Wepha is a student-tracking tool built and maintained by Huseyin Karaarslan, an individual developer based in California, United States (“I”, “me”, “the developer”). This policy explains how Wepha handles information. The short version: Wepha does not collect your data. Your students, notes, meetings, and custom fields stay on your own device and in your own Google Drive. Nothing is sent to me or to any server I control.

When you use Wepha you may enter information about students you mentor — names, contact details, notes, meeting records, and any custom fields you create. This information is stored:

I never receive this information. There is no Wepha server and no Wepha database. Deleting the app (or signing out with “Sign Out & Wipe” on the web) removes the local copy. You can delete the “Wepha App Data” folder from your Drive at any time.

If you choose to connect a Google account to enable Drive sync or Calendar reminders, Wepha receives and stores on your device:

These credentials are stored using your operating system's secure storage (iOS Keychain, Android Keystore) on native apps, and in browser storage on the web. They are not transmitted to me. You can revoke Wepha's access any time at myaccount.google.com/permissions.

Wepha requests the narrowest Google scopes it needs: drive.file (access only to files Wepha itself creates in your Drive, never your other files) and calendar.events (create and update calendar events for reminders you set).

Wepha does not include any analytics, tracking, or advertising SDKs in the mobile or web app itself. The app does not track how you use it, does not build a user profile, does not run advertisements, and does not set tracking cookies. Once the app is running, it does not phone home or report your activity to any server other than Google Drive (for the optional sync you explicitly enable).

The website wephaapp.com is hosted on Cloudflare Pages. Cloudflare provides a privacy-focused Web Analytics service that measures aggregate traffic to the site — page views, referrer, country, browser, and page load time. This service is cookieless, does not fingerprint visitors, and cannot identify individual users. I use it only to understand how many people are visiting the site.

Cloudflare, as the hosting provider, also processes standard server access logs (IP address, user agent, request path) for security, abuse prevention, and delivering the site. These logs are managed by Cloudflare under their own privacy policy and are not used by me to profile individual users.

Wepha is intended for use by mentors, educators, and other adults to keep notes about people they support. It is not directed at children under 13, and I do not knowingly collect data from children under 13. Because Wepha does not collect data at all, there is no mechanism through which such information could reach me. Adult users are responsible for complying with applicable law (including COPPA and FERPA in the United States) when entering information about minors into their own device.

If you are a California resident, the California Consumer Privacy Act gives you the right to know what personal information a business has collected about you, to request deletion, to request correction, and to opt out of the sale or sharing of your personal information. Because Wepha does not collect, store, sell, or share personal information:

If you use Wepha from the European Union or the United Kingdom: under the GDPR, you (the user) are the “controller” of any personal data you enter about students. I am not a controller and not a processor, because the data never reaches me. Google, through Google Drive, acts as a processor for the data you choose to back up there; your existing Google Workspace / Google account agreement governs that relationship. You may exercise your GDPR rights (access, rectification, erasure, portability, objection) directly on your own device and Google Drive. For written confirmation or questions, email ask.wephaapp@gmail.com.

Wepha encrypts your Drive-synced data end-to-end using AES-256-GCM. The encryption key is generated on your first device and shared only between your own devices via a protected file in your Google Drive. Neither I nor Google can decrypt your data without access to your devices. No system is completely secure; you are responsible for keeping your Google account and your devices themselves secure (strong password, two-factor authentication, up-to-date operating system).

I may update this policy as Wepha evolves. The effective date at the top of this page will change whenever I do. Material changes will be announced in the app release notes and through any email address associated with your Google account if you have connected one. Continued use of Wepha after an update constitutes acceptance of the updated policy.

Questions about this policy or about Wepha's data handling in general: email ask.wephaapp@gmail.com. A mailing address is available on written request.