Privacy Policy
Last updated: May 4, 2026
Kardo Labs Yazılım Anonim Şirketi (“Company”, “we”, “us”) is committed to protecting the personal data of users (“User”, “you”) of the HIT! platform. This Privacy Policy is prepared under the Turkish Personal Data Protection Law No. 6698 (KVKK) and aligns with the EU GDPR where applicable. It also describes how we handle data we receive from third-party platforms, including TikTok and Google.
1. Data Controller
The data controller for your personal data is the Company, with the following contact information:
- Legal name: Kardo Labs Yazılım Anonim Şirketi
- Address: EVKA 3 Mah. 119/2 Sk. Standartkent Sitesi No: 4-4 İç Kapı No: 15 Bornova / İZMİR
- MERSIS no: 0524165119400001
- Tax office / no: Bornova V.D. / 5241651194
- Email: hello@kardolabs.com
- Phone: +90 507 598 59 59
2. Personal Data We Collect
The Platform collects the following data:
- Identity: first name, last name, email address (received either at sign-up or from your Google/Apple account when you choose those sign-in methods)
- Account: user ID, sign-in method (Apple, Google, email)
- Content: videos you upload (deleted after analysis), analysis results and scores
- Payment: payments are processed through iyzico; we do not store card numbers — only the transaction reference and invoicing details
- Usage: platform usage statistics, session information, device and browser details
- TikTok integration data: when you choose to link your TikTok account, see Section 3 for the exact fields and purposes.
- Google sign-in data: when you choose to sign in with Google, see Section 4 for the exact fields, scopes, and purposes.
3. TikTok Integration
HIT! integrates with TikTok via OAuth (TikTok Login Kit) so creators can connect their own TikTok account and analyze their own videos with our AI coach. This integration is optional — you can use HIT! without connecting TikTok.
3.1 Data we receive from TikTok
If you choose to connect your TikTok account, we receive the following data through the TikTok Display API, scoped to the permissions you grant during the OAuth consent screen:
- Basic profile (user.info.basic): open_id, union_id, display name, avatar URL — used to confirm you linked the correct account inside the in-app Creator Hub.
- Profile metadata (user.info.profile): bio description, verified status, username — displayed on your TikTok profile page inside HIT!
- Account statistics (user.info.stats): follower count, following count, total post count, total likes — rendered on your analytics dashboard so you can track growth alongside your AI coaching scores.
- Your own public videos (video.list): video id, share URL, thumbnail, title/caption, duration, and per-video metrics (view, like, comment, share counts) — listed so you can pick a specific video to analyze with our AI coach. We never access videos from other accounts.
3.2 How we use TikTok data
The TikTok data we receive is used solely to:
- Display your linked TikTok account information inside HIT!
- List your own short-form posts so you can pick one to analyze
- Show your TikTok analytics alongside the AI coaching scores in your dashboard
When you ask the AI coach to analyze one of your TikTok videos, we download the video bytes from TikTok's CDN and process them through Google Gemini to generate the coaching report. The video bytes are deleted from our servers immediately after the analysis is complete; only the textual coaching report and score remain associated with your account.
3.3 Tokens, disconnection, and retention
OAuth access and refresh tokens are stored encrypted on our servers and used only to call TikTok's API on your behalf. You can disconnect your TikTok account at any time from inside HIT! Settings, or by revoking access at tiktok.com/setting/manage-app-permissions. When you disconnect your TikTok account or delete your HIT! account:
- Access and refresh tokens are revoked and deleted within 30 days
- TikTok-derived profile, stats, and video metadata are deleted within 30 days
- Coaching reports linked to TikTok videos remain in your HIT! account unless you delete them
3.4 No transfer to third parties
We do not sell, share, or otherwise transfer your TikTok data to any third party for marketing or advertising. The only third-party processor that ever sees TikTok video bytes is Google Gemini, which acts as a sub-processor and does not retain content after analysis.
4. Google Sign-In and Firebase Authentication
HIT! offers Sign-in with Google as one of the authentication methods, implemented through Firebase Authentication (provided by Google LLC). When you choose to sign in with Google, we receive a limited set of profile fields needed to create and manage your HIT! account. This section describes that data flow specifically and is the controlling disclosure for any Google user data we handle.
4.1 Data we receive from Google
When you sign in with Google, we request the following OAuth 2.0 scopes — and only these scopes:
- openid: a unique and stable identifier for your Google account (the Google user ID)
- email: your Google account email address and whether it has been verified by Google
- profile: your name and Google profile picture URL
We do not request access to Gmail, Google Drive, Google Calendar, Contacts, Photos, or any other Google service or scope.
4.2 How we use Google sign-in data
The data we receive from Google is used solely to:
- Create your HIT! account on first sign-in and link it on subsequent sign-ins
- Identify you across sessions and devices
- Populate your in-app profile (display name and avatar)
- Send transactional and service emails to your verified address
4.3 Sharing of Google user data
We do not share, transfer, or disclose Google user data with any third party other than Firebase Authentication (Google LLC), which acts as our identity backend on our behalf and is itself part of Google. No Google user data is sent to TikTok, iyzico, Gemini, or any other processor.
4.4 Protection of Google user data
Google user data is transmitted exclusively over TLS, stored in Firebase Authentication, and encrypted at rest by Google Cloud. Access is restricted to authenticated server-side code through the Firebase Admin SDK and Cloud IAM controls.
4.5 Retention and deletion
Google sign-in records are retained while your HIT! account is active. When you delete your HIT! account, the linked Firebase Authentication record and all associated Google profile fields are permanently deleted within 30 days. You can also revoke HIT!'s access to your Google account at any time at myaccount.google.com/permissions.
4.6 Limited Use compliance
HIT!'s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, HIT!:
- does not sell Google user data to third parties
- does not use Google user data for targeted advertising
- does not use Google user data to train artificial intelligence or machine learning models
- does not transfer Google user data to others except as strictly necessary to provide or improve the user-facing features of HIT! that you have explicitly requested, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you
- uses humans to read your Google user data only with your explicit consent for specific messages, when needed for security purposes (such as investigating abuse), or to comply with applicable law
5. Purposes and Legal Basis for Processing
Your personal data is processed for the following purposes:
- Providing the service and performing content analysis (performance of contract)
- Creating and managing user accounts (performance of contract)
- Processing subscriptions and payments (performance of contract, legal obligation)
- Operating the optional TikTok integration on your behalf (consent and performance of contract)
- Operating Google Sign-In and Firebase Authentication on your behalf (consent and performance of contract)
- Improving the quality of the service (legitimate interest)
- Meeting legal obligations (Commercial Code, Tax Procedure Code, and related laws)
6. Sharing of Data
Your personal data is not shared with third parties except in the following cases:
- Payment processor: iyzico Ödeme Hizmetleri A.Ş.
- AI analysis: Google Gemini API — receives only the user-uploaded videos (or the user's own TikTok videos selected for analysis); Gemini does not retain content after the analysis and does not use it to train models. Google sign-in data is never sent to Gemini.
- Authentication: Firebase Authentication (Google LLC) — see Section 4 for the full disclosure.
- Infrastructure: Google Cloud Platform (data hosting)
- TikTok: only to call TikTok's API on your behalf using the tokens you authorized through Login Kit
- Legal obligations: upon request from competent public authorities
7. International Data Transfers
Some of our service providers (Google LLC, iyzico, TikTok) are located outside Türkiye. Accordingly, your personal data may be transferred abroad under KVKK Article 9 with adequate security measures in place.
8. Retention Periods
Uploaded videos are deleted from our servers as soon as the AI analysis is complete. Analysis results and account information are retained while your account is active. When you delete your account, all of your data — including TikTok-derived metadata, tokens, and Google sign-in records — is permanently deleted within 30 days. Payment and invoice records are retained for 10 years as required by the Tax Procedure Code and Commercial Code.
9. Your Rights
Under KVKK Article 11 (and corresponding EU GDPR rights where applicable), you have the right to:
- Learn whether your personal data is being processed
- Request information about processing if it is being processed
- Learn the purpose of processing and whether the data is used in accordance with that purpose
- Know the third parties to whom data is transferred domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your data under KVKK Article 7
- Object to an outcome that is to your detriment and arises solely from automated analysis of your data
- Claim damages caused by unlawful processing
To exercise these rights, you can write to hello@kardolabs.com. Your request will be answered within the periods set by the Turkish Personal Data Protection Authority.
10. Cookies
Our platform uses technical cookies for session management and to improve the user experience. These cookies are strictly necessary for the service to operate and do not contain personal data. We do not use third-party marketing or tracking cookies.
11. Security Measures
The Company applies administrative and technical safeguards required under KVKK and related regulations to protect your personal data. Data is transmitted over encrypted connections (HTTPS) and access controls are enforced against unauthorized access. OAuth tokens for third-party platforms (including TikTok and Google) are encrypted at rest.
12. Changes
This Privacy Policy may be updated as needed. Updated versions are published on the Platform; material changes are also notified by email.
13. Contact
For questions about this Privacy Policy or to exercise your rights, please contact us at hello@kardolabs.com.