Nailterest

Privacy Policy

Effective date: 24 April 2026 · Last updated: 24 April 2026

Nailterest is built with respect for your data. This policy explains, in plain language, what we collect, why we collect it, where it is stored, and how we protect it.

1. Who We Are

Nailterest is developed and operated by Mymed Bilişim Yazılım Teknolojileri A.Ş., a company established under the laws of the Republic of Türkiye.

Contact: info@chambit.app
Website: www.chambit.app

For purposes of the General Data Protection Regulation (GDPR), Mymed Bilişim Yazılım Teknolojileri A.Ş. acts as the Data Controller.

2. Age Requirement

Nailterest is rated for users aged 12 and over. We do not knowingly collect personal data from children under 12. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at info@chambit.app and we will delete the data without delay.

3. Data We Collect

3.1 Account Information

To use Nailterest you must create an account using one of the following methods:

Email and password — we collect your email address.
Sign in with Google — we receive your email address and basic profile information (name, profile picture) from Google.
Sign in with Apple — we receive a unique identifier and, if you choose to share it, your email address (which may be a private relay address).

Account credentials are managed through Firebase Authentication and are not stored directly by us.

3.2 Data You Provide While Using the App

Hand/nail photographs — only when you voluntarily use the AI photo-based design feature. See Section 5 for details.
Support correspondence — if you contact us, we keep your messages and contact details.

3.3 Automatically Collected Data

Device information — device model, operating system version, app version, language preference.
Usage analytics — feature interactions, session duration, screen views. Collected via Firebase Analytics.
Crash reports — technical information about app crashes for stability improvements. Collected via Firebase Crashlytics.
Purchase and subscription data — managed through Apple App Store, Google Play, and our subscription platform Adapty. We do not store full payment card information.

4. Legal Basis for Processing (GDPR)

Performance of a contract (GDPR Art. 6(1)(b)) — to provide the Nailterest app, manage your account, and provide subscription services.
Legitimate interests (GDPR Art. 6(1)(f)) — to improve app stability, prevent abuse, and analyze usage patterns.
Explicit consent (GDPR Art. 6(1)(a)) — when you voluntarily upload a photo for AI processing.
Legal obligation (GDPR Art. 6(1)(c)) — where required by applicable law.

5. Photo Upload and AI Processing

⚠️ Important: When you upload a hand photo to use the AI nail design feature, the image is transmitted to our AI provider Fal.ai in order to generate the design output. The image leaves your device and is sent to Fal.ai's servers.

This only happens when you actively choose to use the photo upload feature. You are always notified before an upload takes place. The AI-generated result is delivered back to your device.

Fal.ai processes images solely to generate the requested output and does not retain them beyond the processing time. For details, see the Fal.ai Privacy Policy.

6. Our Infrastructure and Third-Party Services

Nailterest operates using the services below. Each one processes data on our behalf under appropriate data protection agreements.

Amazon Web Services (AWS) — Istanbul Region (eu-central-2)

Hosts our application servers and data storage. All Nailterest server infrastructure is located in AWS's Istanbul region, keeping data within Türkiye's jurisdiction. AWS Privacy Notice →

Firebase Authentication — User Sign-In

Manages secure authentication for Email/Password, Sign in with Google, and Sign in with Apple. Firebase manages your account credentials within Google's infrastructure. Firebase Privacy →

Firebase Analytics — Usage Analytics

Collects anonymized usage data (feature interactions, session information) to help us improve the app. It does not collect personally identifiable information about individuals.

Firebase Crashlytics — Crash Reporting

Collects technical information about app crashes, including device state and stack traces, to help us fix bugs and improve stability.

Adapty — Subscription Management

Manages in-app subscriptions, purchase verification, and entitlement checks. Adapty receives a pseudonymous user identifier and purchase data from Apple or Google. Adapty Privacy Policy →

Fal.ai — AI Image Processing

Processes hand/nail photos to generate AI nail design outputs. Images are only transmitted with your explicit action. Fal.ai Privacy Policy →

Apple App Store / Google Play

Manages app distribution and in-app purchases. Subject to Apple's and Google's own privacy policies.

7. Data Storage and Retention

Account data (email, authentication identifier): Stored via Firebase Authentication while your account is active. Removed when you delete your account.
Server-side data: Hosted on AWS Istanbul region servers. Retained while your account is active.
Design archive and app preferences: Stored locally on your device only. Deleted when you uninstall the app or use the in-app "Delete All Data" feature.
Support correspondence: Retained for 2 years from the date of your last contact.
Analytics data: Retained in aggregate via Firebase Analytics for up to 24 months.
Crash reports: Retained via Firebase Crashlytics for up to 90 days.
Photo uploads: Not stored by us. Fal.ai processes and deletes images according to its own data retention policy.

8. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or a country with similar data protection laws, you have the following rights:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate data.
Right to erasure — request deletion of your personal data ("right to be forgotten").
Right to restriction — request that we limit the processing of your data.
Right to data portability — receive your data in a machine-readable format.
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at info@chambit.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or disclosure. These include encrypted data transmission (TLS 1.2+), secure AWS infrastructure with access controls, Firebase security rules, and regular security reviews.

10. International Data Transfers

Our primary server infrastructure is located in the AWS Istanbul region (Türkiye). However, some third-party services may process data outside of Türkiye:

Firebase (Authentication, Analytics, Crashlytics) — operated by Google LLC and may process data in the United States and other regions.
Fal.ai — may process uploaded images in the United States or other regions.
Adapty — may process subscription data in the United States or the European Union.

Such transfers are carried out under appropriate safeguards in compliance with GDPR requirements, including Standard Contractual Clauses where applicable.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or by updating the "Last updated" date at the top of this document.

12. Contact

Email: info@chambit.app
Company: Mymed Bilişim Yazılım Teknolojileri A.Ş.