DATA PROTECTION
Privacy Policy
How OpenSeaPiranha Teknoloji Ltd. Şti. collects, uses and protects personal data — under Türkiye's KVKK (Law No. 6698) and the EU GDPR.
01Data Controller
The data controller is OpenSeaPiranha Teknoloji Ltd. Şti. ("OpenSeaPiranha", "we"), registered at Atatürk Mah. Alemdağ Cad. No:39, 34764 Ümraniye / Istanbul, Türkiye.
For any question or request about your personal data, write to info@openseapiranha.com. We answer within 30 days, and within the statutory period required by KVKK.
02What We Collect
We only collect what you type into a form. We do not buy data, and we do not build profiles.
- Contact form: your name, email address, company (optional), subject and message.
- Startup application (Join the Swarm): startup name, founder name, email address, website or LinkedIn (optional), sector, stage, project description, and why you chose OSP (optional).
- Newsletter: your email address and preferred language.
- Technical data: your IP address is processed transiently to rate-limit form submissions and to block abuse. Your browser's Accept-Language header is read to select a language.
03Why We Process It, And On What Basis
- To answer your message or evaluate your application — necessary for taking steps at your request prior to entering into a contract (GDPR Art. 6(1)(b); KVKK Art. 5(2)(c)).
- To send the newsletter — only with your explicit consent, which you may withdraw at any time (GDPR Art. 6(1)(a); KVKK Art. 5(1)).
- To keep the site secure and prevent abuse (rate-limiting by IP) — our legitimate interest (GDPR Art. 6(1)(f); KVKK Art. 5(2)(f)).
04No Tracking. No Analytics. No Cookie Banner.
This site runs no analytics, no advertising pixels and no third-party tracking scripts — not Google Analytics, not Meta Pixel, not Hotjar, nothing. There is nothing to consent to, which is why you see no cookie banner.
We set exactly one cookie, and only if you sign in to the investor area: `osp-auth`, an HttpOnly, Secure, SameSite=Strict session token that expires after 4 hours. It carries no personal data and cannot be read by scripts.
Fonts are self-hosted. We embed no maps, videos or widgets, so no third party sees you simply for visiting a page.
05Where It Goes
Form submissions are emailed to us and, where our database is available, stored so we can retrieve them later. Name, email and message content are encrypted at rest with AES-256-GCM. Newsletter addresses are stored unencrypted, because we must be able to recognise a duplicate subscription.
- Cloudflare (Workers, R2, KV) — hosting and edge delivery. If our database and mail service are both unreachable, your submission is queued in Cloudflare KV, encrypted, for up to 90 days so that it is not lost.
- Resend — delivers the notification email to our inbox.
- Supabase (PostgreSQL, EU region) — stores submissions when the database is online.
- Cloudflare Email Routing — forwards mail sent to info@openseapiranha.com to our team inbox.
06International Transfers
Our providers operate outside Türkiye. Under KVKK Art. 9, transferring personal data abroad requires your explicit consent or another lawful ground; by submitting a form you consent to this transfer. Under the GDPR, transfers rely on Standard Contractual Clauses where no adequacy decision applies.
07How Long We Keep It
- Contact messages and applications: kept while the enquiry is live and up to 2 years afterwards, then deleted.
- Newsletter: until you unsubscribe.
- Rate-limit records (IP): automatically deleted within 1 hour.
- Session cookie: 4 hours.
08Your Rights
Under KVKK Art. 11 and GDPR Arts. 15–22 you may ask us whether we hold data about you, request a copy, have it corrected, deleted or restricted, object to processing, request portability, and withdraw consent at any time.
Send any request to info@openseapiranha.com. If you are unsatisfied, you may complain to the Turkish Personal Data Protection Authority (KVKK Kurumu) or to your local EU supervisory authority.
09Security
- TLS in transit; AES-256-GCM encryption at rest for names, emails and message bodies.
- A strict Content-Security-Policy that blocks third-party scripts and framing.
- Rate limiting, origin checks and input validation on every public endpoint.
- Vulnerability reports: security@openseapiranha.com.
10Children
This site is not directed at children under 18, and we do not knowingly collect their data.
11Changes
If we change how we handle personal data, we update this page and the date above. Material changes are announced on the site.
Last updated: 2026-07-09
This notice describes what the site actually does, verified against its source code. It is provided for transparency and is not legal advice.