Privacy Policy
1. Introduction
This Privacy Policy describes how ProductLog (the "Service") collects, uses, shares, and protects personal data when you visit, register for, or use the Service. It applies to everyone who uses the Service, regardless of where you live.
Throughout this policy, "we", "us", "our", or "the operator" refers to the individual described in Section 2. This policy is published alongside the Terms of Service and the two should be read together.
If you do not agree with this policy, do not use the Service.
2. Data Controller
The Service is operated personally by an individual, not a company. The operator is the data controller under Turkish Personal Data Protection Law No. 6698 ("KVKK") and Article 4(7) of the General Data Protection Regulation ("GDPR") for users to whom GDPR applies.
Name: Evren Bal (username @evrenbal)
Capacity: Indie developer, sole operator (no legal entity, no employees, no investors)
Jurisdiction of residence: Türkiye
Contact: [email protected]
The operator does not currently meet the threshold for mandatory VERBİS registration; this position is reviewed periodically.
3. Scope and Definitions
In this policy:
"Personal data" means any information relating to an identified or identifiable individual (consistent with KVKK Article 3 and GDPR Article 4(1)).
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"You" means a registered user, a visitor browsing the Service, or any other identified or identifiable individual whose personal data is processed in connection with the Service.
"The Service" means the ProductLog website, its associated APIs, and any related interfaces operated by the operator.
This policy covers personal data processed by the Service. It does not cover the data practices of third parties whose websites or services you may reach via links or integrations on the Service; those parties have their own privacy policies.
4. Personal Data We Collect
The operator collects the following categories of personal data:
4.1 Account identity
Email address
Full name (as you choose to provide)
Username
Password (stored as a one-way hash; the plain-text password is not retained)
Locale and language preference
4.2 Profile content
Biography text
Profile avatar image
Social or external links you choose to add
Any extended profile fields you fill in (employer, location, interests, etc.)
4.3 User-generated content
Posts, comments, products, replies, and other contributions you submit
Votes, follows, bookmarks, and engagement actions
Feedback and reports you submit
4.4 Authentication and security technical data
IP address (transient request logs and security audit logs)
User-agent and basic device/browser metadata
Session cookies and authentication tokens
Email-verification tokens, password-reset tokens, and similar one-time tokens
Audit-log entries describing security-relevant events (e.g. login, password change)
4.5 OAuth credentials (if you choose to connect a third-party account)
The provider name (GitHub or Google)
The provider's stable account identifier
The email address shared by the provider
The minimal scopes required to authenticate you
The operator does not request or store provider passwords. Connecting an OAuth account is optional.
4.6 Notifications and preferences
In-app notification state
Email subscription preferences
Notification interaction history (read / unread, dismissed)
4.7 What we do not collect
The operator does not use third-party web analytics, behavioural trackers, advertising pixels, fingerprinting libraries, or session-recording tools. The Service does not have any third-party analytics or telemetry instrumentation as of the date of this policy.
5. Purposes of Processing and Legal Basis
The operator processes personal data only for specific, defined purposes, and only on a recognised legal basis. The following purposes summarise how data is used and the corresponding bases under GDPR Article 6 and KVKK Article 5.
5.1 Account creation, authentication, and basic service delivery
Why: so you can register, sign in, and use the Service.
GDPR basis: performance of a contract — Article 6(1)(b).
KVKK basis: establishment or performance of a contract — Article 5(2)(c).
5.2 Hosting and displaying your content
Why: so other users can see what you publish.
GDPR basis: performance of a contract — Article 6(1)(b).
KVKK basis: establishment or performance of a contract — Article 5(2)(c).
5.3 Service-related communications (transactional email)
Why: verification emails, security alerts, password resets, important account notices.
GDPR basis: performance of a contract — Article 6(1)(b).
KVKK basis: establishment or performance of a contract — Article 5(2)(c).
5.4 Security, fraud, and abuse prevention
Why: detecting unauthorised access, abuse, spam, and platform-integrity risks.
GDPR basis: legitimate interest — Article 6(1)(f) — balanced against your rights.
KVKK basis: legitimate interest — Article 5(2)(f).
5.5 Compliance with legal obligations
Why: responding to lawful requests, handling takedown notices under Turkish Law No. 5651, and meeting record-keeping obligations.
GDPR basis: legal obligation — Article 6(1)(c).
KVKK basis: fulfilment of a legal obligation — Article 5(2)(ç).
5.6 Optional marketing communications (only with your consent)
Why: product newsletters or feature announcements where you have opted in.
GDPR basis: consent — Article 6(1)(a). You can withdraw consent at any time.
KVKK basis: explicit consent — Article 5(1).
The operator does not sell personal data, does not engage in automated decision-making with legal or similarly significant effects on you, and does not perform profiling for advertising purposes.
6. Cookies and Local Storage
The Service uses only strictly necessary cookies and local storage:
Authentication / session: to keep you signed in.
Locale preference: to remember your chosen language.
CSRF / security tokens: to protect against cross-site request forgery and similar attacks.
The Service does not set cookies for advertising, third-party analytics, or behavioural tracking. Because all cookies in use are strictly necessary for the Service to function, no cookie-consent banner is displayed; consent is obtained for non-essential cookies only when and if any are introduced.
If your browser blocks the strictly necessary cookies, you will not be able to sign in or use authenticated features.
7. Sub-Processors and Third-Party Services
To operate the Service, the operator relies on a small number of third-party sub-processors. The current sub-processors are:
Category | Provider(s) | What is shared | Where data is processed
OAuth sign-in | GitHub, Google (only if you choose to connect) | provider account identifier, email, basic profile | provider's infrastructure
Transactional email delivery | one of: SMTP relay, Brevo, AWS SES (operator-configured) | recipient email, message body | provider's infrastructure
Object storage | S3-compatible storage (currently AWS S3 or Cloudflare R2, operator-configured) | uploaded files (avatars, attachments) | provider's infrastructure
Hosting / infrastructure | the operator's chosen hosting provider | all data in transit and at rest within the hosting infrastructure | hosting provider's regions
The list above is the complete list as of the date of this policy. The operator does not use third-party analytics, advertising networks, or behavioural-tracking sub-processors.
If a sub-processor is added, removed, or replaced, this section will be updated and the "Last updated" date refreshed. Material changes will be communicated as described in Section 14.
8. International Data Transfers
The operator is based in Türkiye, and primary processing takes place either in Türkiye or in the regions of the sub-processors listed in Section 7.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data may be transferred to and processed in countries outside those regions, including Türkiye. Where such transfers occur, the operator relies on:
Adequacy decisions where applicable;
Standard Contractual Clauses ("SCCs") approved by the European Commission with sub-processors located outside the EEA, where the sub-processor's terms include them; and
Where neither is available, supplementary measures and a risk-based assessment.
You may request a copy of the relevant transfer safeguards by emailing [email protected].
9. Data Retention
The operator retains personal data only for as long as is necessary for the purposes set out in Section 5, or as required by applicable law:
Account data: retained while your account is active. After account deletion, identifying account data is removed within a reasonable period and at the latest within ordinary backup-retention windows (typically 30 days).
User-generated content shared in community contexts (such as comments on other users' content): may be anonymised rather than fully removed on request, in order to preserve the integrity of those community contexts.
Audit logs for security and abuse prevention: retained for a limited period proportionate to detection and response needs (typically up to 12 months).
Transactional email and sub-processor logs: retained according to the sub-processor's standard retention policies.
One-time tokens (email verification, password reset): retained only until used or expired, and removed shortly thereafter.
Where applicable law requires longer retention (for example, financial or legal records), data is retained for the legally required period.
10. Your Rights
Subject to applicable law, you have the following rights with respect to your personal data:
Right to access (KVKK Article 11(b)/(c); GDPR Article 15) — confirmation of whether your data is processed, and a copy of your data.
Right to rectification (KVKK Article 11(d); GDPR Article 16) — correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") (KVKK Article 11(e); GDPR Article 17) — deletion of your data, subject to lawful retention obligations.
Right to restrict processing (GDPR Article 18) — ask the operator to limit processing while a concern is investigated.
Right to data portability (GDPR Article 20) — receive your data in a structured, machine-readable format and, where technically feasible, transmit it to another controller.
Right to object (KVKK Article 11(g); GDPR Article 21) — object to processing based on legitimate interests, including for direct-marketing purposes.
Right to withdraw consent — withdraw any consent you have given at any time, without affecting the lawfulness of prior processing based on that consent.
Right to lodge a complaint — see Section 15.
How to exercise your rights
To exercise any of these rights, email [email protected] with your request. Self-service tools (such as in-product data export and one-click account deletion) are in development; until they are available, the operator processes rights requests manually.
The operator will respond to your request within thirty (30) days of receipt, as required by KVKK Article 13 and GDPR Article 12. Where a request is particularly complex or where multiple requests are received from the same person, the operator may extend the response window by up to two further months and will inform you of the extension and the reasons for it within the initial 30-day period.
The operator may need to verify your identity before fulfilling certain requests, in order to protect your data from unauthorised disclosure. Reasonable proof — such as confirmation from your registered email address — is generally sufficient.
There is no fee for exercising your rights. The operator may, however, charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, in line with KVKK and GDPR.
11. Children's Data
The Service is not intended for, and is not directed at, children under 16 years of age. The operator does not knowingly collect personal data from children under 16.
If the operator learns that personal data of a child under 16 has been collected without verifiable parental or guardian consent, the operator will delete that data and the associated account as soon as reasonably possible. If you believe a child under 16 has provided personal data to the Service, please contact [email protected].
12. Security Measures
The operator applies reasonable, industry-standard technical and organisational measures intended to protect personal data, including:
Transport-layer encryption (HTTPS) for all traffic to and from the Service.
One-way hashing of passwords; plain-text passwords are not stored.
ORM-based query handling to mitigate injection risks.
Dependency auditing on the application and its packages.
Rate limiting on sensitive endpoints.
Restricted operator access to production data, on a need-to-know basis.
No service can be made unhackable, and the operator does not warrant absolute security. You also share responsibility for the security of your account by maintaining a strong, unique password and keeping it confidential. The Service does not currently offer two-factor authentication.
13. Breach Notification
In the event the operator becomes aware of a personal-data breach affecting your data, the operator commits to:
Investigating and patching the underlying issue as quickly as is reasonable under the circumstances;
Notifying the Turkish Personal Data Protection Authority (KVKK Kurumu) within 72 hours of becoming aware of the breach, where notification is required by KVKK Article 12 and related regulations;
Notifying affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms; and
Documenting the incident and the remedial steps taken.
Where GDPR applies, equivalent obligations under Articles 33 and 34 are also met.
14. Changes to This Policy
The operator may modify this Privacy Policy from time to time. When changes are made, the "Last updated" date at the top of this document is updated. Material changes (changes that meaningfully affect how your personal data is processed) will be communicated to you in advance, where reasonably practicable, via email to your registered address or via a prominent notice within the Service.
Continued use of the Service after the effective date of any modification constitutes your acknowledgement of the updated policy. If you do not agree with the updated policy, you should stop using the Service and may close your account.
15. Contact and Complaints
For any privacy-related question, request, or concern — including the rights described in Section 10 — please contact:
If you believe the operator has not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a competent supervisory authority:
In Türkiye: Kişisel Verileri Koruma Kurumu (KVKK Kurumu) — https://www.kvkk.gov.tr.
In the European Economic Area: the data-protection authority of the EU/EEA Member State of your habitual residence, place of work, or alleged infringement. A list is maintained by the European Data Protection Board.
In the United Kingdom: the Information Commissioner's Office (ICO) — https://ico.org.uk.
The operator will endeavour to resolve concerns directly and in good faith before escalation.