Privacy Policy
i-Will does not send your vault content to any server. Your notes, voice recordings, files, and access details stay on your device, encrypted. The server layer carries only the operational control metadata strictly required to run the service — account identity, device ownership, protocol state, and notification delivery. This policy explains what is processed, where, why, and what rights you hold.
1. Data Controller
Under Article 13 of the EU General Data Protection Regulation (GDPR) and Article 10 of Turkey's Personal Data Protection Law No. 6698 (KVKK), the data controller for personal data processed in connection with i-Will is:
Nexalent
Website: nexalent.com.tr
Email: info@nexalent.com.tr
Subject line: GDPR Request or Privacy Request
Nexalent is considered to qualify for the small-scale enterprise exemption from mandatory registration with the Turkish Data Controllers Registry (VERBİS) under KVKK and related regulations. This exemption does not affect compliance with other obligations under KVKK.
2. Categories of Personal Data Processed
i-Will operates across two distinct data layers. The tables below clarify this separation.
A — Data Stored Locally on Your Device — Never Sent to Servers
| Data Category | Description | Storage Location |
|---|---|---|
| Vault notes | Text content added by the user | Device only (cryptographically encrypted) |
| Voice recordings | Audio messages recorded inside the app | Device only (cryptographically encrypted) |
| Files and photos | Media files added to the vault | Device only (cryptographically encrypted) |
| Access details | Passwords, account notes, structured credentials | Device only (cryptographically encrypted) |
| Recipient list | Names and email addresses of trusted contacts. The full recipient list remains on the device in encrypted form. | Device only (cryptographically encrypted) |
| Encrypted backup file | Portable backup exported by the user | Under user control (device or external storage) |
B — Metadata Processed on Servers for Service Operation
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address (HMAC format) | Account mapping and identity verification. The plain email address is never stored on servers — a one-way cryptographic hash is used. | Art. 6(1)(b) — Contractual necessity |
| Installation ID | Enforcing the single active device rule and managing device conflict resolution | Art. 6(1)(b) — Contractual necessity |
| Protocol status | Tracking Safe / Amber / Red / Grace / Suspended states | Art. 6(1)(b) — Contractual necessity |
| Last check-in timestamp | Correct operation of the heartbeat tracking system | Art. 6(1)(b) — Contractual necessity |
| Push notification token | Delivering critical alerts via APNs | Art. 6(1)(b) — Contractual necessity |
| Email provider connection status | Monitoring Gmail / Outlook connection health | Art. 6(1)(b) — Contractual necessity |
| Subscription plan | Controlling access to Premium features | Art. 6(1)(b) — Contractual necessity |
| Language preference | Delivering system messages in the correct language (Turkish / English) | Art. 6(1)(b) — Contractual necessity |
| Grace period metadata | Managing the 24-hour final control window flow | Art. 6(1)(b) — Contractual necessity |
| Guardian token hash | Validating the single-use secure stop link | Art. 6(1)(b) — Contractual necessity |
| Recipient-derived delivery metadata | Limited operational metadata such as recipient count, primary guardian identifier, and masked guardian email data, used only to operate delivery and guardian flows. Full recipient content is not stored on servers. | Art. 6(1)(b) — Contractual necessity |
| Vault item count (aggregate) | Growth signalling and capacity planning; contains no content information | Art. 6(1)(f) — Legitimate interest |
Vault content — notes, recordings, files, and the full recipient list — is never stored on Nexalent's servers and cannot be read by Nexalent. The server layer holds only the limited operational metadata listed above, including certain recipient-derived delivery metadata that is necessary to run guardian and delivery flows.
3. Purposes of Processing
Personal data is processed solely for the following legitimate purposes, limited to what is strictly necessary and proportionate for each:
- Account creation, identity verification, and enforcement of the single active device rule
- Correct operation of the heartbeat protocol (timing, state transitions, notification orchestration)
- Enabling email delivery flows (system messages, guardian notifications, and user-configured outbound delivery messages)
- Delivering push notifications to the device
- Subscription and voucher validation
- Technical fault detection and service reliability
- Compliance with legal obligations
4. Legal Bases for Processing
All processing activities rely on one of the following legal bases under GDPR Article 6 (and the corresponding provisions of KVKK Article 5):
- Contractual necessity (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)): Processing required to provide the core service — account management, protocol operation, notification delivery.
- Legitimate interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)): Aggregate technical data used to improve service quality and reliability; limited to what does not override your fundamental rights and freedoms.
- Legal obligation (GDPR Art. 6(1)(c) / KVKK Art. 5(2)(ç)): Processing required to comply with applicable law or a lawful request from a competent authority.
- Consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)): Where none of the above bases apply, explicit consent may be sought. Such consent may be withdrawn at any time without affecting the lawfulness of prior processing.
5. Email Provider Connections and OAuth
When you connect a Google (Gmail) or Microsoft (Outlook) account, authorisation is handled via the OAuth 2.0 protocol. Within this connection:
- Your verified email address is retrieved for identity verification purposes.
- Only email sending permission is requested. Your inbox, contacts, calendar, mailbox history, and message contents are never accessed or read.
- Connected email providers are used only to send messages created by the user in advance, from the user's own connected account, to the recipients selected by the user, when a user-configured scheduled or protocol condition is met.
- OAuth access and refresh tokens are stored in the secure Keychain on your device. Nexalent's servers do not store your tokens.
- Nexalent does not and cannot read the content of your emails.
- Google or Microsoft user data obtained through OAuth is not used for advertising, user profiling, model or AI training, sale to data brokers, or any unrelated secondary purpose.
- The email provider connection can be removed at any time via Settings > Email Integration inside the app. When the connection is removed, locally stored OAuth tokens are deleted from the device and email sending stops until the user authorises again.
Google's and Microsoft's own privacy policies apply independently to their respective services. These can be found on the respective providers' official websites.
6. Third-Party Providers and International Data Transfers
The following third-party infrastructure providers are used to operate i-Will. Only the minimum data required for the service is transferred to each; vault content is never transferred.
| Provider | Purpose | Data Centre / Country | GDPR / KVKK Safeguard |
|---|---|---|---|
| Google Firebase (Firestore, Functions, App Check) | Control plane metadata, cloud functions, push token management | europe-west1 (Belgium) — Google LLC (US entity) | Google processes data under EU Standard Contractual Clauses (SCCs) and the Google Cloud Data Processing Addendum. GDPR compliant. |
| Apple (APNs) | iOS push notifications | Apple Inc. infrastructure (US) | Subject to Apple's own privacy policy and Apple Developer Agreement. Only the notification token and message payload are transmitted. |
| Google (OAuth / Gmail API) | Google account connection and email sending | Google LLC (US) | Governed by Google OAuth and API Terms of Service. SCCs apply. |
| Microsoft (OAuth / Graph API) | Outlook account connection and email sending | Microsoft Corporation (US) | Governed by Microsoft Services Agreement and Data Protection Addendum. SCCs apply. |
| Apple (App Store / StoreKit) | Subscription and payment processing | Apple Inc. (US) | Subject to Apple's App Store privacy policy. Payment data is not visible to Nexalent. |
All providers listed above are US-based entities and process data outside the European Economic Area. Transfers are carried out under Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c) and/or the relevant provider's data processing addenda. For users in Turkey, these transfers are made under KVKK Article 9 on the basis of user consent and/or the relevant provider's data protection commitments. Such transfers are technically necessary for the operation of the service.
7. Posthumous Data and Protocol Delivery
i-Will provides a protocol service that can deliver vault content to designated recipients when user-defined conditions are met. The following points apply:
- Vault content is delivered to the recipients designated by the user, based on prior explicit instructions given by the user within the app.
- Nexalent cannot independently determine whether delivered content qualifies as "estate data" or a "testamentary disposition" under GDPR, KVKK, or any other applicable law. Given the legal uncertainty in this area, users are encouraged to seek professional legal advice regarding estate planning and inheritance.
- Once delivery has been made, any processing of the delivered content by recipients falls outside Nexalent's control and responsibility.
8. Retention Periods
| Data | Retention Period | Deletion Trigger |
|---|---|---|
| Local vault data on device | Until the user deletes it or uses "Delete Everything" | User request or app removal |
| Server-side control metadata | While the account is active + 30 days after account deletion | "Delete Account and All Data" action |
| Push notification token | Until device change or account deletion | Device takeover or account deletion |
| Grace period record | 90 days after grace completion (operational log) | Automatic purge |
| OAuth tokens | Until the connection is removed or the account is deleted | User removes connection or deletes account |
| Encrypted backup file | Under user control; not stored by Nexalent | User manages at their own discretion |
9. Security Measures
Nexalent applies the following technical and organisational measures to protect personal data:
- Vault content is cryptographically encrypted on the device. The encryption key is held exclusively on your device in the iOS Keychain and is never transmitted to Nexalent's servers.
- When app lock is enabled by the user, the vault key is protected by a userPresence constraint — it cannot be unlocked without Face ID, Touch ID, or the device passcode.
- Server-side metadata is protected by Firebase security rules and Cloud Functions; direct client-side write access is blocked.
- Email addresses are never stored as plain text; a server-side HMAC cryptographic digest is used instead.
- The guardian stop token is single-use; only its hash is stored on the server.
- OAuth tokens are stored in the secure Keychain on the user's device.
- All server communications are conducted over TLS.
In the event of a personal data breach, affected individuals and competent supervisory authorities will be notified within the timeframes required by GDPR Article 33 and KVKK Article 12(5).
10. Data of Individuals Under 18
i-Will is intended for use only by individuals who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If an account belonging to a minor is identified, that account and its associated data will be deleted without delay.
If you believe a minor is using the app, please notify us at info@nexalent.com.tr.
11. Your Rights (GDPR Art. 15–22 / KVKK Art. 11)
You hold the following rights. You may exercise any of them by contacting us using the details below — no legal process is required.
- To obtain confirmation of whether your personal data is being processed and to receive a copy. (GDPR Art. 15 / KVKK Art. 11(a–b))
- To have inaccurate or incomplete personal data corrected without undue delay. (GDPR Art. 16 / KVKK Art. 11(c))
- To request deletion of your personal data when the conditions for processing no longer apply. (GDPR Art. 17 / KVKK Art. 11(d))
- To request that processing of your data be limited under certain circumstances. (GDPR Art. 18)
- To receive the data you have provided in a structured, machine-readable format. (GDPR Art. 20)
- To object to processing based on legitimate interest grounds. (GDPR Art. 21 / KVKK Art. 11(e))
- To claim compensation for damages resulting from unlawful processing. (KVKK Art. 11(g))
- To file a complaint with your local supervisory authority or, for Turkish residents, with the KVK Board at kvkk.gov.tr.
- Where processing is based on consent, to withdraw it at any time without affecting prior lawful processing. (GDPR Art. 7(3))
Send an email to info@nexalent.com.tr with the subject line "GDPR Request" or "Privacy Request". Additional information may be requested to verify your identity. Requests will be responded to within one month under GDPR (extendable by two further months for complex cases) and within 30 days under KVKK.
12. Cookies, SDKs, and Analytics
i-Will is a mobile application and does not use browser cookies. No in-app behavioural analytics or third-party advertising SDKs are present. The Firebase SDK is used solely for function calls, push notification delivery, and App Check; no behavioural user profiling is performed.
13. Policy Updates
This Privacy Policy may be updated from time to time. When material changes are made, users will be informed via in-app notification or email. The current version is always published in the app's legal section. Continued use of the app following an update constitutes acceptance of the revised policy.