Privacy Policy

The data controller for additive.tools is:

Account data

When you register, we collect your email address, a hashed password (we never store your password in plain text), and your chosen display name (optional). If you sign in via Google OAuth, we receive your name and email from Google — no password is stored.

Usage analytics

We use Plausible Analytics — a privacy-first, cookieless analytics service. Plausible does not use cookies, does not track users across sites, and does not collect personal data or IP addresses. The aggregated pageview data we receive cannot be used to identify you.

Payment data

Payments are handled by Paddle.com Market Ltd. We do not receive or store your card number, bank details, or any other payment instrument. Paddle provides us with subscription status and a transaction reference only. Paddle's own privacy policy applies to payment data.

Support communications

If you contact us by email, we retain that correspondence to resolve your enquiry.

• To create and manage your account.
• To deliver the Service and personalise your experience (e.g. saved calculations).
• To send transactional emails — account confirmation, password reset, subscription receipts. We do not send marketing emails without your explicit consent.
• To understand aggregate usage patterns and improve the platform (via Plausible).
• To comply with legal obligations.

Legal basis (GDPR): Contract performance (account and service delivery); Legitimate interests (security, fraud prevention, aggregate analytics); Legal obligation (tax and record-keeping).

We use a single session cookie to keep you logged in. No advertising cookies, no cross-site tracking cookies, and no third-party marketing pixels are set. Plausible Analytics does not use cookies.

Blocking all cookies will prevent login but will not affect your ability to browse public content.

We do not sell your data. We share limited data with the following processors:

• Vercel Inc. — hosting and serverless infrastructure (EU and US regions). Vercel processes your requests to serve the platform.
• Neon / Supabase (or similar PostgreSQL provider) — stores account and saved-calculation data in encrypted databases.
• Paddle.com Market Ltd — payment processing and tax compliance.
• Plausible Analytics — cookieless, anonymous usage metrics. Plausible is GDPR-compliant and processes no personal data.
• Google LLC — only if you use Google OAuth sign-in. Google provides your name and email to authenticate you.

All processors are bound by data processing agreements and are prohibited from using your data for their own purposes.

Some of our processors (Vercel, Google, Paddle) may store or process data in the United States. Where required, transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards recognised by applicable data protection law.

• Account data: retained for as long as your account is active, plus 90 days after deletion to allow for recovery.
• Support correspondence: up to 3 years.
• Billing records: 7 years, as required by Turkish and EU tax law.
• Analytics data (Plausible): rolling 24-month window; anonymised and non-personal.

Under GDPR and applicable Turkish data protection law (KVKK) you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate data.
• Erasure — ask us to delete your account and personal data (subject to legal retention requirements).
• Portability — receive your data in a machine-readable format.
• Object — object to processing based on legitimate interests.
• Restriction — ask us to restrict processing in certain circumstances.

To exercise any right, email hello@additive.tools. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in Turkey, the Personal Data Protection Authority (KVKK); in the EU, your national data protection authority.

Passwords are hashed using bcrypt. Connections are encrypted via TLS. Database access is restricted to application-layer connections only. We apply reasonable technical and organisational measures to protect your data against unauthorised access, disclosure, or loss.

We may update this policy from time to time. Material changes will be notified by email or prominent notice at least 14 days in advance. The date at the top of this page always reflects the current version.

For any privacy-related questions or requests, contact hello@additive.tools.