Privacy Policy
01 Data Controller
This Privacy Policy governs the processing of personal data relating to the uptime monitoring service provided by Anchor Uptime (the "Service").
| Trade Name | Anchor Uptime |
| Contact | [email protected] |
| Website | anchoruptime.com |
| KVKK Role | Data Controller |
02 Data Collected
The following personal and technical data is collected during your use of the Service:
2.1 Account Data
- Email address (for registration, login and notifications)
- Hashed password (bcrypt; not stored in plain text) - only when registration by email is chosen
- Google account email and profile name - only when Google OAuth login is chosen; no password is stored
- Account creation date and last login time
2.2 Monitoring Data
- Site URLs and descriptive names you add
- HTTP response times, status codes and probe results
- SSL certificate expiration dates and domain WHOIS records
- WordPress plugin heartbeat signals and timestamps
- WordPress and PHP version information (for compatibility and error detection purposes)
- Plugin activation status
- Fatal error type and line number (the file path and full stack trace are not stored)
- Incident records: start/end time, duration, type
2.3 Technical and Log Data
- IP address (for session security and abuse prevention purposes)
- Browser type and operating system (User-Agent)
- Account actions and in-platform transaction logs (adding/deleting sites, opening/closing maintenance, etc.)
- Error logs and system events
2.4 Payment Data
Payment processing is handled directly by Paddle.com Market Limited. Anchor Uptime does not receive the credit card number, CVV or full card details. Only the subscription status, plan type and billing ID are received from Paddle.
03 Intended Use of Data
| Objective | Data Used | Basis |
|---|---|---|
| Service delivery | Account, monitoring data | Contract performance |
| Email notifications (alarm) | Email address | Contract performance |
| Subscription management | Email, Paddle subscription ID | Contract performance |
| Security and fraud prevention | IP, User-Agent, logs | Legitimate interest |
| Service optimization and debugging | Technical logs | Legitimate interest |
| Fulfillment of legal obligations | Invoice, account information | Legal obligation |
Beyond the purposes listed above, your personal data will not be used for marketing, profiling or sale to third parties.
04 Legal Basis
Your personal data is processed within the scope of the following legal bases:
- Contract performance (KVKK Art. 5/2-c; GDPR Art. 6/1-b): Provision of services, sending notifications and subscription management.
- Legitimate interest (KVKK Art. 5/2-f; GDPR Art. 6/1-f): Protection of security, system stability and service quality.
- Legal obligation (KVKK Art. 5/2-ç; GDPR Art. 6/1-c): Tax, invoice and legal retention obligations.
- Explicit consent (when necessary): You will be explicitly informed and your consent will be obtained prior to procedures requiring consent.
05 Third Party Services and Paddle
Certain third party providers are used for the provision of the Service. These providers process only the minimum necessary data and are subject to their own privacy policies.
| Provider | Objective | Transferred Data | Location |
|---|---|---|---|
| Paddle.com Market Ltd. | Payment transaction, Merchant of Record | Email, billing information | UK / EU |
| Google LLC (OAuth) | Social login - only when preferred | Email address, profile name | USA (assurance with SCCs) |
| Hetzner GmbH (Server) | Application and data hosting, email delivery | All application data | Germany (intra-EU) |
Paddle's Merchant of Record Role
Paddle.com Market Limited acts as a Merchant of Record for payment transactions. Within this framework, Paddle:
- Stores and processes payment card information in its PCI-DSS compliant infrastructure,
- Fulfills VAT and other tax obligations,
- Manages returns and payment disputes under its own policy.
For Paddle's privacy policy: paddle.com/legal/privacy
All transactions are carried out in USD ($). Paddle calculates local tax (VAT, etc.) based on your location and reflects it on the invoice.
06 Data Retention Periods
| Data Type | Storage Time | Rationale |
|---|---|---|
| Account details | Until account is deleted + 30 days | Access redundancy, error compensation |
| Raw probe records (checks) | 1 day after summary calculation; up to 90 days in summary-free mode | Service functionality |
| Signal change events (check_events) | 180 days | Live panel, event timeline |
| Hourly/daily summary metrics (rollup) | 90 days | Historical reporting and graphs |
| Incident records | According to operational retention policy (approximately 90 days) | Service history |
| Invoice and payment record | 10 years | Tax legislation obligation |
| Security logs (IP etc.) | 90 days | Security and abuse prevention |
| Unverified accounts | 30 days | Automatic cleaning |
07 Data Security
The following technical and administrative measures are implemented to protect your personal data:
- All data transmission is encrypted with TLS 1.2+ (HTTPS mandatory).
- Passwords are hashed and stored with bcrypt; plaintext passwords are not stored anywhere.
- Access to the API is protected with a Bearer token; each token site is managed comprehensively and separately.
- `SsrfSafeHttpClient` is used for SSRF (Server-Side Request Forgery) protection.
- Security headers (`SecurityHeaders` middleware) are attached to all responses.
- Database access is only possible through the application layer.
- Regular backup and disaster recovery procedures are in place.
08 Cookies
Anchor Uptime uses only essential cookies for session management and service functionality. No third party cookies are used for analytics or marketing purposes.
| Cookie | Type | Objective | Duration |
|---|---|---|---|
| session | Mandatory | User session | End of session |
| remember_token | Mandatory | "Remember me" session | 30 days |
| XSRF-TOKEN | Mandatory | CSRF protection | End of session |
09 International Data Transfer
Your personal data may be transferred to the following locations outside Turkey:
- Germany - Hetzner GmbH: The application servers and database are hosted in Germany (EU). Within the scope of Article 9 of the LPPD, Germany is considered to have an adequate level of protection as it is an EU member state.
- UK/EU - Paddle.com Market Ltd.: Payment data is processed in the Paddle infrastructure. The transfer is based on EU Standard Contractual Clauses (SCCs) and Paddle's GDPR/UK GDPR compliant data processing agreement.
- US - Google LLC (OAuth): Applies only when Google login is chosen. Google manages EU-US data transfer under SCCs. For Google's privacy policy: policies.google.com/privacy
Data is not transferred to countries that do not have an adequate level of protection other than those mentioned above.
10 Your Rights
You have the following rights under KVKK and GDPR:
- Access: You can request access to the personal data processed about you.
- Correction: You can request correction of incorrect or missing data.
- Deletion: You can request deletion of your data in certain circumstances.
- Restriction of processing: You can request to stop processing in certain circumstances.
- Portability: You can request your data in machine-readable format.
- Objection: You can object to actions based on legitimate interest.
- Revocation of consent: You can revoke your consent at any time for processing that is based on consent.
- Complaint: You can file a complaint with the Turkish Personal Data Protection Authority (KVKK).
You can send your requests to [email protected]. Applications are responded to within 30 days.
11 Changes
You will be notified at your registered email address of any material changes to this policy at least 30 days prior to the effective date. Your continued use of the Service following the change constitutes your acceptance of the updated policy.
12 Contact
For privacy related questions, requests or complaints: