KVKK Disclosure Notice

Last updated: June 1, 2026

Location Simulator – Mock GPS Disclosure Notice on Processing of Personal Data (Under the Personal Data Protection Law No. 6698)

Data Controller: Abdulkadir ER Contact: akillisletme@gmail.com

1. Introduction This disclosure notice has been prepared in accordance with Article 10 of the Personal Data Protection Law No. 6698 ("KVKK") to inform you about how your personal data is processed during your use of Location Simulator – Mock GPS ("the App").

2. Personal Data Processed

A. Data Processed Locally on Your Device: • Mock location coordinates you set within the App • Favorite locations you save and associated notes • Joystick starting positions • Saved routes and PRO route waypoints (with speed/altitude/dwell parameters) • Human behavior simulation settings • Scheduled location settings • Smart Shield rules (package name ↔ location profile mappings) • The foreground app's package name held in memory by the Smart Shield Accessibility Service (not written to disk, not logged) • Photo GPS Editor: local editing of EXIF location metadata of the photo the user explicitly picks, and saving a new copy to the device gallery • Home widget and floating widget slot settings • Map and interface preferences • Language, theme, usage/consent status

IMPORTANT: All of the above data is stored solely on your device using local storage (HydratedBloc and SharedPreferences). This data is never transmitted to any server or third party.

B. Data Processed Through Third-Party SDKs: • Google Maps SDK: May process data in accordance with Google's own privacy policy during map display. We do not access or receive this data. • Firebase Remote Config: Only receives a configuration request to check the minimum app version. No personal data is transmitted. • Firebase Crashlytics: Only active on release builds when the CRASHLYTICS flag is enabled. May process technical crash data such as app version, package name, device model, OS version, crash time, error logs, and stack traces. Name, email, phone, contacts, messages, user content, and saved locations are never knowingly collected. • Cloud Firestore (read-only): Only reads the app_meta/changelog document to display the "What's New" (changelog) text. No user data is written or uploaded to Firestore; only during the read request may standard connection metadata such as the IP address be processed under Google's own policies.

3. Personal Data We Do Not Process We explicitly do not collect, process, store, or transmit: • Your real GPS location (location permission is used only for local map centering and mock setup validation; it is not sent to our servers) • Device identifiers (IMEI, Android ID, Advertising ID) • IP addresses • Usage statistics, behavioral data, or analytics (no analytics SDK including Google Analytics or Firebase Analytics is included) • Personal identification information (name, email, phone, etc.) • Financial or payment information • Biometric data • Communication data (contacts, SMS, call logs) • Screen content, typed text, messages, passwords (the Smart Shield Accessibility Service is configured with android:canRetrieveWindowContent="false" and does not read screen content) • The list of your installed apps (read locally for the Smart Shield app picker only; the list is never sent off the device) • Your photos or photo metadata (Photo GPS Editor only accesses the single photo the user picks and performs no background photo scanning) • Advertising SDK or ad profiles (no advertising network is integrated)

Note: Only when Firebase Crashlytics is enabled, technical data such as crash stack, device model, and OS version is processed; see Section 6 below for details.

4. Purposes of Data Processing Limited local data processing serves the following purposes: • Providing the App's core mock location functionality (Basic Mock, Joystick, Route, Pro Route, Human Simulation) • Storing your favorite locations, routes, and simulations for convenient reuse • Detecting the foreground app via Smart Shield and automatically starting the user-defined location profile (fully local, no screen content is read) • Editing the EXIF GPS metadata of a photo the user explicitly picks via the Photo GPS Editor (local operation, a new copy is saved to the device gallery) • Triggering scheduled mock locations via the scheduler (AlarmManager; RECEIVE_BOOT_COMPLETED is required to re-register after reboot) • Quick control via the floating widget and home widget • Remembering your app preferences and consent status • Checking the required minimum app version via Firebase Remote Config • Monitoring app stability and diagnosing crashes via Firebase Crashlytics (release builds only, when enabled)

5. Legal Basis for Data Processing • KVKK Article 5/2-c: Processing is necessary for the performance of the App's functionality accepted by the user • KVKK Article 5/2-f: Legitimate interests of the data controller (app version check for security and compliance) • KVKK Article 5/1: Your explicit consent obtained through the in-app consent mechanism for general use of the App

6. Data Transfer • Domestic Transfer: No personal data is transferred to any domestic third party. • International Transfer: We do not directly transfer personal data internationally. The following third-party services may process technical data through Google's global infrastructure: - Google Maps SDK: map-tile requests (IP address etc. subject to Google's own policies) - Firebase Remote Config: configuration requests such as app version and device locale - Firebase Crashlytics: only on release builds and when enabled, crash stack, device model, OS version, and app version are sent to Google; no personal identifier is included - Address search (Geocoding): the place-name query you search on the map is resolved into coordinates via the Android system geocoder (over the internet; the backend resolver may be Google). Only the search text you type leaves the device; it is not stored or used for profiling - Cloud Firestore (read-only): the app_meta/changelog document is read to display the "What's New" (changelog) text. Read-only; no user data is written or uploaded • We do not access or control the raw data in these communications; the data is subject to the relevant provider's own privacy policies. • We do not sell, rent, or share any data with data brokers or third parties.

7. Data Retention Period • Local Data: All data stored on your device is retained until you clear the app data from Android Settings or uninstall the App. • Server-Side Data: Since we do not collect any data, we do not retain any data on servers. • You always have full control over your data.

8. Your Rights Under KVKK Article 11 You have the right to: a) Learn whether your personal data is being processed b) Request information about the processing if your personal data has been processed c) Learn the purpose of processing your personal data and whether it is used in accordance with its purpose d) Know the third parties to whom your personal data has been transferred domestically or abroad e) Request rectification if your personal data has been processed incompletely or inaccurately f) Request deletion or destruction of your personal data under the conditions stipulated in Article 7 of KVKK g) Request notification of rectification and deletion operations to third parties to whom your personal data has been transferred h) Object to the emergence of a result against you through the analysis of processed data exclusively by automated systems i) Claim compensation if you suffer damage due to unlawful processing of your personal data

To exercise any of these rights, please contact: akillisletme@gmail.com We will respond to your request within the legally required 30 days.

9. Data Security Measures We implement the following measures to protect your data: • All data is stored locally on your device, eliminating server-side breach risks • No unnecessary data collection, minimizing exposure risk • The App does not require internet access for core functionality (only for map tiles and version check) • We follow the principle of data minimization, collecting only what is strictly necessary

10. Changes to This Notice This disclosure notice may be updated periodically. Changes will be reflected in the "Last Updated" date. Significant changes will be communicated through an in-app notification.

11. Governing Law This disclosure notice is governed by the laws of the Republic of Turkey, primarily the Personal Data Protection Law No. 6698.

12. Related Detailed Information Pages This KVKK notice is a summary. The following pages provide more detailed information on the related topics: • Permissions and Data Use — why each Android permission is requested • Accessibility Service Disclosure — how Smart Shield works and what it does not do • Third-Party Services — Google Maps + Firebase family list • Data Deletion — how to delete local data

— Change Note (June 1, 2026): Updated for the v1.7.0 release. The read-only use of Cloud Firestore (app_meta/changelog) was explicitly added to the third-party SDK list (Section 2) and the data-transfer section (Section 6).