Sky Synthesis
Back to home

Privacy Policy

Effective date: May 28, 2026

This is a convenience translation. In case of any discrepancy, the Turkish version prevails.

This text is the privacy policy and disclosure notice for activities carried out under the Sky Synthesis brand, within the scope of Türkiye’s Law on the Protection of Personal Data No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”). AstraDeck and our other hardware products are also covered by this policy.

1. Identity of the Data Controller

Data Controller: Aytunç Burak Yüksel (a natural person resident in Türkiye, operating under the “Sky Synthesis” brand).

Contact: hello@skysynthesis.com
Location: İstanbul, Türkiye

2. Personal Data We Collect

We process the following categories of data only for the purposes stated in this text:

  • Identity data: Name and surname (for order and delivery, when provided by you).
  • Contact data: Email address (for order communication, configurator link delivery, and status updates).
  • Order and design data: Order ID, the colours, texts, font preferences, Spotify URIs, and personal photos/images you upload through the configurator for your card/hardware (only values entered by you; we do not access your Spotify account).
  • Marketplace orders: For orders from Etsy or other authorised sales channels, the buyer name, email, and order/buyer message provided by the platform.
  • Technical information: IP address (kept temporarily only for rate limiting and security).

We do not use cookie analytics, advertising tracking, or third-party tracking cookies.

3. Purposes of Processing and Legal Bases

Your personal data is processed for the following purposes and legal bases:

  • Order fulfilment (product design, printing, production, packaging, and handover to shipping) — performance of a contract (KVKK Art. 5/2-c; GDPR Art. 6(1)(b)).
  • Customer communication (configurator link, status notifications, support replies) — performance of a contract (KVKK Art. 5/2-c; GDPR Art. 6(1)(b)).
  • Legal obligations (tax and commercial record retention requirements) — compliance with a legal obligation (KVKK Art. 5/2-ç; GDPR Art. 6(1)(c)).
  • Fraud prevention and service security (rate limiting, session verification) — legitimate interest (KVKK Art. 5/2-f; GDPR Art. 6(1)(f)).

4. Third Parties with Whom Data Is Shared

Your data is never sold for marketing purposes. It is shared only to the limited extent necessary to perform the service, with the following service providers:

  • Vercel Inc. (USA) — hosting the web application.
  • Cloudflare, Inc. (USA) — domain management and email routing infrastructure.
  • Supabase, Inc. (EU — hosted in Ireland) — storage of order and design data.
  • Resend (Resend Inc., USA) — transactional email delivery.
  • Authorised Sales Channels (e.g. Etsy, Shopier, etc.) — access to order and receipt data when a sale is made through the relevant platform.
  • Printing and Logistics Partners — The images and design data you upload may be shared with authorised printing/print partners solely for producing and printing your physical card, limited to order fulfilment. These partners may not use or retain the data for any other purpose.

These providers act as “processors” and are subject to their own privacy policies. Our obligation to respond to lawful requests from authorised public authorities is reserved.

5. International Transfers

Some of the service providers above are located outside Türkiye (USA, EU). Transfers occur only to the extent necessary to perform the service and are based on internationally accepted standard contractual clauses with service providers. If KVKK Art. 9 requires Board approval or explicit consent for specific categories, your separate approval will be requested for those categories.

6. Retention Periods

  • User-uploaded images and card designs: Your raw uploaded images are processed when the card design is created. Final print files are stored securely for up to 1 month (30 days) after order completion against potential shipping, damage, or reprint requests. After this period, all images and print files are permanently and irreversibly deleted.
  • Order, design data, and tax records: 5 years (for artisan tax exemption and record retention under Turkish Tax Procedure Law Art. 253).
  • Operational and security logs: up to 1 year.
  • IP address (rate limiting): up to 7 days, in transient memory.

7. Your Rights as a Data Subject

Under KVKK Art. 11 and GDPR Art. 15-22, you have the following rights:

  • To learn whether your personal data is processed and, if processed, to request information.
  • To learn the purpose of processing and whether it is used in accordance with that purpose.
  • To know the third parties to whom data is transferred domestically or abroad.
  • To request correction of incomplete or inaccurate data.
  • To request deletion or destruction within the conditions set out under KVKK.
  • To request notification of correction/deletion operations to third parties to whom data was transferred.
  • To object to a result against you arising from analysis exclusively by automated systems.
  • To request compensation if you suffer damage due to unlawful processing.

Under GDPR, you also have rights to data portability, restriction of processing, and to lodge a complaint with a supervisory authority (in Türkiye, the Personal Data Protection Authority; in the EU, the data protection authority of your country). To exercise your rights, write to hello@skysynthesis.com. Your request will be answered free of charge within 30 days at the latest.

8. Cookie Policy

Our marketing site (skysynthesis.com) does not place cookies in your browser. The configurator (astradeck.skysynthesis.com) uses only strictly necessary cookies and local storage required for the service to function:

  • Spotify session: server-only (httpOnly) cookies that hold session/access information so you can connect your Spotify account and prepare your card.
  • Local storage: your language preference, cookie notice acknowledgement, and minor UI preferences.
  • Admin area (/orders): session cookies used only for operator authentication (not customer-facing).

We do not use advertising, analytics, or third-party tracking cookies. Because these cookies are strictly necessary to provide the service, they do not require explicit consent.

9. Security Measures

  • All end-to-end traffic is encrypted with HTTPS (TLS 1.2+).
  • Our database provider (Supabase) applies at-rest encryption.
  • Service account keys are stored only in server-side environment variables.

10. Children’s Data

Our services are intended for users aged 18 or older. We do not knowingly collect personal data from children. If you believe we have processed data belonging to your child, please contact us at hello@skysynthesis.com.

11. Changes to This Policy

This policy may be updated according to changes in our services or legal regulations. The current version is always published on this page; the effective date at the top reflects the latest update.

12. Contact and Requests

Email: hello@skysynthesis.com
Data Controller: Aytunç Burak Yüksel (under the Sky Synthesis brand)
Location: İstanbul, Türkiye