Privacy Policy

1. Data Controller

This Privacy Policy describes how TopoKit Software ("TopoKit", "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit topokit.io (the "Site"), use the TopoKit software development kit (the "SDK"), or otherwise interact with us (collectively, the "Services").

For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Turkish Personal Data Protection Law No. 6698 ("KVKK"), and the California Consumer Privacy Act of 2018 ("CCPA"), TopoKit is the data controller of personal data processed in connection with the Services.

You can reach our data protection contact at [email protected]. Where required by law, you may also contact our EU/UK representative or our local data protection authority.

2. Scope

This Policy applies to personal data we collect through the Site, the SDK distribution channels, our customer-support and sales communications, and any commercial license you purchase from us.

The Services are intended for business and developer use and are not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can delete it.

3. Personal Data We Collect

We collect only the data we need to provide and improve the Services. Specifically:

• Account and contact data. Name, email address, employer, role, and country, where you provide them to create an account, request a quote, sign a commercial-license agreement, or contact support.
• Billing and tax data. Company name, billing address, VAT/tax identifiers, and the last four digits of the payment instrument. Full payment-card data is collected directly by our payment processor and is not stored on our servers.
• License-administration data. License keys, license-tier, seat counts, and activation metadata necessary to administer your commercial license and prevent abuse.
• Support communications. The content of emails, support tickets, and contact-form submissions, including any attachments or system information you choose to provide.
• Site-usage data. Aggregated, pseudonymous information about your visit to topokit.io: referrer, country, page URL, browser family, operating-system family, and screen size. We use a privacy-preserving analytics tool that does not set cookies or use a persistent identifier.
• Server logs. IP address, timestamp, HTTP method, requested URL, status code, and user-agent string, retained on a short-term basis for security, abuse prevention, and operational diagnostics.

The SDK itself does not transmit any data to TopoKit servers. The SDK does not contain telemetry, analytics, error reporting, "phone-home" functionality, or remote license verification at runtime. Whatever graph data you visualize with the SDK stays in your environment.

4. Legal Bases for Processing

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)). To deliver licenses, process payments, provide support, and otherwise perform our obligations under a license agreement with you.
• Legitimate interests (Art. 6(1)(f)). To operate, secure, and improve the Services, prevent fraud and license abuse, communicate with prospects who request information, and protect our legal rights. We balance these interests against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)). To comply with applicable tax, accounting, anti-money-laundering, export-control, and other legal requirements.
• Consent (Art. 6(1)(a)). Where we ask for your explicit consent, for example to receive optional marketing emails, you may withdraw it at any time without affecting the lawfulness of prior processing.

Where the KVKK applies, we process personal data based on the equivalent legal grounds in Article 5 of the KVKK, including the explicit consent of the data subject and the legitimate interests of the data controller.

5. How We Use Personal Data

• To provide the Services. Delivering license keys, processing payments, sending invoices, providing technical support, and operating the Site.
• To secure the Services. Detecting, preventing, and responding to fraud, abuse, unauthorized access, and security incidents.
• To improve the Services. Analyzing aggregated usage of the Site and documentation to prioritize content, fix bugs, and improve performance.
• To communicate with you. Responding to inquiries, sending transactional messages, license-renewal reminders, and (with your consent) occasional product updates.
• To comply with the law. Meeting our tax, accounting, regulatory, and other legal obligations, and responding to lawful requests from public authorities.

We do not use personal data for automated decision-making that produces legal or similarly significant effects, and we do not engage in profiling.

6. Cookies and Similar Technologies

We use only strictly necessary technologies on topokit.io. We do not set advertising cookies, tracking cookies, or third-party social-network cookies. Where a cookie is set, it is limited to the technical operation of the Site (for example, remembering your theme preference) and does not require consent under most privacy laws.

Our analytics provider (Plausible Analytics) is configured to operate without cookies and without storing or transmitting a persistent identifier from your browser.

7. Sharing and Disclosure

We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the CCPA. We disclose personal data only:

• To our service providers (processors). Payment processing, transactional email (e.g., Postmark), cloud hosting and CDN (e.g., Cloudflare, Inc., AWS), customer-support tooling, and accounting/tax providers, in each case under a written agreement that restricts use to the services they perform for us.
• For legal reasons. To comply with valid legal process, enforce our license terms, protect our and others' rights, property, or safety, or in response to a public-authority request.
• In a corporate transaction. In connection with a merger, acquisition, financing, or sale of all or part of our assets, subject to standard confidentiality protections and continued application of this Policy.

8. International Data Transfers

We are based in Türkiye and operate the Services using infrastructure located in the European Union, the United Kingdom, and the United States. When we transfer personal data outside of your country of residence, we rely on appropriate safeguards required by applicable law, which may include Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement, KVKK-compliant explicit consent or undertakings, and additional technical and organizational measures.

A copy of the applicable transfer safeguards is available on request at [email protected].

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements:

• Account and license data. For the duration of your license, plus the period required by applicable tax and accounting law (typically up to ten (10) years).
• Billing and tax records. Up to ten (10) years, as required by applicable tax and commercial law.
• Support communications. Up to three (3) years from the date of the last interaction.
• Server logs. Up to thirty (30) days, except where retained longer for security investigations.
• Aggregated analytics. Retained indefinitely in aggregated, non-identifying form.

At the end of the applicable retention period, we delete, anonymize, or aggregate the data so it can no longer be associated with you.

10. Security

We maintain commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, and destruction. These include encryption in transit (TLS) and at rest, least-privilege access controls, secrets management, logging and monitoring, regular dependency updates, and periodic security reviews.

No method of transmission over the internet or method of electronic storage is one hundred percent secure. We cannot guarantee absolute security, but we work to maintain the integrity and confidentiality of personal data entrusted to us.

To report a vulnerability, please contact [email protected].

11. Your Rights

Depending on where you live, you may have the following rights with respect to your personal data:

• Access. Request confirmation of whether we process personal data about you and a copy of it.
• Rectification. Request that inaccurate or incomplete personal data be corrected.
• Erasure. Request deletion of personal data, subject to legal retention obligations.
• Restriction. Request that we limit how we process your personal data.
• Portability. Receive your personal data in a structured, machine-readable format and ask that it be transmitted to another controller where technically feasible.
• Objection. Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent. Withdraw any consent you previously gave, without affecting the lawfulness of processing carried out before withdrawal.
• CCPA rights. If you are a California resident, you have the right to know what personal information we collect, request its deletion or correction, opt out of sale or sharing (we do not sell or share), and not be discriminated against for exercising your rights.
• KVKK rights. If you are in Türkiye, you have the rights set out in Article 11 of the KVKK, including the right to be informed about whether your personal data is processed, the purposes of processing, and recipients of disclosure.

To exercise any of these rights, please email [email protected] with sufficient information to verify your identity. We respond within the timeframes required by applicable law (typically thirty (30) days). You also have the right to lodge a complaint with your local supervisory authority — in Türkiye, the Personal Data Protection Authority (KVKK Kurumu); in the EU, your member-state data protection authority; in the UK, the Information Commissioner's Office.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we do, we will update the "Last updated" date above and, if the changes are material, provide additional notice (for example, by email to active license holders or a banner on the Site). Your continued use of the Services after the effective date of any update constitutes acceptance of the updated Policy.

13. Contact

For questions about this Policy or about how we handle personal data, please contact us at [email protected]. For general inquiries, see our /contact page.