Privacy Policy
Last updated: February 5, 2025
At TurtleApps, we take your privacy seriously. This privacy policy explains what data we collect, how we use it, and what rights you have. We are a Dutch company and fully comply with the General Data Protection Regulation (GDPR).
1. What data do we collect?
We only collect data that is necessary to provide and improve our service. This falls into three categories:
Account Data
- Email address (used for authentication via magic link)
- Name and organization name (optional, during onboarding)
- Role and preferences (e.g., developer, product owner)
- Billing information (processed via Stripe, not stored by us)
Project Data
- Project names, descriptions, and configuration
- Tickets, reviews, and feedback
- Code repositories (managed or connected via GitHub)
- API keys you connect (stored encrypted)
Usage Data
- Login timestamps and session information
- Features used and navigation patterns
- AI ticket usage and credit consumption
- Device and browser information (for technical support)
2. How do we use your data?
We use your data exclusively for the following purposes:
- Providing and maintaining the TurtleApps service
- Authentication and security of your account
- Processing AI requests for code generation and review
- Sending transactional emails (login links, notifications)
- Improving our service based on anonymized usage patterns
- Complying with legal obligations
3. Third-party services
We work with carefully selected partners to deliver our service:
GitHub
When you connect your own repository, TurtleApps accesses your code via the GitHub API. We use OAuth tokens with minimal permissions. You can revoke access at any time via your GitHub settings.
Anthropic (Claude AI)
AI-generated code and reviews are processed via the Anthropic API. Your ticket descriptions and relevant code context are sent to Anthropic to generate responses. Anthropic does not store this data for training purposes. When using your own API key (BYOK), your own agreement with Anthropic applies.
Stripe (Payments)
All payments are processed by Stripe. We do not store credit card or bank details. Stripe is PCI DSS Level 1 certified. See Stripe's privacy policy at stripe.com/privacy.
Resend (Email)
We use Resend for sending transactional emails, such as login links (magic links) and notifications. Your email address is sent to Resend to deliver these emails. Resend only stores the minimum data required for email delivery. See Resend's privacy policy at resend.com/legal/privacy-policy.
Sentry (Error Tracking)
We use Sentry to monitor and track application errors. When an error occurs, technical information such as error messages, stack traces, and browser/device information may be sent to Sentry. This data is used solely for debugging and improving platform stability. No personal data is intentionally collected. See Sentry's privacy policy at sentry.io/privacy.
PostHog (Analytics)
We use PostHog for privacy-friendly product analytics. We have configured PostHog to respect Do Not Track settings, disable session recording, and minimize data collection. We collect anonymized usage patterns to improve our service. PostHog is self-hostable and GDPR-compliant. See PostHog's privacy policy at posthog.com/privacy.
Hosting & Infrastructure
Our application runs on servers within the European Union. We use encrypted connections (TLS) for all data transfer and encrypted storage for data at rest.
4. Cookies & tracking
We use a minimal number of cookies to make our service function:
Essential Cookies
Session cookies and authentication tokens are strictly necessary for the platform to function. These cannot be disabled.
Functional Cookies
Language preference and theme setting (light/dark) are stored locally for a better user experience.
Analytics
We use anonymized, privacy-friendly analytics to understand how our platform is used. We do not track individual users and do not share data with advertisers.
5. Data retention
We do not retain your data longer than necessary:
- Account data: as long as your account is active, plus 30 days after deletion
- Project data: as long as the project exists, deleted upon your request
- Audit logs: maximum 2 years for compliance purposes
- Billing data: 7 years in accordance with Dutch fiscal legislation
6. Your rights (GDPR)
As a data subject, you have the following rights:
- Right of access — You can request which personal data we process about you.
- Right to rectification — You can have incorrect data corrected.
- Right to erasure — You can request deletion of your personal data.
- Right to data portability — You can request your data in a structured format.
- Right to restriction — You can request restriction of processing of your data.
- Right to object — You can object to the processing of your data.
To exercise any of these rights, contact us at privacy@turtleapps.online. We will respond to your request within 30 days.
7. Security
We take the security of your data seriously and implement the following measures:
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant architecture with strict separation between organizations
- Role-based access control (RBAC) and audit logging
- Regular security audits and vulnerability scans
8. International data transfers
Your data is primarily processed and stored within the European Economic Area (EEA). When data is transferred to services outside the EEA (such as Anthropic in the US), we do so based on adequacy decisions or Standard Contractual Clauses (SCCs) in accordance with the GDPR.
9. Children
TurtleApps is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you discover that a child has provided data to us, please contact us so we can delete it.
10. Changes to this policy
We may update this privacy policy from time to time. For significant changes, we will notify you via email or a notification in the platform. The most recent version is always available on this page.
11. Contact
Have questions about this privacy policy or about the processing of your data? Contact us:
- TurtleApps
- Email: privacy@turtleapps.online
- Website: turtleapps.online
You also have the right to file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) if you believe your data is not being processed correctly.