Privacy Policy

Last updated: 2026-05-07

1. Data Controller

The data controller for personal data processed via the Service is the Operator of volumecatcher.com, reachable at info@volumecatcher.com. Within the meaning of GDPR Art. 4(7), the Operator alone determines the purposes and means of processing.

2. Data Collected

• Account: email, display name, Argon2id-hashed password, timestamps.
• Authentication: session tokens, IP (truncated), user-agent (90-day audit retention).
• Subscription: tier, expiry, payment metadata, USDT transaction hashes (public on-chain).
• Usage: anonymized analytics via self-hosted Matomo (no third-party trackers).
• Communication: support emails, optional Telegram username for notifications.

The Service does not collect: payment cards, biometrics, government IDs, precise geolocation, contacts.

3. Legal Bases (GDPR Art. 6)

• Contract performance · account, signal delivery, subscriptions.
• Legitimate interest · security monitoring, fraud detection.
• Consent · marketing emails, non-essential cookies.
• Legal obligation · tax records, AML, court orders.

4. Retention

• Account: account lifetime + 12 months legal hold.
• Session logs: 90 days.
• Payment records: 10 years (Turkish Tax Procedure Law Art. 253).
• Marketing consent: until withdrawn + 6 months.

5. Your Rights

Under GDPR, KVKK, and CCPA you have the right to:

• Access · copy of your data
• Rectification · correct inaccuracies
• Erasure · subject to legal hold
• Restriction · pause processing
• Portability · machine-readable export
• Object to legitimate-interest processing
• Withdraw consent
• Lodge complaint with KVKK / EU DPA / state attorney general

Email info@volumecatcher.com · we respond within 30 days (extendable to 90 for complex requests).

6. International Transfers

Data is hosted in Frankfurt, Germany (DigitalOcean). Email delivery uses Resend (US processor) under Standard Contractual Clauses (SCC 2021/914) with EU Data Protection Addendum. Telegram notifications subject to Telegram's independent privacy policy.

7. Security

Argon2id password hashing · HMAC-signed session and tier cookies (HttpOnly, Secure, SameSite=Strict) · HSTS preload · Content-Security-Policy · daily vulnerability scans · breach response plan with 72-hour notification commitment (GDPR Art. 33).

8. Children

The Service is not directed to persons under 18. We do not knowingly collect data from children. Reports of underage use trigger immediate erasure.

Terms of ServicePrivacy PolicyKVKK NoticeCookie Policy