This Privacy Policy (the "Policy") explains how AstronAlgo ("AstronAlgo", "we", "us", "our") collects, uses, stores, discloses, and otherwise processes personal data when you visit astronalgo.com, use the AstronAlgo platform, or interact with us in any other way (collectively, the "Service"). It is drafted to comply with the EU/UK General Data Protection Regulation ("GDPR"), the Turkish Personal Data Protection Law No. 6698 ("KVKK"), and other applicable data protection laws.
Effective date: 2026-05-15. Capitalised terms used but not defined here have the meanings given in the Terms of Service.
1. Controller & Contact
1.1 Data Controller. The data controller responsible for processing your personal data under this Policy is AstronAlgo.
1.2 Contact. For questions about this Policy, to exercise your rights, or to lodge a complaint, contact us at support@astronalgo.com. We aim to respond within 30 days as required by GDPR Article 12(3) and KVKK Article 13.
2. Categories of Personal Data We Process
We process the following categories of personal data:
- 2.1 Identification & Account Data: email address, hashed password, display name, account identifiers, third-party authentication provider IDs (if you sign in via Google, GitHub, or similar).
- 2.2 Subscription & Billing Data: billing email, plan, payment status, subscription identifiers, invoices, last 4 digits of payment method (provided by the Payment Provider). Full card numbers are processed by our Payment Provider and are never stored on our servers.
- 2.3 Usage Data: pages and features accessed, scan queries, watchlist items, configuration choices, session timestamps, referrer URLs, and other interactions with the Service.
- 2.4 Device & Technical Data: IP address, approximate geolocation derived from IP, browser type and version, operating system, screen resolution, timezone, language preference, cookies, and similar identifiers.
- 2.5 Communications Data: emails, support tickets, contact form submissions, and any other messages you send to us.
- 2.6 Marketing Preferences: consent or objection signals for marketing emails and cookie categories.
We do not process special categories of personal data (e.g. health, biometric, political opinion) and do not knowingly collect data from children under 18.
3. How We Collect Personal Data
- 3.1 Directly from you when you create an Account, submit forms, contact us, or use the Service.
- 3.2 Automatically when you interact with the Service, via cookies, server logs, and the analytics tools described in our Cookie Policy.
- 3.3 From third parties such as authentication providers (if you use social login) or the Payment Provider (for subscription state).
4. Purposes & Legal Bases
We process personal data only for the purposes and on the legal bases set out below:
- 4.1 Provide the Service (account creation, authentication, delivering features, processing payments) — legal basis: performance of a contract (GDPR Art. 6(1)(b); KVKK Art. 5(2)(c)).
- 4.2 Security & abuse prevention (detecting fraud, rate-limiting, intrusion prevention, account recovery) — legal basis: legitimate interests (GDPR Art. 6(1)(f); KVKK Art. 5(2)(f)).
- 4.3 Service improvement & analytics (understanding which features are used, debugging, performance monitoring) — legal basis: legitimate interests for aggregate/anonymised analytics, or consent for non-essential tracking (GDPR Art. 6(1)(a); KVKK Art. 5(1)).
- 4.4 Communications (transactional emails, account notifications, security alerts) — legal basis: performance of a contract and legitimate interests.
- 4.5 Marketing (product updates, newsletters) — legal basis: consent. You may withdraw consent at any time via the unsubscribe link in any marketing email.
- 4.6 Legal compliance (tax records, accounting, responding to lawful requests) — legal basis: legal obligation (GDPR Art. 6(1)(c); KVKK Art. 5(2)(a)).
5. Cookies & Similar Technologies
We use a limited set of cookies and similar technologies. Strictly necessary cookies are loaded by default for authentication and security. Analytics cookies (Google Analytics) are only loaded after you grant consent via the cookie banner. You may change your choice at any time using the "Cookie settings" link in the footer. Full details, including a table of specific cookies, are in our Cookie Policy.
6. Disclosure to Recipients & Sub-processors
6.1. We do not sell personal data. We disclose personal data only to the following categories of recipients:
- Service providers (sub-processors) that help us deliver the Service, listed and described in our public Sub-processors page.
- Payment Provider for subscription billing, acting as Merchant of Record where applicable.
- Authentication providers if you use social login (Google, GitHub, etc.).
- Professional advisers (auditors, lawyers) bound by confidentiality obligations.
- Authorities where required by Applicable Law (court order, lawful government request).
- Acquirers in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and post-transaction protections.
6.2. All sub-processors are bound by written contracts containing data protection terms equivalent to those in this Policy and consistent with Article 28 of GDPR.
7. International Transfers
Some sub-processors operate outside the European Economic Area ("EEA"), the United Kingdom, or Türkiye. Where personal data is transferred to a country that has not received an adequacy decision, we rely on appropriate safeguards required by GDPR Chapter V and KVKK Article 9, including the European Commission's Standard Contractual Clauses (2021/914) and additional technical and organisational measures.
8. Retention
We retain personal data only as long as necessary for the purposes set out in this Policy and in line with Applicable Law:
- Account & subscription data — for the duration of your Account plus up to 12 months after deletion for security, accounting, and legal reasons.
- Billing & invoice records — 10 years as required by Turkish tax law (or the period required by your local tax law if longer).
- Server logs — up to 90 days.
- Backups — rotated and overwritten within 90 days.
- Support communications — up to 3 years after last contact.
After the applicable retention period we delete or irreversibly anonymise the data.
9. Your Rights
Subject to limits in Applicable Law, you have the right to:
- 9.1 access the personal data we hold about you (GDPR Art. 15; KVKK Art. 11);
- 9.2 request correction of inaccurate or incomplete data (GDPR Art. 16; KVKK Art. 11);
- 9.3 request erasure ("right to be forgotten") (GDPR Art. 17; KVKK Art. 7);
- 9.4 request restriction of processing (GDPR Art. 18);
- 9.5 object to processing based on legitimate interests (GDPR Art. 21);
- 9.6 receive your data in a machine-readable format and transmit it to another controller (data portability, GDPR Art. 20);
- 9.7 withdraw consent at any time where processing is based on consent (GDPR Art. 7(3); KVKK Art. 5(1));
- 9.8 lodge a complaint with a supervisory authority — in Türkiye the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK Kurumu), or in the EU your local data protection authority.
To exercise any of these rights, contact support@astronalgo.com. We may need to verify your identity before fulfilling certain requests.
10. Automated Decision-Making
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (GDPR Art. 22). The scores and signals we display are analytical observations, not decisions about you.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- encryption in transit (HTTPS/TLS) and at rest where supported by our infrastructure;
- password hashing with industry-standard algorithms;
- role-based access controls and the principle of least privilege;
- regular dependency and infrastructure updates;
- logging and monitoring for suspicious activity.
No method of transmission or storage is 100% secure. You are responsible for using a strong unique password and enabling two-factor authentication when available.
12. Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by GDPR Article 33, and notify affected individuals where required by GDPR Article 34 or KVKK Article 12.
13. Children
The Service is not intended for children under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a child, please contact us and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. The "last updated" date at the top indicates the most recent revision. We will notify you of material changes by email or via an in-product banner at least 30 days before they take effect.
15. Contact
Questions, requests, or complaints: support@astronalgo.com.