Privacy Policy

1. Data Controller

Tigrister is operated by Mesut Yakut, a sole proprietorship registered in Istanbul, Turkey. For the purposes of the Turkish Personal Data Protection Law (KVKK), the European General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, applicable United States state privacy and data protection laws (such as the California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, and New York consumer privacy and data protection statutes, as enacted and amended from time to time), and any other applicable data protection law, Mesut Yakut is the data controller (or, where the term is used in your jurisdiction, the "business") responsible for processing the personal data described in this policy.

2. Scope

This Privacy Policy explains how we collect, use, store, and share personal data in connection with:

• The Tigrister website (tigrister.com)
• The Tigrister customer portal, where accounts, subscriptions, and licenses are managed
• The Tigrister desktop applications — Tigrister SE, Tigrister PRO, and the Tigrister CLI
• The Tigrister license server, which verifies PRO licenses
• Our email communications with you, such as verification, password reset, and license assignment notices

3. The Short Version

Tigrister is a local-first application. Your projects, API requests, flows, and workspace data stay on your device — we have no access to them. The desktop application does not send telemetry or analytics. We only collect the minimum information required to operate your account, verify your license, process your payment, and deliver transactional emails.

4. Data We Collect

Website (tigrister.com)

We use Google Analytics (GA4) on the Tigrister website and customer portal to understand which content is helpful, which pages people land on, and how our marketing reaches them. The data collected is aggregated and anonymised — we use it to improve the product and our communication, not to build individual user profiles or target advertising. We do not use Facebook Pixel, advertising cookies, or any cross-site tracking. You can opt out of Google Analytics at any time using the Google Analytics Opt-out Browser Add-on or your browser's standard privacy controls.

Like any web service, our cloud infrastructure provider may automatically generate short-lived server access logs (such as IP address, user-agent, requested URL, and timestamp) as part of its standard operation, in order to deliver pages and protect the service from abuse. We do not actively read, aggregate, or build profiles from those logs.

Customer Portal and Account

A Tigrister account is required only to purchase and manage a Tigrister PRO license. When you register or use the portal we process:

• Your name and email address
• Your password, stored only as a one-way cryptographic hash — we cannot see or recover your plaintext password
• Email verification and password reset codes
• Authentication session tokens used to keep you signed in
• Subscription metadata returned by our payment provider
• Refund records when you request or receive a refund
• For enterprise accounts: organization name and the list of email addresses to whom you assign licenses

We do not store IP addresses of customer-portal users.

Desktop Applications (SE, PRO, CLI)

The desktop applications store your projects, environments, flows, request history, settings, and all workspace data locally on your device. We have no access to this data and it is never sent to our servers. The applications do not collect analytics, telemetry, or crash reports and do not include any third-party advertising or tracking SDKs.

The only network traffic the applications initiate on our behalf is:

• License verification (Tigrister PRO) — the application contacts our license server to verify that your license is valid. The request contains your license key, a device identifier ("machine id"), and a short operating-system name. No project or request data is sent.
• Trial activation — when you start a PRO trial, a device identifier and operating-system name are sent to the license server so that we can enforce the one-trial-per-machine rule. No account is created.
• Update checks — Tigrister SE, Tigrister PRO, and the Tigrister CLI periodically check whether a newer version is available by downloading a small manifest file from one of our public release repositories under github.com/tigrister. The request contains no account data, project data, or personal identifiers, but as with any HTTPS request, GitHub may receive standard technical metadata (such as your IP address and user-agent) under GitHub's Privacy Statement.

Locally Stored Credentials

The desktop application may store sensitive credentials — such as your Tigrister PRO license key, Git credentials, or HashiCorp Vault connection details — in your operating system's secure credential store (macOS Keychain, Windows Credential Manager, or the Linux Secret Service). This data never leaves your device and is protected by your operating system's built-in security.

Support Requests

If you contact us at [email protected] or another Tigrister email address, we process your email address and the content of your message so that we can reply and keep a record of the conversation.

5. Why We Process Your Data (Legal Basis)

We rely on the following legal bases under the KVKK, the GDPR, the UK GDPR, applicable United States state privacy laws, and any other applicable data protection law:

• Performance of a contract — to create and operate your account, verify your Tigrister PRO license, provide customer support, and process payments and refunds
• Legal obligation — to keep the accounting and tax records we are required to retain under Turkish law for the income we receive from our payment provider, and to respond to lawful requests from competent authorities. Customer-facing invoices are issued by our third-party Merchant of Record, not by us.
• Legitimate interests — to protect our systems and users from fraud and abuse, to enforce our Terms of Service, to detect refund abuse, and to keep our services running securely and reliably
• Consent — where specific consent is required by law. You can withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal

6. Third-Party Service Providers

We use a small number of trusted third-party providers to operate Tigrister. Each of them only processes data in line with our written instructions and their own privacy commitments:

• Merchant of Record (payment provider) — our third-party payment provider handles checkout, payment processing, tax calculation, invoicing, and refunds. When you make a purchase, they collect your payment details, billing address, and other transaction information directly; we do not see or store your full payment details. Their own privacy policy governs how they handle this data.
• Resend — our transactional email provider. Resend delivers account verification, password reset, license assignment, and other service emails. Your email address and the content of the email are shared with Resend for delivery. We do not use Resend for marketing emails. See Resend's Privacy Policy.
• Google Cloud Platform — our cloud infrastructure provider. Our data is hosted in GCP data centres located in Belgium, within the European Union. See Google Cloud's Privacy Notice.
• Google Analytics (GA4) — our website analytics provider. We use it on the Tigrister website and customer portal to measure aggregated traffic and improve our content. Google Analytics may set cookies and process technical metadata such as IP address, page URL, and browser information on our behalf. See Google's Privacy Policy.

We do not sell your personal data to anyone and we do not share it with third parties for their own marketing purposes.

7. International Data Transfers

We are based in Turkey, and our personal data is stored in Google Cloud Platform data centres in Belgium, within the European Union. When you create an account, manage a subscription, or have your license verified, your personal data is stored and processed in the European Union. If you are located in Turkey, your data is transferred to the EU for processing. If you are located in the European Economic Area, your data stays within the EEA.

Our payment provider and Resend are independent processors that operate their own global infrastructure. Any cross-border transfer of your personal data carried out by them as part of payment processing or email delivery is governed by their own privacy policies, which we link to in Section 6.

Where such transfers occur, we rely on our providers' own safeguards, which may include Standard Contractual Clauses approved by the European Commission and equivalent measures required under Turkish law, to ensure that your personal data continues to be protected.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law:

• Account data — for as long as your account is active. When an account is deleted, associated personal data is removed from our active systems within a reasonable period, subject to any legal retention obligations.
• Subscription and refund records — retained for the period required by Turkish tax and commercial law (up to 10 years), even after your account is deleted.
• Email verification and password reset codes — expire within minutes of being generated and are deleted automatically.
• Server logs and security records — retained for a short period (typically 30 days) for security, debugging, and abuse prevention.
• Support correspondence — retained for as long as reasonably necessary to provide continuity of support.

9. Data Security

We take technical and organisational measures to protect personal data. All communication between the desktop application, the website, the customer portal, and our license server is encrypted with HTTPS. Passwords are stored only as one-way cryptographic hashes. License server responses are cryptographically signed to prevent tampering. Access to production systems is limited to authorised personnel and protected by strong authentication. No method of transmission or storage is 100% secure, but we continuously work to improve the security of our systems.

10. Cookies and Similar Technologies

We use only strictly necessary cookies and equivalent local storage:

• Session cookies — set when you sign in to the customer portal, used to keep you authenticated during your session
• Security cookies — used to prevent cross-site request forgery and similar attacks

We do not use marketing cookies, advertising cookies, or any cross-site tracking technologies.

11. Your Rights

Depending on where you live, you may have the following rights under the KVKK, the GDPR, the UK GDPR, applicable United States state privacy laws, or any other data protection law that applies to you:

• Access — to obtain confirmation that we process personal data about you and to receive a copy of that data
• Rectification — to have inaccurate or incomplete personal data corrected
• Erasure — to have your personal data deleted where there is no overriding legal reason to retain it
• Restriction — to limit how we process your personal data in certain circumstances
• Portability — to receive your personal data in a structured, commonly used, and machine-readable format
• Objection — to object to processing based on our legitimate interests
• Withdraw consent — where we rely on consent as the legal basis, you can withdraw it at any time
• Lodge a complaint — with your local data protection authority. In Turkey, this is the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK); in the European Union, it is the supervisory authority in your country of residence; in the United Kingdom, it is the Information Commissioner's Office (ICO); in the United States, it is the relevant state Attorney General or equivalent regulator.

To exercise any of these rights, contact us at [email protected]. We will respond within the time limits required by applicable law, usually within 30 days.

Self-service account deletion is not currently available in the customer portal. To request deletion of your account and associated personal data, please email [email protected].

12. Children's Privacy

Tigrister is not intended for individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will take appropriate steps to delete it.

13. Third-Party Links

Our website and documentation may link to third-party websites. We are not responsible for the privacy practices of those sites. When you follow an external link, we encourage you to review the destination site's own privacy policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes take effect when published on this page. For material changes that affect how we process personal data, we will make reasonable efforts to notify you — for example, by email or via the customer portal. The "Last updated" date at the top of this page will always reflect the current version.

15. Contact

If you have questions or requests about this Privacy Policy or the way we handle your personal data, please contact us:

• Privacy and legal inquiries: [email protected]
• Account and billing support: [email protected]
• General questions: [email protected]