Privacy Policy

The data controller of the MoofSearch service is: • Legal Name: MF BILGI TEKNOLOJILERI VE DIJITAL HIZMETLER A.S. (a Turkish joint-stock company) • Address: Kustepe Mah. Mesut Cemil Sk. No: 20 Sisli / Istanbul, Turkey • Tax Office / ID: Kagithane Tax Office — 6201290641 • Email: merhaba@moof.com.tr • Web: https://moofsearch.com This policy covers all personal data collected and processed through MoofSearch (the "Service" or "Platform").

To deliver our service, MoofSearch may collect the following categories of data: • Account information: First name, last name, email address, profile picture URL (when signing in with Google) • Google OAuth tokens: Access and refresh tokens (stored encrypted) • Google Ads data: Customer ID, campaign names, keywords, search terms, click/impression/cost metrics (read-only access) • Usage data: Platform interactions, clicks, generated analyses • Billing data: Transaction reference numbers (card data is never stored — handled by payment processor) • Technical data: IP address, browser type, device information (for security and debugging) We request only the "https://www.googleapis.com/auth/adwords" scope from your Google Ads account. This scope allows us to read your account and generate campaign recommendations; we cannot make any changes to your account.

MoofSearch's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. (https://developers.google.com/terms/api-services-user-data-policy) Specifically, we commit that: • Google user data is used only to provide or improve user-facing features that are prominent in the requesting application's user interface (Google Ads account analysis, optimization recommendations). • Google user data is NOT used for serving advertisements, including retargeting, personalized, or interest-based advertising. • Google user data is NOT sold or transferred to third parties for advertising, marketing, or other purposes. • We do NOT allow humans to read Google user data unless (a) we have obtained your affirmative agreement, (b) it is necessary for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) the data has been aggregated and is used for internal operations in accordance with applicable privacy laws. These commitments apply to all Google user data obtained through restricted scope access.

The data we collect is used only for the following purposes: • Delivering the service: Google Ads account analysis, recommendation generation, report creation • User account management and identity verification • AI-powered analyses (Claude AI and OpenAI services — see "Third-Party Services" section below) • Customer support • Fulfilling legal obligations • Detecting and preventing security threats Your data is never sold, rented, or shared with third parties for advertising purposes.

We rely on the following sub-processors to deliver our service. Each is bound by its own privacy and data processing policies: • Google LLC (USA) — Google Ads API, Google OAuth 2.0 — https://policies.google.com/privacy • Anthropic, PBC (USA) — Claude AI models (anonymized prompts for campaign analysis and insight generation) — https://www.anthropic.com/privacy • OpenAI LLC (USA) — GPT models (anonymized prompts) — https://openai.com/privacy • Vercel Inc. (USA) — Application hosting — https://vercel.com/legal/privacy-policy • Neon Inc. (USA, data stored in AWS Frankfurt / EU region) — Database — https://neon.tech/privacy-policy Prompts sent to AI services are anonymized where possible (user emails, customer names and similar identifiers are stripped) and are not used by these providers for model training. We maintain "zero retention" arrangements with Anthropic and OpenAI under our business/enterprise plans.

We apply the following technical and administrative safeguards to protect your data: • Data in transit: SSL/TLS 1.3 encryption • Data at rest: AES-256 encryption (Neon/Postgres) • OAuth refresh tokens: Stored with symmetric encryption • Password storage: bcrypt hash • Restricted access: Authorized personnel only, 2FA mandatory • Regular security audits and secret rotation • In case of a data breach, we notify Turkish Data Protection Authority (KVKK) and affected users within 72 hours Notifications are made within the legally mandated timeframes.

Our platform uses cookies to improve service quality: • Essential cookies: Session management (next-auth.session-token), CSRF protection • Analytics cookies: Anonymized usage statistics (Google Analytics — optional) • Preference cookies: Theme and language settings For details see our Cookie Policy. You can disable cookies in your browser settings; note that doing so may affect certain features.

Under the EU General Data Protection Regulation (GDPR) and Turkish Law No. 6698 on the Protection of Personal Data (KVKK) you have the following rights: • To learn whether your data is being processed • To request information about processing purposes and categories • To request correction of incomplete or inaccurate data (right to rectification) • To request erasure of your data (right to erasure / "right to be forgotten") • To object to and restrict processing • Right to data portability • Right to object to automated decision-making • Right to lodge a complaint with a supervisory authority (Turkish Data Protection Authority / relevant EU DPA) To exercise these rights, please write to merhaba@moof.com.tr. We respond to requests within 30 days. To revoke Google access specifically: visit https://myaccount.google.com/permissions and remove "MoofSearch" access.

Your data is stored for the following durations: • Account data: As long as the account is active + 30 days after deletion request • Google OAuth tokens: Until OAuth is revoked or account is closed • Payment/invoice records: 10 years (Turkish Tax Procedure Law requirement) • Security logs: 1 year • Anonymized analytics data: Indefinite (in a form where you cannot be identified) To delete your account, use the "delete account" button in settings or write to merhaba@moof.com.tr.

MoofSearch is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact merhaba@moof.com.tr immediately and we will delete it.

Some of our sub-processors are based in the United States. When personal data is transferred outside of the EU/Turkey, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and assess each provider's adequacy. For users in the EU, data stored in our database remains in the Frankfurt (eu-central-1) AWS region.

We reserve the right to update this privacy policy. Material changes will be communicated by email to registered users and announced on this page at least 30 days in advance. The "Last updated" date at the top always reflects the current version.

For questions about our privacy policy or to submit a data subject request: • Email: merhaba@moof.com.tr • Post: MF Bilgi Teknolojileri ve Dijital Hizmetler A.S., Kustepe Mah. Mesut Cemil Sk. No: 20 Sisli / Istanbul, Turkey This policy is effective as of the "Last updated" date and supersedes all prior privacy policies.