Privacy Policy

1. Introduction

This Privacy Policy describes how Stomaton Bilişim Madencilik Ticaret Ltd. Şti. (Stomaton), as the operator of Go2Stone Pro (the 'Platform'), processes Personal Data. Stomaton is committed to protecting Personal Data in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK), Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018, Brazilian Law No. 13.709 (LGPD), the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), and applicable U.S. state privacy laws.

2. Data controller

Stomaton is the controller of Personal Data processed through the Platform. Requests concerning Personal Data should be directed to op@sez.ai.

3. Categories of Personal Data collected

Stomaton collects the following categories of Personal Data directly from users and, in limited cases, from Producers:

• Identity data: full name of the authorised representative.
• Contact data: email address, telephone number, business correspondence address.
• Company data: legal name, registration details, tax number, country of incorporation.

4. Legal Bases for Processing

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases under Article 6(1):

• Performance of a contract (Article 6(1)(b)): to create and operate your account and facilitate quotations, reservations, orders, and support.
• Legitimate interests (Article 6(1)(f)): to operate and improve the platform, ensure platform security, prevent fraud and abuse, and protect our rights.
• Legal obligations (Article 6(1)(c)): to comply with tax, accounting, anti-money-laundering, sanctions, and other applicable laws.
• Consent (Article 6(1)(a)): where we request it, for example for non-essential cookies or optional marketing communications. You may withdraw consent at any time without affecting prior processing.
• Where you are located in Turkey, we rely on the corresponding legal grounds under Law No. 6698 on the Protection of Personal Data (KVKK). Where you are located in another jurisdiction, we rely on analogous legal grounds under applicable local law.

5. How We Use Your Information

We use personal data for the following purposes:

• Create, authenticate, and manage your account and team membership.
• Facilitate quotations, reservations, orders, and communications between buyers and producers.
• Generate and issue proformas, order confirmations, and related commercial documents.
• Calculate shipping estimates and container logistics.
• Maintain security, detect and prevent fraud or abuse, and enforce these Terms.
• Send service notifications such as sign-in alerts, status updates, and important changes to the platform or this policy.
• Comply with tax, accounting, sanctions, and other legal obligations.
• Analyze and improve the platform using aggregated or anonymized data where possible.

6. Recipients of Personal Data

Personal Data is disclosed only to the following categories of recipient and only to the extent necessary:

• Producers: acting as processors on Stomaton's behalf for shipping, customs, and quality handling - limited to the data needed to deliver the Goods.
• Logistics and customs providers: carriers, freight forwarders, customs brokers engaged in the performance of the Contract.
• Banking intermediaries: for payment-related confirmations and, where applicable, sanctions screening.
• Service providers: Convex, Inc. (application backend), Vercel Inc. (hosting), Resend Inc. (transactional email), Google LLC (file storage via service account) - under written data-processing agreements.

7. Third-Party Processors

We engage the following processors to operate the platform. Each is bound by a data-processing agreement restricting their use of personal data to providing the contracted service:

• Convex (EU region) for real-time database, authentication, and file storage.
• Vercel for hosting the Next.js application and delivering it over its content delivery network.
• Resend for delivering transactional email such as account and order notifications.
• PostHog (EU region) for product analytics and error monitoring, with IP addresses truncated where supported.
• Arcjet for bot detection, rate limiting, and abuse prevention, and Google Drive for producer document storage where enabled by the producer.

7. International transfers

Personal Data may be processed in countries outside Türkiye and outside the European Economic Area, including in the United States. Where such transfers involve EEA data subjects, Stomaton relies on the Standard Contractual Clauses approved by the European Commission and, where necessary, supplementary measures identified in a transfer impact assessment. Transfers from Türkiye rely on the data subject's explicit consent under KVKK Article 9 where no adequacy decision or Board-approved undertaking is available.

9. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to keep you signed in, remember preferences such as language and sidebar state, secure the platform, and understand how it is used. For the full list of categories, our analytics provider, and how to manage your choices, see our Cookie Policy.

8. Retention

Stomaton retains Personal Data only for as long as necessary for the purposes described above. Typical retention periods are as follows:

• Account data: for the life of the account plus ten (10) years, in line with Turkish commercial-code record-keeping requirements.
• Quotation, Proforma, and order data: ten (10) years from the date of the Contract.
• Technical log data: twelve (12) months from the date of collection.
• Marketing consent records: until consent is withdrawn, plus a reasonable period to evidence the withdrawal.

9. Data subject rights

Subject to applicable law, data subjects have the following rights in respect of their Personal Data:

• the right to be informed of processing (KVKK Article 10 / GDPR Articles 13–14);
• the right of access (KVKK Article 11(b) / GDPR Article 15);
• the right to rectification of inaccurate or incomplete data (GDPR Article 16);
• the right to erasure in the circumstances set out in KVKK Article 7 / GDPR Article 17;
• the right to restriction of processing (GDPR Article 18);
• the right to data portability (GDPR Article 20);
• the right to object to processing based on legitimate interests (GDPR Article 21);
• the right to withdraw consent at any time, without affecting the lawfulness of prior processing.

11. Security measures

Stomaton implements appropriate technical and organisational measures proportionate to the risk, including encryption of data in transit, role-based access control, audit logging, credential rotation, and vendor due diligence. No security measure is perfect; Stomaton does not represent that the Platform is free from all risk.

13. Automated Decision-Making

We do not take decisions that produce legal or similarly significant effects on you based solely on automated processing. Some platform features apply automated logic, for example to surface recommended listings, estimate shipping costs, or flag suspicious traffic, but these outputs do not replace human review of material decisions such as account approval, suspension, or pricing.

12. Children

The Platform is directed exclusively at businesses and is not intended for or directed at individuals under the age of eighteen (18). Stomaton does not knowingly collect Personal Data from children.

14. Changes to this Privacy Policy

Stomaton may update this Privacy Policy from time to time. Material changes will be notified to account holders by email. The revision date is shown at the top of this page.

15. Contact and complaints

Questions, access requests, or complaints may be directed to op@sez.ai. Data subjects in Türkiye may lodge a complaint with the Personal Data Protection Authority (KVKK). Data subjects in the European Economic Area may lodge a complaint with their local supervisory authority. This document does not constitute legal advice.

16. Audit log and security events

To preserve the integrity of accounts and trace privileged actions, Stomaton maintains an audit log of security-significant events. Sign-in attempts (whether successful or failed), role and permission changes, administrative actions, and Producer-team invitations are recorded together with the originating IP address, browser user-agent string, timestamp, and outcome. The IP address is captured at the platform edge from the request itself, not from a client-supplied value, so the record cannot be spoofed by the user. Operational write events (cart, favourites, search history) do not trigger audit-log capture; only security and commercial actions are recorded. Audit log entries are processed on the basis of Stomaton's legitimate interest in protecting the platform and its users from fraud, unauthorised access, and account takeover, in accordance with Article 6(1)(f) GDPR, Article 5(2)(f) KVKK, and Article 7(IX) LGPD. Security audit entries are retained for twenty-four (24) months; commercial audit entries linked to orders, quotations, and proformas are retained for the longer period required by applicable tax and commercial law.