Privacy Policy
How we handle your personal data, in plain language.
Who we are
Ecopyright is operated by Sistem Patent, a company registered in Türkiye. Our office handles all data-protection matters for the service and can be reached at legal@ecopyright.io. We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and Türkiye's Kişisel Verilerin Korunması Kanunu (KVKK).
What we collect
To operate the service, we collect:
- Account information. Email address, password (hashed, never stored in plaintext), name, country of residence, and any optional profile details you provide.
- Files you upload. The actual creative works you register with Ecopyright. These are stored encrypted at rest, accessible only to you.
- File metadata. SHA-256 hashes, file names, file sizes, and embedded metadata (EXIF, document properties) for files you upload.
- Payment information. Processed by Stripe. We do not store your full card number or CVV. We store only the last four digits, the card type, and the Stripe customer reference.
- Usage data. Pages visited, certificates generated, dates of activity, IP address, browser information. Used for service operation and abuse prevention.
- Communications. Emails you send us, support tickets, chat transcripts.
How we use it
We use your personal data only for purposes you would reasonably expect:
- Operating your account and generating your certificates.
- Processing your subscription payment and renewal.
- Sending service-related emails (certificate confirmations, billing notices, security alerts).
- Responding to support requests.
- Preventing abuse and protecting the service from fraud or misuse.
- Complying with legal obligations (tax records, lawful disclosure requests).
We do not sell your personal data. We do not share it with advertisers. We do not use your uploaded files for any purpose other than generating your certificate and storing them for your access.
Legal basis for processing (GDPR)
Under GDPR, we process your personal data on the following legal bases:
- Contract. Most of what we do (operating your account, generating certificates) is necessary to provide the service you signed up for.
- Legitimate interests. Abuse prevention, security monitoring, and product improvement.
- Consent. Optional marketing emails or features that ask for explicit opt-in.
- Legal obligation. Retaining records for tax and accounting purposes.
Sharing your data
We share personal data only with service providers necessary to operate Ecopyright:
- Stripe for payment processing.
- Cloud infrastructure providers for hosting and storage.
- Email service providers for transactional emails.
- Public blockchains for tamper-evident anchoring (only SHA-256 hashes, never your files or identity).
- Law enforcement when we receive a valid legal request and have a legal obligation to comply.
We do not transfer personal data to third parties for marketing, advertising, or analytics purposes beyond what is necessary to operate the service.
Where we store your data
Your data is primarily stored on servers located in Germany (Hetzner) with backup mirrors in additional EU locations. We do not store personal data of EU residents outside the EU unless legally required to do so.
The SHA-256 hashes of your files are anchored to public blockchains (Bitcoin and Ethereum). These hashes do not contain any personal information; they cannot be reversed to identify you or your file's contents.
How long we keep it
We keep your personal data as long as your account is active. After account closure:
- Account profile data: deleted after 30 days, except where retention is legally required.
- Uploaded files: deleted after 30 days unless you choose to keep your certificates active.
- Financial records: retained for up to 10 years for tax compliance.
- Certificate verification records: retained indefinitely so existing certificates remain verifiable.
- Blockchain anchors: permanent and cannot be removed by anyone, including us.
Your rights
Under GDPR, KVKK, and similar regimes, you have the following rights:
- Access. Request a copy of all personal data we hold about you.
- Rectification. Correct inaccurate personal data.
- Erasure. Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
- Restriction. Restrict processing of your personal data in certain circumstances.
- Portability. Export your personal data in a machine-readable format.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. For data processed under consent, withdraw at any time.
- Lodge a complaint. With a data protection authority in your country.
To exercise any of these rights, email legal@ecopyright.io. We respond within 30 days as required by GDPR.
Security
We protect your data with:
- 256-bit SSL/TLS encryption for all data in transit.
- Encryption at rest for all stored files and personal data.
- Two-factor authentication available for your account.
- Regular security audits and penetration testing.
- Restricted internal access on a need-to-know basis.
- Daily, weekly, and monthly backups, geographically distributed.
No system is perfectly secure. In the unlikely event of a data breach affecting your information, we notify you within 72 hours as required by GDPR, and provide details of what was affected and what we are doing in response.
Children's privacy
Ecopyright is not designed for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data, contact us and we will delete it.
Cookies
We use a small number of cookies that are strictly necessary for the service to function. See our Cookie Policy for details.
Changes to this policy
We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes are also announced via email to active members.
Contact us
Questions, concerns, or requests about your personal data:
Email: legal@ecopyright.io
Subject line: "Privacy" or "Data Protection"