BASE 3D-AR-AI Platform

Privacy Policy

Effective Date: February 23, 2026
Version 2.0

BASE BROS Bilişim Hizmetleri A.Ş. (the "Company", "we", "us", or "our"), a company incorporated under the laws of the Republic of Turkey with its registered office in Istanbul, Turkey, operates the BASE 3D-AR-AI Platform (the "Platform" or "Service").

This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal data when you access or use the Platform. This Policy applies to all users of the Platform, including visitors, registered users, and subscribers.

We are committed to safeguarding your privacy and processing your personal data in compliance with applicable data protection laws, including but not limited to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable international data protection legislation.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform.

1. Data Controller

For the purposes of applicable data protection legislation, the data controller is:

BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey
Email: [email protected]
Web: www.basebros.com

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

  • Account Registration Data: Full name, email address, username, and password (stored exclusively as a cryptographic hash; we never store plaintext passwords).
  • Profile Information: Profile picture, display name, company name, and other optional details you choose to provide.
  • Authentication via Third Parties: If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
  • Payment Information: When you subscribe to a paid plan, payment processing is handled by our third-party payment processors. We do not directly store full credit card numbers or complete payment credentials on our servers.
  • Communications: Content of emails, support requests, or feedback you send to us.

2.2 User-Generated Content

  • 3D model files (.glb, .gltf, and related formats)
  • Textures, images, and material configurations
  • Scene and page configurations
  • Project metadata and settings
  • AI-generated 3D content created through Platform tools

2.3 Automatically Collected Data

  • Device & Browser Information: Browser type and version, operating system, device type, screen resolution, and preferred language.
  • Network Data: IP address, approximate geographic location (city/country level, derived from IP), and internet service provider.
  • Usage Data: Pages and features accessed, actions performed, timestamps of interactions, session duration, referral URLs, and navigation paths within the Platform.
  • Performance Data: Page load times, errors encountered, and technical performance metrics.

2.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies as follows:

Cookie Type | Purpose | Duration
Essential / Strictly Necessary | Authentication, session management, security (CSRF protection) | Session / up to 30 days
Functional / Preferences | Theme preference (light/dark mode), language settings, UI state | Up to 1 year
Analytics / Performance | Visitor analytics for published 3D viewer pages, Platform usage metrics | Up to 12 months

You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Platform functionality.

3. Legal Bases for Processing

We process your personal data based on the following legal grounds, as applicable under KVKK, GDPR, and other relevant legislation:

  • Performance of a Contract (KVKK Art. 5/2-c; GDPR Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations to you.
  • Legitimate Interests (KVKK Art. 5/2-f; GDPR Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Platform, ensuring security, preventing fraud, and conducting analytics, where such interests are not overridden by your fundamental rights and freedoms.
  • Consent (KVKK Art. 5/1; GDPR Art. 6(1)(a)): Where we rely on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation (KVKK Art. 5/2-ç; GDPR Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, court orders, or regulatory requirements.

4. Purposes of Processing

We process your personal data for the following purposes:

  • Providing, operating, and maintaining the Platform and its features
  • Creating and managing your user account
  • Authenticating your identity and maintaining session security
  • Hosting, rendering, processing, and delivering your 3D and AR content
  • Processing AI-powered 3D generation requests
  • Processing subscription payments and managing billing
  • Sending transactional communications (e.g., account verification, password resets, subscription confirmations)
  • Providing customer support and responding to inquiries
  • Monitoring Platform performance, diagnosing technical issues, and preventing abuse
  • Generating aggregated, anonymized analytics to improve the Platform
  • Enforcing our Terms of Use and preventing unauthorized or fraudulent activity
  • Complying with legal obligations and responding to lawful requests from authorities

5. Data Sharing and Disclosure

We do not sell, rent, lease, or trade your personal data to third parties for their marketing purposes.

We may share your personal data only in the following circumstances:

5.1 Service Providers (Data Processors)

We engage trusted third-party service providers who process personal data on our behalf under strict contractual obligations:

  • Cloud Infrastructure: DigitalOcean (object storage for 3D assets and files)
  • Database Hosting: MongoDB Atlas (account and project data)
  • Authentication: Google OAuth (when you choose to sign in with Google)
  • Payment Processing: Third-party payment processors for subscription billing
  • Email Services: Transactional email delivery providers

All data processors are contractually required to process personal data only as instructed by us, maintain confidentiality, and implement appropriate technical and organizational security measures.

5.2 Legal Requirements

We may disclose personal data when required to do so by law, regulation, or valid legal process (e.g., court order, subpoena, or government request), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure the successor entity is bound by at least equivalent privacy obligations.

5.4 Published Content

When you publish a 3D viewer page, AR experience, or other content through the Platform, that content becomes publicly accessible via the generated URL. Any information contained in published content is visible to anyone with the link.

6. International Data Transfers

Your personal data may be processed and stored in countries other than your country of residence, including but not limited to the United States and European Union member states, where our infrastructure providers maintain their data centers.

For transfers of personal data outside of Turkey, we comply with KVKK requirements, including obtaining necessary approvals from the Personal Data Protection Board where required. For transfers from the EEA, we rely on:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other appropriate safeguards as permitted under applicable law

You may request information about the specific safeguards in place for international transfers by contacting us.

7. Data Security

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including but not limited to:

  • Encryption of all data in transit using TLS/SSL protocols
  • Encryption of sensitive data at rest
  • Cryptographic hashing of passwords using industry-standard algorithms (bcrypt)
  • JWT-based authentication with configurable token expiration
  • Role-based access control and principle of least privilege
  • Regular security assessments and code reviews
  • Comprehensive audit logging of administrative actions
  • Secure, isolated cloud infrastructure with firewall protection
  • Rate limiting and abuse detection mechanisms

While we implement industry-standard security practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge this inherent risk when using any internet-based service.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

Data Category | Retention Period
Account Data | Duration of active account + 30 days after deletion request
User Content (3D models, assets) | Duration of active account + 30 days after deletion request
Usage / Analytics Logs | Up to 12 months (rolling)
Visitor Analytics (published pages) | Up to 24 months (aggregated/anonymized)
Audit Logs | Up to 24 months
Billing Records | As required by applicable tax and commercial law (minimum 5 years under Turkish Commercial Code)
Support Communications | Up to 24 months after resolution

Upon account deletion, we will erase or irreversibly anonymize your personal data within 30 days, except for data that must be retained to comply with legal obligations or to establish, exercise, or defend legal claims.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

9.1 Rights Under KVKK (Turkey)

In accordance with Article 11 of Law No. 6698, you have the right to:

  • Learn whether your personal data is being processed
  • Request information about the processing of your personal data
  • Learn the purpose of processing and whether it is used in accordance with its purpose
  • Know the third parties to whom your personal data has been transferred domestically or abroad
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of your personal data under conditions set forth in Article 7
  • Object to results against you arising from the analysis of your data exclusively through automated systems
  • Claim compensation for damages arising from unlawful processing of your personal data

9.2 Rights Under GDPR (EEA Residents)

If you are located in the European Economic Area, you additionally have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing in certain circumstances
  • Data Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests or direct marketing
  • Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Withdraw Consent: Withdraw previously given consent at any time
  • Lodge a Complaint: File a complaint with your local supervisory authority

9.3 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
  • Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

California residents may also designate an authorized agent to make requests on their behalf.

9.4 How to Exercise Your Rights

To exercise any of the above rights, please contact us at [email protected] with the subject line "Data Subject Request." We will verify your identity and respond within the legally required timeframe (30 days under KVKK, 30 days under GDPR, 45 days under CCPA). Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.

10. Children's Privacy

The Platform is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. Upon verification, we will promptly delete such data.

11. Third-Party Services and Links

The Platform may contain links to, or integrations with, third-party websites and services (including Google Sign-In, payment processors, and cloud storage providers). This Privacy Policy does not apply to third-party services. We strongly encourage you to review the privacy policies of any third-party services you access through the Platform. We are not responsible for the privacy practices, content, or security of third-party services.

12. AI Services and Data Processing

When you use our AI-powered features (text-to-3D generation, image-to-3D conversion, AI-assisted editing), the following applies:

  • Input data (text prompts, reference images) is processed to generate 3D output and is not used for purposes other than fulfilling your request and improving the AI system
  • AI-generated outputs are stored as part of your User Content and subject to the same data handling practices
  • We may use anonymized, aggregated usage patterns to improve AI model performance, but individual inputs are not shared with third parties
  • AI processing may be performed by third-party AI infrastructure providers under strict data processing agreements

13. Published 3D Viewer Analytics

When you publish a 3D viewer page or AR experience, we collect anonymized analytics data from visitors to your published pages, including:

  • Page view counts and unique visitor counts
  • Geographic distribution of visitors (country/city level)
  • Device and browser types used to access the content
  • Interaction metrics (e.g., 3D rotation, AR activation, session duration)
  • Referral sources

This data is presented to you through the Platform's analytics dashboard. Visitor data is processed in an aggregated and anonymized manner and is not used to identify individual visitors.

14. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how companies should respond to DNT signals, we do not currently respond to DNT signals. However, you can manage tracking preferences through cookie settings and browser controls as described in Section 2.4.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (including the Turkish Personal Data Protection Authority, "KVKK Board") within 72 hours of becoming aware of the breach, as required by applicable law
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and remedial actions taken

16. Automated Decision-Making

The Platform does not engage in fully automated decision-making that produces legal effects or similarly significantly affects you. Certain automated processes are used for:

  • Fraud detection and security monitoring
  • Subscription quota enforcement
  • AI content generation based on your inputs

You have the right to request human review of any automated decisions that materially affect you.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or through an in-platform notification at least 15 days prior to the effective date of the changes.

We encourage you to review this Policy periodically. The "Effective Date" at the top of this page indicates when the Policy was last revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.

18. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey

General Inquiries: [email protected]
Technical & R&D: [email protected]
Web: www.basebros.com

For complaints regarding the processing of your personal data in Turkey, you may also apply to the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — www.kvkk.gov.tr). For EEA residents, you may lodge a complaint with your local data protection supervisory authority.

© 2025-2026 BASE BROS Bilişim Hizmetleri A.Ş. All rights reserved.