Privacy Policy

Effective date: 18 May 2026

This Privacy Policy explains what personal data we collect when you use zippfeed.com ("Zipp" or the "Service"), how we use it, who we share it with, and what rights you have. It applies to all visitors and registered users.

1. Who We Are (Data Controller)

• Turan Can Ekmekçi — sole proprietorship registered in Türkiye, trading as "Zipp"
• Address: Sultan Selim Mah. Eski Büyükdere Cad. No: 61/2, 34415 Kağıthane / Istanbul, Türkiye
• Tax ID (Vergi No): 3290627132 — Maslak Vergi Dairesi
• Contact: [email protected]

2. What We Collect

When you create an account: email address, password (stored only as a bcrypt hash — never in plain text), optional display name, language preference, marketing-consent flag, and a timestamped record of the Terms / Privacy Policy version you accepted.

Automatically on every visit: IP address, approximate location (country / city), browser and device information, referrer URL, server-side request logs. Account events (login, register, password reset, account deletion) are written to an audit log.

Only with your consent: session recordings and heatmaps via Microsoft Clarity; advertising identifiers via Google AdSense; conversion / measurement events via Google Tag Manager and Microsoft UET. None of this is collected before you grant the matching cookie category.

3. Cookies

Cookies and similar technologies are grouped into four categories:

• Necessary — login session (JWT), CSRF protection, consent decision itself. Required to operate; no opt-in needed (ePrivacy Directive Art. 5(3) / GDPR Recital 32).
• Functional — language / display preferences.
• Analytics — Google Tag Manager, Microsoft Clarity.
• Marketing — Google AdSense, Microsoft UET.

You can withdraw or change your consent at any time via the "Cookie preferences" link in the page footer, or — if you are in the EEA / UK / Switzerland — via Google's "Manage privacy" link injected by its CMP.

4. Why We Process Your Data and Legal Basis

• Operating the Service, account authentication, transactional emails — performance of contract (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)).
• Security, fraud prevention, server logging, audit logs — legitimate interest (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)).
• Analytics, advertising, session recording, marketing emails — your consent (GDPR Art. 6(1)(a) / KVKK Art. 5(1)). You may withdraw at any time.
• Tax records, lawful requests, ToS-acceptance records — legal obligation (GDPR Art. 6(1)(c) / KVKK Art. 5(2)(ç)).

5. Third Parties

We share personal data with the following processors, each with their own privacy policy. All are based in the United States; data transfers are made under the EU–US Data Privacy Framework and/or Standard Contractual Clauses, and for users in Türkiye under your explicit consent pursuant to KVKK Art. 9.

• Google LLC — AdSense (advertising), Tag Manager (analytics/marketing tags). Policy
• Microsoft Corporation — Clarity (session recording), UET (Bing Ads measurement). Policy
• Cloudflare, Inc. — CDN, DDoS protection, Turnstile CAPTCHA. Policy
• Railway Corp. — application hosting and PostgreSQL database. Policy
• Resend, Inc. — transactional email delivery (verification, password reset). Policy

We will also disclose personal data to government authorities, courts, or law enforcement when legally compelled (subpoena, court order, KVKK Art. 5(2)(ç), or equivalent).

6. Retention

Account data is retained for the life of your account. Upon account deletion we delete or anonymise it within 30 days, except where law requires us to keep specific records (e.g. tax records, proof-of-consent under KVKK Art. 5). Server access logs: up to 90 days. Audit logs (login/register/deletion events): up to 2 years. Email-verification and password-reset tokens are purged automatically after use or expiry. Behavioral data managed by Clarity / AdSense is subject to their own retention schedules.

7. Your Rights

Regardless of where you live, you can email [email protected] to exercise any of the following rights. We respond within 30 days (or sooner where local law requires).

• Access — get a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — delete your account and personal data (also available in your account settings).
• Restriction / Object — limit our processing or object to it.
• Portability — receive your data in a machine-readable format.
• Withdraw consent — at any time, with no effect on prior lawful processing.
• Complain to a supervisory authority — see Section 11.

Users in Türkiye have the additional rights set out in KVKK Article 11 (including the right to learn whether and why personal data is being processed, to be informed about third-party recipients, and to claim compensation for damages from unlawful processing). California residents have the rights to know, delete, and opt out of "sharing" under CCPA — the consent banner provides the opt-out for ad personalisation, which CCPA classifies as a "share".

8. Children

The Service is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us and we will delete it without delay.

9. Security

We use industry-standard measures: TLS 1.2+ in transit, encryption at rest, bcrypt-hashed passwords, httpOnly + Secure + SameSite-Strict session cookies, Cloudflare WAF and rate limiting, Turnstile CAPTCHA on sensitive endpoints, and audit logging. If a personal-data breach is likely to risk your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay (GDPR Art. 33 / KVKK Art. 12).

10. Changes to This Policy

We may update this Policy. The "Effective date" at the top reflects the latest revision; material changes (e.g. new categories of data collected, new vendors) will be communicated by email to registered users.

11. Contact and Supervisory Authorities

For any question about this Policy or about how we handle your personal data, email [email protected] or write to the postal address in Section 1.

If you are not satisfied with our response you may lodge a complaint with the data protection authority in your country of residence: Türkiye — Kişisel Verileri Koruma Kurumu; EEA — your national DPA via the EDPB list; UK — ICO; Switzerland — FDPIC; California — CPPA.