Section I · 10 — Privacy Policy

Privacy Policy.

How we collect, use, store, and protect your data. Plain English where we can, lawyer English where we must. If anything here contradicts the spirit of Duck Law — the spirit wins.

Effective: April 16, 2026
Last updated: May 5, 2026
Compliance: GDPR · UK GDPR · KVKK · CCPA
Contents
  1. Who Is Responsible for Your Data
  2. What Data We Collect
  3. How We Use Your Data
  4. Third-Party Processors
  5. International Data Transfers
  6. Data Retention
  7. Your Rights
  8. Account and Data Deletion
  9. Cookies and Tracking
  10. Security
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact and Complaints

This Privacy Policy explains how Cyduck collects, uses, stores, and protects your personal data. It applies to all users of cyduck.com and dashboard.cyduck.com globally, and is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Turkish Personal Data Protection Law (KVKK), and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).

§ 01

Who Is Responsible for Your Data

Cyduck is operated by Veri Maden Bilişim A.Ş., a Turkish joint-stock company headquartered at Ostim OSB Mah. 1251 Sk. No: 15, Yenimahalle, Ankara, Türkiye. In this Privacy Policy, "Cyduck", "we", "us", and "our" refer to Veri Maden Bilişim A.Ş.

We are the data controller for personal data processed through the Services within the meaning of GDPR Article 4(7), KVKK Article 3, and applicable US state privacy laws. For data protection enquiries, contact us at [email protected].

Data controller

Veri Maden Bilişim A.Ş.
Ostim OSB Mah. 1251 Sk. No: 15
Yenimahalle, Ankara, Türkiye

§ 02

What Data We Collect

2.1 Data you provide directly

  • Email address — when you create an account or use our email breach checker.
  • Phone number — if you add a phone asset to your dashboard. We send a one-time SMS verification code to confirm ownership of the number. See Section 2.5 for details.
  • Social profile URLs — if you add a social account asset to your dashboard.
  • Security declarations — your self-reported answers about password age, two-factor authentication status, and account recovery settings. These are declarations only; we never ask for or store your actual passwords.

2.2 Data generated by your use of the Services

  • Breach findings — results of breach lookups performed against your verified assets via Have I Been Pwned.
  • Security score and history — your Personal Cyber Score and its historical trend over time.
  • Actions and declarations — records of remediation actions you declare (e.g. "changed my password").
  • Streak and activity data — your daily engagement streak and check-in dates.
  • Notification preferences — your chosen notification settings.

2.3 Data collected automatically

  • Usage analytics — anonymized, aggregated data about how features are used, collected via Google Analytics. No personally identifiable information is included in these analytics reports.
  • Authentication tokens — session tokens issued by Clerk for the purpose of keeping you securely signed in. These are not used for any purpose other than authentication.

2.4 Data we do NOT collect

  • We do not collect or store your actual passwords at any point.
  • We do not collect payment information (Cyduck is currently free).
  • We do not build advertising profiles or sell your data.
  • Free tools at cyduck.com operate without any account or tracking — consistent with our Duck Law.

2.5 SMS Communications

Cyduck sends SMS messages only for one-time phone number verification, initiated by the user inside the dashboard. We send a verification code when:

  • You add a phone number as a monitored asset to your dashboard.
  • You designate a phone number as a recovery method or two-factor authentication factor for an existing asset, and we have not previously verified that number for you.

SMS messages are user-initiated and transactional. We do not send marketing, promotional, or recurring notifications by SMS. Standard message and data rates may apply, depending on your mobile carrier.

We do not share phone numbers with, or sell them to, third parties for marketing purposes. Phone numbers are used solely for account verification and security.

Stop SMS

You can stop receiving SMS messages at any time by replying STOP to any verification message. To resume verification later, contact us at [email protected].

§ 03

How We Use Your Data

We use your personal data only for the following purposes:

Purpose | Legal basis (GDPR) | Legal basis (US / CCPA)
--- | --- | ---
Providing and operating the Services | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Performing breach scans against your assets | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Calculating and displaying your security score | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Sending security alerts and notifications | Legitimate interests (Art. 6(1)(f)) | Necessary for service delivery
Sending transactional messages (email and SMS verification codes) | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Improving and analyzing service usage | Legitimate interests (Art. 6(1)(f)) | Analytics (opt-out available)
Complying with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal compliance

We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.

Legal basis under KVKK (Türkiye)

For Türkiye-based users, the equivalent legal bases under KVKK Article 5(2) are: performance of a contract to which you are a party (Art. 5(2)(c)), legitimate interests of the data controller balanced against your fundamental rights (Art. 5(2)(f)), and compliance with legal obligations (Art. 5(2)(ç)). Where none of these apply, we rely on your explicit consent (KVKK Art. 5(1)).

§ 04

Third-Party Processors

We share data with the following trusted processors only to the extent necessary to operate the Services:

Processor | Purpose | Data shared
--- | --- | ---
Clerk | Authentication and session management | Email address, session tokens
Have I Been Pwned (HIBP) | Breach database lookups | Email address (hashed where possible)
Resend | Transactional email delivery | Email address, message content
Twilio | SMS verification code delivery | Phone number, verification message content
Anthropic | AI spam analysis (spam checker tool only) | Text content submitted for analysis
Google Analytics | Anonymized usage analytics | Anonymized usage events, no PII
Cloudflare | Hosting, CDN, and infrastructure | IP address (standard web traffic)

All processors are bound by Data Processing Agreements and are required to handle your data in compliance with GDPR and applicable law. We do not sell your data to any third party.

§ 05

International Data Transfers

Some of our processors are based in the United States. Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom to the US, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognized under UK law.

For Türkiye-based users, transfers of personal data abroad are carried out in accordance with KVKK Article 9, including based on standard contracts published by the Turkish Personal Data Protection Authority, binding corporate rules, or — where required — the explicit consent of the data subject.

You may request details of the safeguards we rely on by contacting [email protected].

§ 06

Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account data — retained for the lifetime of your account, plus 30 days following deletion to allow for recovery.
  • Breach findings and score history — retained for the lifetime of your account.
  • Security declarations and actions — retained for the lifetime of your account.
  • Anonymized analytics data — retained for up to 26 months by Google Analytics, per their standard retention settings.
  • Authentication logs — retained for up to 90 days for security and fraud prevention.

When you delete your account, we delete your personal data within 30 days, except where retention is required by law.

§ 07

Your Rights

Rights under GDPR (EU and UK users)

If you are located in the EU or UK, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to certain legal exceptions.
  • Right to restriction of processing — request that we limit how we use your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint — with your local data protection supervisory authority.

Rights under CCPA / CPRA (California residents)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you have the right to:

  • Know what personal information we collect, use, disclose, or sell.
  • Delete personal information we have collected from you, subject to certain exceptions.
  • Correct inaccurate personal information we hold about you.
  • Limit the use and disclosure of sensitive personal information.
  • Opt out of the sale or sharing of personal information. Cyduck does not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination for exercising your privacy rights.

Rights under other US state privacy laws

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or Utah (UCPA), you have rights similar to those under CCPA, including the right to access, correct, and delete personal data we hold about you, the right to data portability, and the right to opt out of targeted advertising and the sale of personal data. The specific scope of each right is determined by your state's law. To exercise any of these rights, contact us using the details below.

Rights under KVKK (Türkiye residents)

If you are located in Türkiye, under the Personal Data Protection Law No. 6698 (KVKK), Article 11, you have the right to:

  • Learn whether your personal data is being processed.
  • Request information about how your personal data is being processed.
  • Learn the purpose of processing and whether the data is used in accordance with that purpose.
  • Know the third parties (in Türkiye or abroad) to whom your personal data is transferred.
  • Request correction of incomplete or inaccurate personal data.
  • Request deletion or destruction of your personal data within the framework of KVKK Article 7.
  • Request notification of correction, deletion, or destruction operations to third parties to whom data has been transferred.
  • Object to results that arise solely from automated processing of your data.
  • Claim compensation for damages arising from unlawful processing of your personal data.
  • File a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurulu) at kvkk.gov.tr if you believe your rights have been violated.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR / KVKK) or 45 days (CCPA and other US state laws) of receiving a verifiable request.

§ 08

Account and Data Deletion

This section explains how to exercise your right to delete data described in Section 7. You can delete your Cyduck account and all associated data at any time. This includes data collected through connected social accounts (Facebook, LinkedIn, X) as required by Meta Platform Terms and applicable privacy laws.

Option 1 — Disconnect a single social account

If you only want to remove data related to one specific social account (for example, your connected Facebook account) while keeping your Cyduck account active:

  1. Sign in to dashboard.cyduck.com.
  2. Open the connected social account from your dashboard.
  3. Tap Remove this asset at the bottom of the detail page and confirm removal.

All data related to that social account will be deleted from our primary database within 24 hours.

Option 2 — Delete your entire Cyduck account

To delete your entire Cyduck account and all associated data (email assets, phone assets, social assets, breach findings, posture history, and score history):

  1. Send an email to [email protected] from the email address linked to your Cyduck account.
  2. Use the subject line: Delete my Cyduck account.
  3. We will verify your identity and delete all data within 30 days of the request.

What gets deleted

When you delete your account or disconnect a social asset, we permanently remove:

  • All asset records (emails, phone numbers, social profile links).
  • All breach findings associated with your assets.
  • Posture declarations (password freshness, 2FA status, recovery methods).
  • Account settings and preferences.
  • Score history.
  • Data fetched from connected platforms (email address from Facebook OAuth, profile identifiers).

Data retention after deletion

Once a deletion request is processed, data is purged from our primary database (Cloudflare D1) within 24 hours. Backups are rotated every 30 days, so any residual copies in backup archives are fully removed within 30 days from the deletion date.

Meta-specific deletion

If you disconnect your Facebook account from Cyduck through Facebook's Apps and Websites settings, Meta notifies us and we delete all data related to your Facebook connection within 30 days. You can trigger this directly from your Facebook Settings → Apps and Websites → Cyduck → Remove.

§ 09

Cookies and Tracking

Cyduck uses a minimal set of cookies and local storage:

  • Authentication cookies — set by Clerk to maintain your signed-in session. These are strictly necessary and cannot be disabled without breaking the dashboard.
  • Analytics cookies — set by Google Analytics to collect anonymized usage data. These are not linked to any personally identifiable information.
  • Local storage — used to cache your dashboard state (score, assets) on your device to improve load times. This data stays on your device and is not transmitted to third parties.

The free tools at cyduck.com operate without cookies or account tracking, in line with our Duck Law.

§ 10

Security

We take the security of your data seriously. We implement appropriate technical and organizational measures including:

  • Encrypted data transmission via HTTPS/TLS.
  • Authentication handled by Clerk, a dedicated identity provider with industry-standard security practices.
  • Database access restricted to authenticated, authorized requests only.
  • No storage of plaintext passwords at any point in our system.

No system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].

§ 11

Children's Privacy

Cyduck is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.

§ 12

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via the Services.

Your continued use of the Services after any change constitutes acceptance of the updated policy.

§ 13

Contact and Complaints

For any privacy-related questions, requests, or complaints, contact us at:

Cyduck — Privacy

Operated by Veri Maden Bilişim A.Ş.
Address: Ostim OSB Mah. 1251 Sk. No: 15, Yenimahalle, Ankara, Türkiye
Email: [email protected]
Website: cyduck.com

If you are in the European Union or United Kingdom

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your national data protection authority. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

If you are in the United States

You may file a complaint with:

  • California residents: the California Attorney General at oag.ca.gov or the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
  • Other state residents (Virginia, Colorado, Connecticut, Utah and others): contact your state attorney general's office.
  • Federal complaints: the Federal Trade Commission (FTC) at reportfraud.ftc.gov.

If you are in Türkiye

You have the right to lodge a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurulu) at kvkk.gov.tr. Note that under KVKK Article 13, you must first apply directly to us as the data controller; we will respond within 30 days. If our response is unsatisfactory or we fail to respond, you may then file a complaint with the Authority within 30 days of our response (or 60 days from the date of your application).
