Color the Picture LogoColor the Picture

Privacy and Personal Data Protection Policy

Privacy and Personal Data Protection Policy

Last Updated: 14.06.2026

This Privacy and Personal Data Protection Policy (“Policy”) has been prepared by Color the Picture (“Platform”, “Data Controller”, or “Company”) as a legally and technically binding declaration to determine the procedures and principles regarding the processing of personal data of users (“Data Subject”), with the aim of ensuring full compliance with the provisions of relevant national and international legislation, including but not limited to the Law on the Protection of Personal Data No. 6698 of the Republic of Turkey (“KVKK”), the European Union General Data Protection Regulation (“GDPR” - Regulation 2016/679), the United States Children’s Online Privacy Protection Act (“COPPA”), and the California Consumer Privacy Act (“CCPA”).

1. Purpose and Scope

The primary purpose of this Policy is to inform all individuals who visit, register on, or in any way benefit from the services of the Platform, within the framework of transparency and fairness, about the legal bases, purposes, and methods of processing their personal data.

2. Personal Data Processed

Within the scope of transactions carried out through the Platform, only the minimum personal data required for the relevant purpose is processed, in adherence to the “Data Minimization” principle. As a rule, the Platform does not request or process special categories of personal data.

  • Identity and Contact Data: To fully use the Platform’s features (e.g., saving an in-progress coloring, premium subscription), when you log in via Google (OAuth), the name, surname, email address, and profile picture provided by Google are processed.
  • Transaction Security Data: To ensure system security, fulfill obligations under Law No. 5651, and prevent cyber-attacks, IP addresses, connection date, and time (log records) are processed.
  • User-Generated Content (UGC): Drafts saved by the user of their own free will, badges earned, and digital coloring artworks submitted to the “From Our Users” gallery are processed.
  • Financial / Subscription Data: If you use premium subscription and e-commerce (Print on Demand) services, your email address and membership ID are transferred to our global payment infrastructure provider, Lemon Squeezy, for billing purposes. The Platform never stores sensitive payment data such as credit card numbers or financial passwords on its own servers.

3. Children’s Privacy and COPPA Compliance Statement

The Platform offers a service accessible to children as part of its target audience and commits to strict compliance with the United States Children’s Online Privacy Protection Act (COPPA), GDPR Article 8, and other international child protection regulations.

  • Explicit Consent and Parental Control: The Platform does not knowingly collect personal data from children under the age of 13 (or between 13 and 16 in the European Economic Area, depending on the national laws of the member state) without “verifiable parental consent” from a legal parent or guardian. Parents can log in with their own (parental) Google accounts to manage their children’s progress.
  • Permission to Publish Artwork: The publication of coloring artworks (“UGC”) created by children on the Platform can only occur with the explicit consent (Opt-in) of the legal parent or guardian. Parents can request the permanent deletion of all data (Right to Erasure) at any time by contacting privacy@colorthepicture.com or by using the “Delete My Account” button on the profile screen.
  • Restrictions: The Platform does not engage in behavioral advertising, retargeting, or unauthorized profiling in areas of interest to children.

4. Purposes and Legal Bases for Processing Personal Data

Your personal data is processed based on the following legal grounds under Article 5 of the KVKK and Article 6 of the GDPR:

  • Explicitly Provided for by Law: Maintaining traffic logs in accordance with Law No. 5651 and processing subscription billing data as required by commercial/tax legislation.
  • Performance of a Contract: Providing premium membership services and operating user accounts.
  • Legitimate Interest of the Data Controller: Maintaining the core functionalities of the Platform, monitoring system performance, and ensuring information security.
  • Explicit Consent: Publishing artworks submitted by you and the use of cookies.

5. Domestic and International Transfer of Personal Data

Your processed personal data may be transferred in accordance with Articles 8 and 9 of the KVKK and Chapter 5 of the GDPR, with all necessary administrative and technical measures taken to ensure data security.

  • Legal Authorities: Data may be shared with relevant administrative and legal authorities as required by legal obligations arising from legislation.
  • International Transfer (Service Providers): Due to the Platform’s infrastructure and business models, your data is transferred to Google LLC for identity verification, Lemon Squeezy for payment/subscription processing, and server companies based in Europe/USA for hosting services. These transfers are conducted under frameworks that guarantee international security standards, such as an “Adequacy Decision” or “Standard Contractual Clauses” (SCCs) as per the GDPR.

6. Data Security, Breach Notification, and Retention Periods

The Platform implements advanced technical measures, such as SSL/TLS encryption protocols, to prevent the unlawful processing of and access to the personal data it handles.

  • Breach Notification: In the event of any data breach, the relevant Data Protection Authorities and the affected data subjects will be notified within the legally prescribed timeframes.
  • Retention and Deletion: Your data is stored as long as your membership is active. When you delete your account (or when legal statute of limitation periods expire), your data is deleted, destroyed, or anonymized in accordance with our Company’s Personal Data Retention and Deletion Policy.

7. Rights of the Data Subject and Application Procedure

As a data subject, you have the following rights under Article 11 of the KVKK, GDPR (Articles 15-22), and the CCPA:

  • Right to Information and Access (Right to Access)
  • Right to Rectification
  • Right to Erasure / Right to be Forgotten
  • Right to Restrict Processing and to Object (Right to Object/Restrict)
  • Right to Data Portability (Data Portability)

8. Dispute Resolution and Jurisdiction

The laws of the Republic of Turkey shall apply to the resolution of any legal disputes arising from the implementation and interpretation of this Policy, and the Istanbul Courts and Enforcement Offices shall have exclusive jurisdiction in the settlement of such disputes.

9. Contact Information

You may submit your requests regarding your rights through the communication channels specified below:

The Platform will process your request free of charge within thirty (30) days at the latest, depending on the nature of your request.

Color the Picture

© 2026 All rights reserved.

İletişim