Privacy Policy

This Privacy Policy explains how Mackbook İnşaat Ltd. Şti., operating the Dimaas service ("Dimaas", "we", "us"), collects, uses and protects personal data. We comply with the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK).

1. Data Controller

Mackbook İnşaat Ltd. Şti., Istanbul, Türkiye. For privacy enquiries email privacy@dimaas.app.

2. Data We Collect

Account data. Name, business name, email, phone, language preference.

Billing data. Processed by Paddle.com Market Limitedas our Merchant of Record. Paddle collects payment instrument details, billing address and tax information directly. We receive only billing identifiers, the last 4 digits of the card and invoice metadata. Paddle's privacy policy: paddle.com/legal/privacy.

Customer data you upload. Lists of business contacts (name, email, phone, company, public profile data) you choose to import or scrape using the Service. You are the data controller of this data; we process it on your behalf as a processor.

Usage data. Login timestamps, feature usage, IP address, device/browser information, error logs.

Communications. Emails and chats you send to support.

3. Why We Process Data

• To provide, maintain and improve the Service (legitimate interest, contract performance);
• To process payments and prevent fraud (contract, legal obligation);
• To comply with KVKK, GDPR, IYS, anti-spam and tax law (legal obligation);
• To send transactional emails such as receipts and security alerts (contract);
• To send product updates, with the option to unsubscribe at any time (consent / legitimate interest);
• To investigate abuse and enforce our Terms (legitimate interest).

4. Sub-processors

We share personal data only with vetted sub-processors who help us operate the Service:

• Paddle — payments & billing (UK / EU)
• Coolify / Hetzner — application hosting (EU)
• Airtable — operational data storage (US, SCCs in place)
• Resend / Postmark — transactional email delivery (EU/US)
• WhatsApp Business API — message delivery on the user's own number (Meta, EU/US)
• Cloudflare — CDN, DNS and DDoS protection (Global)

International transfers rely on Standard Contractual Clauses or adequacy decisions where applicable.

5. Retention

• Account data: for the life of the account plus 6 months after closure.
• Billing records: 10 years (Turkish tax law) / 6 years (UK).
• Customer data you upload: deleted within 30 days of account closure or on request.
• Usage logs: 12 months rolling.
• Suppression / opt-out lists: kept indefinitely to honour unsubscribe requests.

6. Your Rights

Under GDPR and KVKK you have the right to:

• access your personal data;
• request rectification or deletion;
• restrict or object to processing;
• data portability;
• withdraw consent at any time;
• lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu) or your local EU supervisory authority.

To exercise these rights email privacy@dimaas.app. We respond within 30 days.

7. Recipients of Outreach Sent via the Service

If you received a WhatsApp or email message sent through Dimaas by one of our customers, the customer is the data controller of your personal data. To unsubscribe or request deletion, reply "STOP" to the message or contact the sender directly. You may also email privacy@dimaas.app and we will forward your request to the controller within 7 days and add your contact to a global suppression list.

8. Cookies

We use only essential cookies (session token, language preference, CSRF protection). We do not use advertising or third-party tracking cookies.

9. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access is limited to authorised personnel under confidentiality obligations. We perform periodic security reviews and dependency audits.

10. Changes

We may update this Policy. Material changes are communicated by email or in-product notice at least 14 days before they take effect.

11. Contact

Questions or requests: privacy@dimaas.app.