[toolgenx]
Open menu

Legal

Privacy policy

This page explains what we collect, why, where it lives, and how to ask for it back or delete it. Written plainly. If anything here is unclear, email support@toolgenx.com and we will explain.

Last updated:

Who we are

ToolGenX is operated by İsmail Günaydın from Istanbul, Turkey. The legal entity is a Turkish sole proprietorship. For data protection questions, email support@toolgenx.com.

What we collect

  • Account data: email, name (optional), preferred locale. Source: you give it to us when you sign up or check out.
  • Order data: product purchased, amount, currency, billing country, payment method type (never the full card number — that stays with the gateway).
  • License + download data: license key issued, download count, IP and user-agent at the moment of download. Required to prevent license abuse.
  • Consent records: the exact text version of consent checkboxes you ticked at checkout, plus timestamp and IP. Required by EU CRD Art 16(m) to prove that you waived your right of withdrawal when you started a download.
  • Analytics: aggregate page views and Web Vitals through Plausible, which does not set cookies and does not identify individuals.

Why we collect it (legal basis under GDPR + KVKK)

  • To perform the contract you entered into when you bought a product (Art 6(1)(b)).
  • To meet our legal obligations around tax, refund, and consent records.
  • For our legitimate interest in preventing fraud, license sharing, and improving the product. You can object — see “Your rights” below.

Who we share it with (data processors)

  • Supabase (EU region): database, authentication, file storage.
  • Stripe: card payment processing (global Visa, Mastercard, Amex). PCI-DSS Level 1.
  • Iyzico: card payment processing (global Visa, Mastercard, Amex; plus Turkish lira pricing, taksit, and e-fatura for buyers in Türkiye). BRSA-licensed in Türkiye and PCI-DSS compliant.
  • Resend: transactional email (order confirmation, password reset).
  • Vercel (Frankfurt region): hosting + edge network.
  • Plausible: analytics. No cookies, no personal identifiers.
  • Sentry: error tracking. IP truncated, no payload bodies.

Where your data lives

Primary storage is in the European Union (Supabase EU, Vercel Frankfurt). Payment data passes through US-based gateways under the EU-US Data Privacy Framework. We do not transfer identifiable data outside these regions for marketing purposes.

How long we keep it

  • Account + order data: as long as you have an account, plus 10 years for tax records.
  • Consent + download logs: 6 years (matches refund/legal claim window in EU + TR).
  • Analytics: aggregate only, no per-visitor retention.

Your rights

Under GDPR + KVKK + UK Data Protection Act + CCPA + similar laws, you can:

  • Access the data we hold about you.
  • Correct it if it is wrong.
  • Delete it (“right to be forgotten”) — except records we must keep for legal compliance.
  • Export it in a portable format.
  • Withdraw consent for processing where consent is the legal basis.
  • Lodge a complaint with your supervisory authority (e.g., KVKK, ICO, CNIL).

Send any request to support@toolgenx.com. We aim to respond within 7 days, must respond within 30.

Children

ToolGenX is not directed at children under 16. If you believe a minor created an account, email us and we will remove it.

Changes

We update this policy when our processors, jurisdictions, or features change. Material changes are emailed to active customers at least 14 days before they take effect.