Privacy Policy
Last updated: 26 April 2026 · Effective: 26 April 2026
This Privacy Policy describes how Tanzi Co. ("AUTOPSY", "we", "us", "our") collects, uses, shares, and protects personal information when you use the AUTOPSY iOS application or visit autopsyapp.com (together, the "Service"). It is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA), and other applicable data-protection laws.
Please read this policy together with our Terms of Service. By using the Service, you acknowledge the practices described here.
1. Who we are
The data controller for the Service is Tanzi Co. You can reach us, our privacy contact, and our representatives at support@autopsyapp.com for any privacy-related question, request, or complaint.
2. Scope
This policy applies to data collected through the AUTOPSY iOS app and the autopsyapp.com website. It does not apply to third-party services that integrate with AUTOPSY (such as Apple, Google, OpenAI, or RevenueCat); those services have their own privacy policies, summarized in section 7.
3. Information we collect
3.1 Account & profile data
- Authentication identifiers from Sign in with Apple, Google Sign-In, or email and password. We receive a unique user ID, an email address (which may be Apple's relay address if you use Hide My Email), and, for Apple sign-in, a one-time hint of your full name that we discard before storage.
- An auto-generated pseudonymous handle (for example, "SilentCoroner4F2"), which you can edit at any time from Settings. We do not store or display your real name.
- An avatar selection (an index into a fixed icon set; we never collect a profile photo).
- Your declared date of birth, used solely to enforce our 17+ age gate. The date is stored on your account record.
- Optional interests chosen during onboarding to personalize your feed.
- Notification preference and Firebase Cloud Messaging push token, stored on your account record so we can deliver opted-in notifications.
- Block list, used by the app to hide content from accounts you have blocked.
3.2 User-generated content
- Case screenshots. Before any image leaves your device, our on-device redaction pipeline detects and obscures faces, person names from a Turkish and English dictionary, phone numbers, email addresses, IBANs, credit-card numbers, license plates, QR codes, and avatar headers. Only the redacted image is uploaded; the original is never transmitted to our servers. Redaction is best-effort and not guaranteed — you are responsible for reviewing the redacted preview before publishing.
- Case titles, descriptions, and category.
- Comments and reactions you post on cases.
- Votes you cast. Each vote is recorded against your user ID so we can prevent duplicate voting and so the app can show you which cases you have already voted on. Aggregate vote counts and percentages are public; the identity of individual voters is not displayed in the feed but is technically associated with the vote record.
- Reports you submit against other content or users, including the category and any free-text explanation.
3.3 Device, network, and diagnostic data
- Device model, operating-system version, app version, language, and time zone.
- A Firebase Installation ID and a Firebase Cloud Messaging push token.
- Your IP address at the time of authentication, upload, and other server-side actions.
- Crash reports and stack traces collected by Firebase Crashlytics.
- Standard server logs from Cloud Functions (timestamps, status codes, request paths).
3.4 Usage and gamification data
Voting history, comment activity, daily-streak progress, XP and rank changes, badges earned, and notification interactions. We use this to operate the gamification system, calculate rank-weighted vote totals, and detect abuse such as automated voting.
3.5 Purchase data
When you buy a subscription or in-app product, your purchase is processed by Apple. We receive a transaction status, product identifier, and entitlement state from RevenueCat (our subscription-management provider). RevenueCat is keyed by your Firebase user ID. We do not see your payment card or Apple ID password.
3.6 Website data
Visitors to autopsyapp.com encounter a Cloudflare functional cookie used for security and bot mitigation. If a Google Analytics 4 measurement ID is configured, we load the GA4 script with IP anonymization on; GA4 stores a randomized client identifier in your browser and reports aggregate, non-identifying traffic metrics. We honor the Global Privacy Control browser signal.
4. How we use your information
- To provide the core Service: authentication, case publishing, voting, commenting, AI verdicts, and gamification.
- To moderate content, prevent abuse, and enforce our Terms of Service.
- To deliver notifications you have opted in to.
- To provide customer support.
- To debug crashes, investigate security incidents, and improve performance.
- To process subscriptions and refund inquiries through Apple and RevenueCat.
- To comply with legal obligations and respond to lawful requests from competent authorities.
5. Legal bases (EEA / UK)
- Performance of a contract (GDPR Art. 6(1)(b)) — for account creation, case publishing, voting, comment posting, AI verdict generation, and subscription delivery.
- Legitimate interests (GDPR Art. 6(1)(f)) — for safety, fraud and abuse prevention, anonymized analytics, and debugging. You may object on grounds relating to your particular situation.
- Consent (GDPR Art. 6(1)(a)) — for push notifications and any optional analytics that go beyond what is strictly necessary. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (GDPR Art. 6(1)(c)) — for retention of records we are required to keep, fulfilling court orders, and complying with App Store policies.
6. AI processing — what gets sent to OpenAI
AI verdicts ("AI Psychologist", "AI autopsy", "AI analysis") are generated by OpenAI's GPT-4o model accessed through OpenAI's API. AI verdicts are a paid feature available to subscribers.
- What we send to OpenAI: the case title, description, category, and aggregate vote split, plus any text our optical-character-recognition pipeline extracts from the redacted screenshots. This text passes through a server-side scrubber that removes person names, phone numbers, email addresses, IBANs, credit-card numbers, license plates, and similar identifiers a second time before the request leaves our infrastructure.
- What we do not send: screenshot images, audio, video, your account email, your Firebase UID, your IP address, or your device identifiers.
- Caching: the AI output is cached on the case record so repeat views do not re-call OpenAI.
- Rate limits: capped per user per day to prevent runaway cost and abuse.
- OpenAI's role: OpenAI processes the request as our processor under its API terms. Per OpenAI's policy for API customers, OpenAI does not train its models on AUTOPSY API traffic.
AI output is generated text that may be inaccurate, biased, or out of date. It is entertainment and discussion only and is not medical, psychological, psychiatric, legal, or financial advice. See section 6 of the Terms of Service for the full disclaimer.
7. Sharing & sub-processors
We do not sell or rent your personal information. We share it only with the following categories of recipients:
7.1 Service providers (sub-processors)
- Google LLC (Firebase) — Authentication, Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Crashlytics, and Analytics. Firebase processes data primarily in the United States.
- OpenAI, L.L.C. — generation of AI verdicts via the OpenAI API as described in section 6. United States.
- RevenueCat, Inc. — subscription receipt validation and entitlement management, keyed by your Firebase user ID. United States.
- Apple Inc. — In-App Purchase processing, Sign in with Apple, App Store delivery, and push-notification relay. United States.
- Cloudflare, Inc. — autopsyapp.com hosting, DNS, TLS, and security. Global edge network.
7.2 Public visibility
Anything you publish — your handle, avatar, case content, comments, reactions, badges, rank, and aggregate vote counts on cases you participate in — is visible to other users of the Service. Treat it as public.
7.3 Legal disclosures
We may disclose information when we have a good-faith belief that disclosure is required by a binding court order, prosecutor request, regulatory order, or other legal process from a competent authority. AUTOPSY brands itself as pseudonymous, not anonymous: we maintain the records described in this policy and will produce them in response to a valid legal instrument. Where permitted, we will notify the affected user.
7.4 Business transfers
If Tanzi Co. is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will require the recipient to honor commitments equivalent to those in this policy and will notify you of any material change.
8. International transfers
AUTOPSY is operated from Türkiye and uses sub-processors based in the United States and the European Economic Area. When personal data is transferred from the EEA, the United Kingdom, or Switzerland to a country that the European Commission has not deemed to provide an adequate level of protection, we rely on:
- The European Commission's Standard Contractual Clauses (Module 2 — controller-to-processor — or Module 3 where applicable);
- The UK International Data Transfer Addendum where the transfer is from the United Kingdom;
- The EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Framework where the recipient is certified.
We have conducted Transfer Impact Assessments and apply supplementary measures including encryption in transit and at rest, access controls, and contractual flow-downs to onward sub-processors. You may request a copy of the safeguards from support@autopsyapp.com.
9. How long we keep it
- Active cases: retained while live and for 180 days after the verdict closes; then archived or deleted unless flagged for moderation review.
- Comments and votes: retained while the underlying case exists; votes are anonymized at the case level when the case is deleted.
- Account record: retained until you delete your account.
- Authentication logs, IP addresses, device fingerprints: 12 months, primarily to support cooperation with lawful requests from competent authorities and abuse investigation.
- Crash and diagnostic logs: 90 days.
- Aggregate, de-identified analytics: retained indefinitely; cannot be used to re-identify you.
- Encrypted backups: overwritten on a 90-day rolling cycle.
- Post-deletion residue: a minimal record (account ID hash, deletion timestamp, IAP receipt hash) is retained for up to 24 months solely to comply with tax, fraud-prevention, and App Store reconciliation obligations.
10. Security
- TLS 1.2+ in transit; AES-256 at rest for Firebase Cloud Storage and Firestore.
- On-device PII redaction prior to upload, plus a server-side re-scrub before any text is sent to OpenAI.
- Server-side moderation rate limiting and abuse heuristics in Cloud Functions.
- Principle of least privilege for staff access; production database access requires two-factor authentication.
- Crash and Cloud Functions logs are reviewed for anomaly detection.
No system can be made perfectly secure. We do not promise that the Service will be free of vulnerabilities or that data will never be exposed by an attack, an unintended disclosure, or a service-provider incident. If a security incident affects your data, we will notify you and the relevant authorities as required by law.
11. Your rights
11.1 Rights under the GDPR and UK GDPR
If you are in the EEA, the United Kingdom, or Switzerland, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Request correction of inaccurate data (Art. 16);
- Request erasure (Art. 17);
- Restrict processing (Art. 18);
- Object to processing based on legitimate interests (Art. 21);
- Receive your data in a portable, machine-readable format (Art. 20);
- Withdraw consent at any time, where processing is based on consent (Art. 7(3));
- Lodge a complaint with your local data-protection supervisory authority.
11.2 Rights under the CCPA / CPRA
If you are a California resident, you have the right to:
- Know what personal information we have collected about you and how we use it;
- Request deletion of your personal information, subject to legal exceptions;
- Request correction of inaccurate personal information;
- Opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising — we do not sell or share personal information in this sense, and the Service does not run targeted advertising;
- Limit our use of "sensitive personal information" — we do not use sensitive personal information for purposes outside those allowed by §7027(m) of the CCPA regulations;
- Exercise these rights through an authorized agent;
- Be free from retaliation for exercising your rights.
Categories of personal information we have collected in the past 12 months: identifiers, internet/electronic activity, geolocation (city-level inferred from IP), inferences drawn from voting and gamification, commercial information (purchase history), and user content (screenshots, comments, votes).
11.3 How to exercise your rights
Most rights can be exercised inside the app: Settings → Account → Delete Account and Settings → Account → Export My Data. For anything else — including objection, restriction, or authorized-agent requests — email support@autopsyapp.com. We will verify your identity using the email associated with your account and respond within 30 days. There is no fee unless your request is manifestly unfounded or excessive.
12. Children
AUTOPSY is rated 17+ on the App Store and is not directed at, intended for, or designed to attract children under 17. We refuse signups where the declared date of birth indicates the user is under 17. You agree, when uploading a screenshot, that every person depicted in the conversation is 18 or older. If we become aware that we have collected personal information from a child under 17, we will delete it. To report a suspected underage user or a screenshot involving a minor, email support@autopsyapp.com.
13. iOS permissions, Sign in with Apple, and tracking
- Photo Library — requested when you upload a case so you can pick screenshots. We request limited access where possible.
- Notifications — requested after your first meaningful action so we can deliver opted-in alerts.
- App Tracking Transparency (ATT) — AUTOPSY does not track you across apps and websites owned by other companies. We do not present an ATT prompt and do not use IDFA for advertising.
- Sign in with Apple — when you choose Sign in with Apple, Apple may share a relay email address rather than your real address. We accept the relay address and rely on it for support correspondence. Apple's privacy practices for Sign in with Apple are governed by Apple's policy.
- Privacy Manifest. The app ships with an Apple Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data types we collect, the linkage and tracking status of each, and the required-reason APIs we call. The App Store "App Privacy" nutrition label on our App Store page summarizes this disclosure.
14. Cookies and similar technologies
The iOS app does not use cookies; it stores authentication tokens in the iOS Keychain and uses identifiers maintained by the iOS SDKs we integrate (Firebase Installation ID, Firebase Cloud Messaging push token). On autopsyapp.com we set a single Cloudflare functional cookie for security and, when configured, a Google Analytics client identifier with IP anonymization enabled.
15. Account deletion
You can delete your account at any time from Settings → Account → Delete Account. When you confirm:
- We immediately disable login and remove your profile and uploaded screenshots from public view;
- We queue your account record, screenshots, comments, reports, and gamification state for deletion from our production systems within 30 days;
- Encrypted backups containing residual copies are overwritten on a 90-day rolling cycle;
- Your votes are anonymized rather than deleted, so jury integrity and aggregate verdicts are preserved;
- We retain a minimal residue (account ID hash, deletion timestamp, IAP receipt hash) for up to 24 months solely for tax, fraud-prevention, and App Store reconciliation.
16. Changes to this policy
We may update this policy as the Service, our sub-processors, or applicable law evolves. For material changes, we will announce them inside the app and on this page at least 14 days before they take effect, and where required by law we will seek renewed consent. The "Last updated" date at the top of this page reflects the most recent revision.
17. Contact and complaints
For any privacy question, request, or complaint, write to support@autopsyapp.com. If you are in the EEA, the United Kingdom, or California, you have the right to lodge a complaint with your local data-protection or consumer-protection authority.
This document is provided in English. A translation in your language can be requested at support@autopsyapp.com.