← Home Terms Privacy Acceptable Use DMCA 🇬🇧 Türkçe · English

Privacy Policy

Version: v1 — last updated: 2026-04-25.

⚠ English translation in preparation. This is an unofficial reference translation of the canonical Turkish Gizlilik Politikası. In case of conflict, the Turkish version is authoritative and binding. A reviewed translation will replace this notice.

1. Data collected

1.1 Account

Email + password hash (bcrypt; raw password is never stored)
Name (optional)
OAuth profile URL and avatar (when signing in via Google/GitHub/Microsoft/LinkedIn/ORCID)
OAuth access_token — encrypted at rest via crypto.py Fernet (AES-128-CBC + HMAC-SHA256), key derived from HOCA_ENCRYPTION_KEY env.
Registration IP — for audit and abuse protection.

1.2 Job data

PDF files — under jobs/<job_id>/ or, if configured, on S3 / Azure Blob / DO Spaces.
Output mp4 / mp3 — same location.
Job records: id, user id, status, page count, credit usage, error message, attestations, opt-in options.
Voice clone WAVs — under user_voices/<user_id>/<sha256>.wav or in the storage backend.

1.3 Automatically collected

HTTP request logs (IP, user-agent, endpoint, status code) — for debugging and abuse, 30 days.
Audit log — admin moderation actions (who did what when). 365 days.

2. Purposes

Provide the service (job execution, credit accounting)
Detect abuse (rate-limit, duplicate voice fingerprint)
Legal obligations (DMCA / takedown requests, prosecutor requests)
Account security (login notifications, IP-based suspicious activity)

No marketing use; no sale to third parties.

3. Third-party services

Service	Data	Policy
Anthropic API (Claude)	Job narration text	Anthropic Privacy Policy — not used for model training (commercial tier).
Groq / OpenRouter (fallback LLM)	Same	Provider's own policy.
edge-tts (Microsoft)	TTS text	Microsoft Privacy.
iyzico	Payment info	iyzico KVKK-compliant; card number does not reach us.
AWS S3 / Azure Blob / DO Spaces	Output files	Provider SLA.
OAuth (Google/GitHub/MS/LinkedIn/ORCID)	Email + name	Provider policies.

4. Encryption & security

Cookies: httponly, samesite=lax, secure=True in production (COOKIE_SECURE=1 env).
OAuth token: Fernet AES-128 + HMAC-SHA256 in DB.
Passwords: bcrypt (default 12 rounds).
TLS: Enforced by the reverse proxy (nginx / cloud LB); your deployment must enable TLS.
Rate-limit: auth 5/min, jobs 30/min (slowapi).

If you reside in Türkiye, under KVKK: - Data deletion request: legal@hoca.example.com - Data portability: your existing jobs can be downloaded as JSON+ZIP - Data rectification: directly via Settings → Profile - Right to object: for automated decisions (e.g. abuse-flag disable), you may contact the admin

For GDPR (EU residents) the same rights apply; requests go through the same channel.

6. Cookies

hoca_token — JWT auth, 30 days, httponly+secure.
session — Starlette SessionMiddleware (OAuth state); short-lived.

No third-party cookies (no analytics).

7. Retention

Data	Period
Account	While active, plus 30 days after deletion request
Job records	90 days (then anonymized)
PDF / mp4	30 days after job completion, then removed from storage
Voice WAV	Until the user deletes it, or until account closure
OAuth access_token	Until the provider revokes it, or until the user disconnects
Audit log	365 days (legal obligation)

8. Contact

Data Protection: dpo@hoca.example.com
Complaints: KVKK Authority (Türkiye) / your local data protection authority