Privacy Policy

The data controller responsible for processing your personal data under this Privacy Policy is Tapy. Email: [email protected] Web: tapy.to

2.1. Identity and Contact Information • Full name • Email address • WhatsApp phone number (optional, for notifications) 2.2. Account and Authentication Data • Hashed password • Email verification status • Session tokens (JWT) 2.3. Usage and Technical Data • IP address • Browser type and version, operating system • Platform interactions • AI chat history (within project scope) • Error logs 2.4. Payment Data Payments are processed through Stripe Inc. Tapy does not store sensitive payment details such as card numbers or CVV codes. 2.5. User-Generated Content • Project files (HTML, CSS, JavaScript, images) • Content editor data • Published website content

• Account creation and authentication — Performance of contract • Service provision and project hosting — Performance of contract • AI-powered website creation — Performance of contract • Payment and billing — Performance of contract, legal obligation • Forwarding contact form data via WhatsApp — Explicit consent • Technical support and customer service — Legitimate interest • Platform security (rate limiting, logging) — Legitimate interest

Tapy does not sell or commercially transfer your personal data to third parties. Data is shared only with the following: • Anthropic: Chat messages are sent to the Anthropic API for website creation. Anthropic does not use this data for model training. • Stripe: Billing details required for payment processing. PCI DSS Level 1 certified. • Kapso (WhatsApp): Form data is forwarded for contact form notifications. • Google Cloud / Cloudflare: Server hosting and security. Data is stored encrypted. • Legal requirements: May be shared upon court order or regulatory authority request.

Your personal data may be transferred outside Turkey depending on server locations and third-party providers. Such transfers are carried out within the framework of applicable data protection law.

• All data transmission is protected with TLS 1.2+ encryption • Passwords are stored using one-way bcrypt hashing • JWT-based authentication and session management • Rate limiting on API access • Security headers: CSP, HSTS, X-Frame-Options • Access to data is restricted on a minimum privilege basis

• Account information: While account is active + 30 days after deletion • Project data and files: While account is active + 30 days after deletion • Chat history: Until the project is deleted • Billing and payment records: 10 years (Tax Procedure Law) • Server access logs: 2 years • Contact form data: 1 year

You have the following rights regarding your personal data: • Right to know whether your data is being processed • Right to information about the purpose and scope of processing • Right to know third parties to whom data has been transferred • Right to request correction of inaccurate or incomplete data • Right to request deletion or destruction of data • Right to claim damages in case of unlawful processing To exercise these rights, contact [email protected]. Requests are answered within 30 days.

Tapy does not provide services targeting individuals under 18. We do not knowingly collect personal data from minors.

This Privacy Policy may be revised from time to time. Material changes will be notified to your registered email address at least 15 days before taking effect.