Privacy Policy

Last updated: 2026-05-25 · Effective immediately

1. Who we are

StitchKit is operated by MavenWright Studio ("we", "us"), based in Istanbul, Türkiye. We are the data controller for personal data processed via mavenwright.com and the StitchKit applications. Contact: [email protected].

2. What we collect

We aim to collect the minimum data needed to provide and improve the service.

  • Account data (when you create an account): email, name, password hash, billing country.
  • Billing data: payment is processed by Polar Software Inc. (our merchant of record); we receive only the last 4 digits and expiry for receipts.
  • Usage analytics (anonymous): page views, referrer, country, device class via Plausible (no cookies, no cross-site tracking).
  • Product-improvement analytics (consent required): when you click "Accept all" in the cookie banner, we use Google Firebase Analytics to log page views and product events (e.g. which pricing tier you clicked, which installer arch you downloaded). Used to improve the product. You can decline ("Only essential") and nothing extra is collected.
  • Support communications: emails to us, Chatwoot chat transcripts.
  • Application telemetry (opt-in only): crash reports and feature usage counts.

We do not collect: your embroidery designs, client lists, stitch patterns, or any creative content. The StitchKit desktop app is local-first.

3. Third-party data processors

  • Polar Software Inc. (USA) — merchant of record (payment, invoicing, tax compliance) via Stripe + Adyen rails.
  • Plausible Insights OÜ (Estonia) — privacy-friendly analytics.
  • Google LLC / Firebase (USA) — product event analytics (consent-gated).
  • Cloudflare, Inc. (USA) — CDN, DDoS protection.
  • Resend (USA) — transactional email.
  • Chatwoot (self-hosted) — live chat support.
  • Hostinger — application hosting.

International transfers use EU Standard Contractual Clauses where applicable.

4. Legal basis (GDPR Art. 6 / KVKK Art. 5)

  • Contract performance — account, billing, license.
  • Legitimate interest — fraud prevention, security, basic analytics.
  • Consent — opt-in telemetry, marketing emails.
  • Legal obligation — tax records.

5. Your rights

Under GDPR (EU/EEA users) and KVKK Art. 11 (Türkiye users):

  • Access your personal data
  • Correct inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability (machine-readable export)
  • Withdraw consent at any time
  • Lodge a complaint with your national data protection authority (in Türkiye: KVK Kurumu)

Email [email protected]. We respond within 30 days.

6. Data retention

  • Account data: while account active; deleted within 90 days of closure.
  • Billing records: 10 years (Turkish tax law).
  • Support communications: 24 months from last interaction.
  • Anonymous analytics: aggregated indefinitely; raw logs purged after 30 days.

7. Cookies

  • Strictly necessary: language preference, session, cookie-consent state.
  • Functional: Chatwoot session (only when widget opened).
  • Analytics — cookieless: Plausible (always on).
  • Analytics — cookies: Firebase Analytics / Google Analytics (only if you click "Accept all"). Used to log product events. Decline by clicking "Only essential" in the banner.

8. Security

We use TLS 1.3 for all traffic, encrypted backups, least-privilege access controls, and periodic review. Reportable breaches are disclosed within 72 hours per GDPR Art. 33 / KVKK Art. 12.

9. Changes to this policy

Material changes are notified via email and in-app banner. Continued use after notice constitutes acceptance.

10. Contact

Privacy: [email protected]
General: [email protected]

MavenWright Studio · Istanbul, Türkiye