3D-AR Platform
Privacy Policy
Effective Date: February 23, 2026
Version 2.0
BASE BROS Bilişim Hizmetleri A.Ş. (the "Company", "we", "us", or "our"), a company incorporated under the laws of the Republic of Turkey with its registered office in Istanbul, Turkey, operates the BASE 3D-AR Platform (the "Platform" or "Service").
This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal data when you access or use the Platform. This Policy applies to all users of the Platform, including visitors, registered users, and subscribers.
We are committed to safeguarding your privacy and processing your personal data in compliance with applicable data protection laws, including but not limited to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable international data protection legislation.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform.
1. Data Controller
For the purposes of applicable data protection legislation, the data controller is:
BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey
Email: [email protected]
Web: www.basebros.com
2. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Information You Provide Directly
- Account Registration Data: Full name, email address, username, and password (stored exclusively as a cryptographic hash; we never store plaintext passwords).
- Profile Information: Profile picture, display name, company name, and other optional details you choose to provide.
- Authentication via Third Parties: If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
- Payment Information: When you subscribe to a paid plan, payment processing is handled by our third-party payment processors. We do not directly store full credit card numbers or complete payment credentials on our servers.
- Communications: Content of emails, support requests, or feedback you send to us.
2.2 User-Generated Content
- 3D model files (.glb, .gltf, and related formats)
- Textures, images, and material configurations
- Scene and page configurations
- Project metadata and settings
- AI-generated 3D content created through Platform tools
2.3 Automatically Collected Data
- Device & Browser Information: Browser type and version, operating system, device type, screen resolution, and preferred language.
- Network Data: IP address, approximate geographic location (city/country level, derived from IP), and internet service provider.
- Usage Data: Pages and features accessed, actions performed, timestamps of interactions, session duration, referral URLs, and navigation paths within the Platform.
- Performance Data: Page load times, errors encountered, and technical performance metrics.
2.4 Cookies and Similar Technologies
We use cookies and similar tracking technologies as follows:
| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential / Strictly Necessary | Authentication, session management, security (CSRF protection) | Session / up to 30 days |
| Functional / Preferences | Theme preference (light/dark mode), language settings, UI state | Up to 1 year |
| Analytics / Performance | Visitor analytics for published 3D viewer pages, Platform usage metrics | Up to 12 months |
You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Platform functionality.
3. Legal Bases for Processing
We process your personal data based on the following legal grounds, as applicable under KVKK, GDPR, and other relevant legislation:
- Performance of a Contract (KVKK Art. 5/2-c; GDPR Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations to you.
- Legitimate Interests (KVKK Art. 5/2-f; GDPR Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Platform, ensuring security, preventing fraud, and conducting analytics, where such interests are not overridden by your fundamental rights and freedoms.
- Consent (KVKK Art. 5/1; GDPR Art. 6(1)(a)): Where we rely on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal Obligation (KVKK Art. 5/2-ç; GDPR Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, court orders, or regulatory requirements.
4. Purposes of Processing
We process your personal data for the following purposes:
- Providing, operating, and maintaining the Platform and its features
- Creating and managing your user account
- Authenticating your identity and maintaining session security
- Hosting, rendering, processing, and delivering your 3D and AR content
- Processing AI-powered 3D generation requests
- Processing subscription payments and managing billing
- Sending transactional communications (e.g., account verification, password resets, subscription confirmations)
- Providing customer support and responding to inquiries
- Monitoring Platform performance, diagnosing technical issues, and preventing abuse
- Generating aggregated, anonymized analytics to improve the Platform
- Enforcing our Terms of Use and preventing unauthorized or fraudulent activity
- Complying with legal obligations and responding to lawful requests from authorities
5. Data Sharing and Disclosure
We do not sell, rent, lease, or trade your personal data to third parties for their marketing purposes.
We may share your personal data only in the following circumstances:
5.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process personal data on our behalf under strict contractual obligations:
- Cloud Infrastructure: DigitalOcean, LLC (object storage for 3D assets, source images, and platform files; servers located in the United States)
- Database Hosting: MongoDB Atlas (account, project, and analytics data)
- Authentication: Google LLC — Google OAuth (when you choose to sign in with Google)
- AI 3D Generation Providers: Meshy, Inc. (San Francisco, California, USA — www.meshy.ai), VAST AI / Tripo (operator of www.tripo3d.ai), and Deemos Corporation / Hyper3D Rodin (operator of hyper3d.ai — API at api.hyper3d.com) — process text prompts and reference images you submit to generate 3D models. See Section 12 for details.
- Payment Processing & Merchant of Record: Polar Software, Inc., a Delaware corporation; registered office: 3500 South DuPont Highway, Dover, DE 19901, USA; principal place of business: 548 Market Street, PMB 61301, San Francisco, CA 94104, USA; EU VAT identification: EU372061545; [email protected] · polar.sh. Merchant of Record (MoR) acting as both an independent data controller for its own checkout and customer-portal activities, and as a data processor on our behalf for subscription provisioning. Underlying card processing is performed by Stripe — the applicable Stripe entity is Stripe, Inc. / Stripe, LLC for U.S. transactions and Stripe Payments Europe, Limited for EEA cardholders (per Stripe Services Agreement). See Section 5.2 below for the full scope of data handling, certifications and international transfers.
- Email Services: Transactional email delivery providers
All data processors are contractually required to process personal data only as instructed by us, maintain confidentiality, and implement appropriate technical and organizational security measures.
5.2 Payment Data — Polar (Merchant of Record) and Stripe (Card Processor)
All paid subscriptions, renewals, and one-time purchases on the Platform are processed through a two-layer payment stack:
- Polar Software, Inc. — Delaware corporation; registered office: 3500 South DuPont Highway, Dover, DE 19901, USA; principal place of business: 548 Market Street, PMB 61301, San Francisco, CA 94104, USA; EU VAT: EU372061545. Polar is the Merchant of Record (MoR) and is named as the seller on your invoice / receipt and as the descriptor on your bank or card statement (line item typically "Polar" / "polar.sh"). Privacy / data-subject contact: [email protected]; general support: [email protected].
- Stripe — operating through the Stripe entity applicable to your jurisdiction (Stripe, Inc. / Stripe, LLC in the United States; Stripe Payments Europe, Limited in the EEA). Stripe is Polar's underlying PCI-compliant card processor.
The privacy implications of this arrangement are as follows:
- Roles and responsibility: Polar processes payment data partly as an independent data controller (for its own MoR, tax, fraud-prevention, accounting and statutory record-keeping obligations) and partly as a data processor acting on our instructions (to provision and renew your subscription). Stripe processes cardholder data as an independent controller for its own legal, fraud-prevention and PCI compliance purposes, and as a service provider/processor for Polar.
- Card data collected directly by Polar / Stripe: Your full payment instrument data — primary account number (PAN), card expiry, card verification value (CVV/CVC), card type and brand, last four digits, billing name and address, contact phone/email, and (where required) tax identification number — is collected and held directly on Polar's and Stripe's infrastructure. This data is never seen, stored or processed by us; we have no access to raw cardholder data.
- What we receive from Polar: We only receive a non-sensitive transaction reference sufficient to provision and manage your subscription. This typically includes: Polar customer ID, Polar subscription ID, plan (Plus / Pro), billing interval (monthly / yearly), subscription status (active / past_due / canceled), current period end, billing country (for tax determination), and, where applicable, the last four digits and brand of the card so that we can show "Visa •••• 4242" in your account UI. We do not receive the full PAN, CVV, or full billing address.
- Security certifications (Stripe): Stripe maintains PCI DSS Level 1 certification (the highest tier defined by the PCI Security Standards Council, attested annually) and produces annual SOC 1 Type II and SOC 2 Type II reports. Stripe enforces PSD2 / Strong Customer Authentication (SCA) via 3-D Secure for cardholders in the European Economic Area and the United Kingdom, applies Stripe Radar machine-learning fraud screening, and uses TLS for data in transit with AES-class encryption at rest. Stripe's full security posture is documented at stripe.com/docs/security.
- International transfers (EEA / UK / Switzerland → United States): Polar and Stripe store and process payment data on infrastructure located primarily in the United States. For transfers from the EEA, United Kingdom, or Switzerland to the U.S.:
  - Stripe, LLC is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework — listed on the official dataprivacyframework.gov registry. Stripe additionally executes EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum where DPF coverage does not apply.
  - Polar relies on EU Standard Contractual Clauses (with the UK IDTA and Swiss supplementary clauses) for any transfer of personal data originating in the EEA/UK/Switzerland, together with the additional safeguards described in Polar's privacy policy.
- Tax processing: Polar (using Stripe Tax) calculates, collects, files and remits applicable VAT, GST, sales tax, digital service tax, and similar consumption taxes globally, on our behalf. The amount of tax collected is determined by your billing country and the rules in force there. Your tax invoice is issued by Polar and is available from Polar's customer portal.
- Retention: Polar and Stripe retain transaction records for as long as required by statutory accounting, tax, anti-money-laundering, fraud-prevention and consumer-protection obligations (typically multiple years; the exact retention period is determined by their own policies and applicable law). Our records of your subscription metadata (status, plan, period end) are retained for the lifetime of your BASE account plus a residual period required for our own audit and compliance obligations.
- Polar's subprocessors: Polar engages Stripe (payment processing), Google (analytics, where applicable), and other vendors as documented in Polar's own privacy policy. Stripe's current list of sub-processors is published at stripe.com/service-providers/legal.
- Independent privacy notices: Polar's and Stripe's own privacy notices govern their processing of your payment data and apply in addition to this Privacy Policy. We strongly recommend reading them before completing a payment:
- Exercising your rights with respect to payment data: If you wish to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection — see Section 9) over information held by Polar or Stripe, you may contact us at [email protected] and we will forward your request to Polar where appropriate. You may also contact Polar's privacy team directly at [email protected], or Stripe via the contact channels in Stripe's privacy notice. Note that statutory record-keeping obligations may limit erasure of certain payment records.
5.3 Legal Requirements
We may disclose personal data when required to do so by law, regulation, or valid legal process (e.g., court order, subpoena, or government request), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure the successor entity is bound by at least equivalent privacy obligations.
5.5 Published Content
When you publish a 3D viewer page, AR experience, or other content through the Platform, that content becomes publicly accessible via the generated URL. Any information contained in published content is visible to anyone with the link.
6. International Data Transfers
Your personal data may be processed and stored in countries other than your country of residence, including but not limited to the United States and European Union member states, where our infrastructure providers maintain their data centers.
For transfers of personal data outside of Turkey, we comply with KVKK requirements, including obtaining necessary approvals from the Personal Data Protection Board where required. For transfers from the EEA, we rely on:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other appropriate safeguards as permitted under applicable law
You may request information about the specific safeguards in place for international transfers by contacting us.
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including but not limited to:
- Encryption of all data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest
- Cryptographic hashing of passwords using industry-standard algorithms (bcrypt)
- JWT-based authentication with configurable token expiration
- Role-based access control and principle of least privilege
- Regular security assessments and code reviews
- Comprehensive audit logging of administrative actions
- Secure, isolated cloud infrastructure with firewall protection
- Rate limiting and abuse detection mechanisms
While we implement industry-standard security practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge this inherent risk when using any internet-based service.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:
| Data Category | Retention Period |
| --- | --- |
| Account Data | Duration of active account + 30 days after deletion request |
| User Content (3D models, assets) | Duration of active account + 30 days after deletion request |
| Usage / Analytics Logs | Up to 12 months (rolling) |
| Visitor Analytics (published pages) | Up to 24 months (aggregated/anonymized) |
| Audit Logs | Up to 24 months |
| Billing Records | As required by applicable tax and commercial law (minimum 5 years under Turkish Commercial Code) |
| Support Communications | Up to 24 months after resolution |
Upon account deletion, we will erase or irreversibly anonymize your personal data within 30 days, except for data that must be retained to comply with legal obligations or to establish, exercise, or defend legal claims.
9. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
9.1 Rights Under KVKK (Turkey)
In accordance with Article 11 of Law No. 6698, you have the right to:
- Learn whether your personal data is being processed
- Request information about the processing of your personal data
- Learn the purpose of processing and whether it is used in accordance with its purpose
- Know the third parties to whom your personal data has been transferred domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your personal data under conditions set forth in Article 7
- Object to results against you arising from the analysis of your data exclusively through automated systems
- Claim compensation for damages arising from unlawful processing of your personal data
9.2 Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you additionally have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request restriction of processing in certain circumstances
- Data Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests or direct marketing
- Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
- Withdraw Consent: Withdraw previously given consent at any time
- Lodge a Complaint: File a complaint with your local supervisory authority
9.3 Rights Under CCPA (California Residents)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Delete: Request deletion of your personal information
- Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
California residents may also designate an authorized agent to make requests on their behalf.
9.4 How to Exercise Your Rights
To exercise any of the above rights, please contact us at [email protected] with the subject line "Data Subject Request." We will verify your identity and respond within the legally required timeframe (30 days under KVKK, 30 days under GDPR, 45 days under CCPA). Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.
10. Children's Privacy
The Platform is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. Upon verification, we will promptly delete such data.
11. Third-Party Services and Links
The Platform may contain links to, or integrations with, third-party websites and services (including Google Sign-In, payment processors, and cloud storage providers). This Privacy Policy does not apply to third-party services. We strongly encourage you to review the privacy policies of any third-party services you access through the Platform. We are not responsible for the privacy practices, content, or security of third-party services.
12. AI Services and Third-Party AI Providers
When you use our AI-powered features (text-to-3D generation, single-image-to-3D, multi-view image-to-3D, AI-assisted editing), the Platform acts as an interface that orchestrates the request, while the actual 3D generation is performed by independent third-party AI providers acting as our data sub-processors. The following applies:
12.1 AI Generation Sub-Processors
To deliver AI 3D generation features, we transmit your inputs to one of the following providers, depending on the model you select in the Generator interface:
| Provider | Operator | Processing Location | Data Sent |
| --- | --- | --- | --- |
| Meshy (Meshy 6, image-to-3D, multi-view-to-3D) | Meshy, Inc., a Delaware corporation headquartered in San Francisco, California, United States — www.meshy.ai | United States (and provider's contracted cloud regions) | Text prompts, reference image URLs (presigned, time-limited), generation parameters (style, polycount, texture options) |
| Tripo (Tripo v2.5 / v3.0, image-to-3D, multi-view-to-3D) | VAST AI Research / Tripo3D, an artificial intelligence company operating the Tripo3D service — www.tripo3d.ai | Provider's contracted cloud regions (may include the United States and the People's Republic of China) | Text prompts, reference image URLs (presigned, time-limited), generation parameters |
| Rodin (Hyper3D Rodin Gen-2 / Gen-2.5, text-to-3D, image-to-3D, multi-view-to-3D up to five images) | Deemos Corporation, a Delaware corporation, operator of the Hyper3D Rodin generative-3D service — hyper3d.ai (API endpoint api.hyper3d.com) | Provider's contracted cloud regions (may include the United States and the People's Republic of China) | Text prompts and the reference image file(s) themselves (fetched by us and uploaded directly to the provider as multipart image data, not as a URL), plus generation parameters (Gen-2 / Gen-2.5 tier, polycount, mesh mode (Quad / Raw), material / PBR, HD texture) |
The list of AI providers may be expanded, replaced, or discontinued at our discretion as we evaluate model quality, performance, and compliance posture. Material changes will be reflected by an updated version of this Policy.
12.2 What Is Sent and What Is Not
- Sent to the AI provider: the text prompt you typed and/or the reference image(s) you uploaded — transmitted either as a temporary, expiring (≤ 30 minutes) URL or as the image file itself, depending on the selected provider's API — plus the generation parameters you chose.
- NOT sent to the AI provider: your account email, username, payment data, or any other personal account information. The provider receives only the inputs strictly necessary to fulfill the generation.
- Storage on our side: the source image(s) you uploaded are stored on our DigitalOcean Spaces infrastructure under your account so that you and our administrators can review, re-download, or delete them later.
- Provider's own retention: third-party providers may retain prompts, reference images, and generated outputs in accordance with their own privacy policies and terms of service. We strongly recommend that you review them: Meshy Privacy Policy, Tripo Privacy Policy, Hyper3D Rodin Privacy Policy.
12.3 Functional Equivalence
Because we integrate directly with the official APIs of these providers, every type of 3D model that can be created on the original Meshy, Tripo, or Rodin platforms can also be created through our Platform — including text-to-3D, image-to-3D, multi-view-to-3D (up to five reference images, depending on provider), PBR / non-PBR textures, multiple polycount tiers, and quad/triangle topology options. We do not restrict the underlying generation capabilities; we expose them through a unified interface that adds project management, model library, AR publishing, and analytics on top.
12.4 International Data Transfers for AI Processing
Use of these AI services necessarily involves transferring your inputs to processing infrastructure located outside of Turkey and outside of the European Economic Area. By using AI features, you acknowledge and consent to such international transfers. Where required, we rely on Standard Contractual Clauses or other appropriate safeguards permitted under KVKK and GDPR. If you do not wish your inputs to be transferred to a particular jurisdiction, you may simply refrain from using AI generation features — all non-AI Platform features (manual GLB upload, scene editing, page designer, AR publishing, analytics) operate entirely on our own infrastructure.
12.5 Outputs and Your Rights
- AI-generated 3D models are stored as part of your User Content and are subject to the same access, export, and deletion rights described in Section 9.
- Source images you uploaded for image-to-3D generation are retained alongside the resulting model so that the link between input and output remains traceable. Deleting the model also deletes its associated source images from our storage.
- We may use anonymized and aggregated usage patterns (e.g., success rates, average generation duration, popular generation types) to improve the Platform; we do not share individual prompts, images, or outputs with third parties beyond the AI sub-processors named above.
- You retain the rights described in our Terms of Use regarding ownership and licensing of AI-generated content.
- No human pre-screening: generation requests are forwarded directly to the selected provider's API and the resulting model is returned to your account without human review on our side. The applicable provider's content rules and acceptable-use policies (Meshy, Tripo, Rodin) apply with equal force on this Platform — see Section 8 of our Terms of Use for the full incorporation by reference.
13. Published 3D Viewer Analytics
When you publish a 3D viewer page or AR experience, we collect anonymized analytics data from visitors to your published pages, including:
- Page view counts and unique visitor counts
- Geographic distribution of visitors (country/city level)
- Device and browser types used to access the content
- Interaction metrics (e.g., 3D rotation, AR activation, session duration)
- Referral sources
This data is presented to you through the Platform's analytics dashboard. Visitor data is processed in an aggregated and anonymized manner and is not used to identify individual visitors.
14. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how companies should respond to DNT signals, we do not currently respond to DNT signals. However, you can manage tracking preferences through cookie settings and browser controls as described in Section 2.4.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (including the Turkish Personal Data Protection Authority, "KVKK Board") within 72 hours of becoming aware of the breach, as required by applicable law
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and remedial actions taken
16. Automated Decision-Making
The Platform does not engage in fully automated decision-making that produces legal effects or similarly significantly affects you. Certain automated processes are used for:
- Fraud detection and security monitoring
- Subscription quota enforcement
- AI content generation based on your inputs
You have the right to request human review of any automated decisions that materially affect you.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or through an in-platform notification at least 15 days prior to the effective date of the changes.
We encourage you to review this Policy periodically. The "Effective Date" at the top of this page indicates when the Policy was last revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.
18. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:
BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey
General Inquiries: [email protected]
Technical & R&D: [email protected]
Web: www.basebros.com
For complaints regarding the processing of your personal data in Turkey, you may also apply to the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — www.kvkk.gov.tr). For EEA residents, you may lodge a complaint with your local data protection supervisory authority.