Privacy Policy
Your data, our responsibility.
Cittopia ("Cittopia", "we", "us") respects your privacy and is committed to protecting personal data in line with the EU General Data Protection Regulation (GDPR) and equivalent international standards. This policy explains what data we collect, why, how we store it, who we share it with, and the rights you have over it.
1. Data controller
The data controller for personal data processed via cittopia.com is:
Cittopia
Founder & data protection contact: Tunc Meric
Email: hello@cittopia.com
2. What we collect
2.1 Public visitors (citizens browsing the City Atlas)
- Technical data: IP address (truncated for analytics), browser type, device type, operating system, referrer URL, pages visited, session duration. Used solely for security monitoring and aggregated analytics.
- Cookies: see our Cookies Policy. Strictly-necessary cookies only by default; analytics and preference cookies require your consent.
2.2 Proof of Belief signers
If you sign the Proof of Belief / "Be a Cittopian" form, we collect:
- Name (displayed publicly on the Wall of Belief)
- City & country (displayed publicly)
- Email address (kept private — used to contact you about platform updates if you opt in)
- Affiliation (optional, displayed publicly if provided)
- Tier selection (Cittopian / Champion / Pilot City / Founding Institution)
- Optional "why" comment (displayed publicly on your card)
2.3 Municipal subscribers (City Login users)
If your municipality subscribes to the Cittopia SaaS, we collect:
- Administrator name, role, official email, municipal affiliation
- City data you upload or override (live municipal telemetry)
- Activity logs (matchmaking searches, projects published, invitations sent)
- Subscription billing data (held by our payment processor — see §5)
2.4 What we explicitly do NOT collect
- Sensitive personal data (race, religion, political views, sexual orientation, biometric, health) — unless explicitly volunteered by a subscriber for legitimate municipal purposes
- Children's data (see §10)
- Tracking across third-party sites
- Browsing behaviour outside cittopia.com
3. Why we collect it
- Provide the service: render city profiles, run AI matchmaking, host invitations and joint events.
- Communicate: respond to enquiries, send subscriber updates, notify Proof of Belief signers about milestones.
- Improve: aggregated anonymous analytics to understand which features matter most.
- Protect: detect abuse, fraud, and security threats.
- Legal compliance: meet our obligations under EU and Turkish data-protection law.
4. Legal basis (GDPR Art. 6)
| Processing activity | Lawful basis |
|---|---|
| Strictly-necessary cookies, security | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies, marketing | Your explicit consent (Art. 6(1)(a)) |
| Proof of Belief sign-ups | Your consent + legitimate interest |
| Municipal SaaS account data | Contract performance (Art. 6(1)(b)) |
| Billing & tax records | Legal obligation (Art. 6(1)(c)) |
5. Who we share it with
We do not sell personal data. We share it only with:
- Hosting providers — Netlify (current), to be migrated to a cPanel host on cittopia.com
- Email providers — for transactional and update emails
- Analytics — Google Analytics 4 (anonymised IPs), only if you accept analytics cookies
- Payment processors — for SaaS subscriptions; payment card data never touches our servers
- Legal authorities — only when required by law and after legal review
All sub-processors are bound by data-processing agreements and operate under GDPR-equivalent protections.
6. How long we keep it
- Public visitor analytics: 14 months (Google Analytics default), then aggregated and anonymised
- Proof of Belief sign-ups: until you ask us to remove your entry
- Municipal accounts: for the duration of your subscription + 6 years (legal/tax)
- Email correspondence: 3 years from last contact
7. Your rights (GDPR Articles 15–22)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — to processing based on legitimate interest, including direct marketing
- Withdraw consent — at any time, where consent is the legal basis
- Lodge a complaint — with your national data protection authority
To exercise any right, email hello@cittopia.com. We respond within 30 days.
8. International data transfers
Cittopia operates across multiple jurisdictions. Where data is transferred outside the EEA, we rely on EU Standard Contractual Clauses (SCCs) and adequacy decisions. Our hosting providers maintain GDPR-equivalent safeguards.
9. Security
- HTTPS (TLS 1.3) everywhere
- Server-side authentication for all admin/private pages
- Passwords hashed with industry-standard algorithms — never stored in plaintext
- Regular security audits + dependency scanning
- Incident notification within 72 hours per GDPR Art. 33
10. Children
Cittopia is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please email hello@cittopia.com and we will delete it.
11. Changes to this policy
We may update this policy as the platform evolves. Material changes will be announced on the homepage and emailed to registered users. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related question, request, or complaint:
📧 hello@cittopia.com
Reply within 30 days for GDPR requests · 5 working days for general queries
This privacy policy is provided in good faith. It is not legal advice. Subscribing municipalities will receive a more detailed Data Processing Agreement at contract signing.