Privacy Policy

Last updated: 02.04.2026 · Version: 1.2

This Privacy Policy explains, in a clear and practical language, how we handle your personal data while you use the WIN platform (the "Platform").

Related documents (quick links)

1. Where is this policy applicable?

This policy applies to the following operated under the WIN brand:

• WIN mobile application (iOS/Android),
• WIN web domains (https://whoisnextapp.com/ (opens in a new tab) and https://legal.whoisnextapp.com/ (opens in a new tab)),
• help center / campaign pages that may be connected to the Platform (under these domains)

It is applicable to all of these.

If any feature or service requires a separate privacy text, it will be provided to you separately and that specific text will apply with priority.

2. Our approach to privacy (design principles)

By the nature of a "social matching/dating" platform, we design the Platform without concealing the fact that some information will be visible, while aiming to provide the user with a control space.

Our core principles:

• Purpose limitation: We process data for purposes that are genuinely necessary to provide the Platform to you.
• Data minimization: We aim not to open unnecessary data fields and, if opened, not to retain data unnecessarily.
• Layered transparency: We build bridges between documents for users who want detail (KVKK, Cookie, Explicit Consent, Biometric).
• User control: We base our approach on enabling you to manage permissions and consents (and withdraw them).
• Security and abuse prevention: We focus on reducing risks of fake accounts, spam, harassment, and fraud.

3. How does "visibility" work on the Platform?

The core function of WIN is that you create a profile, view profiles, match, and (after matching) message. Therefore, some of your information may be visible to other users.

4. What information do we collect? (details by WIN flows)

In this section, we explain "which data is generated at which step" based on typical Platform flows. For the legal framework and data categories table, the KVKK Information Notice should also be reviewed.

4.1 Account creation and login (Google / phone)

Login to WIN may be provided via Sign in with Google (OAuth) or phone number login (SMS/OTP).

Sign in with Google: Google transmits the information it states will be shared from your account with the Platform. Typically, name (or Google profile name), e-mail address, profile photo, and Google user ID (technical) may be received. The e-mail address is generally considered verified in line with Google processes. After profile creation, phone number verification may be required for certain interactions such as likes on the deck; until this verification is completed, related functions may be restricted.

Phone login: Identity verification is OTP-based. E-mail verification and phone number verification steps are positioned to be completed during the profile creation process rather than at the moment of registration.

4.2 Legal consent & explicit consent layer (first login)

At first use, links to KVKK texts and agreements are presented, and separately selectable permission/consent checkboxes are shown. Example consent topics:

• Processing of location data
• Selfie/face verification
• Matching preferences and compatibility parameters
• Cross-border transfer (cloud infrastructure / providers)
• Campaign and notifications (commercial communication)

Detailed texts: Explicit Consent Texts and Biometric Data Notice and Consent.

4.3 Profile creation (basic fields)

In the onboarding flow, the following profile fields are typically collected. For users who use phone number login, e-mail and phone verification steps are also completed during this profile creation process.

• Profile name (max 16 characters)
• Gender
• Profession
• Height
• Smoking / alcohol frequency
• Sign
• Profile note (Bio) (max 50 characters)

4.4 "Value & compatibility" parameters (sensitive field risk)

In WIN, there may be some "importance level" questions to increase matching compatibility. Example:

• "How important is religion in your life?" (Options: I do not believe, Not central in my life, Important, Very important)
• "How important is the political view of the person you will match with for you?" (Options: I am not interested in politics, They may have a different view, Important to some extent, It is very important that we share the same view)
• "How important are appearance / financial status?"

Some of these questions may involve processing data that is special category personal data or may create inferences in that direction. Therefore:

• an additional information and explicit consent approach is adopted for relevant fields,
• the highest possible privacy and security standards are applied,
• we aim to enable you to manage your preferences for these fields.

For the legal framework: KVKK Information Notice and Explicit Consent Texts.

Your profile typically contains 6 photo slots. In order to maintain safety on the Platform, uploading at least one photo where your face is clearly visible and completing the selfie verification step is mandatory.

Selfie Verification Flow:

• Instant capture is made only via the front camera; photos cannot be uploaded from the gallery.

• We perform pose and profile photo consistency checks with Google Gemini 2.5 Flash; and inappropriate content checks on the selfie with safeSearchDetection (Google Cloud Vision).

• This step is a functional requirement to prevent fake accounts; if consent is not given and at least one photo is not verified, the account is not included in the discovery flow (Deck).

• A green checkmark/badge is placed on each verified photo. Verification is not performed on photos with other people; the verification badge appears only on photos where only the user is present.

• During photo upload:

• gallery/camera access permissions,

• photo files and technical metadata (e.g., file size, format)

may be included.

Note: It is intended not to perform biometric inference from your photos; however, features such as selfie verification are managed with separate texts as they may create an additional biometric assessment risk.

4.6 Location (approximate/precise) and distance

WIN uses location information to show nearby users. Location history is not kept; location data is obtained instantly via GPS or network signals when the app is opened and used in distance calculations. If location permission is not granted, location-based features may be limited. Permission management: device settings and KVKK Information Notice (location and cookie/SDK tabs).

4.7 Selfie / liveness verification (camera/microphone permissions)

Selfie/liveness verification may be applied to reduce fake accounts and increase user trust. In this flow:

• camera permission, may be requested.

The selfie verification images are intended not to be displayed on the profile; for the processing, retention, and destruction approach in this area: Biometric Data Notice and Consent.

4.8 Face data — collection, use, sharing, and retention (single summary)

In line with our Platform transparency commitment, we summarize in this Privacy Policy what is meant by face data. For the detailed legal framework, consent text, and provider tables: Biometric Data Notice and Consent.

What is collected? In the verification flow: a selfie image captured instantly with the front camera (gallery upload is not provided); requested pose/liveness verification; technical outputs produced within face verification performed between the selfie and your profile photos (e.g., similarity score, match/verification result, status information); limited processing metadata (e.g., verification time, number of attempts, error code); and security logs for security and objection processes. General photo uploads published on the profile and verification selfie are designed separately; it is intended that the verification selfie is not shown on the profile.

For what purposes is it used? To increase the likelihood that the profile belongs to a real person, reduce fake accounts and abuse, protect Platform security and service integrity; to conduct reviews in verification objections; and to comply with legal obligations and protect rights. Face/biometric-type data processed in this scope is not used for ad targeting, marketing profiling, or campaign personalization.

Third parties and storage location The verification process may be used for limited automated evaluation with Google Gemini 2.5 Flash (pose and profile consistency / person verification) and Google Cloud Vision (safeSearchDetection — inappropriate content control). As infrastructure, hosting and technical logs may be involved on the Google Cloud / Firebase side. Retention of a permanent biometric template or embedding is not intended. Provider roles and location/transfer details are explained in Biometric Data Notice and Consent and KVKK Information Notice.

Retention period Data in the nature of a biometric map subject to face recognition processing is immediately destroyed after verification is completed. In the system, a non-biometric status such as "verified: yes/no" may be kept. Non-biometric audit/technical metadata records kept for process security may be retained for a limited period within legal limitation and legitimate interest periods. Consent withdrawal and exceptional long-retention cases: Biometric Data Notice and Consent Section 9-10.

Other related sections: 4.2 (consent layer), 4.4 (profile photos and verification flow summary), 4.7 (permissions and technical note).

4.9 Messaging and interactions

When you use the Platform, the following types of data may be generated:

• Interactions: Like/dislike, matching, dual picking, and profile view logs.
• Evaluation: After the chat starts, users exceeding a specific interaction threshold are provided with a voting tool that allows evaluating the other party on Intelligence, Politeness, and Fun attributes. These scores are included in profile average.
• Messaging: Message content and timestamp metadata. Messages are not end-to-end encrypted; they may be reviewed by admins/moderators for moderation and security purposes.
• Security signals: Complaint, blocking, and suspicious behavior records.

This data may be used to operate the matching experience, prevent abuse, and manage disputes.

4.10 Premium subscription features

Additional privacy and visibility features may be offered under Premium subscription:

• Daily deck viewing right: 20 deck views per day (Standard: 5 decks/day).
• Visibility in decks: 2x more visibility advantage in decks.
• Deck filtering: Ability to filter decks.
• Hide Profile: You can completely hide your profile in decks. In this case, only people you liked can see you (in their own "PICKED YOU" sections).
• Read receipts in messages: Viewing read/seen information in messages.
• Online (Online/Offline) Status: Ability to view other users' activity status.
• Score Viewing: Ability to view your own score and the scores users gave to you and others.

For contractual framework and payment details: Subscription and Purchase Terms should be reviewed.

4.11 Support, complaints, objections, and security notifications

When you submit a notification via "Report" or "Block" buttons on profile cards and chat screens, your support record, correspondence, and review notes may be processed.

Related documents:

• Community Guidelines
• Law Enforcement Guide
• Illegal Content Notification Form (for official authorities)
• Security Vulnerability Disclosure Policy
• Transparency Reports

4.12 Automatically collected technical data (device, logs, cookie/SDK)

When you use the Platform, some data is generated/collected automatically. Example:

• Device and app information: device model, operating system version, app version, language/country settings
• Network and security information: IP address, session/log records, error/crash data
• Identifiers: device identifiers and advertising identifiers (IDFA/GAID)
• On web side: cookies and pixels/tags via technologies such as Wix and GA4
• In mobile app: analytics/advertising and performance signals collected via AdMob and Firebase SDKs

This data may be used for secure operation of the Platform, debugging, performance measurement, prevention of abuse, and (depending on your preference) analytics/marketing measurement purposes.

For detailed explanation and preference management: Cookie Policy.

5. What do we use this information for? (purposes — practical explanation)

For details of legal bases under KVKK, the KVKK Information Notice applies. Here, we summarize the purposes as "what does this mean for the user?":

• To provide the service: create an account, show your profile, enable matching and messaging.
• To operate compatibility and recommendation systems: recommend more suitable profiles using profile fields, preference/importance parameters, location, and usage behavior.
• Security: reduce risks of fake accounts, spam/harassment, and fraud; review complaints; apply sanctions if necessary.
• Communication: send service notifications, updates, and (if permitted) marketing announcements.
• Product development: measure performance, perform error/crash analysis, improve user experience.
• Legal compliance and protection of rights: fulfill legal obligations, preserve evidence in disputes, manage official requests.

6. Matching/recommendation system and "profiling"

In the matching and recommendation (deck) flow, WIN evaluates certain parameters together to produce profile ranking/compatibility. This process may in some cases be considered profiling.

6.1 Main signals used (example)

• Profile information: age, gender, height, sign, profession, etc.
• Preference/importance parameters: choices such as appearance/financial status/political view compatibility
• Location/distance: proximity
• Usage behaviors: like/dislike, matching patterns (within the Platform)
• Verification signals: profile verification status and badges
• Cooldown: Rule that profiles shown to you in the deck flow but not selected are not shown again for a certain period
• Premium effects: 20 decks/day (Standard: 5), 2x visibility, deck filtering, profile hiding, read receipts in messages, online/offline status viewing, score viewing

6.2 Discrimination and sensitive areas

Fields such as religion/political view require special attention both in terms of sensitive data nature and discrimination risk. Therefore:

• explicit consent and transparency are taken as basis in these areas,
• compatibility is targeted with the minimum data possible,
• users are intended to be able to manage their preferences.

If services are provided in the EU, an additional bridge may be established with the DSA Compliance Page in terms of recommendation system transparency.

7. With whom do we share your data? (short and clear)

For detailed transfer explanations and the framework of KVKK Articles 8-9: KVKK Information Notice.

8. Cross-border transfer (cloud services) — summary

The Platform may require processing of data abroad due to cloud infrastructure or certain service providers. For the cross-border transfer approach and consent/appropriate safeguard mechanisms:

• KVKK Information Notice
• Explicit Consent Texts

should be reviewed.

9. How long do we retain data? (logic)

The retention period of data varies according to processing purpose, legal obligations, and dispute/security needs.

Example:

• While your account is active: data required to provide the service is retained.
• After account deletion: some records (especially logs/transactions/disputes) may be retained for a limited period due to legal and security requirements.

For the detailed retention approach: KVKK Information Notice and Terms of Use — Section 13.

10. How do you manage your privacy preferences? (step by step)

11. Security

Security is ensured through both technical measures and user behaviors.

• For platform-level security approach and vulnerability disclosure channel: Security Vulnerability Disclosure Policy
• For users' safe usage: Security Tips

By the nature of the internet and mobile applications, nothing is ever 100% secure. WIN aims to apply reasonable technical and administrative measures; however, fully eliminating unauthorized access by third parties or data loss may not be practically possible. Therefore, you should also take basic measures for your account security and contact us in suspicious situations.

12. Children's privacy (18+)

WIN is not intended for individuals under 18. If you suspect a user is under 18, it is recommended that you use the in-platform reporting mechanisms.

13. Legal references (for information purposes)

In the Platform's data protection approach, the following regulations are considered to the extent applicable:

• Law No. 6698 on the Protection of Personal Data (KVKK)
• Communique on the Information Obligation under KVKK
• Regulation on the Transfer of Personal Data Abroad
• Law No. 5651 (log/traffic data approach)
• Law No. 6563 on Electronic Commerce and related secondary legislation (commercial electronic communication)
• Turkish Penal Code No. 5237 Articles 132-140 (privacy and confidentiality of communication)
• (If services are provided in the EU/EEA) GDPR and DSA

These references are shared to ensure transparency for users; concrete implementation details are provided in the relevant documents.

14) Changes and contact

We may update this policy over time. In case of significant changes, we may notify you in-app or announce via web.

For your questions, requests, and KVKK applications regarding this policy and your personal data, communication channels are available at: KVKK Information Notice. To exercise your KVKK rights, you may use the form on the KVKK Application Form page.