Privacy Policy
Version 2.0 · Last updated: 14 July 2026
This Privacy Policy explains what personal data is processed, when, why, and on what legal basis when you use the Keyra keyboard application (the "App") on Android or iOS, and when you visit this website. Keyra is operated by Yunus Gülbüz (the "Controller", "we", "us"). For any privacy matter, contact us at aioffice.apps@gmail.com.
Keyra is built on a simple engineering principle: a keyboard should see as little as possible. This policy is written to be read; where a technical safeguard backs a claim, we say so.
1. Scope
This policy covers (a) the Keyra app for Android, distributed via Google Play; (b) the Keyra app for iOS, distributed via the Apple App Store, where and when available; and (c) this website. It does not cover third-party services that operate under their own privacy policies (see Section 9).
2. Data we do not collect
- Keystrokes and typed content. Everything you type is processed exclusively on your device in order to render the keyboard, apply auto-capitalisation, and show word suggestions. Typed content is never logged, never stored on our servers, and never transmitted while you type. There is no telemetry attached to typing.
- Clipboard, in the background. The clipboard is read at exactly one moment: when you tap the Reply (💬) action, in order to draft a reply to the message you copied. The App never reads the clipboard proactively or in the background.
- Secure and password fields. In fields detected as password or sensitive inputs, AI features, word suggestions, and word learning are disabled automatically.
- Contacts, call logs, location, browsing history, advertising identifiers. Not accessed, not collected.
3. Content you submit through AI actions
When you explicitly trigger an AI action — Fix, Tone, Dictate, Compose, Reply, or Translate — the relevant text (your selection, the contents of the current text field, your spoken instruction as transcribed text, or the copied message in the case of Reply) is transmitted over an encrypted connection (TLS) to our backend, hosted on Google Cloud (Firebase) in the European Union (europe-west1, Belgium).
Our backend forwards the text to Google's Gemini API to generate the result and returns the result to your keyboard. We do not store, log, or otherwise retain the content of your requests or the generated output on our systems; the content is processed transiently, for the sole purpose of fulfilling the request you initiated. Google's processing of API data is governed by the Gemini API Additional Terms. We do not permit our providers to use your content for advertising.
Input is limited to 4,000 characters per request, enforced on both the client and the server.
4. Dictation and the microphone
Android: the microphone is activated only while you are actively dictating, after you tap the microphone and grant Android's runtime microphone permission. Speech-to-text is performed by your device's speech recognition service (typically provided by Google); Keyra receives only the resulting transcript. Audio is never recorded by Keyra and never reaches our servers.
iOS: Apple does not allow keyboard extensions to access the microphone. Where dictation is offered on iOS, it is provided through the main Keyra app or the system's own voice input, under the same principle: Keyra processes only transcribed text, never audio.
5. iOS "Full Access" (Allow Full Access)
On iOS, a keyboard extension needs the "Allow Full Access" permission to make network requests. Keyra requests it solely so that the AI actions you trigger can reach our backend. With Full Access disabled, the keyboard continues to work fully as a regular keyboard — typing, suggestions, and the personal dictionary are entirely offline features. Full Access is never used to collect or transmit what you type.
6. Data stored only on your device
- Personal dictionary and prediction data. Words you use and next-word patterns are learned locally to improve suggestions. They are stored in encrypted storage on your device (hardware-keystore-backed where available), are excluded from cloud backups and device-to-device transfers, are never transmitted to our servers, and are deleted when you uninstall the App. Learning is disabled in password fields.
- Settings. Keyboard languages, theme, haptics, and similar preferences.
- Display counters. A local, cosmetic copy of your daily usage numbers shown on the App's usage page.
7. Account and usage data we store on our servers
To enforce fair daily limits and manage subscriptions, we maintain a minimal server-side record keyed to an anonymous account identifier created through Firebase Anonymous Authentication. By default no name, e-mail address, or phone number is requested or collected. The record contains:
- a per-day counter of AI actions used (a number — never the content);
- if you subscribe to Keyra Pro: your entitlement status and the subscription metadata provided by the store (plan identifier, validity dates, order/purchase references, renewal state).
Database access rules deny all direct client access; this data is written and read exclusively by our backend services.
Optional: linking a Google account
In Settings you may optionally link a Google account. This is not required to use Keyra — every feature, including Pro, works with the anonymous account. Its only purpose is to let you keep your quota and Pro entitlement when you change device or reinstall.
If you link one, the authentication service stores the e-mail address and display name from your Google profile alongside your account identifier. We do not receive your Google password, contacts, or any other Google data. You can disconnect the account at any time in Settings, or delete the account entirely (Section 10).
8. Purchases and payments
Keyra Pro subscriptions are sold and processed by the platform stores — Google Play on Android and the Apple App Store on iOS. We never receive or store your payment card details. We receive a purchase token or transaction receipt, which we verify directly with the respective store before activating your Pro entitlement, and we receive subscription lifecycle notifications (renewal, cancellation, expiry, refund) so your entitlement remains accurate. Refunds and billing disputes are handled by the store under its own policy.
9. Processors and third-party services
We use the following providers, strictly as processors for the purposes described in this policy:
- Google Firebase / Google Cloud — backend hosting (EU region), anonymous authentication, database, remote configuration, and abuse protection (Play Integrity / App Check; Apple device attestation on iOS where applicable).
- Google Gemini API — generation of the AI results you request.
- Google Play (Android) and Apple App Store (iOS) — distribution, billing, and subscription management under their own terms and privacy policies.
We use no third-party advertising SDKs, no third-party analytics SDKs, and no social media trackers — in the App or on this website. This website sets no cookies and runs no visitor tracking.
10. Retention and deletion
- AI request content: not retained (processed transiently; see Section 3).
- Daily usage counters: one value per day per account; superseded when the day ends.
- Subscription records: kept while the subscription is active and thereafter only as long as necessary for accounting, dispute resolution, and fraud prevention.
- On-device data: deleted by uninstalling the App.
Deleting your account. You can delete your account and all server-side data at any time, permanently: in the App, go to Settings → “Delete account and data”. This immediately deletes your account (including a linked e-mail address and name), your usage counters, and your subscription record. If you no longer have the App installed, you can request deletion by e-mail. Full instructions, and what deletion does and does not cover, are on our account & data deletion page.
Note that deleting your account does not cancel an active subscription — subscriptions are managed by the store and must be cancelled there.
11. Security
All network traffic is encrypted in transit (TLS 1.2+). AI provider credentials are stored in server-side secret management and are never embedded in the App. Backend endpoints verify that requests originate from genuine, unmodified installs of the App. The on-device personal dictionary uses the platform's encrypted storage. Access to production systems is limited to the Controller.
12. International transfers
Our servers are located in the European Union. Where a processor (such as Google) transfers data outside the EU/EEA in the course of providing its service, such transfers take place under that processor's compliance mechanisms, including the European Commission's Standard Contractual Clauses.
13. Legal bases (GDPR) and KVKK
Where the EU/UK General Data Protection Regulation applies, we rely on: performance of a contract (Art. 6(1)(b) — providing the keyboard and the AI features you request, managing your subscription) and legitimate interests (Art. 6(1)(f) — preventing abuse, enforcing fair-use limits, securing the service). We do not use personal data for profiling, automated decision-making producing legal effects, or advertising.
For users in Türkiye, personal data is processed in accordance with Law No. 6698 on the Protection of Personal Data (KVKK), on the legal grounds of Article 5(2)(c) (processing necessary for the performance of a contract) and Article 5(2)(f) (processing necessary for the legitimate interests of the controller). The Turkish version of this policy at /tr/gizlilik also serves as the KVKK information notice (aydınlatma metni).
14. Your rights
Subject to applicable law, you have the right to: access the personal data we hold about you; obtain a copy; request rectification or erasure; request restriction of processing; object to processing based on legitimate interests; and data portability. You also have the right to lodge a complaint with a supervisory authority — in the EEA, your local data protection authority; in Türkiye, the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu).
To exercise any right, e-mail us at aioffice.apps@gmail.com. We respond within the statutory period (30 days under KVKK; one month under GDPR, extendable where the law allows). Because accounts are anonymous, we may need the identifier shown in the App to locate data attributable to you.
15. Children
Keyra is not directed at children under 13 (or the higher minimum age applicable in your jurisdiction), and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.
16. Changes to this policy
We will post any changes on this page and update the version and date above. For material changes, we will provide notice in the App or on this website before the changes take effect. The version applicable to you is the one in force at the time of use.
17. Contact
Controller: Yunus Gülbüz
E-mail: aioffice.apps@gmail.com