01 Introduction
This Privacy Policy describes how AMBER MAKİNA İNŞAAT İTHALAT İHRACAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ ("Amber Makina," "we," "us," or "our") collects, uses, stores, and protects personal data when you use LOP™ (Logistics Optimization Platform), available at lop.tools and app.lop.tools (the "Service").
We take your privacy seriously. This document explains exactly what data we collect, how we use it, who we share it with, and the rights you have over your information.
Data Controller (per Article 10 of Türkiye's KVKK Law No. 6698 and Article 4 of the GDPR):
- Amber Makina (full name: AMBER MAKİNA İNŞAAT İTHALAT İHRACAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ)
- Cinnah Caddesi No: 49/1, Çankaya, Ankara, Türkiye
- Email: privacy@lop.tools
This Privacy Policy is also available in Turkish at lop.tools/tr/privacy.
For questions about how we handle your data, contact privacy@lop.tools. We respond to all inquiries within 30 days.
02 Information We Collect
We collect different categories of information depending on how you use the Service. We distinguish clearly between data you provide about yourself, data you upload about your business, and data we collect automatically.
2.1 Account Data
When you create an account, we collect:
- Your name
- Your email address
- Your organization name
- Your role within the organization
- Authentication credentials (passwords are hashed using bcrypt and never stored in readable form)
- Subscription tier and billing history
Billing information (credit card numbers, bank details) is never stored on our servers. Payment data is collected directly by our payment processors — iyzico for Turkish customers and Stripe for international customers — and we receive only confirmation of payment status.
For this category of data, Amber Makina is the Data Controller.
2.2 Customer Data — Load Planning Information
When you use the Service, we store the data you create:
- Load plans (items, containers, placements, optimization parameters)
- Item library (your products, dimensions, weights, descriptions, custom properties)
- STEP/CAD files you upload for 3D rendering
- Pallet definitions, container configurations, and business preferences
- Templates and saved configurations
This is your business data. You retain all ownership and intellectual property rights. We process this data solely to provide the Service to you.
For this category of data, Amber Makina is the Data Processor and you (or your organization) are the Data Controller.
2.3 Usage Data
To operate, secure, and improve the Service, we automatically collect:
- Pages visited and features used
- Solve performance metrics (e.g., how long an optimization took)
- Browser type, operating system, and device type
- IP address (used for security, abuse prevention, and approximate geo-location for performance routing)
- Error logs (sanitized — no passwords, no payment information, no full request bodies)
2.4 Cookies and Local Storage
LOP uses only essential cookies and local storage required for the Service to function:
- Authentication cookie — httpOnly, secure, SameSite=Lax, scoped to .lop.tools domain. Used to keep you signed in.
- Refresh token cookie — same security attributes as above. Used to refresh your session.
- Theme preference — stored in browser localStorage (light/dark mode). Never transmitted to our servers.
- Language preference — used to remember whether you chose the English or Turkish version.
We do not use:
- Advertising cookies
- Analytics tracking cookies (Google Analytics, Facebook Pixel, etc.)
- Third-party social media cookies
- Cross-site tracking technology
Because we use only essential cookies, no cookie consent banner is shown. This is consistent with both GDPR (Article 7) and KVKK guidance — consent is not required for cookies that are strictly necessary to provide a service explicitly requested by the user.
03 How We Use Your Data
We use your data only for the purposes listed below. We do not use your data for any other purpose without your explicit consent.
Service delivery
- Store and retrieve your load plans, items, and configurations
- Render 3D visualizations in your browser
- Run the optimization solver to generate load plans
- Process and visualize STEP/CAD files you upload
- Apply your subscription's plan limits and features
Account management
- Authenticate your sign-in attempts
- Manage subscription status and billing cycles
- Enforce plan limits
Service-related communications
- Send transactional emails: welcome messages, billing receipts, password resets, security alerts, account notifications, plan-limit warnings
- We do not send marketing emails without your explicit opt-in consent
Platform improvement
- Aggregate, anonymized analytics to understand which features are used and where users encounter friction
- Performance monitoring and error tracking
- We do not perform any analysis on your individual customer data for product improvement purposes
Billing
- Process subscriptions via iyzico (Turkish customers) or Stripe (international customers, when integration completes)
- Maintain billing records as required by Turkish tax law (Vergi Usul Kanunu)
Security and fraud prevention
- Detect and block abuse (excessive API calls, login brute-force attempts, suspicious activity)
- Investigate suspected fraud or violations of our Terms of Service
- Maintain audit logs for security incident response
Legal compliance
- Respond to valid data subject requests under KVKK or GDPR
- Comply with court orders, regulatory inquiries, or other legal obligations
- Maintain records required by Turkish law
What we do NOT do
- We do not sell your data to third parties under any circumstances
- We do not share your customer data (load plans, STEP files, business information) with anyone except the service providers listed in Section 5, and only as required to deliver the Service
- We do not use your customer data to train our own AI models or anyone else's AI models (see Section 4 for AI processing details)
- We do not track you across other websites
- We do not profile users for advertising
04 AI Processing (Anthropic Claude API)
LOP uses Anthropic's Claude API to provide AI-powered features, including load plan analysis, optimization suggestions, and natural-language plan input. This section explains exactly what happens when you use these features.
What is sent to Anthropic
When you trigger an AI feature (e.g., "Analyze this load plan" or asking for AI suggestions), the following data is transmitted to Anthropic's API:
- Relevant load plan details (containers, items, placements, weight, dimensions)
- Container configuration
- Your prompt or request (e.g., the text of your question)
We do not transmit:
- Your name, email, or account credentials
- Billing information
- Other load plans not relevant to the current request
- STEP/CAD geometry files (only summary metadata is sent if needed for context)
How Anthropic handles your data
Amber Makina operates under Anthropic's Commercial API terms. Under these terms:
- Retention: Anthropic stores API inputs and outputs for a maximum of 7 days, then permanently deletes them (as of September 2025).
- No model training: Your data is never used to train Anthropic's AI models.
- Encryption: Data is encrypted in transit and at rest within Anthropic's infrastructure.
- No employee access: Anthropic personnel do not access your data except in narrow cases (e.g., to investigate a flagged abuse violation).
For Anthropic's complete data handling terms, see:
- Anthropic Commercial Terms: anthropic.com/legal/commercial-terms
- Anthropic Privacy Policy: anthropic.com/legal/privacy
- Anthropic API data retention: privacy.claude.com/en/articles/7996866
AI features are optional
You can use LOP without any AI features. AI is enabled by default but can be disabled in Settings. If you disable AI features, no data is ever sent to Anthropic.
AI is advisory only
AI suggestions and analyses are advisory recommendations. You retain full responsibility for final loading decisions. LOP is not a substitute for human judgment in safety-critical or regulated logistics contexts.
05 Third-Party Services
LOP relies on the following service providers to deliver the Service. Each is bound by contractual obligations to protect your data and process it only for the purposes listed.
| Provider | Purpose | Data Location | Notes |
|---|---|---|---|
| DigitalOcean | Hosting infrastructure (servers, database, file storage) | Frankfurt, Germany (EU) | Primary data residency |
| Anthropic | AI processing (see Section 4) | United States | 7-day retention, no training |
| iyzico | Payment processing for Turkish customers | Türkiye | PCI DSS compliant |
| Stripe | Payment processing for international customers (planned) | United States | PCI DSS compliant |
| Resend | Transactional email delivery (receipts, password resets, notifications) | United States | Email metadata only |
| Sentry | Error tracking and application monitoring | United States | PII auto-scrubbed before storage |
We may add new service providers as the Service evolves. Material additions affecting how your personal data is handled will be communicated via email to all active accounts.
06 Data Storage and Security
Where your data is stored
Your data is stored primarily in Frankfurt, Germany, in a data center operated by DigitalOcean within the European Union. This provides EU-level data protection by default.
How your data is protected
- Encryption in transit: All connections to and from LOP use TLS 1.2 or higher
- Encryption at rest: Database and file storage are encrypted at rest
- Password hashing: Passwords are hashed using bcrypt before storage (industry standard, computationally expensive to reverse)
- Authentication tokens: JWT tokens with short expiration (60 minutes for access, 7 days for refresh)
- Cookie security: All authentication cookies are httpOnly, secure, and SameSite=Lax
- Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy applied across the platform
- Rate limiting: Login and signup endpoints rate-limited per IP to prevent brute-force attacks
- Backups: Encrypted, retained for 90 days, then automatically deleted
Breach notification
If we become aware of a personal data breach affecting your information, we will notify you and the relevant data protection authority within 72 hours, in accordance with Article 33 of the GDPR and Article 12 of the KVKK.
Your role in security
You are responsible for:
- Choosing a strong password (minimum 10 characters; our system rejects common passwords)
- Keeping your credentials confidential
- Notifying us immediately at security@lop.tools if you suspect unauthorized access to your account
07 Data Retention
We retain different categories of data for different periods, based on the purpose for which the data was collected.
| Data Category | Retention Period |
|---|---|
| Active account data | Retained as long as your account is active |
| Cancelled account data | Deleted within 30 days of account closure request |
| Customer data (load plans) | Exportable for 30 days post-cancellation, then deleted |
| Encrypted backups | 90 days, then automatically deleted |
| Billing records | 10 years (required by Turkish Tax Procedure Law / Vergi Usul Kanunu) |
| Server access logs | 90 days |
| Anonymized aggregate analytics | Retained indefinitely (no personal identification possible) |
| Email communications | 3 years |
Account deletion is permanent. Once your data is purged from our active systems and backups have expired, we cannot recover it. Export your load plans before requesting account deletion if you want to retain them.
08 Cross-Border Data Transfers
Your personal data is stored primarily in the European Union (Frankfurt, Germany). However, certain processing involves transfers to other jurisdictions:
- United States: Anthropic (AI processing), Stripe (payment processing for international customers, planned), Resend (email delivery), Sentry (error tracking)
- Türkiye: Amber Makina headquarters (customer support, account management, business operations)
Legal basis for transfers
Per the 2024 amendments to KVKK and applicable GDPR provisions, these transfers occur under the following legal bases:
- Explicit user consent (for AI processing — you choose to use AI features)
- Contractual necessity (transfers required to deliver the Service you've subscribed to)
- Standard Contractual Clauses (SCCs) where applicable for transfers to third countries
- Adequacy decisions where the European Commission or KVKK has determined the destination country provides adequate data protection
You can request a list of specific transfer destinations and the safeguards in place by contacting privacy@lop.tools.
09 Your Rights
This section is critical. Article 11 of the KVKK and Articles 15–22 of the GDPR grant you specific rights over your personal data. We are committed to honoring these rights promptly and fully.
Your rights under KVKK and GDPR
- Right of access: Request confirmation of whether we process your personal data and obtain a copy of that data
- Right to rectification: Request correction of inaccurate or incomplete personal data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data when there is no compelling reason for us to continue processing it
- Right to restriction of processing: Request that we limit how we process your data in certain situations
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format. Our Export feature satisfies this right for load plan data.
- Right to object: Object to processing of your personal data based on legitimate interests
- Rights related to automated decision-making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. LOP's AI features are advisory only, not automated decision-making.
- Right to withdraw consent: Where processing is based on consent (e.g., AI features), withdraw your consent at any time
- Right to lodge a complaint: File a complaint with your local data protection authority
How to exercise your rights
To exercise any of these rights, contact us at privacy@lop.tools with:
- A clear description of the right you wish to exercise
- Verification of your identity (we will request this to prevent unauthorized requests)
- Specific data or processing activity you are inquiring about
We respond to all rights requests within 30 days. Complex requests may take up to 60 days, in which case we will inform you of the extension and the reasons for it.
There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive (e.g., repetitive requests), in which case we may charge a reasonable administrative fee or refuse to act.
Data protection authorities
If you believe we have not handled your data appropriately, you have the right to lodge a complaint with:
- Türkiye: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
- European Union: Your country's national data protection authority — list available at edpb.europa.eu
10 Children
LOP is a B2B platform designed for logistics and supply chain professionals. The Service is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16 (KVKK age threshold) or under 13 (where applicable in other jurisdictions).
If you become aware that a child has provided us with personal data, please contact privacy@lop.tools and we will promptly delete the information from our systems.
11 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify all active account holders by email at least 30 days before the changes take effect
- Provide a summary of what changed and why
For non-material changes (e.g., clarifications, formatting improvements, contact info updates), we will update the policy without separate notification, but the new "Last updated" date will reflect the change.
Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you disagree with the changes, you may cancel your subscription before they take effect, with full data export available.
12 Contact Us
For questions about this Privacy Policy, your data, or to exercise your rights:
privacy@lop.tools
Currently combined; will be designated as a separate role as the company grows.
Postal address
Amber Makina (AMBER MAKİNA İNŞAAT İTHALAT İHRACAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ)
Cinnah Caddesi No: 49/1
Çankaya, Ankara
Türkiye
VERBIS Registration
Amber Makina is registered with the Turkish Data Controller Registry (VERBIS). Registration details available upon request to privacy@lop.tools.
Data Protection Authorities
- Türkiye: Kişisel Verileri Koruma Kurumu — kvkk.gov.tr
- European Union: edpb.europa.eu
Disclaimer
This Privacy Policy is provided for informational purposes and reflects our current data practices. While we have made every effort to ensure accuracy and compliance with applicable laws including KVKK Law No. 6698, the General Data Protection Regulation (GDPR), and other relevant regulations, this document does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.
LOP is a trademark of Amber Makina, with applications pending.