Privacy Policy

Last updated: May 2026

MasajGo ("we", "our", or "us") operates the MasajGo mobile and web application (the "Service"). This Privacy Policy explains how we collect, use, share, store, and protect your personal data — including data obtained through Google APIs — in accordance with the Google API Services User Data Policy and the Google APIs Terms of Service.

MasajGo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

1. Google User Data — What We Access

When you sign in with Google ("Sign in with Google"), MasajGo requests the following OAuth 2.0 scopes:

Scope	Data Accessed	Why It Is Needed
`openid`	A unique Google identifier (sub)	Authenticate your identity without a password
`email`	Your Google account email address	Create and identify your MasajGo account; send booking confirmations
`profile`	Your display name and profile picture URL	Pre-fill your name on your MasajGo profile for a smoother onboarding experience

We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google product beyond basic identity information listed above.

2. Google User Data — How We Use It

2.1 Authentication

The Google unique identifier (sub) is used solely to authenticate you each time you sign in. It allows us to link your login to your MasajGo account without storing your Google password.

2.2 Account Creation & Management

Your email address is used to:

Create your MasajGo account if one does not already exist.
Send booking confirmations, reminders, and service-related notifications.
Recover your account if access is lost.

2.3 Profile Pre-fill

Your Google display name may be used to pre-populate your MasajGo profile name. You can change or remove this at any time in your account settings.

2.4 No Advertising Use

Google user data is never used for advertising, retargeting, profiling, or any purpose unrelated to providing the MasajGo service you requested.

3. Google User Data — How We Share It

We do not sell or rent Google user data. We share it only in the following limited circumstances:

Recipient	Data Shared	Purpose
Supabase (database & auth infrastructure)	Email, name, Google user ID	Secure storage of your account record; authentication token management
Law enforcement / legal obligations	Minimum required by law	Compliance with applicable Turkish or international law when legally compelled

No Google user data is shared with advertisers, analytics providers, data brokers, or any third party for commercial purposes.

4. Data Storage & Protection

All data is stored on Supabase infrastructure, which uses AES-256 encryption at rest and TLS 1.2+ in transit.
Access to production databases is restricted to authorised MasajGo personnel via multi-factor authenticated accounts.
We do not store Google OAuth tokens beyond the session required to complete authentication. Refresh tokens, if issued, are stored in Supabase's secure auth schema, not in application-level tables.
Your Google account password is never visible to or stored by MasajGo at any point.
All connections to masajgo.com and our API endpoints are HTTPS-only.

5. Data Retention & Deletion

5.1 Retention periods

Data Type	Retention Period
Account information (name, email, Google ID)	Until you delete your account, then purged within 30 days
Booking history	2 years for legal/financial compliance, then permanently deleted
Authentication logs	90 days for security auditing
Google OAuth tokens	Duration of active session only; revoked and deleted on sign-out

5.2 How to delete your data

You can request full deletion of your MasajGo account and all associated data (including any data obtained via Google login) by:

In-app: Settings → Account → Delete Account
Email: destek@masajgo.com — subject line "Data Deletion Request"

We will confirm deletion within 7 business days and complete permanent deletion within 30 days.

You may also revoke MasajGo's access to your Google account at any time via Google Account Permissions. Revoking access will sign you out of MasajGo but will not automatically delete your MasajGo account data; please submit a deletion request separately if desired.

6. Other Personal Data We Collect

Phone number (optional, for booking reminders via SMS)
Delivery address (for home visit bookings — stored only for active bookings)
Payment information (processed by our payment provider; card numbers are never stored by MasajGo)

7. Cookies

We use only technically necessary session cookies for authentication. We do not use advertising, tracking, or analytics cookies.

8. Children's Privacy

MasajGo is not directed to children under 18. We do not knowingly collect data from minors.

9. Your Rights (KVKK / GDPR)

Depending on your jurisdiction, you have the right to access, correct, port, restrict processing of, or delete your personal data. To exercise any right, email destek@masajgo.com.

10. Changes to This Policy

We will post updates to this page and update the "Last updated" date. Continued use of MasajGo after changes constitutes acceptance of the revised policy.

11. Contact

MasajGo
Website: masajgo.com
Email: destek@masajgo.com