Privacy

The short, honest version.

What this site collects, why, who I share it with, and how you can pull it back. No dark patterns, no fine print games.

TL;DRLast updated · 11 June 2026
  • • I run this site myself. No ad networks, no data brokers, nothing sold.
  • • Analytics (Google Analytics 4) only run if you accept cookies.
  • • If you fill in a form, sign in, or upload a file, I keep it as long as we work together — then it goes.
  • • You can email hi@alperenzekigokmen.com any time to see, change, or delete your data.

1. Who I am

This site (alperenzekigokmen.com) is run by Alperen Zeki Gokmen, an independent operator based in Helsinki, Finland. I am the data controller for everything described on this page.

You can reach me at hi@alperenzekigokmen.com for anything privacy-related.

2. What I collect

It depends on what you do on the site. Concretely:

Just browsing

If you don't accept cookies: effectively nothing. The hosting provider sees standard HTTP request data (IP, user-agent, referrer) for security and abuse-prevention purposes, but I don't store it.

Fit-check (the AI mini-tool)

Who you are (founder, coach, etc.), what you're stuck on, a one-line context, and — only if you choose to share it after the verdict — your email. Stored so I can follow up if you ask me to.

Discovery brief (pre-call form)

Name, optional company/role, your problem categories, budget range, tech stack, and the context you write for me. Used to prep our call.

Product waitlist (Atlas / AZG)

Email and optionally your name + a short note about your use-case.

Client portal (only if we work together)

  • Account: email + password (hashed, never stored in plain text).
  • Profile: name, company, phone, notification preference.
  • Files you upload: stored in private buckets, only you and I can access them.
  • Messages/tickets: subject and body you write.
  • Signed agreements: signature image, timestamp, IP, browser. Required by Finnish e-signature law for the agreement to be enforceable.
  • Invoices: PDFs I upload for you, plus amount, due date, status.

I never collect special-category data (health, religion, political views, etc.) and there's no scenario where you should send me any.

3. Why I collect it (legal bases)

Under GDPR I need a reason for every piece of data. Here they are:

  • Consent (Art. 6(1)(a)) — analytics cookies, the fit-check email follow-up, newsletter sign-ups.
  • Contract (Art. 6(1)(b)) — the client portal, agreements, invoices, project files: I need this to deliver the work you hired me for.
  • Legitimate interest (Art. 6(1)(f)) — preventing abuse, basic site operation, replying when you email me. Balanced against your privacy and minimal in scope.
  • Legal obligation (Art. 6(1)(c)) — keeping invoice records as required by Finnish bookkeeping law.

4. Cookies & tracking

You'll see a cookie banner the first time you land here. By default everything except strictly-necessary cookies is off. Google Consent Mode v2 is wired in, so until you opt in, Google services don't receive identifiable signals.

CategoryWhat it doesDefault
NecessaryAuth session, your cookie choice. Required.On
AnalyticsGoogle Analytics 4 via GTM. Anonymous page-views.Off
MarketingReserved for any future remarketing tags. Currently unused.Off

You can change your mind any time — there's a link in the footer of every page.

The site also uses a couple of local-storage flags (e.g. to remember that you already saw the fit-check popup, or that you turned off the cursor cloud). These never leave your browser.

5. Who I share it with

I don't sell data. Ever. The only third parties involved are the tools I need to run the site:

  • Supabase — database, authentication, and file storage. Servers in the EU.
  • Google (Tag Manager + Analytics 4) — only if you accept analytics cookies. IP anonymisation is on.
  • Email delivery — for transactional emails (login links, invoice notifications) sent from notify.alperenzekigokmen.com.
  • Google Calendar — when you book a call. You're using Google's booking widget on Google's domain, so Google's privacy policy applies there.
  • Substack — if you subscribe to the newsletter. You're handing your email to Substack directly; their policy applies.

No data is shared with advertisers, brokers, "AI training" pipelines, or anyone else not listed here.

6. How long I keep it

  • Fit-check, discovery, waitlist: up to 24 months, then deleted.
  • Client portal data: for the duration of our engagement, plus 12 months after — so we can pick up where we left off if you come back.
  • Files you uploaded: same as above, then permanently deleted from storage.
  • Invoices & signed agreements: 6 years, as required by Finnish bookkeeping law (Kirjanpitolaki).
  • Analytics: Google's default GA4 retention (14 months) if you opted in.

You can ask for early deletion any time — see your rights below.

7. Security

Traffic is HTTPS-only. Passwords are hashed (bcrypt, via Supabase Auth) — even I can't see them. File storage buckets are private, served via short-lived signed URLs. Database access is restricted by row-level security so one client can never see another's data.

That said, no system is bulletproof. If something happens that affects your data, I'll notify you and the Finnish data protection authority within 72 hours, as GDPR requires.

8. Your rights (GDPR)

If you're in the EU/EEA, UK, or Switzerland you have the right to:

  • Access — a copy of everything I hold about you.
  • Rectify — fix anything that's wrong.
  • Erase — "the right to be forgotten" (within legal limits).
  • Restrict — pause processing while we sort something out.
  • Port — get your data in a machine-readable format.
  • Object — say no to processing based on legitimate interest.
  • Withdraw consent — for anything I do under consent, any time.
  • Complain to the Finnish Data Protection Ombudsman (tietosuoja.fi) — though I'd prefer you came to me first.

Email hi@alperenzekigokmen.com and I'll respond within 30 days. No special form needed.

9. International transfers

I keep data in the EU wherever possible (Supabase EU region). Google Analytics and GTM may transfer data to the US under the EU-US Data Privacy Framework, which Google is certified under. If you don't want this, just decline analytics cookies.

10. Children

This site isn't aimed at people under 16. If you're under 16, don't sign up or fill in forms. If you're a parent and think your child has, email me and I'll delete the account.

11. Changes to this policy

If I change anything material, I'll bump the "last updated" date at the top and — for clients — notify you by email before the change takes effect. Cosmetic edits get the date bump only.

12. Contact

Alperen Zeki Gokmen
Helsinki, Finland
hi@alperenzekigokmen.com

I read every privacy email personally. Aim is 48-hour turnaround, 30 days max.

← Back to home