Privacy Policy

Version 2.0 · Last updated: 14 July 2026

This Privacy Policy explains what personal data is processed, when, why, and on what legal basis when you use the Keyra keyboard application (the "App") on Android or iOS, and when you visit this website. Keyra is operated by Yunus Gülbüz (the "Controller", "we", "us"). For any privacy matter, contact us at aioffice.apps@gmail.com.

Keyra is built on a simple engineering principle: a keyboard should see as little as possible. This policy is written to be read; where a technical safeguard backs a claim, we say so.

Summary. We never log or transmit your keystrokes. Text leaves your device only when you explicitly trigger an AI action, is processed transiently on servers in the European Union solely to produce the result you requested, and is not stored by us. Your personal dictionary never leaves your device. We show no ads, use no third-party advertising or analytics SDKs, and never sell or share personal data for marketing purposes.

1. Scope

This policy covers (a) the Keyra app for Android, distributed via Google Play; (b) the Keyra app for iOS, distributed via the Apple App Store, where and when available; and (c) this website. It does not cover third-party services that operate under their own privacy policies (see Section 9).

2. Data we do not collect

3. Content you submit through AI actions

When you explicitly trigger an AI action — Fix, Tone, Dictate, Compose, Reply, or Translate — the relevant text (your selection, the contents of the current text field, your spoken instruction as transcribed text, or the copied message in the case of Reply) is transmitted over an encrypted connection (TLS) to our backend, hosted on Google Cloud (Firebase) in the European Union (europe-west1, Belgium).

Our backend forwards the text to Google's Gemini API to generate the result and returns the result to your keyboard. We do not store, log, or otherwise retain the content of your requests or the generated output on our systems; the content is processed transiently, for the sole purpose of fulfilling the request you initiated. Google's processing of API data is governed by the Gemini API Additional Terms. We do not permit our providers to use your content for advertising.

Input is limited to 4,000 characters per request, enforced on both the client and the server.

4. Dictation and the microphone

Android: the microphone is activated only while you are actively dictating, after you tap the microphone and grant Android's runtime microphone permission. Speech-to-text is performed by your device's speech recognition service (typically provided by Google); Keyra receives only the resulting transcript. Audio is never recorded by Keyra and never reaches our servers.

iOS: Apple does not allow keyboard extensions to access the microphone. Where dictation is offered on iOS, it is provided through the main Keyra app or the system's own voice input, under the same principle: Keyra processes only transcribed text, never audio.

5. iOS "Full Access" (Allow Full Access)

On iOS, a keyboard extension needs the "Allow Full Access" permission to make network requests. Keyra requests it solely so that the AI actions you trigger can reach our backend. With Full Access disabled, the keyboard continues to work fully as a regular keyboard — typing, suggestions, and the personal dictionary are entirely offline features. Full Access is never used to collect or transmit what you type.

6. Data stored only on your device

7. Account and usage data we store on our servers

To enforce fair daily limits and manage subscriptions, we maintain a minimal server-side record keyed to an anonymous account identifier created through Firebase Anonymous Authentication. By default no name, e-mail address, or phone number is requested or collected. The record contains:

Database access rules deny all direct client access; this data is written and read exclusively by our backend services.

Optional: linking a Google account

In Settings you may optionally link a Google account. This is not required to use Keyra — every feature, including Pro, works with the anonymous account. Its only purpose is to let you keep your quota and Pro entitlement when you change device or reinstall.

If you link one, the authentication service stores the e-mail address and display name from your Google profile alongside your account identifier. We do not receive your Google password, contacts, or any other Google data. You can disconnect the account at any time in Settings, or delete the account entirely (Section 10).

8. Purchases and payments

Keyra Pro subscriptions are sold and processed by the platform stores — Google Play on Android and the Apple App Store on iOS. We never receive or store your payment card details. We receive a purchase token or transaction receipt, which we verify directly with the respective store before activating your Pro entitlement, and we receive subscription lifecycle notifications (renewal, cancellation, expiry, refund) so your entitlement remains accurate. Refunds and billing disputes are handled by the store under its own policy.

9. Processors and third-party services

We use the following providers, strictly as processors for the purposes described in this policy:

We use no third-party advertising SDKs, no third-party analytics SDKs, and no social media trackers — in the App or on this website. This website sets no cookies and runs no visitor tracking.

10. Retention and deletion

Deleting your account. You can delete your account and all server-side data at any time, permanently: in the App, go to Settings → “Delete account and data”. This immediately deletes your account (including a linked e-mail address and name), your usage counters, and your subscription record. If you no longer have the App installed, you can request deletion by e-mail. Full instructions, and what deletion does and does not cover, are on our account & data deletion page.

Note that deleting your account does not cancel an active subscription — subscriptions are managed by the store and must be cancelled there.

11. Security

All network traffic is encrypted in transit (TLS 1.2+). AI provider credentials are stored in server-side secret management and are never embedded in the App. Backend endpoints verify that requests originate from genuine, unmodified installs of the App. The on-device personal dictionary uses the platform's encrypted storage. Access to production systems is limited to the Controller.

12. International transfers

Our servers are located in the European Union. Where a processor (such as Google) transfers data outside the EU/EEA in the course of providing its service, such transfers take place under that processor's compliance mechanisms, including the European Commission's Standard Contractual Clauses.

13. Legal bases (GDPR) and KVKK

Where the EU/UK General Data Protection Regulation applies, we rely on: performance of a contract (Art. 6(1)(b) — providing the keyboard and the AI features you request, managing your subscription) and legitimate interests (Art. 6(1)(f) — preventing abuse, enforcing fair-use limits, securing the service). We do not use personal data for profiling, automated decision-making producing legal effects, or advertising.

For users in Türkiye, personal data is processed in accordance with Law No. 6698 on the Protection of Personal Data (KVKK), on the legal grounds of Article 5(2)(c) (processing necessary for the performance of a contract) and Article 5(2)(f) (processing necessary for the legitimate interests of the controller). The Turkish version of this policy at /tr/gizlilik also serves as the KVKK information notice (aydınlatma metni).

14. Your rights

Subject to applicable law, you have the right to: access the personal data we hold about you; obtain a copy; request rectification or erasure; request restriction of processing; object to processing based on legitimate interests; and data portability. You also have the right to lodge a complaint with a supervisory authority — in the EEA, your local data protection authority; in Türkiye, the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu).

To exercise any right, e-mail us at aioffice.apps@gmail.com. We respond within the statutory period (30 days under KVKK; one month under GDPR, extendable where the law allows). Because accounts are anonymous, we may need the identifier shown in the App to locate data attributable to you.

15. Children

Keyra is not directed at children under 13 (or the higher minimum age applicable in your jurisdiction), and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.

16. Changes to this policy

We will post any changes on this page and update the version and date above. For material changes, we will provide notice in the App or on this website before the changes take effect. The version applicable to you is the one in force at the time of use.

17. Contact

Controller: Yunus Gülbüz
E-mail: aioffice.apps@gmail.com