Privacy Policy

Last updated: May 19, 2026

1. Who is responsible for your data

The data controller for personal data processed through usesled.com is Arda Kaan Özcan, an individual operating from the Republic of Türkiye. Contact for any privacy question or rights request: hey@ardakaanozcan.com.

This policy explains what we collect when you use Sled, why we collect it, who we share it with, and how to exercise your rights under Turkish KVKK, the EU GDPR, and equivalent laws.

2. What we collect

We try to collect as little as possible. Concretely:

  • Account email. Required to sign in (we use magic-link auth, so there are no passwords to store).
  • Tenant data you enter. Your program name, slug, commission percentage, webhook secrets, affiliate names and emails, and any payout records you create.
  • Conversion data from your billing provider. When Polar.sh, Stripe, or another provider POSTs a webhook to us, we store the order ID, amount, commission, customer email, and the referring affiliate. The customer email comes from your provider; we never collect it directly.
  • Click data. When someone clicks an affiliate link and our tracking script fires, we store a hashed IP (SHA-256, salted), the affiliate code, and a timestamp. We do not store raw IP addresses and do not place any cross-site tracking cookies.
  • Session cookie. When you sign in, we set a single first-party cookie (ta_session) holding an opaque token. It contains no personal data.
  • Operational logs. Our servers keep short-lived request logs (URL, status code, timestamp, IP for ~7 days) to debug and protect against abuse.

We do not collect device fingerprints, do not use third-party analytics, do not run advertising trackers, and do not sell or share your data with data brokers. Ever.

3. Why we process it

The legal bases for processing your data:

  • Contract (KVKK Art. 5/2-c, GDPR Art. 6(1)(b)) — to provide the Sled service you signed up for: authentication, tenant management, attribution, dashboards, billing.
  • Legitimate interest (KVKK Art. 5/2-f, GDPR Art. 6(1)(f)) — to operate the service reliably (logs, abuse prevention, security monitoring) and to communicate transactional emails about your account.
  • Legal obligation (KVKK Art. 5/2-ç, GDPR Art. 6(1)(c)) — to retain billing records as required by Turkish tax law.
  • Consent (KVKK Art. 5/1, GDPR Art. 6(1)(a)) — only for optional things like product newsletters, which require explicit opt-in. We don’t send any today.

4. Sub-processors

Sled is a small operation. We use a few specialized providers to run the service. We’ve picked vendors with strong privacy reputations, but you should know they exist:

  • Hetzner Cloud (Falkenstein, Germany) — application hosting. EU-located.
  • Neon (US, AWS us-east-1) — managed Postgres for your tenant data.
  • Polar.sh — payment processing and merchant of record for paid subscriptions.
  • Resend (US) — transactional email delivery.
  • Cloudflare — DNS, edge routing, inbound email forwarding for our admin contacts.

Some of these are located outside Türkiye and the EU. Transfers outside the EU are made under appropriate safeguards (Standard Contractual Clauses) or based on the provider’s adequacy framework. We’ll publish a more detailed sub-processor list on request.

5. How long we keep your data

  • Account and tenant data: as long as your account is active. If you delete your account, we delete the data within 30 days, except where retention is required by law.
  • Click records: 12 months from the click event, after which they are aggregated and removed.
  • Conversion and payout records: as long as your account is active. After deletion, billing-related records may be retained up to 10 years to comply with Turkish tax law.
  • Operational logs: 7 days.
  • Backups: rolling 30-day window, then overwritten.

6. Your rights

Under KVKK and GDPR (where applicable to you) you can:

  • Request access to your personal data and a copy of it.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (where there is no overriding legal obligation to keep it).
  • Ask us to restrict processing or object to processing based on legitimate interest.
  • Request a copy of your data in a portable, machine-readable format.
  • Withdraw consent at any time, where consent is the legal basis.
  • Lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurulu) or your local EU data-protection authority.

To exercise any of these rights, email hey@ardakaanozcan.com from the address tied to your account. We’ll respond within 30 days.

7. Security

We use HTTPS for all traffic, hashed (not encrypted) tokens for sessions, hashed IPs for clicks, and least-privilege database access. Magic-link auth means we never see or store your password.

That said, no online service is completely secure. If you discover a vulnerability, please report it responsibly to hey@ardakaanozcan.com before disclosing it publicly.

8. Children

Sled is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to this policy

We’ll update this page when our practices change. If the change is material (new sub-processor categories, new data categories, expanded purposes), we’ll notify account holders by email at least 14 days before it takes effect.