1. Overview
Cproat ("we", "our", or "us") is a business-to-business (B2B) lead generation platform operated from Turkey. We provide businesses with the ability to discover potential customers by searching publicly available business data filtered by region, industry, and other criteria.
This Privacy Policy explains what personal data we collect when you use our website and platform at cproat.com, how we use it, with whom we share it, and the rights you have regarding your data.
We are committed to protecting your privacy and processing your personal data in a transparent, lawful, and fair manner. We comply with the General Data Protection Regulation (GDPR) of the European Union and the Turkish Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu, Law No. 6698).
Data Controller: Cproat — Turkey
Contact: info@cproat.com
2. Data We Collect
We collect personal data in the following categories:
2.1 Account Information
When you register for a Cproat account, we collect:
- Full name — so we can address you and personalize your experience.
- Email address — used for account authentication, transactional emails, and support.
- Password (hashed) — stored in encrypted form via Supabase; we never store plain-text passwords.
- Account creation date and last login timestamp.
2.2 Usage Data
As you use the platform, we record information about how you interact with our service:
- Search queries — the keywords, industry categories, and geographic locations you enter when searching for leads.
- Search history — a log of past searches associated with your account, used to display your history and improve suggestions.
- Saved leads — business records you explicitly save or export, linked to your account.
- Credit consumption — records of how many credits your account has used, including timestamps of each search result viewed.
- Feature interactions — pages visited, filters applied, and actions taken within the platform (e.g., clicking a result, exporting a CSV).
2.3 Technical Data
Certain technical information is collected automatically when you access our service:
- IP address — collected at login and during requests for security purposes and approximate geolocation.
- Browser type and version — to ensure compatibility and diagnose errors.
- Operating system — for technical diagnostics.
- Referrer URL — the page you came from, used to understand how users find us.
- Session tokens and cookies — authentication session identifiers managed by Supabase (see Section 9 for details).
- Timezone and preferred language — stored in your browser's local storage for UI personalization.
2.4 Business Data from Searches
Cproat surfaces publicly available business information from sources such as Google Places (via Apify) and location data from OpenStreetMap Nominatim. This data includes business names, addresses, phone numbers, websites, and category information. This business data relates to companies and organizations, not to individual private persons.
We do not collect special categories of personal data (such as health, religious, or political information) and do not knowingly collect personal data from private individuals who are not using our platform.
3. How We Use Your Data
We use the personal data we collect for the following purposes:
- Account management: Creating and maintaining your user account, authenticating your identity at login, and enabling account recovery.
- Service delivery: Processing your lead searches, displaying results, managing your credit balance, and providing search history and saved leads functionality.
- Billing and payments: Recording credit purchases, managing subscription plans, and issuing receipts.
- Customer support: Responding to your support requests, troubleshooting errors, and communicating important service updates.
- Security and fraud prevention: Detecting unauthorized access, preventing abuse of the platform, and protecting the integrity of our service.
- Legal compliance: Meeting our obligations under Turkish and EU law, responding to lawful requests from authorities, and enforcing our Terms of Service.
- Product improvement: Analyzing aggregated, anonymized usage patterns to improve our platform's features, performance, and user experience. We do not make decisions solely based on automated profiling that would legally affect you.
- Communications: Sending transactional emails (e.g., account verification, credit alerts, password reset) and, where you have given consent or where permitted by law, service-related announcements. We do not send unsolicited marketing emails.
4. Legal Bases for Processing
Under the GDPR, we must have a valid legal basis for each processing activity. Our legal bases are:
| Processing Activity | Legal Basis |
|---|---|
| Creating and maintaining your account | Contract performance (Art. 6(1)(b) GDPR) |
| Delivering search results and managing credits | Contract performance (Art. 6(1)(b) GDPR) |
| Sending transactional emails (password reset, billing) | Contract performance (Art. 6(1)(b) GDPR) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Analyzing usage patterns to improve the service | Legitimate interests (Art. 6(1)(f) GDPR) |
| Storing language preference in local storage | Legitimate interests / Consent |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
Under KVKK, we process personal data on the bases of explicit consent where required, necessity for the performance of a contract to which the data subject is a party, fulfillment of our legal obligations, and our legitimate interests where those interests do not override the fundamental rights of the data subject.
5. Third-Party Data Processors
We work with carefully selected third-party service providers who process personal data on our behalf. Each processor is bound by data processing agreements and is required to maintain appropriate security measures.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting, user authentication, and storage of account and usage data | Name, email, hashed password, usage logs, search history, saved leads | EU data centers (Frankfurt, Germany) |
| Apify Technologies s.r.o. | Google Places data crawling to populate business search results | Search query parameters (location, category); no personal user data is transmitted directly to Apify | United States |
| OpenStreetMap Nominatim | Geocoding and location lookup for search queries | Location strings entered in searches (no account-linked personal data) | Distributed (operated by the OpenStreetMap Foundation) |
We do not sell your personal data to any third party. We do not share your personal data with advertisers, data brokers, or any party not listed above, except where required by law.
5.1 Supabase
Supabase is our primary infrastructure provider. Your account data, authentication tokens, and all data you create within Cproat (searches, saved leads, credits) are stored in Supabase's PostgreSQL database hosted in the EU. Supabase processes this data solely on our instructions and may not use it for their own purposes. Supabase is SOC 2 Type II certified and compliant with GDPR.
5.2 Apify
Apify is used to execute web scraping actors that retrieve publicly available business information from Google Maps and Google Places on our behalf. When you perform a search, your search parameters (such as a location name and business category) are transmitted to Apify's infrastructure to run the relevant actor. No account-identifying personal data (such as your name or email) is shared with Apify. Apify is based in the United States; data transfers are governed by Standard Contractual Clauses.
5.3 OpenStreetMap Nominatim
We use the Nominatim geocoding API provided by the OpenStreetMap Foundation to convert place names entered by users into geographic coordinates. Only the location string you type is sent to Nominatim; no account data accompanies these requests. Nominatim usage is subject to the OSM Nominatim Usage Policy.
6. International Data Transfers
Cproat is based in Turkey. Some of our third-party processors operate outside the European Economic Area (EEA) and outside Turkey. Specifically:
- Supabase stores data within the EU (Germany), so no international transfer outside the EEA occurs for this processor.
- Apify is based in the United States. Data transmitted to Apify for search processing is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, which provide appropriate safeguards for the transfer of personal data.
Turkey is not currently recognized by the European Commission as providing an adequate level of data protection equivalent to the EU. Where personal data of EU residents is transferred from Supabase's EU servers to our systems in Turkey for processing, we rely on Standard Contractual Clauses as the transfer mechanism.
Under KVKK, transfers of personal data abroad require either the explicit consent of the data subject or an adequate level of protection in the destination country, or the use of binding corporate rules or contractual undertakings approved by Turkey's Personal Data Protection Board (KVKK Kurulu). We comply with these requirements for all cross-border transfers.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account information (name, email) | Until account deletion, plus 30 days for recovery, then permanently deleted |
| Search history and saved leads | Until account deletion; deleted simultaneously with account data |
| Credit transaction records | 10 years (required for financial record-keeping under Turkish commercial law) |
| Server access and application logs (IP, timestamps) | 90 days, then automatically purged |
| Support correspondence | 3 years from the date of resolution |
| Authentication tokens (Supabase session) | Session duration; refresh tokens expire per Supabase defaults |
When you delete your account, we initiate deletion of your account data immediately. A 30-day grace period exists to allow account recovery in case of accidental deletion. After this period, all personal data linked to your account is permanently and irreversibly deleted from our systems, including Supabase's databases, except where retention is required by law (e.g., billing records).
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. EU/EEA residents have these rights under the GDPR; Turkish residents have equivalent rights under KVKK.
8.1 Right of Access
You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how and why it is processed. We will respond to access requests within 30 days.
8.2 Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it. You may update your name and email directly from your account settings, or contact us for other corrections.
8.3 Right to Erasure ("Right to be Forgotten")
You have the right to request that we delete your personal data when: (i) the data is no longer necessary for the purposes it was collected; (ii) you withdraw your consent and no other legal basis applies; (iii) you object to processing based on legitimate interests and we have no overriding legitimate grounds; or (iv) the data has been unlawfully processed. You can delete your account at any time from the account settings page, which triggers deletion of your personal data subject to the retention periods in Section 7.
8.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your data in certain circumstances — for example, while you contest the accuracy of the data, or while we evaluate an objection you have raised.
8.5 Right to Data Portability
Where processing is based on consent or contract performance and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller. You may export your saved leads and search history at any time from within your account dashboard.
8.6 Right to Object
You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
8.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8.8 Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority:
- For EU/EEA residents: your local Data Protection Authority (DPA). A list of EU supervisory authorities is available at edpb.europa.eu.
- For Turkish residents: Turkey's Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK), at kvkk.gov.tr.
We encourage you to contact us first at info@cproat.com so we can resolve your concern directly.
Exercise Your Rights
Send your data request to info@cproat.com. We respond within 30 days. Please include your account email address so we can verify your identity.
9. Cookies and Local Storage
We use a minimal set of cookies and browser local storage strictly necessary to operate the service. We do not use any tracking, advertising, or analytics cookies. For full details, please see our Cookie Policy.
- sb-access-token (Supabase): Authentication access token. Essential for keeping you logged in. Session cookie.
- sb-refresh-token (Supabase): Used to silently renew your session without requiring a new login. Essential. Persistent with a rolling expiry.
- localStorage — language preference: Stores your chosen language (e.g., "en" or "tr") in your browser's local storage. Not a cookie; no data is sent to our servers.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or disclosure. Our measures include:
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed and salted using bcrypt via Supabase Auth and are never stored in plain text.
- Database access is restricted to authorized application services only; no direct public database access is permitted.
- Authentication tokens are stored as secure, HTTP-only cookies where possible and have short expiry windows.
- Access to production infrastructure is limited to authorized personnel with multi-factor authentication enabled.
- We review and update our security practices on a regular basis.
While we take every reasonable precaution, no internet transmission or electronic storage system is 100% secure. If you discover a potential security vulnerability, please disclose it responsibly to info@cproat.com.
11. Children's Privacy
Cproat is a professional B2B service intended solely for use by businesses and adults. We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, please do not register for an account or provide us with any personal information.
If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete it. If you believe a minor has provided personal data to us, please contact us at info@cproat.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered users by email at least 14 days before the changes take effect.
- In some cases, request fresh consent if the changes require it under applicable law.
We encourage you to review this policy periodically. Continued use of the service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our privacy team:
Cproat — Privacy Team
Email: info@cproat.com
Country: Republic of Turkey
Response time: within 30 days of receipt of your request
For GDPR-related requests from EU residents, we aim to respond within the mandatory 30-day period. In complex cases, we may extend this by a further two months and will inform you of any such extension within the initial 30-day period.
For KVKK-related requests from Turkish residents, we will respond within 30 days as required by Turkish law.