Renlio Privacy Policy
Effective date: 19 May 2026 Last updated: 19 May 2026 Version: 2.0
This Privacy Policy ("Policy") describes the privacy practices of Renlio ("App" or "Service"), a mobile application developed and operated by Bayram BaΕ ("we", "us", "data controller"). Please read this Policy before using the App.
βοΈ Compliance. This Policy is drafted with reference to Turkey's Personal Data Protection Law (KVKK No. 6698), the EU General Data Protection Regulation (GDPR), UK GDPR, California CCPA/CPRA, COPPA, Brazil's LGPD, and China's PIPL. Depending on which markets you publish in, legal review by qualified counsel is recommended.
1. Data Controller and Contact
- Data controller: Bayram BaΕ (individual developer)
- Email: bayrambas255@icloud.com
- Support site: https://bayrambas255.github.io/renlio-support/
- Mailing address: Istanbul, Turkey (contact via bayrambas255@icloud.com)
- Tax/Registry No: Individual developer β tax registration to be updated when applicable
- VERBΔ°S registration: Exempt β under KVKK Article 16 and VERBΔ°S regulations, an individual developer below the thresholds (annual revenue 1M TRY / 50 employees / sensitive data as main activity). Additionally, Renlio does not store personal data on developer servers, so VERBΔ°S is practically inapplicable.
2. TL;DR β What Renlio Collects About You
Short answer: nothing.
| Data | Where stored | Can we see it? |
|---|---|---|
| Your subscription list (Netflix, Spotify, prices, notes, usage) | CloudKit private container in your Apple ID iCloud | β Never |
| Your preferences (currency, country, appearance, App Lock) | Your device's UserDefaults | β No |
| Optional display name / email you enter in Profile | Your device's UserDefaults (never sent to a server) | β No β only on your device |
| Apple ID, phone, system identifiers | Never collected β Renlio has no account system, no Sign in with Apple button | β |
| Location, camera, microphone, health | Never collected | β |
| Advertising identifier (IDFA) | Not collected β Renlio shows no ads, requests no ATT permission | β |
| Usage analytics / event logs | Not collected β no analytics SDK is integrated | β |
| In-app purchase records | Apple App Store / StoreKit | Apple sends us transaction ID + subscription status; we never access bank/card info |
There is no Renlio server, no Renlio database, no Renlio analytics backend. The app runs on Apple infrastructure (iCloud + StoreKit) with no developer server in the loop.
3. Data Processing β Detailed
3.1 Your subscription data (user data)
Every subscription you add to Renlio β service name, brand, plan, price, billing date, notes, payment method, usage marks, price history β is stored directly in your Apple ID's iCloud private container (iCloud.com.bayrambas.renlio).
- Storage location: Apple Inc. CloudKit infrastructure (Apple data centers, region-appropriate)
- Access: Only you (the Apple ID holder). We (the developer) never see this data; it never reaches any server we operate, never appears in any log we keep.
- Cross-device sync: Automatic across iPhone/iPad/Mac signed into the same Apple ID (handled by CloudKit).
- Legal basis: GDPR Article 6(1)(b) performance of contract; KVKK Article 5/2(c) contract.
- Retention: Until you delete it. Apple iCloud retention policies apply.
3.2 Local device preferences
The following settings are stored only in your device's UserDefaults; they are not sent to any server:
- Preferred currency, default country
- Appearance mode (light/dark/system)
- Notification preferences (7 toggles)
- App Lock on/off + Face ID/Touch ID selection
- Onboarding completion flag
- Optional display name and email address you enter on the Profile screen (used only for in-app display; never used in any verification/communication flow, never sent to a server)
3.3 In-app purchases (StoreKit)
Renlio's premium subscription is purchased through Apple App Store / StoreKit2. The transaction:
- Happens entirely on Apple infrastructure. We have no access to your card number, bank details, or CVV.
- Apple sends us only: transaction ID, product ID (yearly/monthly/lifetime), subscription status (active/cancelled/will-renew), purchase date.
- Your premium status is stored as an
isPremiumflag in your device's UserDefaults. This information is not on our server. - Legal basis: GDPR Article 6(1)(b); KVKK Article 5/2(c).
- Retention: Determined by Apple under Apple Media Services Terms.
3.4 Analytics (not collected)
Renlio collects no usage analytics whatsoever. No event logs, no device identifiers, no crash reports are sent to any external server.
- No third-party analytics SDK β Firebase Analytics, Mixpanel, Amplitude, TelemetryDeck, Sentry, etc. are not integrated.
- App Store Connect built-in metrics (downloads, retention, crash rate) are auto-generated by Apple; this is outside Renlio's control and Apple addresses it in its own privacy policy.
- Crash reports: Visible only via Xcode Organizer (Apple infrastructure, standard Apple β Apple ID holder flow). Renlio does not operate any crash backend.
3.5 Service catalog (in-app only, no server)
The subscription templates Renlio knows about (Netflix, Spotify, ChatGPT Plus, etc.) and their default price suggestions ship with the app as bundled JSON files inside the IPA (templates-v1.json, prices-v1.json).
- No network requests β the catalog is read from local files at launch.
- Catalog updates ship only with a new app release (via App Store / TestFlight).
- Listed prices are only suggestions / starting values; you can enter any amount when editing your own subscription.
3.6 Photo access (optional)
If you choose to import screenshots of subscription bills or Apple subscription pages, only the photos you select are read via iOS PHPickerViewController. Renlio does not request access to your entire photo library. Selected images are processed on-device and not sent to any server.
3.7 Notifications
Renlio uses local notifications (UNUserNotificationCenter) β renewal/trial reminders are scheduled on your device. There is no remote push notification. If you deny notification permission, the app continues to work (only reminders won't appear).
CloudKit sends user-invisible "silent push" notifications for cross-device sync; these never appear on screen and are processed only as a sync signal.
3.8 Biometrics (Face ID / Touch ID)
If you enable App Lock, the iOS LocalAuthentication framework performs on-device verification only. Biometric data stays in Apple's Secure Enclave; it is never sent to us nor readable by us.
3.9 Children's data (COPPA / KVKK)
Renlio is not designed for users under 13. We do not knowingly collect personal data from children under 13. If you believe your child has used Renlio, write to bayrambas255@icloud.com and we will take appropriate action.
4. Third-Party Service Providers
| Provider | Purpose | Data | Region | Legal protection |
|---|---|---|---|---|
| Apple Inc. | iCloud / CloudKit (user data), StoreKit (IAP), Push service (silent sync) | Subscription data (in your iCloud β we don't see it), transaction ID | Apple regional data center | Apple user agreements |
No third-party SDK. No advertising network. No analytics provider. No data broker. No sale of user data to third parties.
Transfer to legal authorities: Only with court order / legal obligation, within KVKK/GDPR limits. In practice, there is no user data on our servers to transfer.
5. International Data Transfer
- CloudKit: Apple stores your data in a data center appropriate to your region. Apple maintains regional compliance for Europe, Turkey, and other jurisdictions.
- Turkey β abroad: Under KVKK Article 9, explicit consent or transfer to countries with adequate protection. Renlio itself does not send data abroad; Apple iCloud infrastructure operates under its own privacy policy.
6. Retention Periods
| Data | Storage | Period |
|---|---|---|
| Subscription data | Apple ID iCloud (CloudKit) | Under Apple ID holder's control, until deleted |
| Device preferences | Device UserDefaults | Until app is deleted |
| StoreKit transaction records | Apple | Apple Media Services Terms |
| Service catalog (bundled JSON) | On device inside the IPA | Until app is deleted |
7. Security Measures
- TLS 1.2+ encrypted network traffic (CloudKit, StoreKit β Apple infrastructure)
- Apple iCloud private container encryption β Apple applies industry-standard end-to-end and encryption-at-rest
- Face ID / Touch ID App Lock β optional in-device content protection
- App Transport Security (ATS) β no insecure HTTP allowed (only iOS built-in Apple service exceptions)
- PrivacyInfo.xcprivacy manifest β Apple Required Reason APIs and collected data types are transparently declared
In case of a breach: In practice, there is no user data on our servers that could leak. If a breach occurs on the Apple iCloud side, Apple notifies under its own procedures. If Renlio incurs a re-notification duty, KVKK Article 12 (72-hour notification to the Authority) and GDPR Articles 33-34 procedures apply.
8. Your Rights
Depending on where you live, you have the following rights. For all requests, write to bayrambas255@icloud.com; we respond within 30 days at no cost.
8.1 KVKK Article 11 (Turkey residents)
- Learn whether your data is processed
- Request information (category, purpose, source)
- Request deletion or destruction
- Object to processing
- Claim compensation for damages
Practical note: Because Renlio has no account, a "request a copy of my personal data" request often returns empty β your data is not with us, it is in your iCloud. You can access, download, or delete your Renlio CloudKit container directly from your Apple ID: Apple iCloud Settings β "Apps Using iCloud" β Renlio.
8.2 GDPR / UK GDPR Rights (EU and UK residents)
- Right of access (Article 15) β requested data is not on our server; you are directed to your Apple iCloud
- Right to rectification (Article 16) β you can edit subscription records directly in the app
- Right to erasure / Right to be forgotten (Article 17) β the "Reset all data" button in the app (Profile screen) wipes local + CloudKit data
- Right to data portability (Article 20) β Profile β "Export Data" generates a structured JSON file (
renlio-export-<date>.json) containing your full subscription list and preferences - Right to object (Article 21) β no analytics or marketing processing happens, so this right has no practical target
- Automated decision-making (Article 22) β Renlio makes no automated decisions affecting you
- Right to complain β file with your local supervisory authority (TR: Personal Data Protection Authority / kvkk.gov.tr)
8.3 CCPA / CPRA Rights (California residents)
- Right to Know β the categories collected are listed in this Policy (in practice, no category is held on developer servers)
- Right to Delete β the in-app "Reset all data"
- Right to Correct β edit records in-app
- Right to Opt-Out of Sale/Sharing β we do not sell or share any personal information
- Non-discrimination β we will not discriminate against you for exercising these rights
8.4 LGPD (Brazil) / PIPL (China)
LGPD Article 18 and PIPL Articles 44-50 grant equivalent rights of information, access, correction, deletion, portability, and complaint. Renlio's "data is not with us" architecture practically auto-satisfies most of these rights.
8.5 Account / data deletion
From within the app, Profile β "Reset all data" will: - Delete all subscription data on your device - Delete all data in the CloudKit private container (CloudKit propagates the deletion to your other devices) - Reset device preferences
Additionally, you can delete iCloud copies via Apple iCloud Settings β "Manage Storage" β Renlio β "Delete Data".
Under App Store Review Guideline 5.1.1(v), this feature is always accessible from within the app.
9. Cookies, SDKs, and Trackers
- No cookies (mobile app, not browser)
- No tracking SDKs β
NSPrivacyTracking=false,NSPrivacyTrackingDomainsis empty - No analytics SDK β Firebase Analytics, Mixpanel, Amplitude, TelemetryDeck, etc. are not integrated
- No IDFA collection
- No advertising network
- No behavioral targeting
10. Automated Decision-Making and Profiling
The App makes no fully automated decisions that affect you, builds no profiles, and performs no credit/employment/health evaluation. The "Smart Suggestions" feature is calculated only on your device; there is no server-side profiling.
11. Policy Updates
We may update this Policy from time to time. The current version is always published at the canonical support site URL and can be tracked by the effective date and version number at the top of the document. You are encouraged to review the Policy before using the App and after any material update.
For material changes β particularly those expanding data processing categories or introducing new third-party integrations β an announcement is posted on the support site. Continued use of the App after the new Policy takes effect constitutes your acceptance of it.
12. Complaints
- Write to us first: bayrambas255@icloud.com
- If we don't respond or you're not satisfied, you may complain to your local supervisory authority: - Turkey: Personal Data Protection Authority β kvkk.gov.tr - EU: Your country's Data Protection Authority (list: edpb.europa.eu) - UK: Information Commissioner's Office β ico.org.uk - California: California Privacy Protection Agency β cppa.ca.gov - Brazil: Autoridade Nacional de Proteção de Dados β anpd.gov.br
13. Contact
- Email: bayrambas255@icloud.com
- Mail: Bayram BaΕ, Istanbul, Turkey (contact via bayrambas255@icloud.com)
- Web: https://bayrambas255.github.io/renlio-support/en/privacy.html
Version history: - v2.0 (19 May 2026): Firebase + analytics fully removed. Zero third-party SDKs. Apple-only stack (iCloud/CloudKit + StoreKit). Service catalog now ships bundled with the app as JSON, no live Firestore reads. - v1.0 (17 May 2026): Initial release. Local-first architecture: user subscription data lives in CloudKit private container; no user data on developer servers; Firestore public catalog and Firebase Analytics aggregate events.