Privacy Policy

Last updated: May 16, 2026

QueueUp is a hosted waitlist service operated by Abdullah Canakci, sole proprietor, in Turkey ("QueueUp", "we", "us"). This Privacy Policy explains what personal data we process, why, and how to exercise your rights over it. You can reach us at [email protected].

The two roles we play

QueueUp acts in two distinct capacities under data protection law.

When you sign in to the QueueUp panel to run a waitlist for your business, we are the controller of your personal data (your account information, billing, panel activity).

When someone joins a waitlist that you run on QueueUp, you are the controller of that subscriber's personal data and we are the processor acting on your instructions. The Data Processing Addendum at Annex A of our Terms of Use sets out the contractual processor terms.

What we collect about panel users

Identity and authentication. Our authentication provider Clerk collects your email, name, and the password you choose, and shares your email, name, organization membership, and role with us. We never see your password.
Organization information. The name of your organization, the plan you choose, and the configuration you save in the panel (waitlist settings, themes, integration destinations such as webhook URLs and transactional-email API keys). Sensitive credentials in integration configuration are encrypted at rest.
Billing information. Your subscription status, plan, and invoice history, supplied to us by Polar (our billing merchant of record). We do not see your card details.
Panel activity. An audit trail of administrative actions performed in your organization (the action, the actor, and a timestamp).
Request logs. We keep short-term server logs for security and debugging. These logs include non-identifying request metadata (path, status, latency, request ID) but not your IP address.

What we collect about waitlist subscribers (on the tenant's behalf)

When someone signs up to a waitlist that uses QueueUp, the embed form or public subscribe API collects the following on the tenant's behalf:

The subscriber's email address.
The time and date of signup, and the waitlist they joined.
A short referral code we generate for the subscriber, plus a private link token that lets them check their position on the waitlist.
A position-influencing score that increases when other people sign up using the subscriber's referral code.
The website (origin) from which the signup was submitted.
If the tenant has turned on email confirmation, a one-time confirmation token that expires after seven days.

We additionally inspect the following per request but do not persist them to our database:

The subscriber's IP address.
Their browser User-Agent.
A country code provided by Cloudflare, which sits in front of the QueueUp API.

These signals are used only to decide whether a signup is a real person, to enforce rate limits, and to block disposable email domains. They appear briefly in operational logs and are otherwise discarded.

We do not run any third-party analytics, advertising trackers, device fingerprinting, or cross-site cookies. The marketing site, the embed widget, and the hosted status page set zero tracking cookies. The panel uses session cookies set by Clerk for authentication; these are essential to the service and not used for tracking.

How we use this data

To operate the Service: store waitlist signups, render the panel, deliver outbound integrations such as webhooks and transactional emails.
To send transactional email to subscribers (confirmation, welcome) when the tenant has configured email confirmation or a transactional-email integration. We never use subscriber email addresses for our own marketing.
To prevent abuse: rate limit, block disposable domains, geographically gate signups where the tenant has asked us to.
To bill, comply with tax and accounting obligations, and respond to support requests.

Legal bases (GDPR Art. 6, KVKK Art. 5)

Performance of a contract with you for running the Service and billing for it.
Legitimate interest for operational security, fraud prevention, and minimal logging.
Legal obligation for tax, accounting, and lawful disclosure requirements under Turkish and applicable foreign law.
Consent only where the law requires it. We do not currently process personal data on the basis of consent. If we add a use that requires it (for example, marketing emails to subscribers), we will ask for it explicitly.

Subprocessors

We use a small set of third-party services to operate QueueUp. Each is bound by its own data-protection commitments. Links go to each subprocessor's privacy policy.

Hetzner Online GmbH (Falkenstein, Germany). Cloud hosting; primary processing of all customer data happens here. Privacy
Clerk Inc. (United States). Authentication and organization management. Privacy
Polar Software Inc. (United States). Billing merchant of record. Privacy
Resend Inc. (United States). Transactional email, only when a tenant configures it. Privacy
Cloudflare Inc. (United States). Reverse proxy and DDoS protection in front of the QueueUp API; provides the country signal used by anti-abuse checks. Privacy

We may add or replace subprocessors with at least 30 days' notice through the panel or by email, which gives tenants the opportunity to object on legitimate data-protection grounds.

Where your data is processed, and international transfers

Primary processing of customer data happens on Hetzner Cloud servers in Falkenstein, Germany (European Union). Some subprocessors are based in the United States. Transfers to those subprocessors rely on the European Commission's Standard Contractual Clauses, supplemented by the UK International Data Transfer Addendum where applicable, and by the EU-US Data Privacy Framework where the subprocessor self-certifies. We are happy to provide a copy of the relevant transfer mechanism on request.

How long we keep data

Subscriber records on a Free plan waitlist: 90 days from signup.
Subscriber records on a Pro or Team plan waitlist: 365 days from signup.
Confirmation tokens (where email confirmation is enabled): 7 days, or until the subscriber confirms.
Tenant account information and audit trail: for the life of the subscription, plus a reasonable period afterwards for legal, accounting, and dispute-resolution purposes.
Operational request logs: up to 30 days.

We will action a deletion request from a subscriber or tenant within 30 days of receiving it.

Security

We protect personal data with measures appropriate to its sensitivity, including encryption in transit (HTTPS), encryption at rest for integration secrets, one-way hashing of customer API keys, signed webhook payloads, and access controls on the panel. No system is perfectly secure, and we cannot guarantee absolute security.

Your rights

Depending on where you live, you have some or all of the rights described below. If you are a waitlist subscriber rather than a tenant, the tenant who runs the waitlist controls your personal data; you should contact them first. We can route your request to the tenant if helpful.

European Union and United Kingdom (GDPR, UK GDPR). Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right not to be subject to a decision based solely on automated processing. QueueUp does not perform automated decision-making.

Turkey (KVKK Art. 11). The equivalent rights under Turkish data protection law: learn whether your personal data is being processed, request information about it, correct inaccurate data, request deletion, and object to results derived from automated processing.

California (CCPA / CPRA). The right to know, delete, correct, and limit our use of sensitive personal information; the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.

To exercise any of these rights, email [email protected]. We may ask you to verify your identity to protect your data. We will respond within 30 days. If you believe we have not handled your data appropriately, you can lodge a complaint with your local supervisory authority (the Personal Data Protection Authority in Turkey, your national DPA in the EU or UK, or the California Attorney General).

Children

QueueUp is not directed at children. Tenants must not use QueueUp to collect signups from individuals below the local age of digital consent (16 in the EU, 13 in the United States) without verifiable parental consent.

Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. We will notify tenants of material changes through the panel or by email.

Contact

Privacy questions, data-subject requests, and complaints: [email protected]. A postal address is available on request.