Privacy Policy

Last Updated: May 29, 2026 — This policy applies to your Steep Account and the unified identity service operated by Steep Technologies. Each Steep product (e.g. Orion, Research, Blog, News) may publish a supplementary privacy notice for product-specific data.

1. Who We Are (Data Controller)

Your data is controlled by Steep Technologies ("Steep", "we", "us"), the operator of the Steep Account identity service at account.steepofficial.com. For any privacy request or question, contact us at [email protected].

This policy is written to meet the Turkish Personal Data Protection Law (KVKK No. 6698) and the EU/UK General Data Protection Regulation (GDPR). A Turkish-language clarification text is available at /kvkk.

2. Information We Collect

We collect only what is necessary to operate a secure identity service:

  • Account & identity — email address, username, and display name. Your password is never stored in readable form; we keep only a one-way bcrypt hash.
  • Profile (optional) — first/last name, avatar, phone number, date of birth, timezone, and locale, if you choose to provide them.
  • Authentication & recovery — multi-factor settings (TOTP secrets stored AES-256-GCM encrypted, or email one-time codes), passkey/WebAuthn public keys, and hashed recovery codes.
  • Security & device signals — IP address, browser/user-agent, device fingerprints, login timestamps, and security events (logins, password changes, MFA changes, new-device detections). Used to protect your account.
  • Connected apps — the third-party and Steep apps you authorize via "Login with Steep", and the exact permissions (scopes) you grant each one.
  • Subscription & payment status — when you buy through our payment provider, we receive the order ID, buyer email, product, and payment status. We never see or store your card or bank details.
  • Rewards & preferences — Steep Points balance and your notification preferences.
  • Support communications — emails you send to support are stored so we can help you and keep a record of the request.

3. How We Use Your Data — Steep Intelligence

We use your data to empower and protect you, not to track you for advertising. Internally we call this Steep Intelligence:

  • Security identity — we use device and security signals to detect and block unauthorized access in real time.
  • Ecosystem harmony — we use which Steep apps you connect to provide seamless single sign-on, account-level settings, and product updates.
  • Service delivery & support — to create and maintain your account, verify your identity, and respond to your requests.
  • Legal compliance — to meet our legal obligations and respond to lawful requests.

We NEVER sell your data and we do NOT use it for third-party advertising. Your data stays within Steep to fuel your own experience.

4. Legal Bases for Processing

Under GDPR Art. 6 and KVKK Art. 5, we process your data on these bases:

  • Performance of a contract — to provide the account service you signed up for.
  • Legitimate interests — to keep the platform secure and to improve our products (balanced against your rights).
  • Legal obligation — to comply with applicable law.
  • Consent — where we ask for it explicitly (e.g. optional features); you may withdraw consent at any time.

5. Cookies & Local Storage

We use only essential cookies and storage to run the service: a short-lived access token and a refresh token (both httpOnly), and a device identifier for multi-account switching. We do not use advertising or third-party tracking cookies.

6. Sharing & Service Providers

We do not sell, rent, or trade your personal data. We share it only with trusted processors who help us operate, under confidentiality obligations:

  • Payment provider (Shopier) — to process purchases. They receive only what is needed to complete the transaction.
  • Email delivery (Resend) — to send verification codes, security alerts, and account emails.
  • Network & security (Cloudflare) — for content delivery, DDoS protection, and secure tunneling.

We may also disclose data when required by a valid legal process, or to protect the rights and safety of our users. We publish aggregate counts of such requests in our Transparency Report.

7. International Data Transfers

Some of our providers (such as Cloudflare and Resend) may process data on servers outside Türkiye and the EEA, including in the United States. Where this happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the providers' own compliance frameworks.

8. Data Retention

We keep your account data for as long as your account is active. Security and audit logs are kept for a limited period for security and legal purposes. When you request deletion, your account enters a 30-day grace period (so you can cancel), after which your personal data is erased, except where we are legally required to retain certain records.

9. Security

All traffic is encrypted in transit with TLS. Passwords are stored as one-way bcrypt hashes, MFA secrets are AES-256-GCM encrypted, and session/refresh tokens are stored only as hashes. We continuously monitor for unauthorized access and enforce account lockout after repeated failed logins.

10. Your Rights

Under KVKK Art. 11 and GDPR Art. 15–22, you have the right to:

  • Access the personal data we hold about you and request a copy (data portability).
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") and delete your account.
  • Restrict or object to certain processing, and withdraw consent.
  • Revoke access to any connected app at any time from your Dashboard.

To exercise these rights, email [email protected]. We respond within 30 days. If you are unsatisfied, you may complain to the Turkish Data Protection Authority (KVKK Kurumu) or your local EU supervisory authority.

11. Children's Privacy

Steep Account is not intended for children under 13. Minors who are old enough to use the service should do so with the involvement and consent of a parent or legal guardian. If we learn that we have collected data from a child without proper consent, we will delete it.

12. Automated Decisions & AI Features

Steep Account does not make automated decisions that produce legal effects about you. Some Steep products offer AI assistants (for example Orion's Soark and the Research Lab). Where you use those features:

  • Your interactions with the AI are stored only to provide the feature and your own history.
  • You can turn AI features off while using the product, and you can delete your AI history at any time.
  • The private content you share with an AI feature is used only to generate your response — it is never used to train models or for any other secondary purpose.

Each product's privacy notice describes its AI behaviour in detail.

13. Data Breach Notification

If a personal data breach is likely to put your rights at risk, we will notify the relevant authority and affected users without undue delay, in line with KVKK and GDPR (generally within 72 hours of becoming aware).

14. Changes & Contact

We may update this policy from time to time; material changes will be announced on this page. Continued use after an update means you accept the revised policy.

Questions? Contact [email protected].