Privacy Policy

Data Controller: Cureonics LLC

Web: cureonics.com · App: vantrix.app

1 Introduction and Scope

This Privacy Policy ("Policy") governs the processing of personal data of users of the Vantrix application ("App"), developed and operated by Cureonics LLC ("Cureonics", "we", "us", or "our").

Vantrix is a science-based, gamified focus and learning tool designed for teens aged 10–17 who have been diagnosed with or show symptoms of Attention Deficit Hyperactivity Disorder (ADHD). The App is available on iOS, Android, and web platforms and is designed for child users and their parents/legal guardians.

warning

Important Note: Vantrix is not a medical device or treatment tool. It does not provide any diagnosis, treatment, or therapy services. Collected data cannot be used as a medical resource.

1.1. Legal Framework

Turkish Personal Data Protection Law No. 6698 (KVKK)
European Union General Data Protection Regulation (GDPR, (EU) 2016/679)
US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506)
Google Play Families Policy and Apple App Store Child Safety Guidelines
Turkish Penal Code No. 5237 — Provisions regarding child protection and personal data
Turkish Law No. 5651 on Regulation of Publications on the Internet

1.2. Definitions

Term	Definition
Child User	App user aged 10–17
Parent/Guardian	Parent or legal guardian of the Child User
Personal Data	Any information relating to an identified or identifiable natural person
Sensitive Data	Sensitive data including health data, under KVKK Article 6
Data Controller	Cureonics LLC
Data Processor	Third parties processing data on behalf of the data controller
Services	Vantrix app, website, and all related digital services
AI Processing	AI-based task decomposition and personalization operations

2 Personal Data We Collect

Vantrix collects the following categories of personal data to provide its services. The scope of data collected from child users is kept to a minimum in accordance with legal requirements (data minimization principle).

2.1. Account Creation Data

Email address (parent email for parental consent + child account info)
Google OAuth authentication data (when Sign in with Google is selected)
Username or nickname (real name is not required)
Date of birth or age information (for age verification and content adaptation)
Password (stored hashed and salted; never stored in plain text)

2.2. Profile and Personalization Data

Interests and hobbies (optionally entered by the child)
Personal goals and learning objectives
Preferred work duration and break settings
Language and interface preferences

2.3. Usage and Behavioral Data

In-app activity data: completed tasks, focus time statistics, XP and badge achievements
Timing data: session start/end times, pomodoro cycle statistics
Virtual study room participation data (room entry/exit, duration)
Interaction data: app navigation paths, click and scroll data
Performance metrics: error reports, crash logs, app response times

2.4. AI-Processed Data

AI task decomposition inputs: task descriptions and explanations entered by the user
AI-generated outputs: decomposed subtasks and recommendations
Personalization model data: preference and learning pathways based on user behavior

2.5. Parent Dashboard Data

Parent's account and contact information
Summary reports on child's progress (viewed by parent)
Goals and rewards set by parent
Coaching and support records

2.6. Technical and Device Data

Device type, operating system and version
Browser type and version (for web access)
IP address (stored anonymized)
Unique device identifiers (advertising identifiers are NOT collected)
Cookies and similar tracking technologies (functional purposes only)

2.7. Data We Do Not Collect

Medical diagnosis or treatment information
ADHD medication usage information
Precise location data (GPS)
Contacts, call logs, or SMS data
Biometric data (fingerprint, facial recognition)
Advertising identifiers (AAID, IDFA)
Direct messaging content between children (no DM function exists)

3 Processing Purposes and Legal Bases

Processing Purpose	Data Category	Legal Basis
Account creation and authentication	Account data, email	Explicit consent (parental)
Service delivery and personalization	Profile, usage data	Contract performance
AI task decomposition	Task inputs, AI outputs	Explicit consent
Gamification (XP, badges)	Usage data	Contract performance
Parent dashboard delivery	Parent and child progress data	Consent + legitimate interest
Security and moderation	Social interaction data	Legitimate interest + legal obligation
Error detection and performance	Technical data, crash reports	Legitimate interest
Legal obligations	All required categories	Legal obligation

4 Child Privacy and Special Protection

As Vantrix's primary target audience is children (ages 10–17), the highest standards for child privacy are applied.

4.1. COPPA Compliance

Verifiable Parental Consent (VPC) is obtained for all users under 13 before account creation.
Parental consent is verified through email verification + additional identity confirmation.
Parents have the right to review, modify, or delete their children's data at any time.
Data collected from children is kept to the minimum strictly necessary for service delivery.
No child data is sold, rented, or shared with third-party advertisers or data brokers.

4.2. Child Data Under KVKK

Requires parental/guardian consent for all child users (ages 10–17).
Does not process sensitive personal data (health data) belonging to children.
Classifies child data as a separate category in its Data Processing Inventory.

4.3. Safe Social Environment

No direct messaging (DM) feature exists within the app.
All interactions in virtual study rooms are monitored by automatic content filters and human moderators.
Inappropriate, harmful, or bullying content is immediately detected and removed.
Children are prevented from sharing personal contact information with other users.
Parents can manage their children's social interaction access from the parent dashboard.

5 AI Data Processing

5.1. AI Processing Principles

Purpose Limitation: AI is used only for task decomposition, learning recommendations, and personalization.
Data Minimization: Only data necessary for processing is sent to the AI model.
Anonymous Processing: User data is anonymized for AI model training; no individual profiling.
No Automated Decision-Making: AI does not make automated decisions with legal effects on the child.
Error Tolerance and Oversight: AI outputs are periodically subject to human review.

5.2. Third-Party AI Services

A Data Processing Agreement (DPA) is signed with each service provider.
Service providers' COPPA, KVKK, and GDPR compliance is audited.
Child data cannot be used for the AI service provider's own model training.
The list of AI service providers is published in Annex A of this Policy.

6.1. Third-Party Sharing

Vantrix does not share user data with advertisers, data brokers, or profiling service providers under any circumstances. Data sharing occurs only in the following cases:

Service Providers: For technical services — only under a Data Processing Agreement (DPA).
Legal Requirements: Pursuant to court orders or authorized administrative bodies.
Safety: Reporting emergencies threatening children's safety to law enforcement.
Corporate Changes: In case of merger, acquisition, or asset sale — users are notified in advance.

6.2. International Data Transfer

Adequacy decisions of the Personal Data Protection Board under KVKK Article 9 are followed.
Standard Contractual Clauses (SCCs) under GDPR Article 46 are applied.
Service providers compliant with the EU-US Data Privacy Framework are preferred.
COPPA-equivalent protection is evaluated for all child data transfers.

7 Data Security

7.1. Technical Measures

Transport Encryption: All data transfers encrypted with TLS 1.3.
Storage Encryption: Data stored encrypted with AES-256.
Password Security: Passwords hashed and salted with bcrypt/Argon2.
Access Control: Role-based access control (RBAC) and least privilege principle.
Infrastructure Security: Firewall, DDoS protection, IDS/IPS active.
Code Security: Regular security audits and independent penetration tests.

7.2. Administrative Measures

Confidentiality Agreements: All personnel sign confidentiality agreements.
Access Restriction: Child data access limited to specially trained personnel.
Training: Regular child privacy and data protection training.
Incident Response: Authority notification within 72 hours, user notification within 7 days.

8 Data Retention Period

Data Category	Retention Period	Deletion Method
Account data	While active + 30 days from deletion request	Automatic permanent deletion
Usage data	12 months from creation (after anonymization)	Anonymization + deletion
AI processing logs	90 days	Automatic permanent deletion
Moderation records	6 months	Permanent deletion
Technical logs	90 days	Automatic permanent deletion
Parental consent records	While active + legal retention period	Post-legal period deletion
Backups	Within 30 days after main data deletion	Secure destruction

9 User Rights

9.1. Rights Under KVKK (Article 11)

Learn whether personal data is being processed
Request information if personal data has been processed
Learn the purpose of processing and whether it is used accordingly
Know third parties to whom data is transferred
Request correction of incomplete or incorrect data
Request deletion or destruction under KVKK Article 7
Request notification of corrections/deletions to third parties
Object to results arising from automated analysis
Claim compensation for damages from unlawful processing

9.2. Rights Under GDPR

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / "right to be forgotten" (Article 17)
Right to data portability (Article 20)
Right to restriction of processing (Article 18)
Right to object (Article 21)
Right not to be subject to automated decision-making (Article 22)
Right to lodge a complaint with a data protection authority

9.3. Parental Rights Under COPPA

Review all personal information collected from the child
Withdraw consent for data collection and use
Request deletion of the child's personal information
Ensure account closure if consent is withdrawn

9.4. How to Apply

Email: privacy@cureonics.com
In-app: Settings > Privacy > Data Request
Web form: vantrix.app/privacy-request

Applications are responded to within 30 days after identity verification (per KVKK and GDPR).

10 Cookies and Tracking

Type	Purpose	Duration	Required
Session cookie	Authentication and secure login	Session	Required
Preference cookie	Language and interface preferences	12 months	Required
Security cookie	CSRF protection and fraud prevention	Session	Required

Vantrix does not use any analytics, marketing, or third-party tracking cookies.

11 Advertising Policy

Vantrix applies a zero-advertising policy.

No advertisements are displayed. No user data is processed for advertising. No third-party advertising SDK or tracking pixel is integrated. This is a core design principle and will not change.

12 Open Source and Transparency

Code Audit: Independent researchers can verify data processing from source code.
Community Contribution: Early detection of vulnerabilities by the community.
Vulnerability Reporting: Report to security@cureonics.com under our responsible disclosure policy.

13 Policy Changes

Updated Policy published at vantrix.app/privacy.
All registered users (parents) notified by email.
Visible in-app notification displayed.
Explicit consent re-obtained for significant child data processing changes.
Previous versions archived and accessible.

14 Contact

Data Protection Officer (DPO)

Email: privacy@cureonics.com

Web: vantrix.app/privacy

Cureonics LLC

Web: cureonics.com

Turkish Authority: Personal Data Protection Board (KVKK)

www.kvkk.gov.tr

15 Applicable Law and Jurisdiction

This Privacy Policy is subject to the data protection legislation of the user's country of residence. For users in Turkey, KVKK No. 6698 applies; for EEA users, GDPR applies; for US users, COPPA provisions apply. Competent courts and data protection authorities of the relevant country have jurisdiction.