KVKK Article 13, using the following methods:

• By sending an email with secure electronic signature to: info@hamlateknoloji.com

• By delivering a signed written request in person or via mail to our company headquarters:

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204, Sarıyer, İstanbul

• Or by other methods permitted by the Turkish Data Protection Authority (KVKK Kurumu)

Requests will be answered within 30 days of receipt. If the request incurs a processing cost, the tariff set by the KVKK Board will apply, and you will be informed beforehand.

 

15. Data Security

At Oarca, we are committed to protecting your personal data through a comprehensive set of technical, organizational, and procedural safeguards. While no digital system can ever be completely immune to cyber threats, we implement industry best practices to significantly reduce risk.

Our security practices include:

• TLS (Transport Layer Security) Encryption: All data transmitted between your device and our servers is encrypted using TLS protocols to prevent interception or tampering during transmission.

• Role-Based Access Controls (RBAC): Internal access to user data is restricted based on job roles and responsibilities. Only authorized personnel with a legitimate need can access specific datasets.

• Two-Factor Authentication (2FA): All administrative and privileged accounts are secured with mandatory 2FA to prevent unauthorized access even in the event of credential compromise.

• Data Minimization and Encryption at Rest: Sensitive data (e.g., health metrics) is encrypted and stored with strict access controls.

• Regular Security Audits: We conduct internal and external vulnerability assessments and penetration testing on a routine basis.

• Secure Coding Practices: Our engineering team adheres to OWASP (Open Web Application Security Project) guidelines to prevent common exploits such as SQL injection, cross-site scripting (XSS), and others.

In case of a data breach, we follow a documented incident response protocol and will notify users and authorities as required under applicable laws (e.g., GDPR Articles 33–34). We perform regular encrypted backups and maintain disaster recovery protocols to ensure data continuity in case of system failures.

 

16. Children’s Privacy

We take the privacy of children very seriously and comply with applicable child data protection laws, including the Children’s Online Privacy Protection Act (COPPA) in the U.S. and Article 8 of the GDPR in the EU.

• Minimum Age Requirement: Oarca is not intended for children under the age of 13. We actively block account registration for anyone below this age based on the information provided during signup. If we become aware that data from a child under 13 has been collected, we will delete it promptly.

• Ages 13 to 17: Users aged between 13 and 17 may use the platform with stricter default privacy controls to safeguard their data. These include:

o Private profiles enabled by default

o Messaging features disabled or restricted

o Limited use of sensitive data such as health or location metrics

o Restricted content discovery in public feeds or leaderboards

• For users under the age of 18 residing in Türkiye, registration and data processing is permitted only with the explicit consent of a parent or legal guardian.

If such consent is not provided, the account may be deactivated and associated data will be deleted in accordance with KVKK Article 7.”

Parents or guardians may contact us at info@hamlateknoloji.com to review or request deletion of a minor’s data.

 

17. Cookies and Technical Data

To provide a smooth, secure, and personalized experience, Oarca uses cookies and collects various forms of technical and analytical data from your device and interactions with the app. These technologies help us:

• Understand user behavior and usage trends

• Detect and resolve errors or crashes

• Optimize app performance and usability

• Enhance security and fraud prevention

Data collected may include:

• Device type and model (e.g., iPhone 14, Galaxy S22)

• Operating system version (e.g., iOS 17, Android 13)

• IP address and country of access

• App version and feature usage patterns

• Crash logs and error reports

• Screen resolution and touch behavior (for UI/UX analysis)

• Referrer information (e.g., if you arrived via a team invite link)

Types of cookies and similar technologies we may use:

• Essential Cookies: Required for basic app functionality (e.g., login sessions)

• Performance and Analytics Cookies: Used to improve app quality and experience

• Functional Cookies: Help store your preferences and settings

You can control or disable certain types of cookies or telemetry data via the in-app Privacy Settings menu. However, please note that disabling essential cookies may impact the app's core functionality. On your first use of the app, you will be presented with a cookie consent prompt, allowing you to accept or reject non-essential cookies. You can change your preferences at any time in Settings > Privacy.

18. AI and Personalization Features

Oarca leverages artificial intelligence (AI) and machine learning (ML) technologies to provide smarter, more personalized training experiences. These features are designed to help users better understand their performance and optimize their routines, and they are only activated with your explicit permission.

We may use anonymized or aggregated data (i.e., data that cannot be used to directly identify you) to:

• Generate personalized session summaries based on your past performance

• Provide tailored recommendations for training intensity, recovery time, and pacing

• Detect anomalies in metrics like heart rate or stroke pattern

• Benchmark your progress against anonymized data from similar users or teams

• Offer predictive analytics for race prep, fatigue detection, or improvement areas

Your privacy and control are central to these features. You can:

• Opt in or opt out at any time from the app

• Request that your data not be used for AI training purposes (even anonymously)

• View a history of any automated insights generated for your account

These AI features do not make automated decisions that affect your legal rights or access to services, or that have a legal or significant effect on the user, as defined under GDPR Article 22. All recommendations are assistive and non-binding, not mandatory.

From time to time, we may introduce experimental or beta features powered by AI or advanced data processing models. These features are clearly marked as “Beta” and may be subject to change or deactivation. Participation is optional and requires separate user consent. When enabled, these features may process your training or biometric data in different ways for testing or refinement purposes. All such data is still handled under the same security and privacy safeguards described in this Policy. You may opt out of beta features at any time from the app settings.

 

19. Communication Preferences

To keep you informed and engaged, we may send various types of communications related to your Oarca account and activity. These may include:

• Training summaries and performance insights

• Feature updates or important service changes

• User surveys or feedback requests

• Team invitations or group announcements

• Educational content to improve your training experience

You may choose to:

• Enable or disable push notifications, email updates, or in-app alerts

• Customize which categories of communication are relevant to you

• Opt out entirely from marketing or promotional messages

However, some communications are considered transactional or essential and cannot be disabled. These include:

• Billing receipts and payment confirmations

• Security alerts or account recovery messages

• Changes to our Terms of Service or Privacy Policy

We strive to keep all communications relevant, minimal, and respectful of your time.

 

20. Data Sharing and Disclosure

We are firmly committed to protecting your privacy. Oarca does not sell your personal data under any circumstances.

We only share data with third parties under strict, lawful conditions, including:

a) Service Providers and Vendors

We partner with trusted third-party providers who support the operation and improvement of our platform. These include:

• Payment processors (e.g., Stripe, Apple, Google)

• Cloud infrastructure providers (e.g., AWS, Google Cloud)

• Analytics services (e.g., Firebase, Sentry)

• Customer support platforms

These partners are contractually bound to process your data only on our behalf and in accordance with this Privacy Policy and applicable data protection laws.

b) Legal or Regulatory Requirements

We may disclose data if required to comply with a valid legal obligation, court order, or governmental request. In such cases, we limit the disclosure to what is strictly necessary and, when legally permitted, notify the user.

c) User Authorization

We may share or display your data if you explicitly authorize it—for example, by connecting with teammates, sharing a public training route, or linking with third-party apps.

d) Public Visibility Settings

Depending on your profile and content visibility settings, certain data (such as profile name, event participation, or shared workouts) may be viewable by others.

We never disclose sensitive data such as health metrics or location history without your active consent. We do not share your personal data with advertisers, ad networks, or data brokers for marketing purposes.

21. Contact Information

Hamla Teknoloji A.Ş.

Oarca App – Privacy Compliance

Reşitpaşa Mahallesi, Katar Caddesi, İTÜ Arı Teknokent 3 Binası, Kapı No: 4, Daire No: B204

Sarıyer, İstanbul

Email: info@hamlateknoloji.com

Row Efficient and Safe.

© 2024 – Hamla Tech. INC.

Reşitpaşa Mah. Katar Cad. İTÜ Arı Teknokent 3 Binası No: 4 İç Kapı No: B204

Sarıyer / İstanbul / Türkiye


info@hamlateknolojli.com
