Privacy Policy

Unshade — Last updated: May 12, 2026

Important Notice: This English version is the primary international version of this Privacy Policy. A local-language version may be binding for users in that locale where mandatory consumer, privacy, or transparency law requires it. If a translation conflicts with this English version, the English version controls only to the maximum extent permitted by applicable law.

Please read this Privacy Policy carefully. It explains what personal data Unshade collects, how we use it, who we share it with, our legal bases for processing under GDPR and KVKK, our zero-tolerance approach to child safety and CSAM, our security and breach-notification practices, your rights, and how to exercise them.

1. Who We Are and Scope

Unshade is developed and operated by Palms Yazılım Ticaret Limited Şirketi (“we”, “us”, “our”), a limited liability company incorporated under the laws of the Republic of Turkey (Trade Registry No: 13484). This Privacy Policy applies to the Unshade mobile application, Unshade APIs, public Signal links and previews, billing-related integrations, support requests, and Unshade legal pages on palmsandbirds.com.

Data Controller / Veri Sorumlusu:
Palms Yazılım Ticaret Limited Şirketi
Registered office / official address: the address recorded in the Turkish trade registry for Palms Yazılım Ticaret Limited Şirketi
Email: hello@palmsandbirds.com
Website: www.palmsandbirds.com

For users in the European Union, we act as the Data Controller as defined under Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

For users in Turkey, we act as the Veri Sorumlusu as defined under Turkish Law No. 6698 on the Protection of Personal Data (“KVKK”).

Unshade is strictly for adults aged 18 and over. We do not knowingly permit minors to create accounts or use adult relationship features.

2. What Data We Collect and Why

2.1 Account Information

When you create an Unshade account, we collect:

• Email address — used for authentication, account recovery, and essential service communications.
• Password hash or authentication provider IDs — used to secure email/password, Google, Apple, or guest authentication. We do not store your plain-text password.
• Display name — used to personalize your experience and identify you to your partner within the App.
• Gender, looking-for preferences, and owner type — used for profile setup, Couple Mode, Signals Mode, QR styling, and compatibility filters.
• Language preference — used to display the App in your preferred language.
• Profile photo (avatar) — voluntarily provided; may be shown to connected partners, Signal viewers, or users who are eligible to see your Signal feed card.
• Age-gate, consent, privacy, and legal-version records — used to document your confirmations, AI opt-in status, privacy settings, and accepted terms.
• Account status, refresh tokens, credits balance, and plan metadata — used to keep your account secure and provide paid features.

Legal basis (GDPR): Performance of a contract (Article 6(1)(b) GDPR) — necessary to provide the service you requested.
Legal basis (KVKK): Performance of a contract to which the data subject is party.

2.2 Relationship Preference Data, Desire Maps, and Compatibility Scores

During onboarding, check-ins, Signal creation, and Couple Mode, you may voluntarily provide relationship preference and intention data. This includes:

• Intent, goals, communication style, energy, comfort priorities, boundaries, concerns, and availability.
• Looking-for preferences, location preferences, custom notes, and selected Desire Map answers.
• Derived tags, openness/desire scores, segments, match scores, friction/alignment summaries, and compatibility explanations.
• Couple pairing state, invite codes, relationship status, check-in source, and related report summaries.

Depending on your jurisdiction and the responses you provide, this data may reveal intimate preferences, sexual life, sexual orientation, or similar sensitive information and may constitute special category data under GDPR Article 9 and special categories of personal data under KVKK Article 6.

Purpose: Create your Desire Map, generate compatibility and Signal matching, support Couple Mode, produce reports or coaching, and personalize the App.
Legal basis (GDPR): Your explicit consent (Article 9(2)(a) GDPR), obtained during onboarding.
Legal basis (KVKK): Your explicit consent (açık rıza), obtained during onboarding or before the relevant feature is used.

We record consent evidence for sensitive relationship-data processing, including the accepted document versions, timestamp, language/locale, device or platform context, and request metadata. You may withdraw optional consent where the App supports it; withdrawal stops new optional processing but does not affect processing already completed or records we must retain for legal, security, or audit reasons.

2.3 City & Location Data

You may provide a city name during onboarding or profile setup. With device permission, the App may use your device location to resolve your city through a reverse-geocoding provider. We may store the city you choose and city-level coordinates (cityLat and cityLng) to calculate approximate distance for nearby Signal feed results.

• We do not run continuous background tracking.
• We do not sell location data.
• Your city label may appear on your QR code or Signal card.
• Approximate distance may be shown to eligible Signal feed viewers when both users have city-level coordinates.

Legal basis (GDPR): Your consent, given when you grant location permission or save a city (Article 6(1)(a) GDPR), and performance of the service when you request nearby features (Article 6(1)(b)).
Legal basis (KVKK): Your explicit consent (açık rıza), given via your device’s permission system.
Retention: City and city-level coordinates are retained while your account is active or until you update or remove them where the App supports doing so.

2.4 Chat & Communication Data

When you use Couple Chat or Signal Chat, messages are transmitted through our servers and stored so they can be delivered to chat participants. Chat data may include message text, sender ID, chat ID, read state, mute state, hidden chat state, safety flags, and timestamps.

• Text messages are visible to chat participants and may be reviewed by authorized personnel if you report abuse, safety risks, fraud, or legal violations.
• Image messages, if enabled, are stored in Firebase Cloud Storage and are designed to expire after approximately 10 minutes.
• Message rewriting and opening-coach features process your submitted text with AI only when you request the feature, have a paid entitlement where required, and have opted in to AI processing.
• Safety systems may flag or block content involving coercion, violence, exploitation, minors, harassment, or other prohibited conduct.

Retention: Chat messages are retained while needed to provide the chat feature, unless you delete or hide a chat, block a user, disconnect, or delete your account. Image messages expire separately as described above. Reports and safety records may be retained where necessary to protect users, enforce terms, and comply with law.

Screenshots and off-device copies. Even before an image message expires, the recipient may capture, screenshot, screen-record, photograph, forward, or otherwise save the content using their device or another device. We cannot prevent such capture and we do not control what recipients do with content they have received. Do not send any image, video, or message you would not be comfortable being seen, copied, shared, or retained indefinitely.

2.5 Check-in & Coaching Data

The App includes periodic check-in features and an AI communication coach. Data generated through these features (responses, progress records, session logs) is used to:

• Track your communication progress over time.
• Generate personalized AI coaching responses and weekly digests.
• Provide predictive insights to improve your connection quality.
• Create reports, safety or wellbeing insights, and conversation coaching sessions where available.

AI features require an explicit AI opt-in and, for most features, a paid entitlement. We aim to send only the minimum context needed for the AI feature. You can turn off AI opt-in in the App where available; turning it off stops new AI processing but does not undo processing already completed.

2.6 Signals, Public Links, and Mini-Match Previews

Signals Mode lets you create or view public Signal links and QR codes. Signal data may include owner type, public ID, QR data, QR style, city label, preview summary, match threshold, chat price in credits, normalized tags, profile snapshot, and desire score snapshot. Anyone with a public Signal link may see limited Signal preview information. Authenticated feed viewers may see additional limited information such as display name, avatar, city, approximate distance, identity label, and match score if the feed rules allow it.

Anyone with a public Signal link can view a basic teaser of the Signal (avatar, owner type, city label, and a short summary). The teaser is informational only; compatibility scoring, match details, and chat unlock require account registration. At registration we collect your date of birth and refuse accounts for users under 18. Where local law requires stronger age verification for adult or age-restricted content, that local law applies to your use of public Signal pages, and you should not view these pages if you are below the local legal age.

2.7 Billing, Device & Technical Data

We collect minimal technical data necessary to operate the service:

• Device type and operating system version (for compatibility)
• App version
• Language/locale setting
• Push token metadata and notification preference status, only if notifications are enabled
• RevenueCat app user ID, entitlement status, purchase product IDs, transaction IDs, receipt validation results, credits balance, and plan expiry metadata
• Security logs, rate-limit events, API diagnostics, and fraud-prevention metadata such as request timestamps and IP-derived technical logs where generated by our infrastructure

We do not use third-party advertising SDKs. We do not collect advertising identifiers.

3. Third-Party Services

Unshade relies on the following third-party services:

• OpenAI API (AI features) — Processes message rewriting, coaching, compatibility, digest, and safety-analysis requests when AI features are enabled. Data sent through the API is not used to train OpenAI models under OpenAI’s API data controls, unless OpenAI’s terms or your configuration state otherwise. Privacy Policy
• Google Sign-In (authentication) — Optional authentication method. Only your Google account email and basic profile are accessed. Privacy Policy
• Sign in with Apple (authentication) — Optional authentication method. Only your Apple-provided email and name are accessed. Privacy Policy
• RevenueCat (subscription billing) — Manages in-app purchase verification and subscription status. RevenueCat processes purchase receipts from Apple App Store and Google Play. Privacy Policy
• Firebase Cloud Storage (media storage) — Profile photos and image messages are stored in Firebase Cloud Storage. Privacy Policy
• Apple Push Notification service (APNs) / Firebase Cloud Messaging (FCM) (when push notifications are enabled) — Process device push tokens and delivery metadata required to send service alerts or optional communications.
• OpenStreetMap / Nominatim (reverse geocoding) — Used to resolve a device-provided latitude/longitude into a city when you request city detection.
• Cloud hosting, database, logging, and security providers — Used to host the App backend, store data, secure the service, and monitor reliability.

We do not sell or rent your personal data. We do not share personal data with third parties for third-party advertising. We share data only with processors, service providers, app stores, authorities, or other users as described in this Policy, as instructed by you, or as required by law.

4. Data Transfers Outside Your Country

Your data may be processed in Turkey, the European Union/European Economic Area, the United States, and other countries where our service providers operate. International transfers may occur when we use cloud infrastructure, OpenAI, Google/Firebase, Apple, RevenueCat, app stores, or support/security providers.

• For GDPR-covered users, we rely on adequacy decisions, Standard Contractual Clauses, Data Processing Agreements, transfer impact assessments, and supplementary safeguards where required.
• For Turkish users, cross-border transfers are made under KVKK Article 9 mechanisms, including explicit consent or other legally permitted safeguards where applicable.

5. Data Retention

• Account data: Retained while your account is active. Account deletion marks the account for purge and anonymization or deletion of associated records, subject to lawful retention needs.
• Relationship preference data, Desire Maps, Signals, Signal scans, check-ins, reports, coaching data, insights, and digests: Retained while needed to provide the relevant feature and removed or anonymized through account deletion or applicable feature deletion workflows.
• Chat messages: Retained while needed for chat delivery and user history. Image messages are designed to expire after approximately 10 minutes. Hidden chats may remain visible to other participants. Reports and safety records may be retained for enforcement and legal purposes.
• Mini-match previews: Expire after approximately 24 hours.
• Profile photos: Retained until you update or delete them, or delete your account.
• City/location: Retained as long as your account is active. Removable via profile settings at any time.
• Push tokens and notification preferences: Retained until you disable notifications, uninstall the App, or delete your account.
• Billing, transaction, tax, fraud-prevention, legal, audit, dispute, and consent records: Retained for the period required or permitted by law and for as long as statutory limitation periods, legal defense, audit, or compliance needs continue. Consent and legal-acceptance evidence may be retained after account deletion where needed to prove compliance. Retention is limited to what is relevant, proportionate, and necessary for these purposes.
• Backups and logs: Removed on a rolling schedule according to our backup, security, and infrastructure retention practices unless preservation is legally required. Production security and diagnostic logs are normally kept only for a limited operational period.

6. Age Restriction and Child Safety

Unshade is intended exclusively for adults aged 18 and over, or such higher minimum age as your local law requires for adult relationship or dating services. By creating an account, you confirm that you meet the applicable minimum age. We do not knowingly collect or process personal data from persons under that age. If you believe a minor has created an account, please contact us immediately at hello@palmsandbirds.com and we will take steps to delete the account and any associated data.

Zero-tolerance for CSAM and child sexual exploitation. We have a zero-tolerance policy against child sexual abuse material (“CSAM”), the sexualization of minors, child grooming, and any other content or conduct that exploits or endangers children. We may use automated and manual safety reviews of profile data, public Signal data, image messages, and reported content to detect and prevent such material.

Reporting and cooperation. If we become aware of apparent CSAM, child grooming, or other apparent child-safety violations, we may, and where required by applicable law we will: (i) preserve the content, metadata, IP-derived logs, account information, and related records as evidence; (ii) report the matter to the U.S. National Center for Missing & Exploited Children (“NCMEC”) CyberTipline, relevant INHOPE hotlines, the EU Centre established under applicable EU child-safety regulation, Turkish law-enforcement and child-protection authorities, and/or other competent authorities; and (iii) cooperate with law-enforcement and judicial requests in accordance with applicable law. Where we report CSAM or other serious child-safety violations to authorities, the lawful basis for related personal-data processing is our legal obligation (Article 6(1)(c) GDPR; KVKK Article 5(2)(ç)) and our and the public’s legitimate interest in child protection (Article 6(1)(f) GDPR; KVKK Article 5(2)(f)).

7. Your Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights:

• Right of Access (Article 15): Request a copy of your personal data by contacting us.
• Right to Rectification (Article 16): Update your profile information directly in the App.
• Right to Erasure (Article 17): Request account deletion through the App’s settings. Deletion starts a purge or anonymization workflow, subject to lawful retention needs.
• Right to Restriction (Article 18): Request restriction of processing by contacting us.
• Right to Data Portability (Article 20): Request your data in a portable format by contacting us.
• Right to Object (Article 21): Object to processing by contacting us.
• Right to Withdraw Consent: Withdraw consent for relationship preference data processing or AI features at any time through the App’s settings. This does not affect the lawfulness of processing prior to withdrawal.
• Rights related to automated decision-making and profiling: Compatibility scores, eligibility thresholds, match feeds, and AI insights are produced algorithmically and are used to personalize the App’s recommendations and content. In our view these outputs do not produce legal or similarly significant effects on you within the meaning of GDPR Article 22 because (i) you make all final decisions about which signals to view, which users to contact, and whether to meet anyone, and (ii) no decision affecting your legal rights or access to essential services is made automatically by the system. If you believe an automated output has had a legal or similarly significant effect on you, or if you wish to obtain meaningful information about the logic involved, you may contact us to request human review.
• Right to Lodge a Complaint: Lodge a complaint with your national data protection authority.

To exercise your rights: use the in-app settings, or contact hello@palmsandbirds.com.

8. Your Rights Under KVKK (Turkish Users)

For users located in Turkey, your rights under Article 11 of KVKK include the right to: learn whether your data is processed, request information about processing, learn the purpose of processing, know third parties to whom data is transferred, request rectification, request erasure, and object to automated decisions. A Turkish-language version is available at /tr/unshade/privacy/. To exercise your rights, contact hello@palmsandbirds.com.

9. Data Security and Breach Notification

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest;
• Secure token-based authentication with automatic session refresh;
• Role-based access controls on our servers and least-privilege internal access;
• Password hashing, rate limiting, content safety checks, and abuse controls;
• Logging, monitoring, and intrusion-detection on production systems;
• Regular security reviews, vulnerability management, and incident-response processes;
• Data-processing agreements and security commitments with our material processors.

However, no data transmission over the internet is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials, devices, and email account secure.

Breach notification. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within the timeframe required by applicable law (under GDPR, without undue delay and where feasible within 72 hours) and, where the breach is likely to result in a high risk to you, we will notify you without undue delay using your account email or another reasonable means. For Turkish users, breach notifications are made to the Personal Data Protection Authority (KVKK Kurumu) as required by KVKK Article 12.

10. User Visibility and Sharing Choices

Some Unshade features are designed to share limited information with other users. If you create a Couple connection, your partner may see profile, chat, Desire Map, check-in, report, and related couple data depending on the feature. If you create or share a Signal, people with the link and eligible feed viewers may see limited Signal preview information. Do not enter information you are not comfortable using for the App’s relationship, Signal, matching, and coaching features.

11. Marketing Communications and Opt-Outs

We do not currently send marketing emails, and we do not share your personal data with third parties for their own marketing. If we introduce optional marketing or product-update communications in the future, we will rely on your consent where required by applicable law (Article 6(1)(a) GDPR; KVKK explicit consent) and you will be able to opt out at any time through in-app settings or the unsubscribe link in the relevant message.

Operational and service messages — for example, security alerts, account-verification emails, billing receipts, legal-update notices, abuse or safety reports, and chat-related notifications — are not marketing and are sent as necessary to operate the service.

Push notifications are sent only if you grant the relevant device permission, and you can revoke that permission at any time through your device settings.

12. Web Cookies, Do Not Track, and Global Privacy Control

Our Unshade legal pages on palmsandbirds.com use strictly necessary website storage and optional Google Analytics cookies. Analytics is disabled by default and is activated only after consent through the cookie banner where required. You can withdraw or change browser-cookie consent by clearing this site’s local storage/cookies or using browser controls. Mobile app SDK storage is separate from website cookies.

Because there is no widely-accepted industry standard for handling browser “Do Not Track” (DNT) signals, our website does not respond differently to DNT signals. We do, however, honour your choices made through our cookie banner. Where applicable law gives binding effect to a Global Privacy Control (GPC) signal as an opt-out of sale or sharing of personal data, we will honour that signal; we do not sell or share personal data for cross-context behavioural advertising in any case.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last updated” date at the top of this document and, where appropriate, through in-app notifications. If changes affect the processing of relationship preference or special category data, we will request your renewed consent before continuing such processing.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Email: hello@palmsandbirds.com
Website: www.palmsandbirds.com
Palms Yazılım Ticaret Limited Şirketi