Legal

Privacy Policy

Last updated: 2026-06-19

1. Who we are

GST CRANES DIŞ TİCARET LİMİTED ŞİRKETİ (operating gstcranes.com) is the data controller for personal data processed through this marketplace. Contact us at [email protected] for all privacy matters, or [email protected] for general questions.

GST Cranes is operated by GST CRANES DIŞ TİCARET LİMİTED ŞİRKETİ, using the business operator disclosed on invoices, order forms or company disclosures. GST Cranes supports GDPR, UK GDPR, CCPA/CPRA and other applicable privacy rights where they apply.

Sinanpaşa Mah. Süleyman Seba Cad. No: 14 İç Kapı No: 5, Beşiktaş/İstanbul, Türkiye

EU/EEA and UK residents may contact us at the email above for any data subject rights request. We respond within one month under GDPR/UK GDPR timing rules unless a shorter mandatory period applies. If an EU Article 27 representative becomes required for the final launch structure, we will publish the representative's name, address and contact details here before relying on that structure.

2. Data we collect

CategoryExamplesPurposeLegal basis
AccountEmail, name, company, countryLogin, contact, KYBContract (Art. 6(1)(b))
ListingsCrane brand/model/photos/location/price/specsMarketplace publicationContract
InquiriesBuyer email/phone/messageConnect buyer↔sellerLegitimate interest (Art. 6(1)(f))
Image uploadsVision-identify input photosAuto-suggest brand/modelConsent (Art. 6(1)(a))
Web Push subscriptionVAPID endpoint + keysListing alerts, agent repliesConsent
Email marketingRecipient address, open/click eventsNewsletter, promotional blastConsent (opt-in only)
Engagement eventsPage views, listing views, agent chatsLead intelligence, rankingLegitimate interest
PaymentHosted checkout charges, refunds, billing addressSubscription, promotion feesContract
Server logsIP (hashed), user-agent, request pathSecurity, abuse preventionLegitimate interest

3. Sub-processors

  • Cloudflare, Inc. — hosting, DB (D1), object storage (R2), CDN. EU + US data residency. privacy policy
  • Anthropic, PBC — Claude API for agent responses. US-based. privacy policy
  • OpenAI, OpCo LLC — gpt-image-2 brochure generation. US-based. privacy policy
  • Roboflow, Inc. — crane image classification. US-based.
  • Postmark (Wildbit, LLC) — transactional email. US-based.
  • SendGrid (Twilio Inc.) — marketing email blast (EU-pinned subuser for EU recipients).
  • Payment provider — Hosted checkout and payment processing where enabled for eligible paid services.
  • Hetzner Online GmbH — email infrastructure backend, Germany. privacy policy
  • Google LLC, LinkedIn Corporation, Apple Inc., Meta Platforms Ireland Ltd — OAuth login (only if you choose social login).
  • Google Analytics 4 & Google Ads (Google LLC) — website analytics and ad-conversion measurement — loaded only if you accept analytics/marketing cookies (off by default; Global Privacy Control honoured).

4. Retention

  • Account data — for the lifetime of your account + 6 months after deletion (for legal claims).
  • Listings — until you delete them or 12 months after expiry.
  • Inquiries — 24 months (for dispute resolution).
  • Server logs / engagement events — 12 months.
  • Payment records — 7 years (tax law).
  • Email marketing — until you unsubscribe + 30 days for confirmation.
  • Consent log — for the lifetime of the consent + 3 years after withdrawal.

5. Your rights (GDPR Articles 15-22)

  • Access — request a copy of your data. Use the data export page.
  • Rectification — correct inaccurate data via your account settings.
  • Erasure ("right to be forgotten") — delete your account and all associated data via account delete.
  • Restriction — pause processing while you contest accuracy. Email [email protected].
  • Portability — receive your data in JSON via the data export tool.
  • Object — opt out of marketing emails via the unsubscribe link, or object to legitimate-interest processing via email.
  • Complaint — lodge a complaint with your local supervisory authority (e.g., CNIL in France, BfDI in Germany, ICO in UK).

6. California residents (CCPA / CPRA)

California residents have additional rights:

  • Right to Know — categories of personal information collected, sources, business purposes, third parties shared with. See sections 2-3 above.
  • Right to Delete — same as GDPR erasure, via account delete.
  • Right to Opt-Out of Sale/Sharing — we do not sell your personal information. We honor the Global Privacy Control (GPC) browser signal automatically.
  • Right to Limit Use of Sensitive Information — we do not process sensitive information beyond what's contractually necessary.
  • Right to Non-Discrimination — exercising your rights does not affect service.

Do Not Sell or Share My Personal Information

7. International transfers

Personal data may be transferred outside the EEA/UK to service providers in the US (Cloudflare, Anthropic, OpenAI, Roboflow, Postmark, SendGrid, Payment provider) and other adequate jurisdictions where required (Payment provider). We rely on Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum where needed, adequacy decisions where available, and supplemental measures. Where available we prefer EU data residency endpoints (Cloudflare EU, SendGrid EU subuser, Hetzner Germany).

8. Sanctions and export control

GST Cranes complies with US OFAC and EU sanctions. Access from embargoed countries (Iran, Cuba, North Korea, Syria, Crimea/Donetsk/Luhansk, Belarus) is blocked. Crane sales involving dual-use items (mobile cranes >200 t lift capacity) may require an End User Statement under EAR Article 744 / EU Council Regulation (EC) 428/2009.

9. Security

All data in transit is TLS 1.2+. At rest, Cloudflare D1 + R2 are encrypted. Webhook signatures are HMAC-verified with constant-time compare. Web Push uses VAPID-signed JWT. Passwords are Argon2id-hashed via Lucia. Sub-processors are bound by DPAs.

10. Breach notification

In the unlikely event of a personal data breach, we will notify the supervisory authority within 72 hours per GDPR Article 33, and affected individuals without undue delay per Article 34 when the breach poses a high risk to rights and freedoms.

11. Changes

Material changes will be announced via email and a banner on the site for 30 days. The "last updated" date at the top reflects the current version.

For cookies specifically, see our Cookie Policy.

GST AI Assistant
GST Agent
GST Agent