Privacy Policy
Last updated: 2026-06-19
1. Who we are
GST CRANES DIŞ TİCARET LİMİTED ŞİRKETİ (operating gstcranes.com)
is the data controller for personal data processed through this marketplace. Contact us at [email protected] for all privacy matters, or [email protected] for general questions.
GST Cranes is operated by GST CRANES DIŞ TİCARET LİMİTED ŞİRKETİ, using the business operator disclosed on invoices, order forms or company disclosures. GST Cranes supports GDPR, UK GDPR, CCPA/CPRA and other applicable privacy rights where they apply.
Sinanpaşa Mah. Süleyman Seba Cad. No: 14 İç Kapı No: 5, Beşiktaş/İstanbul, Türkiye
EU/EEA and UK residents may contact us at the email above for any data subject rights request. We respond within one month under GDPR/UK GDPR timing rules unless a shorter mandatory period applies. If an EU Article 27 representative becomes required for the final launch structure, we will publish the representative's name, address and contact details here before relying on that structure.
2. Data we collect
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account | Email, name, company, country | Login, contact, KYB | Contract (Art. 6(1)(b)) |
| Listings | Crane brand/model/photos/location/price/specs | Marketplace publication | Contract |
| Inquiries | Buyer email/phone/message | Connect buyer↔seller | Legitimate interest (Art. 6(1)(f)) |
| Image uploads | Vision-identify input photos | Auto-suggest brand/model | Consent (Art. 6(1)(a)) |
| Web Push subscription | VAPID endpoint + keys | Listing alerts, agent replies | Consent |
| Email marketing | Recipient address, open/click events | Newsletter, promotional blast | Consent (opt-in only) |
| Engagement events | Page views, listing views, agent chats | Lead intelligence, ranking | Legitimate interest |
| Payment | Hosted checkout charges, refunds, billing address | Subscription, promotion fees | Contract |
| Server logs | IP (hashed), user-agent, request path | Security, abuse prevention | Legitimate interest |
3. Sub-processors
- Cloudflare, Inc. — hosting, DB (D1), object storage (R2), CDN. EU + US data residency. privacy policy
- Anthropic, PBC — Claude API for agent responses. US-based. privacy policy
- OpenAI, OpCo LLC — gpt-image-2 brochure generation. US-based. privacy policy
- Roboflow, Inc. — crane image classification. US-based.
- Postmark (Wildbit, LLC) — transactional email. US-based.
- SendGrid (Twilio Inc.) — marketing email blast (EU-pinned subuser for EU recipients).
- Payment provider — Hosted checkout and payment processing where enabled for eligible paid services.
- Hetzner Online GmbH — email infrastructure backend, Germany. privacy policy
- Google LLC, LinkedIn Corporation, Apple Inc., Meta Platforms Ireland Ltd — OAuth login (only if you choose social login).
- Google Analytics 4 & Google Ads (Google LLC) — website analytics and ad-conversion measurement — loaded only if you accept analytics/marketing cookies (off by default; Global Privacy Control honoured).
4. Retention
- Account data — for the lifetime of your account + 6 months after deletion (for legal claims).
- Listings — until you delete them or 12 months after expiry.
- Inquiries — 24 months (for dispute resolution).
- Server logs / engagement events — 12 months.
- Payment records — 7 years (tax law).
- Email marketing — until you unsubscribe + 30 days for confirmation.
- Consent log — for the lifetime of the consent + 3 years after withdrawal.
5. Your rights (GDPR Articles 15-22)
- Access — request a copy of your data. Use the data export page.
- Rectification — correct inaccurate data via your account settings.
- Erasure ("right to be forgotten") — delete your account and all associated data via account delete.
- Restriction — pause processing while you contest accuracy. Email [email protected].
- Portability — receive your data in JSON via the data export tool.
- Object — opt out of marketing emails via the unsubscribe link, or object to legitimate-interest processing via email.
- Complaint — lodge a complaint with your local supervisory authority (e.g., CNIL in France, BfDI in Germany, ICO in UK).
6. California residents (CCPA / CPRA)
California residents have additional rights:
- Right to Know — categories of personal information collected, sources, business purposes, third parties shared with. See sections 2-3 above.
- Right to Delete — same as GDPR erasure, via account delete.
- Right to Opt-Out of Sale/Sharing — we do not sell your personal information. We honor the Global Privacy Control (GPC) browser signal automatically.
- Right to Limit Use of Sensitive Information — we do not process sensitive information beyond what's contractually necessary.
- Right to Non-Discrimination — exercising your rights does not affect service.
Do Not Sell or Share My Personal Information
7. International transfers
Personal data may be transferred outside the EEA/UK to service providers in the US (Cloudflare, Anthropic, OpenAI, Roboflow, Postmark, SendGrid, Payment provider) and other adequate jurisdictions where required (Payment provider). We rely on Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum where needed, adequacy decisions where available, and supplemental measures. Where available we prefer EU data residency endpoints (Cloudflare EU, SendGrid EU subuser, Hetzner Germany).
8. Sanctions and export control
GST Cranes complies with US OFAC and EU sanctions. Access from embargoed countries (Iran, Cuba, North Korea, Syria, Crimea/Donetsk/Luhansk, Belarus) is blocked. Crane sales involving dual-use items (mobile cranes >200 t lift capacity) may require an End User Statement under EAR Article 744 / EU Council Regulation (EC) 428/2009.
9. Security
All data in transit is TLS 1.2+. At rest, Cloudflare D1 + R2 are encrypted. Webhook signatures are HMAC-verified with constant-time compare. Web Push uses VAPID-signed JWT. Passwords are Argon2id-hashed via Lucia. Sub-processors are bound by DPAs.
10. Breach notification
In the unlikely event of a personal data breach, we will notify the supervisory authority within 72 hours per GDPR Article 33, and affected individuals without undue delay per Article 34 when the breach poses a high risk to rights and freedoms.
11. Changes
Material changes will be announced via email and a banner on the site for 30 days. The "last updated" date at the top reflects the current version.
For cookies specifically, see our Cookie Policy.