Privacy Policy

1. Introduction

This Privacy Policy explains how Montarist Bilisim Yazilim Proje Danismanlik Ihracat Ithalat ("Company", "we", "us") collects, uses, and protects your personal data when you use CuryLoop ("Service"). We are committed to protecting your privacy and complying with applicable data protection regulations, including the Turkish Personal Data Protection Law (KVKK) and the EU General Data Protection Regulation (GDPR) where applicable.

2. Data Controller

3. Data We Collect

Account Information

• Email address
• Name (optional)
• Profile picture (optional)
• Authentication data (password hash or OAuth provider ID)

Usage Data

• Groups you create or join
• Sessions and items you contribute
• Bookmarks, likes, and collections
• API key usage and access logs

Technical Data

• IP address
• Browser type and version
• Device information
• Login timestamps
• Cookies and similar technologies

4. How We Use Your Data

• To provide and maintain the Service
• To authenticate your identity and secure your account
• To send transactional emails (invitations, password resets, weekly digests)
• To enforce our Terms of Service and prevent abuse
• To improve the Service through aggregated, anonymized analytics
• To process payments through our payment provider (Stripe)
• To respond to your support requests

5. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract: Processing necessary to provide the Service you requested
• Legitimate interest: Improving and securing our Service, preventing fraud
• Consent: For optional features like marketing communications
• Legal obligation: Compliance with applicable laws and regulations

6. Data Sharing

We do not sell your personal data. We share data only with:

• Supabase: Database hosting and authentication (data processed in accordance with their DPA)
• Stripe: Payment processing (PCI-DSS compliant)
• Resend: Transactional email delivery
• AWS (via SST): Application hosting and CDN
• Law enforcement: When required by valid legal process

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, your personal data will be removed within 30 days, except where we are required to retain it by law (e.g., billing records for tax purposes). Aggregated, anonymized data may be retained indefinitely.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interest
• Restriction: Request restriction of processing in certain circumstances
• Withdraw consent: Where processing is based on consent

To exercise these rights, contact us at contact@montarist.com. We will respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled. We do not use advertising or tracking cookies. Analytics data, if collected, uses aggregated and anonymized metrics only.

10. Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS), Row Level Security (RLS) at the database level, rate limiting, and secure authentication flows. However, no system is completely secure. If you discover a security vulnerability, please report it to contact@montarist.com.

11. International Data Transfers

Your data may be processed in countries outside of Turkey or the EEA where our service providers operate. In such cases, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant authorities.

12. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The updated policy will be effective upon posting.