BASE
3D-AR-AI Platform

Privacy Policy

Effective Date: February 23, 2026 | Version 2.0

BASE BROS Bilişim Hizmetleri A.Ş. (the "Company", "we", "us", or "our"), a company incorporated under the laws of the Republic of Turkey with its registered office in Istanbul, Turkey, operates the BASE 3D-AR Platform (the "Platform" or "Service").

This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal data when you access or use the Platform. This Policy applies to all users of the Platform, including visitors, registered users, and subscribers.

We are committed to safeguarding your privacy and processing your personal data in compliance with applicable data protection laws, including but not limited to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable international data protection legislation.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform.

1. Data Controller

For the purposes of applicable data protection legislation, the data controller is:

BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey
Email: [email protected]
Web: www.basebros.com

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

  • Account Registration Data: Full name, email address, username, and password (stored exclusively as a cryptographic hash; we never store plaintext passwords).
  • Profile Information: Profile picture, display name, company name, and other optional details you choose to provide.
  • Authentication via Third Parties: If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
  • Payment Information: When you subscribe to a paid plan, payment processing is handled by our third-party payment processors. We do not directly store full credit card numbers or complete payment credentials on our servers.
  • Communications: Content of emails, support requests, or feedback you send to us.

2.2 User-Generated Content

  • 3D model files (.glb, .gltf, and related formats)
  • Textures, images, and material configurations
  • Scene and page configurations
  • Project metadata and settings
  • AI-generated 3D content created through Platform tools

2.3 Automatically Collected Data

  • Device & Browser Information: Browser type and version, operating system, device type, screen resolution, and preferred language.
  • Network Data: IP address, approximate geographic location (city/country level, derived from IP), and internet service provider.
  • Usage Data: Pages and features accessed, actions performed, timestamps of interactions, session duration, referral URLs, and navigation paths within the Platform.
  • Performance Data: Page load times, errors encountered, and technical performance metrics.

2.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies as follows:

Cookie Type | Purpose | Duration
Essential / Strictly Necessary | Authentication, session management, security (CSRF protection) | Session / up to 30 days
Functional / Preferences | Theme preference (light/dark mode), language settings, UI state | Up to 1 year
Analytics / Performance | Visitor analytics for published 3D viewer pages, Platform usage metrics | Up to 12 months

You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Platform functionality.

3. Legal Bases for Processing

We process your personal data based on the following legal grounds, as applicable under KVKK, GDPR, and other relevant legislation:

  • Performance of a Contract (KVKK Art. 5/2-c; GDPR Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations to you.
  • Legitimate Interests (KVKK Art. 5/2-f; GDPR Art. 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Platform, ensuring security, preventing fraud, and conducting analytics, where such interests are not overridden by your fundamental rights and freedoms.
  • Consent (KVKK Art. 5/1; GDPR Art. 6(1)(a)): Where we rely on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal Obligation (KVKK Art. 5/2-ç; GDPR Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, court orders, or regulatory requirements.

4. Purposes of Processing

We process your personal data for the following purposes:

  • Providing, operating, and maintaining the Platform and its features
  • Creating and managing your user account
  • Authenticating your identity and maintaining session security
  • Hosting, rendering, processing, and delivering your 3D and AR content
  • Processing AI-powered 3D generation requests
  • Processing subscription payments and managing billing
  • Sending transactional communications (e.g., account verification, password resets, subscription confirmations)
  • Providing customer support and responding to inquiries
  • Monitoring Platform performance, diagnosing technical issues, and preventing abuse
  • Generating aggregated, anonymized analytics to improve the Platform
  • Enforcing our Terms of Use and preventing unauthorized or fraudulent activity
  • Complying with legal obligations and responding to lawful requests from authorities

5. Data Sharing and Disclosure

We do not sell, rent, lease, or trade your personal data to third parties for their marketing purposes.

We may share your personal data only in the following circumstances:

5.1 Service Providers (Data Processors)

We engage trusted third-party service providers who process personal data on our behalf under strict contractual obligations:

  • Cloud Infrastructure: DigitalOcean, LLC (object storage for 3D assets, source images, and platform files; servers located in the United States)
  • Database Hosting: MongoDB Atlas (account, project, and analytics data)
  • Authentication: Google LLC — Google OAuth (when you choose to sign in with Google)
  • AI 3D Generation Providers: Meshy, Inc. (San Francisco, California, USA — www.meshy.ai) and VAST AI / Tripo (operator of www.tripo3d.ai) — process text prompts and reference images you submit to generate 3D models. See Section 12 for details.
  • Payment Processing & Merchant of Record: Polar Software, Inc. (3500 South DuPont Highway, Dover, DE 19901, USA, polar.sh), using Stripe, Inc. as its underlying payment infrastructure provider. See Section 5.2 below for the full scope of data handling, certifications and international transfers.
  • Email Services: Transactional email delivery providers

All data processors are contractually required to process personal data only as instructed by us, maintain confidentiality, and implement appropriate technical and organizational security measures.

5.2 Payment Data and Polar (Merchant of Record)

The marketing website at basebros.com does not itself collect or process payment information. All paid subscriptions and one-time purchases are processed through Polar, operated by Polar Software, Inc., a Delaware-incorporated company headquartered at 3500 South DuPont Highway, Dover, DE 19901, United States. Polar acts as the Merchant of Record (MoR) for these transactions, which has direct privacy implications you should be aware of:

  • Categories of personal data Polar and Stripe collect from you at checkout: first and last name; email address; phone number (where required); billing address; payment-card type and last four digits; full payment-card details (primary account number, expiry, CVV) which are collected and tokenized by Stripe; IP address; browser type and operating system; geolocation derived from your IP address; commercial / purchase history; and, where applicable, tax-identification number for B2B invoicing. We never receive or store full payment-card numbers, the CVV, or the card expiry.
  • What we (BASE BROS) receive from Polar: non-sensitive transaction references only — checkout ID, order ID, subscription ID, product / plan, status, billing country, customer ID assigned by Polar, and the last four digits of the payment-card brand for customer-support purposes. This is the minimum information needed for us to provision your subscription and grant the entitlements you paid for.
  • Security certifications: Stripe, Inc., the underlying payment infrastructure, is certified to PCI DSS Level 1 (the highest level defined by the Payment Card Industry Security Standards Council, renewed annually) and produces annual SOC 1 Type II and SOC 2 Type II attestation reports. Polar and Stripe implement PSD2 / Strong Customer Authentication (SCA) for European cardholders.
  • International transfers: Polar and Stripe store and process personal data on infrastructure located primarily in the United States, with Stripe additionally operating service-provider infrastructure in the European Union and India. Polar relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission, together with required additional safeguards, for transfers from the EEA, the United Kingdom, or Switzerland to the United States. Stripe relies on a combination of SCCs, the UK International Data Transfer Addendum, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, the Swiss-U.S. Data Privacy Framework, and Cross-Border Privacy Rules (CBPR / PRP) certifications. Stripe's full sub-processor list is available at stripe.com/service-providers/legal.
  • Tax processing: Polar calculates, collects, files, and remits applicable VAT, GST, sales tax, digital service tax, and similar consumption taxes in the jurisdictions where it is registered, on our behalf, based on your billing address and the relevant tax-nexus rules.
  • Data retention by Polar: Polar retains payment-related personal data for as long as your customer account with Polar remains open, or for longer where this is necessary to comply with legal, accounting, or tax obligations, to resolve disputes, or to enforce its agreements.
  • Independent privacy policy: Polar's processing of your data is governed by Polar's own privacy policy, available at polar.sh/legal/privacy. The separate agreement that governs the purchase itself is the Polar Checkout Buyer Terms. We strongly recommend that you review both before completing a purchase.

Exercising your rights against Polar: Because Polar holds the underlying payment records, GDPR / UK GDPR rights (access, rectification, erasure, portability, restriction, objection) with respect to that data should generally be exercised by emailing [email protected]. You may also submit such a request to us at [email protected] (see Section 9), and we will forward it to Polar or refer you to Polar directly so that it can be fulfilled. For billing or transaction questions, Polar can be reached at [email protected].

5.2 Legal Requirements

We may disclose personal data when required to do so by law, regulation, or valid legal process (e.g., court order, subpoena, or government request), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure the successor entity is bound by at least equivalent privacy obligations.

5.4 Published Content

When you publish a 3D viewer page, AR experience, or other content through the Platform, that content becomes publicly accessible via the generated URL. Any information contained in published content is visible to anyone with the link.

6. International Data Transfers

Your personal data may be processed and stored in countries other than your country of residence, including but not limited to the United States and European Union member states, where our infrastructure providers maintain their data centers.

For transfers of personal data outside of Turkey, we comply with KVKK requirements, including obtaining necessary approvals from the Personal Data Protection Board where required. For transfers from the EEA, we rely on:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other appropriate safeguards as permitted under applicable law

You may request information about the specific safeguards in place for international transfers by contacting us.

7. Data Security

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including but not limited to:

  • Encryption of all data in transit using TLS/SSL protocols
  • Encryption of sensitive data at rest
  • Cryptographic hashing of passwords using industry-standard algorithms (bcrypt)
  • JWT-based authentication with configurable token expiration
  • Role-based access control and principle of least privilege
  • Regular security assessments and code reviews
  • Comprehensive audit logging of administrative actions
  • Secure, isolated cloud infrastructure with firewall protection
  • Rate limiting and abuse detection mechanisms

While we implement industry-standard security practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge this inherent risk when using any internet-based service.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

Data Category | Retention Period
Account Data | Duration of active account + 30 days after deletion request
User Content (3D models, assets) | Duration of active account + 30 days after deletion request
Usage / Analytics Logs | Up to 12 months (rolling)
Visitor Analytics (published pages) | Up to 24 months (aggregated/anonymized)
Audit Logs | Up to 24 months
Billing Records | As required by applicable tax and commercial law (minimum 5 years under Turkish Commercial Code)
Support Communications | Up to 24 months after resolution

Upon account deletion, we will erase or irreversibly anonymize your personal data within 30 days, except for data that must be retained to comply with legal obligations or to establish, exercise, or defend legal claims.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

9.1 Rights Under KVKK (Turkey)

In accordance with Article 11 of Law No. 6698, you have the right to:

  • Learn whether your personal data is being processed
  • Request information about the processing of your personal data
  • Learn the purpose of processing and whether it is used in accordance with its purpose
  • Know the third parties to whom your personal data has been transferred domestically or abroad
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of your personal data under conditions set forth in Article 7
  • Object to results against you arising from the analysis of your data exclusively through automated systems
  • Claim compensation for damages arising from unlawful processing of your personal data

9.2 Rights Under GDPR (EEA Residents)

If you are located in the European Economic Area, you additionally have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing in certain circumstances
  • Data Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests or direct marketing
  • Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Withdraw Consent: Withdraw previously given consent at any time
  • Lodge a Complaint: File a complaint with your local supervisory authority

9.3 Rights Under CCPA / CPRA and Other U.S. State Privacy Laws

If you are a resident of California or another U.S. state with a comprehensive privacy law, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Delete: Request deletion of your personal information
  • Correct: Request correction of inaccurate personal information (CPRA and most newer state laws)
  • Portability: Receive a copy of your personal information in a portable, machine-readable format
  • Opt-Out of Sale / Share: Opt out of the sale or sharing of personal information for cross-context behavioural advertising (we do not sell personal information for monetary benefit; however, third-party cookies may constitute a "sale" or "share" under some state laws — see Section 2.4 for cookie controls)
  • Limit Use of Sensitive Personal Information
  • Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
  • Authorized Agent: Designate an authorized agent to make requests on your behalf

The above rights are honored under, as applicable: CCPA / CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), OCPA (Oregon), TDPSA (Texas), FDBR (Florida), MTCDPA (Montana), IADPA (Iowa), DEPDPA (Delaware), NEDPA (Nebraska), NHPA (New Hampshire), NJDPA (New Jersey), TNIPA (Tennessee), MNCDPA (Minnesota), MDODPA (Maryland), INCDPA (Indiana), KYCDPA (Kentucky), and RIDTPPA (Rhode Island). Payment-data requests under these laws should be directed to Polar at [email protected] because Polar holds those records as Merchant of Record (see Section 5.2).

9.4 How to Exercise Your Rights

To exercise any of the above rights, please contact us at [email protected] with the subject line "Data Subject Request." We will verify your identity and respond within the legally required timeframe (30 days under KVKK, 30 days under GDPR, 45 days under CCPA). Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.

10. Children's Privacy

The Platform is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. Upon verification, we will promptly delete such data.

11. Third-Party Services and Links

The Platform may contain links to, or integrations with, third-party websites and services (including Google Sign-In, payment processors, and cloud storage providers). This Privacy Policy does not apply to third-party services. We strongly encourage you to review the privacy policies of any third-party services you access through the Platform. We are not responsible for the privacy practices, content, or security of third-party services.

12. AI Services and Third-Party AI Providers

When you use our AI-powered features (text-to-3D generation, single-image-to-3D, multi-view image-to-3D, AI-assisted editing), the Platform acts as an interface that orchestrates the request, while the actual 3D generation is performed by independent third-party AI providers acting as our data sub-processors. The following applies:

12.1 AI Generation Sub-Processors

To deliver AI 3D generation features, we transmit your inputs to one of the following providers, depending on the model you select in the Generator interface:

Provider | Operator | Processing Location | Data Sent
Meshy (Meshy 6, image-to-3D, multi-view-to-3D) | Meshy, Inc., a Delaware corporation headquartered in San Francisco, California, United States — www.meshy.ai | United States (and provider's contracted cloud regions) | Text prompts, reference image URLs (presigned, time-limited), generation parameters (style, polycount, texture options)
Tripo (Tripo v3.0, image-to-3D, multi-view-to-3D) | VAST AI Research / Tripo3D, an artificial intelligence company operating the Tripo3D service — www.tripo3d.ai | Provider's contracted cloud regions (may include the United States and the People's Republic of China) | Text prompts, reference image URLs (presigned, time-limited), generation parameters

The list of AI providers may be expanded, replaced, or discontinued at our discretion as we evaluate model quality, performance, and compliance posture. Material changes will be reflected by an updated version of this Policy.

12.2 What Is Sent and What Is Not

  • Sent to the AI provider: the text prompt you typed and/or a temporary, expiring (≤ 30 minutes) URL to the reference image(s) you uploaded, plus the generation parameters you chose.
  • NOT sent to the AI provider: your account email, username, payment data, or any other personal account information. The provider receives only the inputs strictly necessary to fulfill the generation.
  • Storage on our side: the source image(s) you uploaded are stored on our DigitalOcean Spaces infrastructure under your account so that you and our administrators can review, re-download, or delete them later.
  • Provider's own retention: third-party providers may retain prompts, reference images, and generated outputs in accordance with their own privacy policies and terms of service. We strongly recommend that you review them: Meshy Privacy Policy, Tripo Privacy Policy.

12.3 Functional Equivalence

Because we integrate directly with the official APIs of these providers, every type of 3D model that can be created on the original Meshy or Tripo platforms can also be created through our Platform — including text-to-3D, image-to-3D, multi-view-to-3D (up to four reference images), PBR / non-PBR textures, multiple polycount tiers, and quad/triangle topology options. We do not restrict the underlying generation capabilities; we expose them through a unified interface that adds project management, model library, AR publishing, and analytics on top.

12.4 International Data Transfers for AI Processing

Use of these AI services necessarily involves transferring your inputs to processing infrastructure located outside of Turkey and outside of the European Economic Area. By using AI features, you acknowledge and consent to such international transfers. Where required, we rely on Standard Contractual Clauses or other appropriate safeguards permitted under KVKK and GDPR. If you do not wish your inputs to be transferred to a particular jurisdiction, you may simply refrain from using AI generation features — all non-AI Platform features (manual GLB upload, scene editing, page designer, AR publishing, analytics) operate entirely on our own infrastructure.

12.5 Outputs and Your Rights

  • AI-generated 3D models are stored as part of your User Content and are subject to the same access, export, and deletion rights described in Section 9.
  • Source images you uploaded for image-to-3D generation are retained alongside the resulting model so that the link between input and output remains traceable. Deleting the model also deletes its associated source images from our storage.
  • We may use anonymized and aggregated usage patterns (e.g., success rates, average generation duration, popular generation types) to improve the Platform; we do not share individual prompts, images, or outputs with third parties beyond the AI sub-processors named above.
  • You retain the rights described in our Terms of Use regarding ownership and licensing of AI-generated content.
  • No human pre-screening: generation requests are forwarded directly to the selected provider's API and the resulting model is returned to your account without human review on our side. The applicable provider's content rules and acceptable-use policies (Meshy, Tripo) apply with equal force on this Platform — see Section 8 of our Terms of Use for the full incorporation by reference.

13. Published 3D Viewer Analytics

When you publish a 3D viewer page or AR experience, we collect anonymized analytics data from visitors to your published pages, including:

  • Page view counts and unique visitor counts
  • Geographic distribution of visitors (country/city level)
  • Device and browser types used to access the content
  • Interaction metrics (e.g., 3D rotation, AR activation, session duration)
  • Referral sources

This data is presented to you through the Platform's analytics dashboard. Visitor data is processed in an aggregated and anonymized manner and is not used to identify individual visitors.

14. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how companies should respond to DNT signals, we do not currently respond to DNT signals. However, you can manage tracking preferences through cookie settings and browser controls as described in Section 2.4.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (including the Turkish Personal Data Protection Authority, "KVKK Board") within 72 hours of becoming aware of the breach, as required by applicable law
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and remedial actions taken

16. Automated Decision-Making

The Platform does not engage in fully automated decision-making that produces legal effects or similarly significantly affects you. Certain automated processes are used for:

  • Fraud detection and security monitoring
  • Subscription quota enforcement
  • AI content generation based on your inputs

You have the right to request human review of any automated decisions that materially affect you.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or through an in-platform notification at least 15 days prior to the effective date of the changes.

We encourage you to review this Policy periodically. The "Effective Date" at the top of this page indicates when the Policy was last revised. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.

18. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

BASE BROS Bilişim Hizmetleri A.Ş.
Istanbul, Republic of Turkey

General Inquiries: [email protected]
Technical & R&D: [email protected]
Web: www.basebros.com

For complaints regarding the processing of your personal data in Turkey, you may also apply to the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — www.kvkk.gov.tr). For EEA residents, you may lodge a complaint with your local data protection supervisory authority.

© 2025-2026 BASE BROS Bilişim Hizmetleri A.Ş. All rights reserved.