Last updated: July 7, 2026
This Privacy Policy explains how Entrobase (entrobase.ai and its subdomains — the "Platform", "we", "us") collects, uses, stores, and protects your personal data when you use our services.
Entrobase is an AI-powered website builder. It lets you create professional Next.js websites by chatting, and add modules such as databases, blogs, e-commerce, domains, and advertising analytics.
We process your data in accordance with the Turkish Personal Data Protection Law (KVKK No. 6698) and — if you are in the European Union — the General Data Protection Regulation (GDPR). By using the Platform, you agree to the practices described here.
01. Data Controller and Scope
The data controller of your personal data, within the meaning of KVKK and GDPR, is:
- Legal entity: PNZ GROUP BİLİŞİM LİMİTED ŞİRKETİ
- Tax ID (VKN): 7300836173
- Brand: Entrobase is a registered trademark of PNZ GROUP BİLİŞİM LİMİTED ŞİRKETİ.
- Address: Yeşilbağlar Mah. D 100 Blv. Pendik Pera Residence A Blok No: 20 İç Kapı No: 29 Pendik / Istanbul, Türkiye
- Privacy contact: privacy@entrobase.ai — Legal contact: legal@entrobase.ai
This policy covers registered users, visitors, and people who receive services through the Platform. Data of end users who visit websites you build with Entrobase is the responsibility of that site's owner (see "User Sites").
02. Personal Data We Collect
To provide the service, we process the following categories of data:
| Category | Example Data | Source |
|---|---|---|
| Identity & account | Email address, name, profile image, authentication provider (Google/GitHub/email) | You / OAuth provider |
| Usage & content | Your projects, chat messages (prompts), generated files, credit/usage counters, settings | You / usage |
| Site data | Content of sites you build: blog posts, products, form submissions, collection records | You / your site visitors |
| Google Ads data | When connected via OAuth: read-only campaign/ad performance data and encrypted access tokens | Google Ads API |
| Domain registration | When you register a domain: registrant (WHOIS) contact details such as name, address, phone, email | You |
| Technical data | IP address, browser/device info, session cookies, coarse location (country/language) | Automatic |
| Communications | Support requests and correspondence | You |
| Payment (future) | When paid features launch, billing/transaction data processed by a payment provider. Card details are not stored on our servers. | Payment provider |
Authentication is passwordless: a one-time code (OTP) by email, or sign-in with Google/GitHub. We therefore do not store passwords.
03. Purposes and Legal Bases
We process your data only for specific, legitimate purposes. Legal bases under KVKK Art. 5-6 and GDPR Art. 6 include:
- Providing the service (performance of a contract): creating your account, hosting and publishing your projects and sites, AI generation, and module functionality.
- Legitimate interests: platform security, abuse/fraud prevention, service improvement, and basic aggregated (anonymized) usage analysis.
- Consent: non-essential cookies, marketing communications, and connecting optional integrations such as Google Ads. You may withdraw consent at any time.
- Legal obligation: statutory retention and reporting duties (e.g. tax, commercial, and domain-registration law).
04. Google User Data and the Google Ads API
When you use the Entro Ads module and connect your Google account, we access certain data through Google API Services. This section explains, in detail and to satisfy the Google API Services User Data Policy and its Limited Use requirements, how we handle Google user data.
Data we access
- Basic profile: your email address and name when you sign in with Google (for authentication).
- Google Ads account data: read-only access to campaigns, ad groups, keywords, search terms, device/geo/demographic breakdowns, and performance metrics (impressions, clicks, conversions, cost, etc.).
How we obtain it
Access is granted only through OAuth 2.0, with your explicit consent and the narrowest necessary scopes. We read Google Ads data only when you request it (by connecting an account and asking for analysis); we do not create or modify ads.
How we use it
We use Google Ads data solely to produce analytics, insights, and AI-powered evaluations for you within the dashboard (e.g. wasted-spend detection, inefficient keywords, CPA/ROAS trends). We do not use the data for ad targeting, profiling, credit assessment, or similar purposes.
How we store it
OAuth access/refresh tokens are stored encrypted with AES-256-GCM. Query results are cached for performance, isolated per user via Row Level Security (RLS); no other user can access them.
How we share it
We do not sell, rent, or transfer Google user data to advertising networks or data brokers. To generate the AI evaluation you request, data is passed only to our infrastructure sub-processors (e.g. our AI model gateway), and such transfer is subject to the Limited Use restrictions.
Limited Use statement: Entrobase's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access
You may disconnect at any time from the Entro Ads settings inside the Platform, or revoke access from the Google Account Permissions page. After revocation, stored tokens are deleted and cached Google Ads data is purged within a reasonable period.
05. AI Processing
Entrobase uses AI models through a gateway (OpenRouter). When you request site generation, editing, content, or analysis, the prompts, relevant project files, and context you send are transmitted to the selected model provider (e.g. Anthropic, OpenAI, Google, and others).
- Your data is transmitted only to fulfill your request.
- We prefer enterprise/API terms under which model providers do not use your data to train their models.
- We recommend not entering sensitive personal data (national IDs, health, card details, etc.) into prompts or site content.
07. International Data Transfers
Some of our sub-processors may be located outside Türkiye and the EU (e.g. the US). In such cases, transfers are made under KVKK's cross-border transfer rules and, under GDPR, using Standard Contractual Clauses (SCCs) or equivalent safeguards. User site databases are hosted primarily in the EU (Frankfurt) region.
08. Data Retention
- Account and content data: retained while your account is active.
- Deletion: when you delete your account, your data is deleted within a reasonable period (including removal from backups). Records subject to a legal retention obligation (e.g. invoices) are kept for the statutory period.
- Google Ads token/cache: deleted/purged when you disconnect.
- Logs: security and debugging logs are kept for a limited time.
09. Data Security
- TLS/HTTPS encryption in transit.
- Sensitive credentials (Neon connections, Google Ads tokens) encrypted with AES-256-GCM.
- User isolation at the database level via Row Level Security (RLS).
- JWT authentication for WebSocket connections; dangerous-pattern blocking on user SQL queries.
- Privileged keys (service_role) only on the server side; never sent to the client.
No system is 100% secure, but we apply industry-standard measures to protect your data. In the event of a breach, we will notify as required by applicable law.
10. Your Rights
Under KVKK Art. 11 and the GDPR, you have the following rights:
- To learn whether your data is processed and to access it.
- To request rectification of inaccurate/incomplete data.
- To request erasure or destruction of your data.
- To request restriction of and to object to processing.
- To receive your data in a portable format (data portability).
- To withdraw consent you have given (without retroactive effect).
- To lodge a complaint with a competent supervisory authority.
To exercise your rights, contact privacy@entrobase.ai. In Türkiye, if your request is refused you may complain to the Personal Data Protection Board (KVKK); in the EU, to your local data protection authority.
12. Children's Privacy
Entrobase is not directed to individuals under 18, and we do not knowingly collect data from minors. If we learn we have processed a child's data, we will delete it.
13. User Sites and Third-Party Links
For visitor data you collect on websites you build with Entrobase (form submissions, e-commerce orders, etc.), you are the data controller. You are responsible for providing the required privacy notices for those sites; Entrobase acts as a processor providing the infrastructure for that data.
The Platform may contain links to third-party sites outside our control; we are not responsible for their privacy practices.
14. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify you via the Platform or by email. The current version is always published on this page with the "Last updated" date shown above.
15. Contact
For privacy questions, requests, or complaints, reach us at:
- Privacy: privacy@entrobase.ai
- Legal: legal@entrobase.ai
- Data controller: PNZ GROUP BİLİŞİM LİMİTED ŞİRKETİ (Tax ID 7300836173)