Pumpynotes Privacy Policy

1. Who We Are and the Scope of This Policy

Pumpynotes is a web-based software-as-a-service (SaaS) productivity application that brings together a calendar, block-based notes, and multi-currency personal and business finance tracking in a single workspace, along with shared workspaces for teams. In this Privacy Policy, "Pumpynotes", "we", "us", and "our" refer to the operator of the Pumpynotes service, and "you" or "your" refers to any individual who uses the service or otherwise interacts with us.

For the purposes of GDPR, Pumpynotes acts as the "data controller" for the personal data described in this policy, and under KVKK it acts as the "data controller" (veri sorumlusu). This means we are responsible for deciding how and why your personal data is processed.

This Privacy Policy applies to all personal data we process in connection with the Pumpynotes application, our website, and any services, features, or communications we provide. It describes what data we collect, why we collect it, the legal grounds we rely on, how long we keep it, with whom we share it, and the rights you have. The service is currently offered as a public beta, and this policy applies during the beta period and thereafter unless we publish an updated version.

Our service is offered to a global audience with a significant presence in the European Union and Türkiye. Because of this, we have designed this policy to be aware of and consistent with the requirements of both GDPR and KVKK. Where the two frameworks use different terminology for similar concepts, we have aimed to address both.

2. The Data We Collect

Account data. When you create and maintain a Pumpynotes account, we collect the information needed to set up and operate that account. This typically includes your email address, your name or display name, your password in securely hashed form, your account and workspace settings, your chosen language and preferences, and, where relevant, information about the workspace you belong to and your role within a shared team workspace.

Content you create. The core purpose of Pumpynotes is to let you create and organize your own content. This includes the notes and note blocks you write, the calendar events you schedule, and the finance entries you record, including amounts, currencies, categories, descriptions, and any personal or business financial details you choose to enter. This content belongs to you, and we process it on your behalf to provide the service. We do not use the content you create for advertising, and we do not sell it.

Usage and technical data. When you use the application, we automatically collect certain usage and technical information. This may include your device and browser type, operating system, IP address, approximate location derived from your IP address, language settings, the pages and features you use, the dates and times of your activity, referring and exit pages, and diagnostic and log data generated when the service is used or when errors occur. This information helps us operate, secure, and improve the service.

Billing data. When you purchase a paid subscription (Free, Pro, Enterprise, or Enterprise+, billed monthly or yearly), payments are processed by Paddle.com, which acts as the Merchant of Record and the seller of the subscription. Paddle handles checkout, billing, subscription renewals, and the calculation and remittance of applicable taxes and VAT. Pumpynotes does not collect, see, or store your full payment card numbers. We receive from Paddle the limited billing-related information needed to manage your subscription, such as your subscription plan and status, billing country, the last few digits or card type where provided, invoice references, and renewal or cancellation events. For details on how Paddle processes your data as a controller in its own right, please refer to Paddle's privacy notice.

3. How We Use Your Data

We use your personal data to provide, operate, and maintain the Pumpynotes service, including creating and authenticating your account, storing and displaying the notes, events, and finance entries you create, enabling shared team workspaces, and synchronizing your data across your sessions and devices.

We use account and billing data to manage your subscription, process and confirm payments through Paddle, send you transactional messages such as account confirmations, security alerts, billing and renewal notices, and important service announcements, and to provide customer support when you contact us.

We use usage, technical, and log data to monitor and ensure the security, stability, and performance of the service, to detect, prevent, and investigate fraud, abuse, and technical problems, to debug and fix errors, and to understand how the service is used so that we can improve existing features and develop new ones.

Where you have given consent, we may use your contact details to send you optional product updates, newsletters, or other non-essential communications. You can withdraw this consent at any time. We may also use aggregated or anonymized data, which can no longer identify you, for statistical and analytical purposes.

4. Legal Bases for Processing

Under GDPR (Article 6) and the corresponding provisions of KVKK (Articles 5 and 6), we only process your personal data when we have a valid legal basis to do so. The bases we rely on are described below.

Performance of a contract. We process your account data, the content you create, and your billing and subscription data because it is necessary to provide the Pumpynotes service to you and to perform our contract with you under our Terms of Service. Without this data, we cannot create your account, store your content, or deliver the subscription you have chosen.

Consent. Where the law requires consent, or where we ask for it, we rely on your consent, for example for optional marketing communications and for non-essential cookies or analytics. You can withdraw your consent at any time, and doing so does not affect the lawfulness of processing carried out before withdrawal.

Legitimate interests. We process certain usage, technical, and log data on the basis of our legitimate interests in keeping the service secure, preventing fraud and abuse, maintaining and improving the service, and communicating with you about your account. When we rely on legitimate interests, we balance our interests against your rights and freedoms and will not use this basis where your interests override ours.

Legal obligations. We process some data, such as billing and transaction records, where necessary to comply with legal obligations to which we are subject, including tax, accounting, and record-keeping requirements, and to respond to lawful requests from competent authorities. Under KVKK, processing may also be carried out where it is expressly permitted by law or is mandatory for us to comply with a legal obligation.

5. Cookies and Analytics

We use cookies and similar technologies, such as local storage and similar identifiers, to operate the service and to understand how it is used. Strictly necessary cookies are required for core functionality, such as keeping you signed in, maintaining your session, remembering your preferences, and protecting the security of the service. These are essential and cannot be disabled if you wish to use the application.

We may also use analytics and performance cookies or technologies to collect information about how visitors and users interact with the service, such as which features are used and how the application performs. This helps us identify problems and improve the user experience. Where these technologies are not strictly necessary, we will request your consent before using them, in line with applicable law.

You can control or delete cookies through your browser settings, and where we offer a cookie or consent banner, you can manage your preferences there. Please note that disabling certain cookies may affect the availability or functionality of parts of the service. Where we use third-party analytics providers, those providers process data on our behalf under appropriate agreements.

6. How We Share Data and Our Sub-Processors

We do not sell your personal data. We share personal data only as described in this policy and only with parties that help us operate the service or where we are legally required to do so. The third parties that process personal data on our behalf, or in connection with the service, act as our sub-processors or, where applicable, as independent controllers.

Payments: Paddle. Paddle.com acts as the Merchant of Record for our paid subscriptions and processes all payments, checkout, billing, renewals, and applicable taxes and VAT. Paddle handles your payment details directly; Pumpynotes does not collect or store your full card data. Paddle processes the relevant personal and payment data to fulfil your purchase and to meet its own legal obligations as the seller of record.

Hosting provider. We use a reputable cloud hosting and infrastructure provider to host the Pumpynotes application, store your data, and run the servers and databases that power the service. This provider processes personal data on our behalf strictly to provide hosting and infrastructure services, under a data processing agreement that requires appropriate confidentiality and security measures.

Email delivery provider. We use a third-party email delivery service to send transactional and, where applicable, optional communications, such as account verification messages, security and billing notices, and product updates. This provider processes the email address and message content needed to deliver these emails on our behalf.

Other disclosures. We may also disclose personal data where necessary to comply with applicable law, regulation, legal process, or an enforceable governmental or judicial request; to enforce our Terms of Service; to protect the rights, property, or safety of Pumpynotes, our users, or others; or in connection with a merger, acquisition, financing, or sale of assets, in which case we will take steps to ensure your data continues to be protected.

7. International Data Transfers and Safeguards

Because we operate globally and use service providers that may be located in different countries, your personal data may be transferred to, stored in, or processed in countries outside your own, including outside the European Economic Area (EEA) and outside Türkiye. The data protection laws in those countries may differ from those in your jurisdiction.

When we transfer personal data internationally, we take steps to ensure it remains protected to a standard consistent with this policy and with applicable law. For transfers from the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, transfers to countries recognized by the European Commission as providing an adequate level of protection, or other lawful transfer mechanisms, together with supplementary measures where necessary.

For transfers of personal data abroad that are subject to KVKK, we carry out such transfers in accordance with the conditions set out in Turkish data protection law, which may include obtaining your explicit consent where required, relying on an adequacy decision, or putting in place written undertakings or other safeguards approved by the competent Turkish authority. You may contact us to obtain more information about the safeguards we apply to a particular transfer.

8. Data Retention

We retain personal data only for as long as it is necessary for the purposes for which it was collected, including providing the service to you, complying with our legal, tax, and accounting obligations, resolving disputes, and enforcing our agreements.

While your account is active, we retain your account data and the content you create (your notes, events, and finance entries) so that the service can function. If you delete specific content, it is removed from your active workspace, although residual copies may remain in backups for a limited period before they are overwritten or deleted in the ordinary course of our backup cycle.

When you close your account, or after a period of prolonged inactivity, we will delete or anonymize your personal data within a reasonable timeframe, except where we are required or permitted to retain certain data for longer. For example, billing and transaction records may be retained for the period required by applicable tax and accounting laws. Once retention is no longer necessary or legally required, we securely delete or irreversibly anonymize the data.

9. Security Measures

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized or unlawful access, disclosure, alteration, loss, or destruction. These measures include encryption of data in transit using industry-standard protocols, encryption of data at rest where appropriate, secure password hashing, access controls that limit access to personal data to those who need it, network and application security controls, logging and monitoring, and regular review of our security practices.

We require our sub-processors to maintain appropriate security measures and to process personal data only under our instructions and subject to confidentiality obligations. We restrict access to your content to authorized personnel and processes that need it to operate the service.

While we work hard to protect your data, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You also play an important role in keeping your data safe by using a strong, unique password, keeping your credentials confidential, and notifying us promptly if you suspect any unauthorized use of your account. In the event of a personal data breach that is likely to affect your rights, we will notify the relevant supervisory authority and, where required, affected users in accordance with applicable law.

10. Your Rights Under GDPR and KVKK

Depending on your location and applicable law, you have a number of rights in relation to your personal data. Under GDPR and KVKK, these include the right to access your personal data and obtain information about how it is processed; the right to rectification, meaning the correction of inaccurate or incomplete data; and the right to erasure, allowing you to request deletion of your data in certain circumstances.

You also have the right to restriction of processing in certain situations; the right to data portability, allowing you to receive certain data you have provided in a structured, commonly used, and machine-readable format and to have it transmitted to another controller where technically feasible; and the right to object to processing carried out on the basis of our legitimate interests, as well as to object to direct marketing at any time.

Where we rely on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal. Under KVKK, you additionally have the right to learn whether your data is being processed, to request information about the processing, to learn the purpose of processing and whether your data is used in accordance with that purpose, to know the third parties to whom your data is transferred domestically or abroad, to request notification of corrections or deletions to such third parties, and to object to any result that arises against you due to analysis of your data solely by automated means, as well as to claim compensation for damages arising from unlawful processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on your request, and in some cases we may be unable to fully comply where the law allows or requires us to retain certain data. There is normally no charge for exercising your rights, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, to the extent permitted by law.

If you believe your rights have not been respected, you have the right to lodge a complaint with a supervisory authority. In the European Union, this is the data protection authority in your country of residence, place of work, or the place where the alleged infringement occurred. In Türkiye, this is the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK). We would, however, appreciate the chance to address your concerns directly before you approach an authority, so we encourage you to contact us first.

11. Children's Privacy

Pumpynotes is not directed to children, and we do not knowingly collect personal data from children below the age required to provide consent under applicable law. In the European Union, the relevant minimum age for consenting to online services may range from 13 to 16 depending on the country, and in Türkiye similar protections apply to minors.

If you are below the applicable age in your jurisdiction, you should not use the service or provide us with any personal data without the involvement and consent of a parent or legal guardian. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at [email protected] so we can take appropriate action.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the service, or legal and regulatory requirements. When we make changes, we will update the date or version indicated in the policy and, where the changes are significant, we will provide a more prominent notice, such as a notification within the application or by email.

We encourage you to review this policy periodically to stay informed about how we protect your personal data. Your continued use of Pumpynotes after an updated policy takes effect indicates your awareness of the revised policy, and where the changes require your consent under applicable law, we will seek that consent before relying on the relevant processing.

13. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, or if you wish to exercise any of your rights, you can contact us at [email protected]. We act as the data controller responsible for your personal data, and this email address is the primary point of contact for all privacy-related matters, including requests under GDPR and KVKK.

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Türkiye, without prejudice to any mandatory data protection rights and remedies available to you under the laws of your country of residence, including under GDPR for users in the European Economic Area.