Privacy Notice (GDPR)

hearOS — Tinnitus Awareness & Personalized Sound Routines

For Users in the European Economic Area and United Kingdom

Effective date: June 02, 2025
Last updated: June 02, 2025


1. Introduction

ICI Tech Teknoloji A.Ş. ("Company", "we", "us", or "our") processes your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and, where applicable, the UK GDPR. This Notice applies to users in the EEA and UK.

Data Controller: ICI Tech Teknoloji A.Ş.
Website: https://hearos.app/
Email: app@icitech.com.tr
Country of establishment: Republic of Turkey

EU Representative (Article 27 GDPR): As a company established outside the EEA offering services to EEA residents, we are in the process of designating an EU representative as required by Article 27 GDPR. Updated contact details will be published at https://hearos.app/en/privacy/ once appointed. In the meantime, contact us at app@icitech.com.tr.

Data Protection Officer: We do not currently meet the threshold for mandatory DPO appointment under Article 37 GDPR. All data protection enquiries: app@icitech.com.tr.

Medical Disclaimer: hearOS is a consumer wellness and self-management support tool — not a medical device, diagnostic tool, telehealth service, or substitute for professional clinical care. Nothing in this app constitutes medical advice. Consult qualified clinicians for medical decisions.

2. Special Category Data — Health Information

Under GDPR Article 9, the following data categories processed by hearOS may constitute data concerning health:

| Data Category | Why It May Qualify as Health Data |
|---|---|
| Tinnitus frequency profile | Relates to a chronic auditory condition |
| Hearing self-check results | Relates to hearing capacity and potential hearing loss |
| Symptom diary entries | Includes tinnitus intensity, pain, pressure, dizziness, sensitivity, hearing |

We process all special category data only on the basis of your explicit consent under GDPR Article 9(2)(a). You provide this consent when you:

  • Complete your first frequency matching session
  • Enable the symptom diary
  • Use the hearing self-check feature

You may withdraw this consent at any time through Settings → Privacy → Manage Consents without affecting the lawfulness of prior processing. Withdrawal of consent for health data will restrict access to the features that rely on it.


3. Data We Process

3.1 Account Information

Email address, password (hashed), optional display name and profile photo. An account is required to use hearOS — there is no offline or guest mode.

3.2 Tinnitus Profile Data *(Special Category)*

Estimated perceived tinnitus frequency (Hz) from guided matching sessions, sound profile preferences, session history.

3.3 Hearing Self-Check Data *(Special Category)*

Results from the in-app hearing self-check (personal awareness tool, not a diagnostic audiogram), self-check history and trends.

3.4 Symptom Diary Data *(Special Category)*

Daily self-reported entries: tinnitus intensity, pain, pressure, dizziness, sound sensitivity, hearing. Weekly trend summaries.

3.5 Sound Therapy Session Data

Sound content played, session duration, volume preferences, favorites, listening patterns, Relief Studio history.

3.6 Progress and Tracking Data

Daily relief scores, streak records, goals, reminders, milestone achievements.

3.7 Microphone / Ambient Noise Data

Real-time ambient sound level measurements for the environment noise monitoring feature. Audio is processed on-device in real time and is never recorded, stored, or transmitted.

3.8 Subscription and Purchase Data

Subscription status, tier, purchase date, transaction ID, RevenueCat pseudonymous customer ID.

3.9 Device and Technical Data

Device type, OS version, app version, IP address (truncated), time zone, session timestamps, crash and error logs.

3.10 Push Notification Data

Device push token and notification interaction events (if permission granted).

3.11 Communications Data

Email address and message content from support or feedback contacts.


4. Legal Bases for Processing (GDPR)

| Purpose | GDPR Legal Basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — Performance of contract |
| Sound therapy delivery and frequency matching | Art. 6(1)(b) — Performance of contract |
| Processing tinnitus profile data | Art. 9(2)(a) — Explicit consent |
| Processing hearing self-check results | Art. 9(2)(a) — Explicit consent |
| Processing symptom diary entries | Art. 9(2)(a) — Explicit consent |
| Ambient noise monitoring (microphone) | Art. 6(1)(a) — Consent (device permission) |
| Subscription management and Premium access | Art. 6(1)(b) — Performance of contract |
| App quality improvement and crash analysis | Art. 6(1)(f) — Legitimate interests |
| Security monitoring and fraud prevention | Art. 6(1)(f) — Legitimate interests |
| Support request handling | Art. 6(1)(b) — Performance of contract |
| Legal obligations | Art. 6(1)(c) — Legal obligation |
| Legal disputes | Art. 6(1)(f) — Legitimate interests |
| Marketing communications | Art. 6(1)(a) — Consent |

Legitimate interests assessment: Where we rely on Art. 6(1)(f), we have conducted a balancing test confirming our interests do not override your rights. You may object — see Section 8.


5. How We Collect Your Data

| Method | Examples |
|---|---|
| Directly from you | Registration, frequency matching, symptom diary, support messages |
| Automatically | Session data, crash reports, device info |
| Device sensors | Microphone (real-time ambient noise only, not stored) |
| Third-party services | Subscription status from RevenueCat; payment confirmation from Apple/Google |

6. What We Do Not Do

  • We do not sell your personal data.
  • We do not share tinnitus profile, hearing, or symptom diary data with Meta, TikTok, Google Ads, or any advertising network.
  • We do not use your health-related data for ad targeting or behavioural profiling.
  • We do not record, store, or transmit microphone audio.
  • We do not use advertising identifiers (IDFA / GAID).
  • We do not make automated decisions with significant effects based on your health data.

7. Data Sharing and Recipients

| Recipient | Purpose | Transfer Mechanism |
|---|---|---|
| Infrastructure providers | Hosting, operations | SCCs |
| RevenueCat | Subscription management | SCCs |
| Apple / Google | Payment processing | SCCs |
| Customer support providers | Handling requests | SCCs |
| Financial and legal advisors | Accounting, legal | SCCs |
| Courts and regulators | Lawful requests | Art. 49 derogation where applicable |
| Potential acquirers (under confidentiality) | Due diligence | SCCs |
| Marketing partners | With explicit prior consent only | SCCs |

8. Your Rights Under GDPR

| Right | Article | What It Means |
|---|---|---|
| Right of access | Art. 15 | Obtain confirmation of processing and a copy of your data |
| Right to rectification | Art. 16 | Correct inaccurate or incomplete data |
| Right to erasure | Art. 17 | Request deletion ("right to be forgotten") |
| Right to restriction | Art. 18 | Limit processing in certain circumstances |
| Right to data portability | Art. 20 | Receive your data in a machine-readable format (where processing is consent- or contract-based) |
| Right to object | Art. 21 | Object to processing based on legitimate interests or for direct marketing |
| Right to withdraw consent | Art. 7(3) | Withdraw any consent at any time without penalty |
| Right not to be subject to automated decisions | Art. 22 | Not be profiled by fully automated means with significant effects |
| Right to lodge a complaint | Art. 77 | Contact your national supervisory authority |

How to exercise your rights

Email app@icitech.com.tr with subject "GDPR Data Subject Request — hearOS". We respond within one month; complex requests may be extended by two months with notice. All responses are free of charge.

In-app controls

| Action | Where |
|---|---|
| Delete account | Settings → Account → Delete Account |
| Withdraw health data consent | Settings → Privacy → Manage Consents |
| Export your data | Settings → Privacy → Export My Data *(where available)* |
| Revoke marketing consent | Settings → Privacy → Marketing Preferences |

9. Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection supervisory authority:

| Country | Authority | Website |
|---|---|---|
| 🇫🇷 France | CNIL | https://www.cnil.fr |
| 🇩🇪 Germany | BfDI + state DPAs | https://www.bfdi.bund.de |
| 🇪🇸 Spain | AEPD | https://www.aepd.es |
| 🇬🇧 United Kingdom | ICO | https://ico.org.uk |
| 🇳🇱 Netherlands | AP | https://autoriteitpersoonsgegevens.nl |
| 🇸🇪 Sweden | IMY | https://www.imy.se |
| Other EEA | Your national DPA | https://edpb.europa.eu/about-edpb/about-edpb/members_en |

We encourage you to contact us first — most concerns can be resolved quickly.


10. International Data Transfers

ICI Tech Teknoloji A.Ş. is established in Turkey. The European Commission has not issued an adequacy decision for Turkey under GDPR Article 45 as of this Notice's effective date.

For all transfers from the EEA or UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor)
  • UK International Data Transfer Agreements (IDTAs) for transfers from the UK
  • In exceptional cases, GDPR Article 49 derogations (e.g., performance of a contract with you)

You may request a copy of the applicable transfer mechanism by contacting app@icitech.com.tr.


11. Data Retention

| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 3 years after deletion |
| Special category health data (tinnitus, hearing, symptom diary) | Duration of account + 1 year after deletion; deleted within 30 days of consent withdrawal |
| Subscription and transaction records | 10 years (Turkish commercial law) |
| Support communications | 3 years from last contact |
| Crash and error logs | 12 months |
| Security and access logs | 12 months |
| Marketing consent records | 3 years from consent or last engagement |
| Microphone / ambient noise data | Not stored — real-time processing only |

12. Security

  • TLS 1.2+ encryption in transit; encryption at rest
  • Special category health data stored with elevated access controls and restricted to authorized personnel
  • Microphone audio never stored or transmitted
  • Penetration testing and regular security assessments
  • Data breach notification: We notify the competent supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay when there is high risk (Art. 34)

13. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making that produces legal or similarly significant effects under GDPR Article 22.

Tinnitus frequency profiles and symptom trend summaries are generated from your own input data and displayed to you as personal insights — they do not constitute automated decisions with external consequences.


14. Children's Privacy

hearOS is intended for users aged 18 and older. We do not knowingly process personal data of children. Under GDPR Article 8, processing of a child's data in the context of information society services requires parental consent. If you believe a child has submitted data, contact app@icitech.com.tr for immediate deletion.


15. Cookies

Our website (https://hearos.app/) uses cookies. A consent banner is shown on first visit.

| Cookie Type | Legal Basis | Opt-Out |
|---|---|---|
| Strictly necessary | Art. 6(1)(f) — Legitimate interest | Not possible |
| Analytics | Art. 6(1)(a) — Consent | Via cookie banner |
| Marketing | Art. 6(1)(a) — Consent | Via cookie banner |

We do not use cookies to infer tinnitus status, hearing status, or any health information. The hearOS app does not use advertising identifiers.


16. Changes to This Notice

For material changes, we will notify you at least 14 days in advance via in-app notice or email. The current version is always at https://hearos.app/en/privacy/gdpr/.


17. Contact Us

Email: app@icitech.com.tr
Website: https://hearos.app/
Subject line: "GDPR Data Subject Request — hearOS"

We acknowledge all privacy enquiries within 5 business days and resolve within one month.


*hearOS is a wellness companion — not medical care. Nothing in this app constitutes medical advice or guarantees any outcome.*