Privacy Policy

1. Introduction

Cestra (“we”, “us”) processes personal data in accordance with the Turkish KVKK (Law No. 6698) and the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, and how we safeguard it.

2. Data we collect

• Identity & contact: name, email, billing details.
• Account: credentials (hashed), API keys, org membership.
• Usage: flow executions, prompts, outputs, credit consumption.
• Technical: IP address, browser user-agent, session cookies.

3. How we use your data

To authenticate you, deliver the service, bill you, provide support, send transactional communications, and meet legal obligations. We do not sell personal data to third parties.

4. Retention

Account data is retained while your account is active and for a reasonable grace period afterwards. Billing records are retained per tax law. Execution logs follow the retention window configured on your workspace.

5. Security

TLS in transit, bcrypt-hashed credentials, encrypted API keys at rest (AES-256), least-privilege access, and periodic security reviews.

6. Your rights

You can request access, correction, deletion, export, or objection to processing. Email kvkk@cestra.ai.