Privacy Policy

Muzluk is a progress app that lets people submit short natural-language entries, including through the Muzluk app and through WhatsApp. The service turns those entries into notes, completed-work records, todos, plans, memories, scores, and short replies.

Muzluk is designed first as a private progress journal and self-log. Most inputs are treated as private account content by default, not as public reflections or public posts.

For privacy questions or requests, contact us at hello@muzluk.com.

We collect different categories of information depending on how you use Muzluk. Some categories always apply, such as account or entry data. Others apply only if you use optional features such as WhatsApp, paid plans, public profiles, sharing, direct messages, planner interviews, or voice and image features.

For example, if you write studied bio, fixed the login bug, I need to record the launch demo but I keep avoiding it, or wrote 300 words for my thesis, Muzluk stores that text and can process it through AI-powered product flows to structure it into app state.

• Account, identity, and sign-in data, which may include your name, username, email address, phone number, profile image, locale, timezone, anonymous or identified account status, onboarding answers, plan tier or status, policy acceptance version and time, session records, authentication records, verification records, refresh-token or one-time-code records, and related account-safety records.
• Content you submit, which may include entries, raw text, notes, todos, plans, goals, work logs, study logs, reflections, proof logs, pursuit names, question or help-session inputs, planner interview answers, emotional check-ins, voice recordings, transcripts, study-note images, messages, profile fields, shared-entry content, and other content you choose to send to Muzluk.
• Generated and derived product data, which may include summaries, classifications, tags, deadlines, accomplishments, next steps, feed cards, plan outlines, todo architecture, memories, session memories, memory cards, embeddings or vector representations, search or retrieval records, reflection outputs, pattern detections, and other AI- or system-generated structure created from your use of the service.
• Progression, reward, and activity data, which may include bananas, XP, ranks, leagues, cases, streaks, multipliers, bounties, mission or goal state, proof labels, todo state, reward history, score or ledger events, badges, achievements, and related progress mechanics or activity records.
• Social, public-profile, messaging, and sharing data, if you use those features, which may include public profile fields, profile visibility or suggestion preferences, friend requests, friendships, conversation membership, direct messages, message previews, read state, share links or share tokens, and shared screenshots or cards where the feature creates them.
• WhatsApp and external-channel data, if you message Muzluk through WhatsApp or another supported external channel, which may include your phone number, normalized phone number, sender or channel identifiers, display name if provided, inbound or outbound message text, timestamps, provider message ids, delivery or reply state, connection or session state, and anonymous channel identity records.
• Payment, subscription, and entitlement data, if you purchase paid access, which may include app user id, email address, product or plan identifiers, entitlement status, subscription status, renewal status, cancellation status, refund or chargeback status, transaction identifiers, purchase dates, expiration dates, billing provider or app-store records, and limited billing support records. Muzluk does not intentionally collect or store full payment card numbers.
• Operational, security, and compliance data, which may include AI usage events, token usage metadata, rate-limit records, client-reported error reports, abuse-prevention or security records, Cloudflare challenge or clearance signals, policy acceptance records, deletion-request handling records, account-claim or security-decision records, and narrow pseudonymous compliance-audit records used to prove security or deletion handling without storing raw submitted content in the audit rows.
• Device, browser, and local-storage data, which may include settings, preferences, drafts, caches, guest counters, local histories or logs, uploaded local media references, client-side session state, and similar browser or device storage needed to run the service.

The sections below on AI processing, WhatsApp and Meta, service providers, retention, deletion, and Turkey and KVKK explain in more detail how some of these categories are processed, shared, retained, or deleted.

Bananas, XP, ranks, leagues, bounties, cases, multipliers, and related mechanics are product mechanics designed to make progress visible. They are not money, financial rewards, gambling credits, sweepstakes entries, prizes, stored value, or transferable assets.

You can message Muzluk on WhatsApp before creating or connecting a Muzluk account. When you do, we create an anonymous Muzluk identity connected to your WhatsApp sender id so your entries and replies can work.

If you later verify the same phone number in Muzluk, future WhatsApp messages are routed to that verified account when the server can match that number to exactly one verified Muzluk user. Historical anonymous data stays tied to the earlier anonymous WhatsApp identity until it is deleted or handled through support workflows.

• To provide and secure your account, including sign-in, verification, session management, anonymous or claimed account handling, fraud prevention, access control, human verification, and account safety.
• To store, sync, display, search, and retrieve your records across the app, including entries, notes, todos, plans, goals, memories, question-session history, planner records, messages, files, and related product state.
• To run AI-assisted product features that turn messy input into useful structure, including classification, summaries, planning, memory extraction, retrieval, search, transcription, reflection support, next-step generation, and similar model-backed flows. The AI processing section below explains this in more detail.
• To operate Muzluk's progression and product mechanics, including calculating or updating missions, proof logs, bananas, XP, ranks, leagues, streaks, badges, achievements, multipliers, reward history, and similar progress signals.
• To operate social, public, and sharing features when you use them, including public profiles, profile suggestions, friendships, direct messages, conversations, share links, and related visibility or delivery logic.
• To operate WhatsApp and other supported external-channel flows when you use them, including receiving messages, linking or routing them to the right identity, sending replies, preventing duplicate processing, preserving channel history, diagnosing failures, and supporting deletion workflows. The WhatsApp and Meta section below explains this in more detail.
• To manage paid access, including purchases, subscriptions, entitlements, renewals, cancellations, refunds, chargebacks, billing support, and provider or app-store reconciliation.
• To measure, debug, secure, and improve service reliability, including usage measurement, cost tracking, quota enforcement, error handling, abuse prevention, security monitoring, and platform stability.
• To handle privacy, deletion, legal, and compliance obligations, including rights requests, identity verification for deletion or access requests, support-only WhatsApp deletion, legal or safety reviews, dispute handling, and retention of narrow compliance-proof records where needed. The retention, deletion, and KVKK sections below explain this in more detail.
• To treat ordinary entries, self-logs, work notes, study notes, and reflections primarily as private account records unless you intentionally use a public or shared feature.

Muzluk uses server-managed AI providers to power core product features. The planned main production text model is Google Gemini 3.5 Flash through the Google Gemini API. Muzluk may still route particular features, outages, experiments, quality, cost, reliability needs, transcription, embedding, or future product configurations through OpenAI's GPT API, other OpenAI models, Google Gemini Embedding 2, other Google Gemini models, or another configured provider.

In practice, much of ordinary Muzluk use is AI-assisted. For example, when you send a message, submit a progress entry, add a todo, ask for a plan or summary, transcribe audio, or use a similar product flow, your content may first reach Muzluk's Convex-hosted backend and database, and then the portion needed for that feature may be sent to Google Gemini API, OpenAI GPT API, or another configured provider.

Not every action is an AI call. Sign-in, billing, subscriptions, some settings actions, some security checks, and similar operational flows may work without sending content to an AI model. But much of the normal product experience, especially message, entry, todo, planning, summary, memory, search, transcription, and similar content flows, may involve routing selected content to an AI model.

In that kind of AI processing, the content sent to the provider may include your active input, selected related entries, selected memory facts, session-memory records, open commitments, task or plan context, profile or progress context, audio or visual content, system instructions, and technical usage metadata.

The exact provider and model can change over time inside the configured provider stack. Different tasks may use Gemini 3.5 Flash, other Gemini models, Google Gemini Embedding 2, OpenAI GPT models, OpenAI transcription models, or successor models for classification, summary generation, planning, memory, embeddings, transcription, or quality review. When feed background theme image generation is enabled, the current production configuration uses only Google Nano Banana 2 / Gemini 3.1 Flash Image for that image generation flow. That feature generates reusable feed background themes from limited theme context such as an entry's tags and short snippet; it is not a general user image-editing tool.

AI output affects how Muzluk structures your progress inside the app, including todos, missions, reward summaries, banana amounts, XP, ranks, multipliers, proof labels, and next-step suggestions. Bananas, XP, ranks, leagues, bounties, and multipliers are virtual product mechanics only. They have no cash value, cannot be redeemed for money, and do not represent financial assets, prizes, gambling winnings, or legally transferable value.

Google's Gemini API terms distinguish between free or unpaid services and paid or billing-enabled services. Production user-content processing is intended to use a paid or billing-enabled Gemini API or Google Cloud configuration where Google states prompts and responses are not used to improve Google's products. Google may still log prompts and responses for a limited period for abuse detection, security, legal, or regulatory purposes, and optional log or dataset sharing can have different consequences. Muzluk does not intentionally opt in to share user API logs or datasets with Google for model training.

OpenAI states that API Platform business data is not used to train OpenAI models by default unless the customer opts in. OpenAI may still generate abuse-monitoring logs for API use and retain them for a limited period unless a different approved retention control applies or longer retention is legally required.

You should avoid submitting highly sensitive information into Muzluk unless you are comfortable with it being processed by Muzluk, Convex, Vercel, OpenAI, Google, Meta/WhatsApp, and other service providers we use to operate the service.

We do not use submitted content for third-party advertising. We do not sell personal information.

Muzluk uses automated and AI-assisted processing to structure entries, suggest missions, classify progress, and generate virtual rewards. These outputs may influence your in-app experience, such as what todos are created, how many bananas are shown, what rank progress appears, or what next action is suggested.

These automated outputs do not produce legal, financial, employment, educational, healthcare, credit, housing, insurance, or similarly significant real-world decisions about you. They are used to operate Muzluk's progress and progression experience.

You should not rely on Muzluk's AI outputs as professional advice. Muzluk is not a medical, mental health, legal, financial, academic, or employment advisory service.

Muzluk includes game-like mechanics such as bananas, XP, ranks, leagues, cases, multipliers, bounties, streaks, reward animations, and gravity or decay effects.

These mechanics are designed to make real-life progress feel visible and motivating. They are entirely virtual. They have no monetary value, cannot be exchanged for money, cannot be transferred, cannot be sold, and do not represent property, wages, securities, gambling credits, lottery entries, or prizes.

Muzluk may adjust, rebalance, reduce, remove, reset, or change virtual rewards and progression mechanics at any time to preserve product integrity, prevent abuse, improve scoring, or comply with law.

When you use Muzluk through WhatsApp, Meta delivers webhook events to us through the WhatsApp Cloud API and we send replies through the WhatsApp Cloud API. Muzluk verifies webhook signatures, extracts text messages, stores WhatsApp connection and message records in its backend, and can create or update an anonymous or verified Muzluk identity linked to that channel. Meta also processes WhatsApp data under its own terms and policies.

We use WhatsApp message ids for idempotency so duplicate webhook deliveries do not create duplicate entries. We store enough WhatsApp metadata to route messages, preserve account history, send replies, diagnose failures, and honor deletion requests.

• With Convex for backend hosting, database, authentication, storage, scheduled jobs, and server functions.
• With Vercel to host and deliver parts of Muzluk's web application and related infrastructure.
• With Cloudflare for DNS, security filtering, bot protection, Turnstile challenges, pre-clearance cookies, rate limiting, and related security services.
• With the configured AI providers, primarily Google Gemini API / Gemini 3.5 Flash for planned production text processing, and with OpenAI GPT API, Google Gemini Embedding 2, or other configured providers when enabled for AI-assisted parsing, scoring, reward, summary, next-action, search, memory, transcription, and embedding features.
• With Meta/WhatsApp to receive inbound WhatsApp messages and send outbound WhatsApp replies.
• With email, phone, sign-in, or messaging providers such as Resend, Twilio, Google, and Apple when those integrations are configured.
• With payment and subscription providers such as RevenueCat, Stripe, Apple, Google, app stores, or other payment providers when you buy, manage, renew, cancel, refund, or dispute paid access.
• With other users or the public only when you use public profiles, friend features, messages, or public share links.
• When required by law, legal process, security, fraud prevention, safety, or a business transfer.
• When we reasonably believe disclosure is needed to address abuse, illegal content, credible safety threats, security incidents, or violations of our Terms.

We do not sell personal information and do not share personal information for cross-context behavioral advertising.

We use third-party service providers to operate Muzluk. These providers may process personal data only as needed to provide services to us, comply with law, secure their systems, or perform other purposes described in their agreements with us.

• Convex is our backend and database platform. Information stored or processed through Convex includes account data, entries, todos, missions, pursuits, proof logs, banana balances, XP, ranks, leagues, reward events, profile data, social data, legal-acceptance records, AI usage records, compliance audit records, and other app state. Convex lists infrastructure and database subprocessors including Amazon Web Services and PlanetScale, with processing location depending on the selected deployment region.
• Vercel hosts and delivers parts of Muzluk's web application and related infrastructure. We also use limited analytics and performance tools from Vercel, including Vercel Web Analytics and Vercel Speed Insights, to understand traffic, feature usage, reliability, performance, and Core Web Vitals metrics. Vercel processes technical information such as IP addresses, request logs, deployment logs, device or browser data, analytics or performance events, and customer content as needed to provide hosting, security, performance, infrastructure, analytics, and performance-monitoring services.
• Cloudflare provides DNS, security, bot protection, Turnstile verification, pre-clearance, rate limiting, and related edge services. Cloudflare may process IP address, request metadata, browser or device signals, security challenge results, Turnstile tokens, and cookies such as cf_clearance where enabled. These technologies help distinguish legitimate visitors from automated or abusive traffic and may allow verified visitors to bypass later security challenges for a limited time.
• Google provides the planned primary AI text processing through Gemini 3.5 Flash and may also provide embeddings, transcription, and other Google-backed AI features. When feed background theme image generation is enabled, the current production configuration generates those images with Google Nano Banana 2 / Gemini 3.1 Flash Image. User-submitted text, selected context, embeddings, some audio inputs, derived background-theme tags and short entry snippets, image prompts, and related outputs or usage metadata are sent to Google when the relevant feature uses Google.
• OpenAI provides alternate, fallback, or feature-specific AI processing in deployments configured to use OpenAI or GPT models. User-submitted text, selected context, and some audio inputs are sent to OpenAI when the relevant feature uses OpenAI. OpenAI's enterprise/API privacy commitments state that OpenAI does not train models on API Platform business data by default.
• RevenueCat helps manage subscription status, customer identifiers, offerings, products, purchases, renewals, cancellations, refunds, and entitlement data for paid features. RevenueCat may receive app user id, email address, product identifiers, entitlement status, transaction metadata, subscription status, and related billing events.
• Stripe, Apple, Google, app stores, or other payment providers may process payments depending on where you purchase. These providers may process billing details, transaction identifiers, renewal status, payment status, tax-related information, fraud signals, refund status, and customer-support information. Muzluk does not intentionally collect or store full payment card numbers.
• Other providers may support authentication, email delivery, analytics, crash reporting, customer support, abuse prevention, security monitoring, and app distribution. We will update this policy or related disclosures if our vendor stack changes materially.

• Convex: backend and database. Data includes account data, entries, todos, missions, rewards, legal acceptance records, profile or social state, AI usage rows, compliance audit rows, and other app state. Purpose: store and operate the Muzluk backend.
• Vercel: hosting, web infrastructure, web analytics, and performance monitoring. Data includes IP address, request logs, frontend/app delivery data, aggregate analytics or performance events, referrer data, browser or device data, Core Web Vitals-related metrics, and customer content as needed. Purpose: host and deliver Muzluk, understand traffic and feature usage, and monitor reliability and performance.
• Cloudflare: DNS, edge security, bot protection, Turnstile, pre-clearance, and rate limiting. Data may include IP address, request metadata, browser or device signals, challenge outcomes, Turnstile tokens, and security cookies such as cf_clearance. Purpose: protect Muzluk from bots, spam, scraping, credential attacks, excessive requests, and abusive traffic.
• Google: planned primary AI text provider through Gemini 3.5 Flash, plus AI and embedding provider in deployments configured to use Google. Data includes AI inputs such as user entries, selected context, embeddings, some audio inputs, derived feed-background theme tags and short entry snippets, image prompts, plus resulting AI outputs. Purpose: parse entries, generate structure, suggest rewards and next actions, generate embeddings for search and memory, transcribe audio, generate feed background theme images with Google Nano Banana 2 / Gemini 3.1 Flash Image where enabled, and provide other Google-backed AI features.
• OpenAI: alternate, fallback, or feature-specific AI model provider in deployments configured to use OpenAI or GPT models. Data includes AI inputs such as user entries, selected context, and some audio inputs, plus resulting AI outputs. Purpose: parse entries, generate structure, suggest rewards, transcribe audio, and suggest next actions when OpenAI is the active provider.
• RevenueCat: subscription and entitlement management. Data may include app user id, email address, product identifiers, subscription status, entitlement status, transaction metadata, renewal status, cancellation status, refund status, and billing event records. Purpose: manage paid access.
• Stripe, Apple, Google, app stores, or other payment providers: payment processing. Data may include billing data, payment method details handled by the provider, transaction status, tax-related information, refund or chargeback status, fraud signals, and subscription plan. Purpose: process payments, renewals, cancellations, refunds, and disputes.
• Email provider, if used: email delivery. Data may include email address, account notices, and support messages. Purpose: send account and service emails.
• Analytics or crash provider, if used: product diagnostics. Data may include usage events, device data, and crash logs. Purpose: improve reliability and product quality.

Account content may remain until you delete it, delete your account, request deletion, or we remove it under our operational policies. Anonymous WhatsApp entries may remain attached to the anonymous channel identity until they are claimed, deleted, or removed.

After a verified deletion request, Muzluk aims to remove Muzluk-controlled active product data as soon as reasonably possible and within 30 days, unless a shorter period is required by law or a limited exception applies.

Operational records may be retained as needed for security, abuse prevention, debugging, accounting, legal compliance, and service reliability. When account or verified WhatsApp-only data is deleted, Muzluk keeps limited pseudonymous compliance audit records, without raw submitted content, for up to 24 months to prove deletion handling, security decisions, and legal compliance.

Payment and subscription records may be retained as needed for accounting, tax, fraud prevention, chargeback handling, provider reconciliation, legal compliance, customer support, and proof of paid-access decisions.

If a deletion request involves illegal content, child safety issues, credible threats, fraud, abuse, security incidents, legal process, regulatory obligations, or disputes, we may preserve, restrict, disclose, or report limited information where legally required or reasonably permitted. We try to narrow any preserved material to what is necessary for that purpose.

Backups, provider logs, fraud-prevention records, security records, and legally preserved records may take longer to expire or be overwritten according to their separate retention schedules.

Local browser or device data may remain until you clear local storage or uninstall the app.

Muzluk currently does not use advertising or third-party behavioral advertising cookies.

The service may use essential session, authentication, security, and preference technologies needed to keep you signed in, preserve session state, support abuse-prevention or rate-limit controls, remember core product preferences, and deliver the service safely.

Muzluk uses Cloudflare security technologies, including Turnstile and, where enabled, Cloudflare clearance cookies such as cf_clearance. These are used for security, bot protection, abuse prevention, and to let visitors who pass a security check avoid repeated challenges for a limited time. They are not used by Muzluk for advertising.

Muzluk may use limited analytics and performance tools, including Vercel Analytics and Vercel Speed Insights, to understand traffic, feature usage, reliability, performance, and Core Web Vitals metrics. Based on Vercel's current documentation, these tools are designed for privacy-friendly measurement rather than advertising cookies or cross-site behavioral tracking cookies.

During prelaunch, Muzluk may set an essential HTTP-only access cookie after an invited user opens a private access link. This cookie remembers that the browser is allowed to view the early app for a limited time and is not used for advertising.

Browser local storage, session storage, authentication sessions, security tokens, and similar client-side technologies may be used only to the extent needed to run the service.

If Muzluk later starts using advertising, marketing, or other non-essential cookies beyond the technologies described here, we will update this policy and provide a separate notice or consent mechanism where required.

• You may use anonymous access where available.
• You may choose whether to create a public profile or share specific entries.
• You may request access, correction, export, deletion, or restriction of your personal information by contacting us.
• You may stop using WhatsApp with Muzluk at any time by not messaging the Muzluk WhatsApp number, and you may request deletion of WhatsApp-linked data.
• Depending on where you live, you may have additional rights under laws such as KVKK, GDPR, UK GDPR, or U.S. state privacy laws.

Muzluk provides account deletion controls where available and also accepts deletion requests by email. The data deletion instructions are available at /data-deletion.

Deletion of Muzluk data does not delete your WhatsApp account, Meta account, Google account, Apple account, phone carrier account, email account, or data those providers independently control.

Muzluk is operated from Turkey, so Turkish Personal Data Protection Law No. 6698 applies. Muzluk processes personal data in line with KVKK principles, including lawfulness and fairness, accuracy where necessary, specific and legitimate purposes, relevance and proportionality, and retention only for the period required by the relevant purpose or law.

For KVKK purposes, the data controller is the Muzluk operator. Privacy requests can be sent to hello@muzluk.com. If a formal mailing address or representative becomes required, we will publish it in this policy.

Personal data is collected directly from you through the app, WhatsApp messages, account flows, device or browser storage, automated app events, Convex backend records, and service-provider integrations.

Our legal reasons may include performance of the service contract, legitimate interests that do not harm fundamental rights and freedoms, legal obligations, establishment, exercise, or protection of a right, data you make public through optional public features, and explicit consent where required.

Personal data may be transferred to provider categories described in this policy, including Convex, Vercel, OpenAI, Google, Meta/WhatsApp, authentication providers, email providers, security providers, analytics or crash providers, RevenueCat, Stripe, Apple, Google, app stores, and other payment providers. Some providers may process data outside Turkey.

Where KVKK requires a transfer mechanism for international processing, we will rely on an applicable mechanism such as an adequacy decision, appropriate safeguards, standard contracts, binding corporate rules, explicit consent, or another lawful basis available under KVKK.

• You may ask whether your personal data is processed.
• You may request information about processing and the purpose of processing.
• You may ask who personal data has been transferred to in Turkey or abroad.
• You may request correction of incomplete or inaccurate data.
• You may request deletion or destruction where legally available.
• You may request notification of correction, deletion, or destruction to recipients where legally available.
• You may object to unfavorable results arising from analysis exclusively by automated systems.
• You may request compensation if you suffer damage due to unlawful processing.

We use ownership checks, authentication controls, scoped backend functions, webhook signature verification, provider secrets, rate limits, and duplicate-message protection to reduce unauthorized access and abuse.

We use Cloudflare and Turnstile to help detect and reduce automated abuse, spam, credential attacks, scraping, and excessive request patterns. Passing a Turnstile check may create a Cloudflare clearance cookie that helps avoid repeated security challenges on Muzluk for a limited time.

To report abuse, illegal content, legal process, or urgent safety concerns, use /legal-requests. Do not send passwords, one-time codes, sensitive screenshots, or copies of illegal content unless we specifically ask for them.

No internet service can guarantee perfect security. If you believe your data or account is at risk, contact us promptly.

Muzluk is not intended for children under 13. We do not knowingly collect personal data from children under 13.

Users under 18 may use Muzluk only with permission from a parent or legal guardian, unless a higher minimum age applies in their country.

Because Muzluk uses game-like progression, variable virtual rewards, animations, streaks, ranks, multipliers, and re-engagement mechanics, we may limit or adjust certain features for younger users where required by law or where we believe it is appropriate for safety.

Bananas and other virtual rewards have no cash value and are not gambling, betting, wagering, lottery, sweepstakes, or prize mechanics.

If you believe a child provided personal information improperly, contact us.

We may update this Privacy Policy as the service changes. We will update the effective date and provide additional notice when required by law.