Updated: 28 Oct 2025
This Privacy Policy explains how ozgekarasu.com (“Site”, “I”, “me”, or “my”) collects, uses, shares, and protects personal data.
It complies with the EU GDPR, UK GDPR, California CCPA/CPRA, and Türkiye’s KVKK (Law No. 6698).
It should be read together with the Site Rules / Terms of Use and the KVKK Notice available at /tr/kvkk.
This document is informational and does not constitute legal advice.
Data Controller
Özge Karasu
Email: contact@ozgekarasu.com
For EU/UK residents, I act as the data controller under GDPR and UK GDPR.
What Data I Collect
I collect only the minimum data required to operate the Site and respond to visitors:
- Contact data: name (optional), email address, message content, language preference.
- Subscription data: email address, subscription status, language, and consent status.
- Usage data / logs: browser and device type, anonymized IP address, time, visited pages, and basic diagnostic data.
- Analytics data: aggregated statistics from Google Analytics 4 (IP anonymization active).
- Cookies:
  - Essential cookies – required for session, form security, and reCAPTCHA.
  - Optional cookies – analytics cookies enabled only with consent.
- Security data: behavioral patterns analyzed by Google reCAPTCHA v2/v3 to detect bots.
I do not collect sensitive categories (e.g., health, biometrics, political views) or knowingly collect data from children under 13 (COPPA).
Sources:
- Directly from you via forms or email.
- Automatically from your browser or device when you visit the Site.
Why and How I Use It
Purposes
- To respond to messages or subscription requests.
- To operate, secure, and maintain the Site.
- To analyze aggregate traffic and performance trends.
- To comply with legal obligations.
Legal Bases (Art. 6 GDPR)
- Legitimate interest – ensuring security, preventing spam, and improving performance.
- Contract necessity – responding to contact or subscription requests.
- Legal obligation – compliance with lawful requests or retention rules.
- Consent – for analytics cookies or newsletter emails (you can withdraw anytime).
Cookies and Similar Technologies
- Only essential cookies run by default.
- Analytics cookies operate only with your explicit consent, where required by law.
- Some browsers support a Global Privacy Control (GPC) signal; this Site respects GPC as an opt-out for optional analytics.
You can block cookies via browser settings; essential features may stop working if you do.
Disclosures to Service Providers
I share limited personal data with trusted processors who assist in providing secure and reliable services:
Supabase
- Purpose: Stores contact & subscription form data
- Data Processed: email, message, consent, timestamps
- Security: Row-Level Security (RLS) enabled; only server-side access; 30-day token auto-clean
Brevo (Sendinblue)
- Purpose: Sends subscription confirmation & notification emails
- Data Processed: email, language, subscription status
- Security: API key stored only on server; GDPR-compliant processor
Cloudflare
- Purpose: DNS, firewall, and SSL/TLS protection
- Data Processed: anonymized IPs, logs (24–48h)
- Security: DDoS protection; ISO 27001 certified
Google Workspace (Gmail)
- Purpose: Business email communication
- Data Processed: email metadata
- Security: 2FA enabled; Google Workspace enterprise security
Google reCAPTCHA v2/v3
- Purpose: Prevents spam and bot abuse
- Data Processed: behavioral/interaction data
- Security: Data processed under Google’s Privacy Policy
Google Analytics 4
- Purpose: Aggregated analytics (IP anonymized)
- Data Processed: page views, browser/device info
- Security: EU data region; no personal IDs stored
These providers process data only on my instructions and under strict confidentiality and security obligations.
International Transfers
Some providers host data outside your country (e.g., EU or U.S.).
When GDPR/UK GDPR applies, I rely on appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs),
- UK International Data Transfer Addendum (IDTA), and
- Additional technical safeguards like encryption and access limitation.
Retention
I retain personal data only as long as necessary for the stated purposes, then delete or anonymize it:
- Contact or subscription data: until correspondence or subscription ends, or after a reasonable retention period.
- Supabase tokens: automatically deleted after 30 days if unused.
- Cloudflare security logs: retained for 24–48 hours.
- Analytics data: stored only in aggregate, anonymized form.
When data is no longer needed, it is securely deleted or irreversibly anonymized.
Security
I implement appropriate technical and organizational measures including HTTPS/TLS encryption, access control, audit logging, and 2FA for administrative accounts.
Supabase, Cloudflare, Brevo, and Google all maintain ISO 27001, SOC 2, and GDPR-compliant infrastructures.
While no system is 100% secure, I regularly review and update these safeguards.
Your Rights
Under EU/UK GDPR
You may exercise the following rights:
- Access your personal data,
- Request correction or deletion,
- Restrict or object to processing,
- Request data portability,
- Withdraw consent (where applicable),
- Lodge a complaint with your local Data Protection Authority.
Under CCPA/CPRA (California)
You may:
- Request to know/access, correct, or delete your personal information,
- Opt out of the sale or sharing of personal information (I do not sell or share),
- Exercise your rights without discrimination,
- Designate an authorized agent to submit a request on your behalf.
To exercise any of these rights, email contact@ozgekarasu.com.
Identity verification may be required for security.
U.S. “Notice at Collection” (CCPA/CPRA)
Categories collected: Identifiers (name, email, anonymized IP), Internet activity (pages, interactions), and limited device data.
Purposes: Site operation, communication, security, debugging, and optional analytics (with consent).
Retention: For the periods described above.
Sale/Share: I do not sell or share personal data.
Sensitive data: Not used for profiling or targeted advertising.
Third-Party Links
External links on this Site lead to third-party websites governed by their own privacy policies.
I am not responsible for their content or practices.
Children
This Site is not intended for children under 13. If you believe a child has provided personal data, please contact me for deletion.
Changes to This Policy
This Policy may be updated periodically. The “Updated” date above shows the latest revision. Significant changes will be announced on this page.
Contact
For any privacy-related questions or data requests, please email:
contact@ozgekarasu.com
