This Privacy Policy explains what personal data Drasyn collects, why, and what rights you have over it. It is written to reflect how the service actually works — much of Drasyn runs directly between your own devices and never reaches our servers, and we have designed the cloud features to hold as little of your data as possible.
1. Who we are
Drasyn is operated by Gokhan Kurt, acting as an individual (sole proprietor) and as the data controller for the purposes of the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and, where it applies, the EU/UK General Data Protection Regulation (“GDPR”). You can reach us at support@drasyn.com for any privacy matter.
2. What this policy covers
This policy covers the Drasyn cloud services and websites — cloud.drasyn.com (the cloud dashboard), app.drasyn.com (the browser client), api.drasyn.com (the API), and i.drasyn.com (file serving) — together with the cloud-connected features of the Drasyn desktop application (accounts, file sharing, and optional remote access).
It does not change the terms under which you use the service; those are in our Terms of Service and Acceptable Use Policy.
3. Local and peer-to-peer use
Drasyn’s core screen-sharing, remote-viewing, remote-input, drawing, and recording features work directly between devices. When you share within your local network, and when you reach a computer remotely through the Drasyn broker, the screen, audio, input, and drawing data travels peer-to-peer (over WebRTC) and does not pass through our servers.
- Local network sharing involves no Drasyn server at all — we neither see nor store any part of that session.
- Remote access uses our broker only to help two devices find and connect to each other (signaling). The broker relays opaque connection-setup messages it cannot read; it never carries your screen or the contents of a session. Media is peer-to-peer or the connection simply fails — we do not operate relay (TURN) servers that would route your session through us.
- Screen recordings are written to your own device. They only leave it if you explicitly upload a file to the cloud file service.
4. Information we collect
Account information
When you create a Drasyn Cloud account we process your email address and a display name (which may be derived from your email). If you sign in with a password we store only a salted hash of it, never the password itself. If you sign in with GitHub or Google, we receive a basic identifier and the email associated with that account from the provider — we do not receive your provider password.
Authentication and device data
To keep you signed in and to support the CLI and desktop app we process session records, API keys (stored as hashes; the full key is shown to you once at creation), and device-login records (RFC 8628). Each connected surface holds its own key so you can revoke them independently from the dashboard.
Files and file metadata
If you use the file service, we store the file bytes you upload and metadata about each file: size, declared content type, timestamps, storage tier, and status.
- Public-tier files are stored so we can serve them from a stable public URL.
- Private-tier files are encrypted on your device before upload. We store only the ciphertext plus a hash of the share token — we never receive the decryption key, which travels only in the link fragment your client generates and is never sent to us. This means we cannot read your private files.
Billing information
Payments are handled by our payment provider, Polar. We do not receive or store your full card number or other payment-instrument details. We store a mirror of your subscription state (plan, status, and the identifiers needed to reconcile it) so we can apply the right storage quota to your account.
Remote-access registry and connection data
If you enable remote access for a computer, we store a record linking that computer’s host identifier to your account (so only you can reach it), along with a live online/offline indicator. During a connection attempt, network address information (including IP addresses and candidate addresses gathered via STUN) is exchanged between the peers to establish the direct connection; this is inherent to how peer-to-peer networking works.
Technical and log data
Like any internet service, our infrastructure processes technical data such as IP addresses, request timestamps, and basic request metadata, primarily for security, abuse prevention, and reliability. This is handled at our infrastructure provider’s edge (see Sharing).
We do not use advertising or cross-site tracking cookies, and we do not build advertising profiles.
5. How we use information
- To provide, maintain, and secure the service and your account.
- To authenticate you and the devices you connect.
- To store and serve the files you choose to upload, and to enforce plan quotas.
- To process subscriptions and apply the correct entitlements.
- To detect, prevent, and respond to abuse, security incidents, and violations of our Acceptable Use Policy — including a content-safety scan of public-tier files.
- To communicate with you about the service (e.g. sign-in links, security notices).
- To comply with legal obligations and respond to lawful requests.
6. Legal bases
Where KVKK or GDPR requires a legal basis, we rely on:
- Performance of a contract — to give you the service you signed up for (accounts, file storage, remote access, billing).
- Legitimate interests — to keep the service secure, prevent abuse, and operate it reliably, balanced against your rights.
- Legal obligation — to meet accounting, tax, and lawful-request requirements.
- Consent — where we specifically ask for it (e.g. optional communications); you may withdraw consent at any time.
7. Cookies and local storage
We use a small number of strictly necessary cookies and browser storage entries — chiefly to keep you signed in and to remember interface state. We do not set advertising or third-party tracking cookies, so we do not show a consent banner for non-essential tracking (there is none to consent to). Blocking essential cookies will prevent sign-in from working.
8. Sharing and service providers
We do not sell your personal data and we do not share it for advertising. We share data only with the service providers (processors) that make Drasyn work, each for the limited purpose described below:
- Cloudflare — compute, database, object storage, and content delivery (Workers, D1, R2, Durable Objects, Pages). This is where accounts, file metadata, file bytes, and the broker run. Privacy policy.
- Polar — subscription payments and billing (acting as merchant of record). Polar receives the data needed to process your payment. Privacy policy.
- Resend — delivery of transactional email (such as sign-in links), when email delivery is enabled. Receives your email address and message content. Privacy policy.
- GitHub and/or Google — only if you choose to sign in with them, to verify your identity. GitHub · Google.
- Public STUN server(s) — used during connection setup to discover network addresses for peer-to-peer connections. A STUN server sees the IP addresses involved but not your session content.
We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and property of our users, the public, or us.
9. International transfers
Our providers operate globally. Your data may be processed on servers located outside Türkiye and outside the European Economic Area, including at edge locations chosen for performance. Where such transfers occur, we rely on our providers’ legal transfer mechanisms (such as standard contractual clauses) and, where required under KVKK, on the applicable legal basis for cross-border transfer. Contact us for more detail.
10. How long we keep data
- Account data — for as long as your account exists. When you delete your account, we delete your stored files and account data; we pre-delete your stored objects so no file bytes are stranded.
- Uploaded files — incomplete uploads are purged automatically (within about 24 hours). Private-tier files expire after a default retention period (30 days unless configured otherwise). When you delete a file, public files are removed after a short grace period (about 7 days) because they may be embedded elsewhere, while incomplete or private files are reclaimed promptly.
- Billing records — kept as long as required by accounting and tax law.
- Logs and technical data — kept for a limited period for security and reliability, then rotated out.
- Taken-down content — when content is removed for a policy or legal reason, the bytes are deleted but a minimal record of the action may be retained as an audit trail.
11. Security
We design for data minimisation and defence in depth:
- Private-tier files are encrypted on your device; we never hold the keys.
- Passwords, API keys, and share tokens are stored only as hashes.
- Remote-access sessions are authenticated end-to-end, and their media never traverses our servers.
- Traffic to our services is encrypted in transit (TLS).
No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to create a risk to you, we will notify you and the competent authority as required by law.
12. Public files and share links
A public-tier file is served from a URL that acts as a capability: anyone who has the link can open the file, and such links may be cached by browsers and intermediaries or indexed by third parties. A private-tier share link likewise grants access to whoever holds it. Treat any file you upload for sharing as potentially reachable by anyone you give the link to — do not put anything in a public file that you would not want to be publicly available.
13. Your rights
Subject to KVKK (Article 11), GDPR, and other applicable laws, you have the right to:
- learn whether we process your personal data, and access a copy of it;
- have inaccurate data corrected;
- request erasure of your data (“right to be forgotten”), subject to legal retention;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where processing is based on consent;
- request information about parties to whom data has been transferred;
- not be subject to solely automated decisions producing legal effects (we do not make such decisions).
You can delete your account and its data yourself from the dashboard, or exercise any of these rights by emailing support@drasyn.com. We will respond within the time limits set by applicable law. If you are a California resident, you have similar rights under the CCPA/CPRA (to know, delete, correct, and opt out of “sale”/“sharing” — which we do not do); we do not discriminate against you for exercising them.
14. Children
Drasyn is not directed to children. You must be at least 18 years old to create an account and use the service. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.
15. Changes to this policy
We may update this policy as the service evolves. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you. Continuing to use the service after an update means you accept the revised policy.
16. Contact and complaints
For any privacy question or request, contact support@drasyn.com. If you are in Türkiye and believe your rights under KVKK have been infringed, you may lodge a complaint with the Turkish Personal Data Protection Authority (KVKK). If you are in the EEA or UK, you may lodge a complaint with your local data protection authority.