N
News Analysis

Privacy Policy

Last updated: 2026-05-10

At News Analysis ("we", "the service") we process personal data in accordance with GDPR, KVKK, and other applicable data protection regulations. This policy describes the categories of data we process, the purposes, the recipients, retention periods, and your rights.

Data We Process

  • Account: name, email, profile photo (via Google OAuth)
  • Usage: topics followed, notification preferences, country, language
  • Technical: anonymized IP address, browser type, device info, session cookies
  • AI assistant conversations: messages you send and our responses, the model used, token counts
  • Analytics & session recordings (opt-in): page views, click events, performance metrics, and privacy-masked replays of your interactions; form input contents are masked
  • Advertising (opt-in): Google AdSense cookies for personalised ads

Purposes & Lawful Basis

  • Operating the service, authenticating users, and delivering news and notifications — performance of contract
  • Service quality, error diagnosis, abuse prevention — legitimate interests
  • Analytics, session recordings, advertising — your consent (withdrawable at any time)
  • Compliance with legal obligations — legal obligation

Administrative Account Access ("Act-As" / Impersonation)

To resolve support requests we cannot reproduce on our own accounts (e.g. "my feed appears empty"), an authorised member of our staff may, under specific conditions, temporarily view your account as if they were you. We refer to this internally as an act-as or impersonation session.

Lawful basis: performance of contract (resolving the support request you raised) and our legitimate interests in maintaining service quality — GDPR Art. 6(1)(b), 6(1)(f); KVKK Art. 5(2)(c), 5(2)(f). We process the minimum scope of personal data needed for the support purpose.

What this means in practice:

  • A trained staff member can view your account. During an act-as session, an admin sees the same data you would see — your feeds, topics, alerts, assistant conversations, settings. They never see your password or authentication credentials.
  • Each session is time-limited. Sessions automatically expire after no more than thirty (30) minutes. To continue, the staff member must open a new session and record a new reason.
  • Each session is logged. Identity of the staff member, start and end timestamps, the reason entered, and limited technical metadata (IP, browser fingerprint) are recorded for as long as your account is active and anonymised on account-deletion request.
  • You can review the history at any time. Open Account → Security → Activity in the application. You will see a chronological list of every act-as session that targeted your account, with start / end timestamps and the reason the session ended.
  • You will not receive an active notification when a session begins. This is a deliberate design choice. We determined that an interruption-style alert is more likely to alarm users about routine support work than to inform them, and that it is not an effective consent channel — by the time you would receive a notification, the action would already be under way. The Account → Security → Activity page is the permanent, passive record. If you wish to be notified actively in the future, please contact us; we will reassess this design choice in light of demand.
  • Staff cannot perform certain actions on your behalf, even during a session. The application enforces a deny-list at the server level. While impersonating you, a staff member cannot:
    • change your email address or password
    • delete your account
    • cancel your subscription
    • accept legal consents on your behalf (Terms of Service, KVKK / GDPR consents, marketing opt-ins)
    • link or unlink your authentication providers (e.g. Google sign-in)
    • generate, view, or revoke API keys
    • change your account role
    • modify your push-notification routing or preferences
    • modify your account profile (name, language, country, time zone)
    Any attempt to perform these actions returns an error and is logged for review.

Your rights regarding this processing. Under KVKK Art. 11 and GDPR Art. 12–22 you may, in particular: access the records of staff access to your account (already available passively at Account → Security → Activity; for a formal copy, write to [email protected]); request rectification or erasure; object to or restrict processing; or lodge a complaint with the competent supervisory authority (in Türkiye, the KVKK Kurumu). We respond within thirty (30) days as required by KVKK Art. 13.

Recipients

We share data with the following processors; their own privacy policies apply:

  • Google (OAuth, AdSense, FCM)
  • GDELT Project — news data source
  • OpenObserve — analytics & error monitoring (self-hosted, consent-based)

Some processors are based outside the EU/UK. Such transfers rely on Standard Contractual Clauses or equivalent safeguards under GDPR Art. 46.

Cookies

A mandatory session cookie keeps you signed in. On first visit we ask consent for analytics, session recordings, and advertising cookies; you can change preferences at any time via the cookie banner.

Retention

  • Account, usage, AI conversations: until you delete them or your account
  • Session recordings: 30 days
  • Analytics events: 90 days
  • Longer where required by law (e.g. tax, fraud)

Security

Data is transmitted over TLS-encrypted channels; access is limited to authorised personnel.

Your Rights (GDPR / KVKK)

You have the right to access, correct, delete, restrict, port, or object to the processing of your data, to withdraw consent at any time, and to lodge a complaint with your local data protection authority. You can delete AI conversations from the assistant page; account deletion removes all associated data. For other requests, write to [email protected].

Contact

[email protected]