01. Data controller
WashIQ is operated and self-hosted by Ali Özyıldırım (the "Operator"), acting as the data controller for personal data processed through the WashIQ platform. The Operator is reachable at [email protected].
Where a car-wash business uses WashIQ to operate its own location, that business acts as an independent data controller for the personal data of its own customers, and WashIQ acts as a data processor on its behalf under a Data Processing Agreement.
02. Personal data we collect
We only collect personal data that is necessary to provide the WashIQ service. Specifically:
- Account data — full name, email address, phone number (optional), hashed password (bcrypt), preferred language and role.
- Vehicle data — license plate, brand, model, color and any vehicle photos you upload.
- Booking and wash data — selected package, location, requested time, queue stage, payment status, completed wash photos and AI dirt-detection results.
- Payment data — handled directly by Stripe. We store only the Stripe customer ID, charge IDs, last four digits of the card and the billing country. Full card numbers never reach WashIQ servers.
- Device data — push notification tokens (Firebase Cloud Messaging), platform (iOS/Android/web), application version and locale.
- Technical data — IP address, user-agent, request logs, error traces and approximate location derived from the OpenStreetMap Nominatim tile proxy when you allow geolocation in the marketplace.
03. Why we process your data
We process the data above only for clearly defined purposes:
- To create and secure your account and to authenticate sign-ins.
- To deliver the service you requested — taking bookings, running the live queue, processing payments, calculating loyalty points and sending receipts.
- To send transactional notifications about your bookings, wash stages and payments through email and push.
- To improve and secure the platform — abuse prevention, fraud detection, debugging and aggregated analytics.
- To meet our legal obligations under Turkish tax, accounting and consumer-protection law.
04. Lawful basis
Under the GDPR, we rely on the following lawful bases: performance of a contract (Art. 6(1)(b)) when we deliver the service you signed up for; legitimate interests (Art. 6(1)(f)) for fraud prevention, platform security and product analytics; legal obligation (Art. 6(1)(c)) for tax and accounting records; and consent (Art. 6(1)(a)) for optional marketing emails and non-essential cookies.
Under the KVKK, processing is based on the explicit grounds in Article 5 — primarily the necessity of processing for the conclusion or performance of a contract, the controller's legitimate interests, and your explicit consent for optional uses.
05. Where your data is stored
WashIQ is self-hosted by the Operator on infrastructure under the Operator's direct control. The primary data store is a PostgreSQL database located in Türkiye; uploaded images are stored on the same infrastructure. Backups are encrypted and rotated regularly.
Payments are processed by Stripe (see §7). Push notifications are routed through Firebase Cloud Messaging. Map tiles are proxied from the OpenStreetMap Nominatim service. We do not export bulk personal data outside these processors.
06. Retention
We keep personal data only as long as needed for the purpose for which it was collected:
- Active accounts: for as long as the account exists, plus 90 days after deletion for backup rotation.
- Bookings, payments and invoices: 10 years, as required by the Turkish Commercial Code and tax legislation.
- Push tokens, server logs and analytics events: maximum 12 months unless tied to a security incident under investigation.
07. Third-party processors
We share the minimum amount of personal data necessary with the following sub-processors, each bound by their own privacy policies and our DPAs:
- Stripe Payments Europe, Ltd. — payment processing, fraud detection and payout. Stripe acts as an independent controller for card data.
- Google Firebase Cloud Messaging — delivery of push notifications to your device.
- OpenStreetMap Foundation (Nominatim) — geocoding and tile rendering when you use the marketplace map.
- Email delivery provider (transactional only) — verification, password reset and booking confirmation messages.
08. International transfers
Some of the processors above (Stripe, Google) are headquartered outside Türkiye and the EEA. Where data is transferred internationally, transfers are protected by Standard Contractual Clauses approved by the European Commission and, where applicable, by explicit consent under KVKK Article 9.
09. Your rights
Subject to applicable law, you have the following rights regarding your personal data. You can exercise them by emailing [email protected] — we respond within 30 days.
- Right of access — request a copy of the data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — delete your account and personal data.
- Right to data portability — receive your data in a machine-readable format.
- Right to object and to restrict processing — including opting out of marketing.
- Right to lodge a complaint with the Turkish Data Protection Authority (KVKK) or your local EU supervisory authority.
11. Security
All traffic is encrypted in transit with TLS 1.2+. Passwords are hashed with bcrypt. Database backups are encrypted at rest. Access to production data is limited to the Operator and is logged. We notify affected users and the competent supervisory authority within 72 hours of any confirmed personal data breach.
12. Children
WashIQ is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or by an in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the latest revision.
14. Data protection officer
Ali Özyıldırım acts as the Data Protection Officer for WashIQ. All privacy, KVKK and GDPR requests should be addressed to [email protected] with the subject line "Data Request".