Privacy Policy

1. Overview & Data Controller

This Privacy Policy describes how Aceris Studio ("we", "us", or "our") collects, uses, and protects your personal information when you use our website (getaceris.com) and our digital product design and development services.

For the purposes of the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK), the primary Data Controller for your information is:

2. Information We Collect

We collect information in the following ways:

• Information you provide directly: Name, email address, project requirements, and files (such as brand assets) submitted through our contact and onboarding forms.
• Transaction information: When you purchase a package, payment is processed securely through our integrated payment gateway (see Section 5). We receive confirmation of the payment and order details, but we never see or store your credit card information.
• Automatically collected information: We temporarily determine your country code based on your IP address to automatically display our website in an appropriate language. This geographical lookup is done on-the-fly, and your IP address is not stored in our databases.

3. How We Use Your Information

We use your personal data to:

• Deliver the web design and development services you have purchased.
• Create and manage your secure client dashboard account.
• Communicate with you regarding project updates, requirements, and revisions.
• Send essential transactional emails (e.g., magic link login emails, order confirmations).
• Comply with our legal and accounting obligations.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Performance of a Contract: Necessary to provide the services you ordered (e.g., fulfilling the design package, maintaining your client dashboard).
• Legal Obligation: Necessary to comply with tax and accounting laws in Turkey and internationally.
• Legitimate Interests: Necessary for security (e.g., authentication) and providing a localized user experience.
• Consent: Where required by law, we will obtain your explicit consent before using your data for specific purposes (such as marketing communications).

5. Third-Party Services & Payment Processing

To operate our business effectively, we use carefully selected third-party service providers. These providers only have access to the personal data necessary to perform their functions.

We also use the following service providers:

• Supabase: For secure database storage and user authentication (magic links).
• Vercel: For website hosting and edge functions.
• Formspree: For processing initial contact form submissions securely.
• Resend: For delivering transactional emails.
• ipapi.co: For non-persistent IP geolocation to provide language localization.

6. Cookies & Local Storage

We prioritize your privacy and do not use invasive tracking or advertising cookies. We only use essential mechanisms required for the website to function:

• Authentication Cookies: Secure cookies set by Supabase to keep you logged into the client dashboard.
• Local Storage (`aceris_locale`): A tiny file saved in your browser to remember your language preference so we don't switch the language abruptly on your next visit.

Because these are strictly necessary for the technical functioning of the site and the service you requested, they are exempt from cookie consent banner requirements.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Client Account Data: Retained for the lifetime of your account to facilitate ongoing access to project files and retainers. If you request account deletion, data is removed within 30 days.
• Order & Billing Records: Retained for a minimum of 6 years to comply with Turkish and international tax and accounting laws.
• Contact Form Inquiries: Retained for up to 12 months for customer service context, after which non-converting inquiries are deleted.

8. International Data Transfers

Our service operates globally. Data we collect may be routed, stored, and processed in secure data centers located in the United States and the European Union (via our providers Supabase and Vercel). By using our services, you consent to the transfer of information to countries outside of your country of residence, knowing that we strictly use providers fully compliant with GDPR data transfer safeguards (such as Standard Contractual Clauses).

9. Data Security

We implement robust security measures to protect your data. All data transmitted to and from our website is encrypted using standard TLS/SSL (HTTPS). Our database utilizes Row-Level Security (RLS) policies, ensuring that you can only access your own project files and messages, and that unauthorized users cannot read your data. We use passwordless authentication (magic links) to eliminate the risk of password breaches.

10. Your Rights

Depending on your location (including the EU and UK), you have significant rights regarding your personal data:

• Right to Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can ask us to correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): You can request the deletion of your data (subject to legal retention requirements).
• Right to Restriction: You can ask us to suspend processing your data.
• Right to Data Portability: You can request your data in a structured, machine-readable format.
• Right to Object: You can object to processing based on legitimate interests.

To exercise any of these rights, please contact us at contact@getaceris.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Children's Privacy

Our services are strictly meant for businesses and individuals over the age of 18. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

12. Marketing Communications

We only send marketing communications if you have explicitly opted in. If you receive marketing emails from us, you may opt-out at any time by clicking the "unsubscribe" link at the bottom of the email or contacting us directly. Please note that even if you opt out of marketing, we will still send you essential transactional emails related to your active projects.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, if necessary, notify active clients via email.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please reach out to us: