Privacy Policy

Last updated: February 12, 2026

1. Overview

Octomag ("we", "platform", "service") is committed to protecting the privacy of its users. This Privacy Policy has been prepared to inform you about the personal data collected, processed, and stored when you use the Octomag platform. By using our platform, you agree to this policy.

Octomag is a Turkey-based software service (SaaS) that operates in compliance with the Turkish Personal Data Protection Law No. 6698 (KVKK) and the European Union General Data Protection Regulation (GDPR).

2. Data Controller

Octomag is responsible for the processing of your personal data. You can find our contact information in the "Contact" section at the end of this policy.

3. Data Collected and Legal Basis

Our platform collects data in the following categories:

Identity and account information: Name, surname, email address, password (hashed), profile photo. When signing in with Google or social media, basic profile information from the relevant account.
Platform integration data: Product, order, customer, message, comment, and analytics data from third-party platforms you connect (Instagram, Facebook, TikTok, Google Ads, Trendyol, Hepsiburada, N11, WooCommerce, etc.).
Social media messages: Instagram Direct messages, Facebook Messenger messages, and other platform messages. This data is processed only with your consent and within the API permissions of the relevant platform.
Usage data: Session information, login times, features used, browser and device information, IP address.
AI generation data: Images, texts, videos created with AI tools, and their generation parameters.
Payment information: Billing information required for subscription transactions. Credit card information is not stored by us; it is processed by the payment infrastructure provider.

4. Purposes of Data Use

We use the data we collect for the following purposes:

To provide, maintain, and improve platform services
To help you manage your e-commerce operations
To enable you to manage messages from your social media accounts (Instagram DM, Facebook Messenger, etc.)
To provide AI-powered content generation (images, videos, text)
To create analytics reports and sales analyses
To optimize your advertising campaigns
To perform customer segmentation and CRM operations
To provide technical support and customer service
To fulfill legal obligations

5. Third-Party Service Providers

We do not sell or share your data for advertising purposes. We use third-party providers in the following categories for service delivery:

Infrastructure: Supabase (database), Vercel (hosting)
AI services: OpenAI, Anthropic, Google AI, fal.ai, ElevenLabs — used only for content generation
Email: Resend — for notification and verification emails
Platform APIs: Meta (Instagram/Facebook), TikTok, Google, Trendyol, Hepsiburada, N11 — for integration services

Data shared with these providers is processed only to the extent and duration required by the relevant service. Each provider is subject to its own privacy policy.

6. Meta Platform Data (Instagram / Facebook)

In accordance with Meta Platform Policy for Instagram and Facebook integrations:

Data received from Meta (messages, profile information, page data) is processed solely for your use through our platform
This data is not sold, transferred, or used for advertising purposes to third parties
Instagram Direct messages and Facebook Messenger data are stored encrypted
You can remove the Meta integration at any time; upon removal, related data will be deleted within 30 days
Only you and your authorized team members can access Meta data

7. Data Security

The following measures are applied to protect your data:

All data communication is protected with SSL/TLS encryption (HTTPS)
API keys and platform credentials are stored with AES-256-GCM encryption
Row Level Security (RLS) ensures each user can only access their own data
Session management is handled with HTTP-only, Secure cookies
No third-party tracking cookies or advertising tracking pixels are used
Regular security audits and updates are performed

8. Cookies

Our platform uses only the following essential cookies:

Session cookie: To maintain your login status (HTTP-only, Secure, 7 days)
CSRF protection cookie: For form security

No analytics, marketing, or third-party tracking cookies are used.

9. Data Retention Period

Account data is retained as long as your account is active
When your account is closed, all your personal data will be permanently deleted within 30 days
Platform integration data is deleted within 30 days when the relevant connection is removed
Data that must be retained due to legal obligations (billing information, etc.) is kept for the period stipulated by the relevant legislation

10. Your Rights (KVKK Article 11 / GDPR)

Regarding your personal data, you have the right to:

Learn whether your data is being processed
Request information about your processed data
Learn the purpose of data processing and whether it is used in accordance with its purpose
Know the third parties to whom data is transferred
Request correction of incomplete or incorrectly processed data
Request deletion or destruction of your data
Request data portability (GDPR)
Remove your platform connections at any time
Close your account at any time

To exercise these rights, you can contact us through the communication channels below.

11. International Data Transfer

Within the scope of our service infrastructure, your data may be processed on servers located abroad (Supabase — AWS infrastructure, Vercel — Edge Network). These transfers are carried out within the framework of security measures and standard contractual clauses required by KVKK and GDPR.

12. Policy Updates

This Privacy Policy may be updated from time to time. When significant changes are made, a notification will be sent to your registered email address. The current policy is always published on this page.

13. Contact

For all questions, requests, and inquiries regarding privacy:

Email: info@octomag.com
Web: octomag.com