Privacy Policy
hearOS — Tinnitus Awareness & Personalized Sound Routines
Effective date: June 02, 2025
Last updated: June 02, 2025
1. Who We Are
hearOS is developed and operated by ICI Tech Teknoloji A.Ş. ("Company", "we", "us", or "our"), a technology company registered in Turkey.
| Company | ICI Tech Teknoloji A.Ş. |
| Website | https://hearos.app/ |
| Email | app@icitech.com.tr |
| Data Controller | ICI Tech Teknoloji A.Ş. |
We process personal data in compliance with the Turkish Personal Data Protection Law No. 6698 (KVKK).
Medical Disclaimer: hearOS is a consumer wellness and self-management support tool. It is not a medical device, regulated health app, telehealth service, or substitute for professional diagnosis, treatment, or clinical care. Descriptions and routines within the app are optional self-tracking ideas only — not individualized medical advice. Experiences vary; consult qualified clinicians for medical decisions.
2. Scope of This Policy
This Privacy Policy applies to:
- The hearOS iOS app (distributed via the Apple App Store)
- The hearOS Android app (distributed via Google Play)
- The hearOS website at https://hearos.app/
- Any related support, marketing, or communication channels operated by us
EEA and UK users: Please also read our GDPR Privacy Notice, which applies to you in addition to this Policy and contains additional rights and protections under the General Data Protection Regulation.
3. Data We Collect
3.1 Account Information
An account is required to use hearOS. We collect:
- Email address
- Password (stored as a one-way hash — we never see your plain-text password)
- Optional: display name, profile photo
3.2 Tinnitus Profile Data
- Guided frequency matching results (estimated perceived tinnitus pitch in Hz)
- Sound profile preferences derived from matching sessions
- Session history and adjustments over time
This data is health-related and is processed only with your explicit consent.
3.3 Hearing Self-Check Data
- Results from the in-app hearing self-check, inspired by common screening formats
- Self-check history and trends
This data is health-related, for personal awareness and tracking only — not a diagnostic audiogram. Processed only with your explicit consent.
3.4 Symptom Diary Data
- Self-reported daily entries for: tinnitus intensity, pain, pressure, dizziness, sound sensitivity, and hearing
- Weekly trend summaries derived from your entries
This data is health-related and is processed only with your explicit consent.
3.5 Sound Therapy Session Data
- Sound content played, session duration, volume preferences
- Completion records, favorites, and listening patterns
- Relief Studio and sleep session history
3.6 Progress and Tracking Data
- Daily relief scores and streak records
- Goals, reminders, and milestone achievements
- App engagement patterns (session frequency, feature usage)
3.7 Microphone / Ambient Noise Data
- Ambient sound level measurements captured when the environment noise monitoring feature is active
- Processed in real time on your device to display noise levels and inform session recommendations
Ambient audio is not recorded, stored, or transmitted to our servers. Microphone access is used only for real-time noise level measurement.
3.8 Subscription and Purchase Data
- Subscription tier and status (active, trial, expired, cancelled)
- Purchase date, renewal date, transaction ID
- Platform of purchase (App Store or Google Play)
- RevenueCat pseudonymous customer ID
We never receive your payment card details. All payment processing is handled by Apple or Google.
3.9 Device and Technical Data
- Device type and model, OS version, app version
- IP address (truncated where possible), time zone and locale
- App session timestamps, crash logs, and error reports
3.10 Push Notification Data
- Device push token (if you grant notification permission)
- Notification delivery and open events
3.11 Communications Data
- Email address and message content when you contact us for support or feedback
3.12 Legal and Compliance Data
- Records required by applicable Turkish law, regulatory correspondence, legal proceedings
4. How We Collect Your Data
| Method | Examples |
|---|---|
| Directly from you | Account registration, frequency matching, symptom diary entries, support messages |
| Automatically during use | Session data, crash reports, device info |
| From your device sensors | Microphone (ambient noise monitoring only, real-time, not stored) |
| From third-party services | Subscription status from RevenueCat; payment confirmation from Apple or Google |
5. Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Performance of contract |
| Delivering sound therapy and frequency matching | Performance of contract |
| Processing tinnitus profile, hearing self-check, and symptom diary data | Explicit consent (health-related data) |
| Ambient noise monitoring (microphone) | Explicit consent (device permission) |
| Managing subscription status and Premium access | Performance of contract |
| Improving app quality, crash analysis | Legitimate interest |
| Security monitoring and fraud prevention | Legitimate interest |
| Responding to support requests | Performance of contract |
| Legal obligations | Legal obligation |
| Legal disputes | Legitimate interest / Legal obligation |
| Marketing communications | Consent |
6. How We Use Your Data
Core App Functionality
- Authenticating your account and syncing your data across devices
- Generating your tinnitus frequency profile and personalizing sound routines
- Tracking daily progress, relief scores, and symptom trends
- Displaying ambient noise levels and adjusting session recommendations
- Managing your subscription and unlocking Premium features
App Quality and Safety
- Diagnosing crashes and fixing bugs
- Security monitoring and fraud prevention
- Aggregated usage analysis to improve features
Communications
- Transactional messages (subscription receipts, password resets)
- Recovery reminders and milestone notifications (with your permission)
- Marketing messages (with your explicit consent only)
Legal and Compliance
- Meeting obligations under Turkish law
- Responding to lawful regulatory or court requests
- Protecting our legal rights in disputes
7. What We Do Not Do
- We do not sell your personal data to any third party.
- We do not share your tinnitus data, hearing self-check results, symptom diary entries, or frequency profile with Meta, TikTok, Google Ads, or any advertising network.
- We do not use your health-related data for ad targeting or behavioural profiling.
- We do not record, store, or transmit microphone audio. Ambient noise monitoring is real-time and on-device only.
- We do not use advertising identifiers (IDFA on iOS, GAID on Android).
- We do not knowingly collect personal data from children under 18.
Where marketing measurement tools are used on our website, they are limited to consent-based, generic signals — never health or tinnitus inferences.
8. Subscriptions and Billing
hearOS Premium is an auto-renewing subscription available through the Apple App Store (iOS) and Google Play (Android).
We use RevenueCat to manage subscription state. RevenueCat receives a pseudonymous customer ID and your subscription status only — not your name, email, payment details, or any health data. RevenueCat privacy policy: https://www.revenuecat.com/privacy
We never receive or store your payment card details. All payment processing is handled by Apple or Google.
To manage or cancel your subscription:
- iOS: Settings → [your name] → Subscriptions → hearOS
- Android: Google Play → Profile → Payments & subscriptions → Subscriptions → hearOS
9. Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Apple App Store | iOS distribution and payment processing | https://www.apple.com/legal/privacy/ |
| Google Play | Android distribution and payment processing | https://policies.google.com/privacy |
| RevenueCat | Subscription state management | https://www.revenuecat.com/privacy |
We do not integrate advertising SDKs or behavioural analytics platforms into the hearOS app.
10. Data Sharing and Disclosure
| Recipient | Purpose | Legal Basis |
|---|---|---|
| Infrastructure and technology providers | Hosting, app operations, security | Contract / Legitimate interest |
| RevenueCat | Subscription management | Contract |
| Apple / Google | Payment processing | Contract |
| Customer support providers | Handling your requests | Contract |
| Financial and legal advisors | Accounting, auditing, legal | Legal obligation / Legitimate interest |
| Courts, regulators, enforcement agencies | Lawful requests | Legal obligation |
| Potential acquirers (under strict confidentiality) | Due diligence | Legitimate interest |
| Marketing partners | With your explicit prior consent only | Consent |
We never share tinnitus profile data, hearing self-check results, or symptom diary entries with advertising or analytics partners.
11. International Data Transfers
ICI Tech Teknoloji A.Ş. is based in Turkey. Some service providers operate internationally. For all international transfers, we apply appropriate safeguards as required by KVKK Article 9, including standard contractual clauses.
12. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 3 years after deletion |
| Tinnitus profile, hearing, and symptom data | Duration of account + 1 year after deletion |
| Subscription and transaction records | 10 years (Turkish commercial law) |
| Support communications | 3 years from last contact |
| Crash and error logs | 12 months |
| Security and access logs | 12 months |
| Marketing consent records | 3 years from consent or last engagement |
| Microphone / ambient noise data | Not stored — real-time processing only |
Account deletion: We will delete or irreversibly anonymize your data within 30 days of account deletion, except where a longer period is required by law.
13. Security
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for server-stored data
- Health-related data (tinnitus profile, symptom diary, hearing results) is treated with elevated access controls
- Microphone data is never stored or transmitted
- Optional biometric or passcode lock within the app
- Regular security assessments and penetration testing
- Data breach response plan in place; breach notifications per KVKK requirements
14. Push Notifications
| Type | Examples | Requires Opt-In |
|---|---|---|
| Transactional | Subscription confirmation, password reset | No |
| Therapy reminders | Daily session reminder, streak nudge | Yes |
| Milestone alerts | "7-day streak achieved" | Yes |
| Marketing | New features, special offers | Yes — separate opt-in |
Manage in Settings → Notifications within the app or through your device settings.
15. Children's Privacy
hearOS is intended for users aged 18 and older. We do not knowingly collect data from minors. If you believe a child has submitted data, contact us at app@icitech.com.tr and we will delete it promptly.
16. Your Privacy Rights
| Right | How to Exercise |
|---|---|
| Access your data | app@icitech.com.tr — "Data Access Request" |
| Correct inaccurate data | Update in-app or contact us |
| Delete your account and data | Settings → Account → Delete Account |
| Export your data | Settings → Privacy → Export My Data *(where available)* |
| Withdraw consent (health data) | Settings → Privacy → Manage Consents |
| Withdraw marketing consent | Settings → Privacy → Marketing Preferences |
| Object to legitimate interest processing | app@icitech.com.tr |
We respond to all privacy requests within 30 days, free of charge.
17. Cookies and Tracking Technologies
Our website (https://hearos.app/) uses cookies. A consent banner is shown on your first visit.
| Type | Purpose | Opt-Out |
|---|---|---|
| Strictly necessary | Core site functionality | Not possible |
| Analytics | Aggregate visitor behaviour | Via cookie banner |
| Marketing | App store click-through measurement | Via cookie banner |
We do not use cookies to infer tinnitus status, hearing status, or any health information. The hearOS app does not use advertising identifiers or advertising SDKs.
18. EEA and UK Users
If you are located in the EEA or UK, the GDPR applies to your data. Please read our full GDPR Privacy Notice, which covers:
- GDPR article-level legal bases for each processing activity
- Your rights under GDPR Articles 15–22 (including data portability)
- Standard Contractual Clauses for international transfers
- Our EU Representative status (Article 27)
- How to lodge a complaint with your local supervisory authority (CNIL, BfDI, AEPD, ICO, etc.)
- 72-hour breach notification obligations
19. Changes to This Policy
For material changes, we will notify you via in-app notice or email at least 14 days before changes take effect. The current version is always at https://hearos.app/en/privacy/.
20. Contact Us
| Email | app@icitech.com.tr |
| Website | https://hearos.app/ |
| Subject line | "Privacy Request — hearOS" |
We acknowledge all privacy enquiries within 5 business days.
21. Governing Law
This Privacy Policy is governed by the laws of the Republic of Turkey, including KVKK No. 6698 and the Electronic Commerce Law No. 6563. Disputes are subject to the jurisdiction of Turkish courts.
*hearOS is a wellness companion — not medical care. Nothing in this app constitutes medical advice or guarantees any outcome.*