Privacy Policy

Last updated: July 7, 2026

This Privacy Policy explains how Entrobase (entrobase.ai and its subdomains — the "Platform", "we", "us") collects, uses, stores, and protects your personal data when you use our services.

Entrobase is an AI-powered website builder. It lets you create professional Next.js websites by chatting, and add modules such as databases, blogs, e-commerce, domains, and advertising analytics.

We process your data in accordance with the Turkish Personal Data Protection Law (KVKK No. 6698) and — if you are in the European Union — the General Data Protection Regulation (GDPR). By using the Platform, you agree to the practices described here.

01. Data Controller and Scope

The data controller of your personal data, within the meaning of KVKK and GDPR, is:

  • Legal entity: PNZ GROUP BİLİŞİM LİMİTED ŞİRKETİ
  • Tax ID (VKN): 7300836173
  • Brand: Entrobase is a registered trademark of PNZ GROUP BİLİŞİM LİMİTED ŞİRKETİ.
  • Address: Yeşilbağlar Mah. D 100 Blv. Pendik Pera Residence A Blok No: 20 İç Kapı No: 29 Pendik / Istanbul, Türkiye
  • Privacy contact: privacy@entrobase.aiLegal contact: legal@entrobase.ai

This policy covers registered users, visitors, and people who receive services through the Platform. Data of end users who visit websites you build with Entrobase is the responsibility of that site's owner (see "User Sites").

02. Personal Data We Collect

To provide the service, we process the following categories of data:

CategoryExample DataSource
Identity & accountEmail address, name, profile image, authentication provider (Google/GitHub/email)You / OAuth provider
Usage & contentYour projects, chat messages (prompts), generated files, credit/usage counters, settingsYou / usage
Site dataContent of sites you build: blog posts, products, form submissions, collection recordsYou / your site visitors
Google Ads dataWhen connected via OAuth: read-only campaign/ad performance data and encrypted access tokensGoogle Ads API
Domain registrationWhen you register a domain: registrant (WHOIS) contact details such as name, address, phone, emailYou
Technical dataIP address, browser/device info, session cookies, coarse location (country/language)Automatic
CommunicationsSupport requests and correspondenceYou
Payment (future)When paid features launch, billing/transaction data processed by a payment provider. Card details are not stored on our servers.Payment provider

Authentication is passwordless: a one-time code (OTP) by email, or sign-in with Google/GitHub. We therefore do not store passwords.

04. Google User Data and the Google Ads API

When you use the Entro Ads module and connect your Google account, we access certain data through Google API Services. This section explains, in detail and to satisfy the Google API Services User Data Policy and its Limited Use requirements, how we handle Google user data.

Data we access

  • Basic profile: your email address and name when you sign in with Google (for authentication).
  • Google Ads account data: read-only access to campaigns, ad groups, keywords, search terms, device/geo/demographic breakdowns, and performance metrics (impressions, clicks, conversions, cost, etc.).

How we obtain it

Access is granted only through OAuth 2.0, with your explicit consent and the narrowest necessary scopes. We read Google Ads data only when you request it (by connecting an account and asking for analysis); we do not create or modify ads.

How we use it

We use Google Ads data solely to produce analytics, insights, and AI-powered evaluations for you within the dashboard (e.g. wasted-spend detection, inefficient keywords, CPA/ROAS trends). We do not use the data for ad targeting, profiling, credit assessment, or similar purposes.

How we store it

OAuth access/refresh tokens are stored encrypted with AES-256-GCM. Query results are cached for performance, isolated per user via Row Level Security (RLS); no other user can access them.

How we share it

We do not sell, rent, or transfer Google user data to advertising networks or data brokers. To generate the AI evaluation you request, data is passed only to our infrastructure sub-processors (e.g. our AI model gateway), and such transfer is subject to the Limited Use restrictions.

Limited Use statement: Entrobase's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking access

You may disconnect at any time from the Entro Ads settings inside the Platform, or revoke access from the Google Account Permissions page. After revocation, stored tokens are deleted and cached Google Ads data is purged within a reasonable period.

05. AI Processing

Entrobase uses AI models through a gateway (OpenRouter). When you request site generation, editing, content, or analysis, the prompts, relevant project files, and context you send are transmitted to the selected model provider (e.g. Anthropic, OpenAI, Google, and others).

  • Your data is transmitted only to fulfill your request.
  • We prefer enterprise/API terms under which model providers do not use your data to train their models.
  • We recommend not entering sensitive personal data (national IDs, health, card details, etc.) into prompts or site content.

06. Who We Share Data With (Sub-processors)

We do not sell your personal data. To provide the service, we share data only with the following categories of contractually bound service providers (sub-processors):

ProviderPurposeLocation
SupabaseAuthentication, platform database, file storageEU / US
NeonIsolated databases for user sitesEU (Frankfurt)
OpenRouter (+ model providers: Anthropic, OpenAI, Google, Alibaba, Moonshot)AI model callsUS / global
CloudflareDNS, CDN, site hosting (Pages), DDoS protectionGlobal (edge)
RenderApplication and API server hostingEU / US
Fly.ioSite build workersGlobal
UpstashBuild queue (Redis)EU / US
DomainNameAPIDomain registration and WHOIS contact dataTürkiye
Serper, Jina AIWeb research and content fetching for AutoBlogUS / global
Voyage AIEmbeddings for file similarityUS
Google Ads APIAd performance data when you connectGlobal
Email providerLogin codes and transactional emailsEU / US

We may also share data with competent authorities where required by law (court order, lawful request) or to protect our rights.

07. International Data Transfers

Some of our sub-processors may be located outside Türkiye and the EU (e.g. the US). In such cases, transfers are made under KVKK's cross-border transfer rules and, under GDPR, using Standard Contractual Clauses (SCCs) or equivalent safeguards. User site databases are hosted primarily in the EU (Frankfurt) region.

08. Data Retention

  • Account and content data: retained while your account is active.
  • Deletion: when you delete your account, your data is deleted within a reasonable period (including removal from backups). Records subject to a legal retention obligation (e.g. invoices) are kept for the statutory period.
  • Google Ads token/cache: deleted/purged when you disconnect.
  • Logs: security and debugging logs are kept for a limited time.

09. Data Security

  • TLS/HTTPS encryption in transit.
  • Sensitive credentials (Neon connections, Google Ads tokens) encrypted with AES-256-GCM.
  • User isolation at the database level via Row Level Security (RLS).
  • JWT authentication for WebSocket connections; dangerous-pattern blocking on user SQL queries.
  • Privileged keys (service_role) only on the server side; never sent to the client.

No system is 100% secure, but we apply industry-standard measures to protect your data. In the event of a breach, we will notify as required by applicable law.

10. Your Rights

Under KVKK Art. 11 and the GDPR, you have the following rights:

  • To learn whether your data is processed and to access it.
  • To request rectification of inaccurate/incomplete data.
  • To request erasure or destruction of your data.
  • To request restriction of and to object to processing.
  • To receive your data in a portable format (data portability).
  • To withdraw consent you have given (without retroactive effect).
  • To lodge a complaint with a competent supervisory authority.

To exercise your rights, contact privacy@entrobase.ai. In Türkiye, if your request is refused you may complain to the Personal Data Protection Board (KVKK); in the EU, to your local data protection authority.

11. Cookies

The Platform uses strictly necessary cookies to keep you signed in; non-essential cookies such as analytics/marketing run only with your explicit consent. See our Cookie Policy for details.

12. Children's Privacy

Entrobase is not directed to individuals under 18, and we do not knowingly collect data from minors. If we learn we have processed a child's data, we will delete it.

14. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via the Platform or by email. The current version is always published on this page with the "Last updated" date shown above.

15. Contact

For privacy questions, requests, or complaints, reach us at: