Macro Handler

Macro Handler

Android Automation Platform

Privacy Policy

Son guncelleme: 2026-04-05Last updated:

1. Introduction

This Privacy Policy explains how your personal data is collected, processed, stored, and protected by the Macro Handler application ("App") and the macrohandler.com website ("Website"). Macro Handler is an automation platform for Android devices that provides macro creation, editing, execution, and sharing features.

By using the App or the Website, you acknowledge and agree to the data processing practices described in this Privacy Policy. We encourage you to read this policy carefully to understand how we handle your data.

This policy has been prepared in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK) and the European Union General Data Protection Regulation (GDPR).

2. Data Controller

The data controller within the meaning of Article 3 of the KVKK and Article 4 of the GDPR is:

  • Operator / Business: ESAT ACAR
  • Website: macrohandler.com
  • Email: support@macrohandler.com
  • Address: 50. YIL MAH. 2004. SK. NO:34 IC KAPI NO:2 SULTANGAZI/ISTANBUL
  • Country: Turkey
  • Registration Number: 0030575719
  • Tax Number: 0030575719

In this policy, "Macro Handler" refers to the service provided by ESAT ACAR. You may direct all questions, requests, and complaints regarding the processing of your personal data to the email address above. You may also use this contact channel to exercise your right of application to the data controller under the KVKK.

3. Information We Collect

3.1. Account Data

To use sharing and license features, you are required to sign in with your Google account. During this process, the following data is collected:

  • Google user identifier (UID)
  • Email address
  • Display name
  • Profile photo URL or profile photo data

This data is obtained through Firebase Authentication and is used for account verification, license management, and sharing functionality.

If you provide a profile photo, it may be used to display your account identity in the profile interface, forum, and community surfaces. Any profile photo shown on community content is processed as part of the public-facing identity of your account.

3.2. Device Data

The following device information is collected for the purpose of license binding and ensuring macro compatibility:

  • Install-scoped device binding identifier
  • Device model and manufacturer
  • Screen resolution and DPI value
  • Android version

On new installs, license binding uses an install-scoped identifier stored in the app no-backup area; it is not derived from a hardware identifier. Screen resolution and DPI information are necessary to ensure macros function correctly across different devices.

3.3. Usage Data

The following data is collected for the purpose of improving application stability and service quality:

  • Crash reports collected via Firebase Crashlytics (error stack traces, device state, operating system version)
  • Anonymous analytics events collected via Firebase Analytics (feature usage frequency, session duration)

3.4. Macro Sharing Data

When you use the macro sharing feature, the following data is stored in Firebase Firestore:

  • Shared macro metadata (name, description, creation date)
  • Recipient account identifier (recipient UID) and masked recipient contact hints when needed
  • Sharing duration and expiry date
  • Identity of the sharing user

Direct macro shares are authorized primarily through the recipient account identifier (recipient UID). If an email address is used to find the target account or manage a pending share, it is not shown publicly and may be retained only as routing metadata, a masked contact hint, or for backward compatibility.

3.5. Macro Content

During the sharing process, macro content (script files, template images, and settings) is stored in encrypted form in Firebase Storage. This data is accessible only by authorized recipients.

3.6. Screen Capture Data

IMPORTANT: Screen capture data is processed ONLY on-device for the purpose of image matching (template matching). This data is NEVER uploaded to our servers, stored externally, or shared with third parties. All image processing operations occur entirely in the local memory of your device.

4. Legal Basis for Processing

Your personal data is processed on the basis of the following legal grounds under Article 5 of the KVKK and Article 6 of the GDPR:

4.1. Explicit Consent

When you sign in with your Google account, you provide explicit consent for the collection and processing of your account data (UID, email, display name). You may withdraw this consent at any time by deleting your account.

4.2. Legitimate Interest

Crash reports and analytics data are processed under our legitimate interest to improve our service, fix errors, and enhance user experience. This processing is proportionate to user rights and is carried out in accordance with the data minimization principle.

4.3. Contract Performance

License management, device binding, and macro sharing features fall under data processing necessary for the performance of the service contract offered to you. Without this processing, the relevant features cannot be provided.

4.4. Legal Obligation

In the event that we have a legal obligation under Turkish law or applicable legislation, your personal data may be transferred to the relevant authorities and institutions.

5. How We Use Your Information

The collected personal data is used for the following purposes:

  • Authentication and account management: Secure sign-in with your Google account and management of account operations
  • License management: Verification of your license status, device binding, and access control for premium features
  • Macro sharing: Secure sharing of your macros with designated recipients, management of access durations and permissions
  • Crash analysis: Detection of application errors, investigation of root causes, and implementation of fixes
  • Service improvement: Improvement of application features and performance based on anonymous usage statistics
  • Security: Prevention of unauthorized access, fraud, and abuse attempts
  • Communication: Informing you about important service changes, security notifications, or policy updates

6. Data Sharing and Third Parties

6.1. Firebase (Google)

The following Firebase services form the foundation of our data processing infrastructure. These services operate under Google's privacy policy and data processing terms:

  • Firebase Authentication: User authentication and session management
  • Firebase Firestore: Macro sharing metadata, license information, and user preferences
  • Firebase Storage: Storage of shared macro content (scripts, templates, settings)
  • Firebase Crashlytics: Application crash reports and error diagnostics
  • Firebase Analytics: Anonymous usage statistics and event tracking

6.1.1. Data Processing Roles of Firebase Services

  • Firebase Analytics: Collects and reports anonymous usage data. Does not directly identify users; analyzes events in aggregate.
  • Firebase Crashlytics: Collects application crash reports. Processes technical data including error stack traces, device state, and operating system information.
  • ML Kit (on-device): Image processing operations are performed entirely on-device. Data is not sent outside the device.
  • Firebase Auth: Provides user authentication and session management. Processes Google account information (UID, email, display name).

Data processed through Google Firebase services is subject to Google's data processing policies.

6.1.2. Subprocessors

The subprocessors used in our data processing chain are listed below. These services are used only to technically deliver the service and satisfy security requirements.

  • Google Firebase: Authentication, Firestore, Storage, Crashlytics, Analytics
  • Google Cloud Functions: Server-side licensing, security, rate-limiting, and audit flows
  • Google Cloud Platform (altyapi): Infrastructure, networking, and logging layer

Google/Firebase data processing terms and regional transfer rules are defined in their official documentation. Data is processed only for the purposes described in this policy.

6.2. Optional AI Providers

The AI assistant in the app runs only when you explicitly use it. Macro Handler does not provide the required API credentials; you enter your own API key for the selected provider, such as Google AI Studio, OpenAI, Anthropic, or OpenRouter.

When you send an AI request, the prompt content, relevant chat context, and generated response are transmitted directly to the third-party provider you selected. This flow is not advertising-related data sharing. Your AI API keys are stored in encrypted local storage on your device and are not routinely uploaded to our service backend.

6.3. We Do Not Sell Your Data

Your personal data is never sold, rented, or commercially marketed to third parties under any circumstances. Your data is processed solely for the purposes stated in this policy.

6.4. Legal Requirements

Your personal data may be transferred to relevant authorities upon the lawful request of competent courts, prosecutors, or administrative authorities under Turkish law. Such transfers are carried out solely for the purpose of fulfilling legal obligations and within the limits prescribed by applicable legislation.

7. Data Retention

Your personal data is retained for the duration required by the purpose of collection or within the periods determined by our legal obligations:

  • Account data: Retained for as long as your account remains active. Once your deletion request is verified, eligible remote account data is removed within 30 days at the latest; records subject to legal retention may be kept separately.
  • Support / appeal drafts: Support or appeal drafts are kept in temporary browser storage and automatically expire after 30 minutes.
  • Auth and admin portal recovery entries: Auth redirect recovery markers, short-lived auth/callable incident records, and admin portal handoff session keys are stored primarily in sessionStorage; they are cleared when the browser session ends or when the related recovery flow completes.
  • Local admin summary cache: A local admin dashboard summary cache may be stored in localStorage only for the relevant administrator account and is removed when the sign-in context changes, when a newer summary replaces it, or when browser storage is cleared.
  • Shared macros: Retained until the sharing period expires or the sharing user revokes the share. Data of expired shares is automatically cleaned up.
  • Crash data: Crash reports collected by Firebase Crashlytics are retained for 90 days and are automatically deleted at the end of this period.
  • Analytics data: Anonymous usage data collected by Firebase Analytics is retained for 14 months.
  • Audit and security logs: Hot logs retained for fraud prevention, abuse analysis, and operational audit are stored for 90 days; longer retention applies only to separate record classes that must be preserved by law.
  • Device data: The install-scoped device binding identifier used for license binding is retained for as long as the associated license remains active.

8. Your Rights Under KVKK

In accordance with Article 11 of the Personal Data Protection Law No. 6698, you may exercise the following rights by applying to us as the data controller:

  • Right to be informed: The right to learn whether your personal data is being processed.
  • Right to request information about processing: The right to request information regarding the processing of your personal data if it has been processed.
  • Right to know purpose and compliance: The right to learn the purpose of processing your personal data and whether it is used in accordance with that purpose.
  • Right to know third-party transfers: The right to know the third parties to whom your personal data has been transferred domestically or abroad.
  • Right to correction: The right to request correction of your personal data if it has been processed incompletely or inaccurately.
  • Right to deletion and destruction: The right to request deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the KVKK.
  • Right to notification: The right to request that correction, deletion, or destruction operations be notified to third parties to whom personal data has been transferred.
  • Right to object to automated processing: The right to object to any result that arises against you through the exclusive analysis of processed data via automated systems.
  • Right to compensation: The right to claim compensation for damages incurred due to the unlawful processing of your personal data.

You may submit your application in writing to support@macrohandler.com along with information that verifies your identity. Applications are concluded free of charge within 30 days at the latest. If the process requires an additional cost, a fee may be charged based on the tariff determined by the Personal Data Protection Board.

8.1. Data Deletion Request SLA

Your request for deletion of personal data will be processed within 30 (thirty) days. You will be notified via email once the deletion is complete.

8.2. Data Retained After Deletion

Due to legal obligations (tax, accounting, crime prevention), certain data may be retained for the duration of legally mandated retention periods. This data includes invoice information, license activation records, and audit records that must be preserved separately by law.

8.3. Data Portability

Under KVKK Article 11/c and GDPR Article 20, you may request your personal data in a structured, commonly used, and machine-readable format.

8.4. How to Submit a Request to the Data Controller

You may submit your requests to support@macrohandler.com or through the in-app Settings > Account > Delete Account flow. Your request will be concluded within 30 days.

9. Your Rights Under GDPR

For users located within the European Economic Area (EEA), the following additional rights apply under the GDPR:

  • Right of access (Article 15): The right to request a copy of your personal data being processed.
  • Right to rectification (Article 16): The right to request rectification of inaccurate or incomplete personal data.
  • Right to erasure / Right to be forgotten (Article 17): The right to request erasure of your personal data under certain conditions.
  • Right to restriction of processing (Article 18): The right to request restriction of processing of your personal data in certain circumstances.
  • Right to data portability (Article 20): The right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Article 21): The right to object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Article 22): The right not to be subject to decisions based solely on automated processing that produce legal effects.

9.1. Data Portability Details

Under KVKK Article 11/c and GDPR Article 20, you may request your personal data in a structured, commonly used, and machine-readable format. You may submit this request to support@macrohandler.com or through the in-app Settings > Account > Delete Account flow.

9.2. Automated Decision-Making

The application does not use any automated decision-making (profiling) mechanism. No profiling, automated evaluation, or automated decisions affecting users are made on user data.

10. Screen Capture and Accessibility Permissions

Macro Handler uses the Android operating system's screen capture and accessibility services to perform automation functions. Important information regarding the use of these permissions is provided below:

10.1. Screen Capture

  • Screen capture is used ONLY to run image matching (template matching) algorithms.
  • Captured screen images are processed only in the device's temporary memory (RAM).
  • Screen images are NEVER transmitted outside the device, uploaded to servers, or permanently stored.
  • Screen capture data is NOT shared with third parties in ANY way.
  • After processing is complete, the image data is immediately cleared from memory.

10.2. Accessibility Service

  • The accessibility service is used ONLY to perform automation actions such as taps and swipes.
  • There is NO keylogging functionality through the accessibility service.
  • Text fields, passwords, or other personal data are NOT collected through the accessibility service.
  • The accessibility service does not perform any operation outside of user-created macro instructions.

In summary: These permissions are used solely for macro automation functions. They are ABSOLUTELY NOT used for surveillance, data collection, content analysis, or user behavior tracking purposes.

11. Children's Privacy

Macro Handler is not directed at children under the age of 13. We do not knowingly collect personal data from individuals under the age of 13. If we become aware that an individual under the age of 13 has provided us with personal data, we will take immediate steps to delete such data.

Users between the ages of 13 and 18 may use the application only with the consent of a parent or legal guardian. Parents or legal guardians may exercise their rights regarding the processing of their children's data by contacting support@macrohandler.com.

12. International Data Transfer

Macro Handler uses the Firebase (Google) infrastructure. Firebase servers may be located in countries outside of Turkey (including the United States). This means that your personal data may be transferred abroad.

The following safeguards are in place during such transfers:

  • Google is a participant in the EU-US Data Privacy Framework.
  • Data processing agreements with Google include Standard Contractual Clauses (SCCs) under Article 46 of the GDPR.
  • Data is protected with encryption both during transfer and on servers.
  • In accordance with Article 9 of the KVKK, transfers are made to countries with an adequate level of protection or in cases where an adequate protection commitment is provided.

13. Data Security

We implement the following technical and administrative measures to ensure the security of your personal data:

  • All data transfers are encrypted using HTTPS/TLS protocols.
  • Database and storage access is controlled through Firebase security rules.
  • User data is stored encrypted on Firebase servers.
  • Authentication operations are securely performed through Google's OAuth 2.0 infrastructure.
  • Data access is restricted using the principle of least privilege.
  • Regular security assessments and updates are performed.

Despite all these measures, we would like to note that no data transmission over the internet or electronic storage method is 100% secure. In the event of a possible data breach, the Personal Data Protection Board and the relevant data subjects will be notified as soon as possible in accordance with Article 12 of the KVKK.

14. Cookies and Local Storage

The macrohandler.com website does not create its own traditional cookie files. However, third-party services used for authentication and analytics (Firebase Authentication, Firebase Analytics) may place their own technical cookies. Additionally, it may use browser storage (localStorage and sessionStorage) for the following purposes:

  • Language preference: To remember your selected interface language.
  • Cookie consent preference: To store your cookie and analytics preferences.
  • Theme preference: To remember your selected display theme.
  • Auth and admin portal recovery state: To preserve redirect state, incident recovery, and the active admin portal session.
  • Support and moderation drafts: To hold short-lived support or appeal drafts and cached local admin summaries.

We also use browser storage: the keys macrohandler_cookie_consent, theme, and macrohandler_web_lang are stored in localStorage until you change or clear them; support or appeal drafts are stored first in sessionStorage under macrohandler.appealDraft.<draftId> and may be recovered only from legacy localStorage entries for backward compatibility; forum_topic_view_<topicId> debounce markers are stored in localStorage; mh_auth_redirect_pending and mh_auth_redirect_pending_at are stored in sessionStorage first, but a short-lived localStorage fallback may be used only when the browser blocks sessionStorage during redirect recovery; mh_auth_last_incident and mh_secure_callable_last_incident are short-lived sessionStorage entries used for failed auth or secure callable recovery; mh_admin_portal_google_handoff, mh_admin_portal_unlock_token, and mh_admin_portal_client_session_id are stored only in sessionStorage for the active admin portal session; and mh_admin_dashboard_summary:<uid> may be stored in localStorage for cached admin dashboard summaries. These items are not used for advertising or cross-site tracking.

These entries remain primarily in browser storage on your device; they are not copied to the server unless the related backend flow itself submits data separately. You can clear localStorage and sessionStorage from your browser settings at any time, but doing so may reset sign-in recovery, support draft continuity, or the active admin portal session.

15. KVKK Disclosure Obligation (Article 10)

In accordance with Article 10 of the KVKK No. 6698, we have the obligation to inform you as the data controller regarding the following matters related to the processing of your personal data:

  • Identity of Data Controller: ESAT ACAR - support@macrohandler.com
  • Processing Purpose: Account management, license verification, macro sharing, service improvement, security
  • Legal Basis: Explicit consent, contract performance, legitimate interest, legal obligation (KVKK Article 5/2)
  • Collection Method: Google account sign-in, Firebase SDK, automatic device information collection
  • Parties Data Is Transferred To: Firebase/Google (infrastructure service), legal authorities (in case of legal obligation)
  • Data Subject Rights: All rights under KVKK Article 11 as detailed in Section 8 of this policy

This disclosure text has been prepared within the scope of Article 10 of the KVKK and the Communique on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation. The disclosure obligation is fulfilled independently of obtaining explicit consent.

16. Data Controllers Registry (VERBiS)

In accordance with Article 16 of the KVKK, data controllers that process personal data are required to register with the Data Controllers Registry Information System (VERBiS). Macro Handler follows the legislation regarding the VERBiS registration obligation and will complete the necessary registration procedures in a timely manner if the required thresholds are met.

You may contact us at support@macrohandler.com for current information about our VERBiS registration.

17. Data Breach Notification Procedure

In accordance with Article 12, paragraph 5 of the KVKK, the following procedure is applied in the event that processed personal data is obtained by others through unlawful means:

  1. Board Notification: The Personal Data Protection Board is notified as soon as possible and in any case within 72 hours after the data breach is detected.
  2. Notification of Data Subjects: Personal data subjects affected by the breach are informed as soon as possible through appropriate methods (email, in-app notification, or website announcement).
  3. Notification Content: Notifications include the nature of the breach, affected data categories, potential consequences, measures taken and recommended, and contact information.
  4. Corrective Measures: Necessary technical and administrative measures are immediately taken to prevent recurrence of the breach and reported to the Board.

18. Changes to This Policy

We reserve the right to update this Privacy Policy from time to time. In the event of material changes, we will inform you through one or more of the following methods:

  • In-app notification
  • Publication of the updated policy on the website
  • Change of the "last updated" date

Your continued use of the App or Website after changes constitutes your acceptance of the updated policy. For material changes, additional explicit consent may be requested.

19. Contact

If you have any questions, requests, or complaints about this Privacy Policy or the processing of your personal data, you may contact us through the following contact information:

  • Operator: ESAT ACAR
  • Email: support@macrohandler.com
  • Website: macrohandler.com
  • Address: 50. YIL MAH. 2004. SK. NO:34 IC KAPI NO:2 SULTANGAZI/ISTANBUL

To exercise your right of application to the data controller under the KVKK, you need to submit your request in writing to the email address above together with information that verifies your identity. Responses to applications will be provided within the legal time limits (no later than 30 days).

In the event that your application is rejected, you find the response insufficient, or no response is given within the allotted time; you have the right to file a complaint with the Personal Data Protection Board within 30 days from the date you learn of the response and in any case within 60 days from the date of application.