Personal Data Protection Notice

Note for International Users: This notice fulfills disclosure obligations under the Turkish Personal Data Protection Law (KVKK). For users in the European Economic Area (EEA) and the United Kingdom, equivalent disclosures under GDPR / UK GDPR are also reflected in this document. For comprehensive information about how we handle your data, please also refer to our Privacy Policy.

1. Data Controller

Pursuant to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), your personal data is processed by BRİFTEK REKLAM YAZILIM TİCARET LİMİTED ŞİRKETİ ("Briftek") as the data controller, in compliance with KVKK and related legislation.

Legal Name	BRİFTEK REKLAM YAZILIM TİCARET LİMİTED ŞİRKETİ
Registered Address	Caferağa Mah. Moda Cad. No:5 Kadıköy/İstanbul, Türkiye
Tax Office / Number	Kadıköy / 1871750630
VERBİS Registration	Registered (Turkish Data Controllers' Registry)
Email	info@briftek.com.tr
Website	https://yasamatlas.app

2. Categories of Personal Data Processed

In connection with the YasamAtlas mobile application ("App"), Briftek processes the following categories of personal data:

2.1. Identity Information

• Email address
• Account username (if any)

2.2. Contact Information

• Email address
• Contact information shared during support requests

2.3. Customer Transaction Information

• Subscription status, plan type, subscription start/end dates
• Payment transaction identifiers (provided by Google Play / Apple App Store)
• In-app credit/quota usage records

2.4. Transaction Security Information

• IP address, login records
• Device information (operating system, app version)
• Security logs

2.5. User-Uploaded Content

• Documents uploaded to the App (insurance policies, contracts, warranty documents, etc.)
• Document metadata (file name, date, size)
• AI query and response history

2.6. Marketing / Preference Information

• Language preference
• Notification preferences
• In-app behavioral data (which features are used, etc.)

Note: Briftek does not knowingly collect special categories of personal data (health, biometric, religious belief, ethnicity, etc.). However, documents you upload may contain such data; in this case, the data is processed under your explicit consent and is given special protection under KVKK Art. 6 (and, where applicable, GDPR Art. 9).

3. Purposes of Processing

Your personal data is processed for the following purposes:

1. Service delivery: Creating your App account, authentication, session management
2. Document management: Storing, displaying, and listing uploaded documents
3. AI analysis: AI-based summarization and Q&A functionality
4. Subscription and payment management: Plan tracking, credit usage, billing records
5. Customer support: Responding to requests and complaints
6. Service improvement: Usage analysis, bug fixing, performance optimization
7. Security: Fraud, abuse, and cyber threat prevention
8. Legal obligations: Tax, commercial, consumer, and KVKK obligations
9. Communication: Important notifications about the Service (legal changes, service announcements, etc.)

4. Legal Basis for Processing

Your personal data is processed under the following legal grounds in KVKK Art. 5 and 6:

4.1. Processing Without Explicit Consent

Legal Basis	Application
Performance of a contract (Art. 5/2-c)	Fulfilling the service agreement, subscription, payment
Legal obligation (Art. 5/2-ç)	Tax law, commercial law, consumer rights obligations
Establishment, exercise, or protection of a right (Art. 5/2-e)	Defense rights in legal disputes
Legitimate interests (Art. 5/2-f)	Service security, fraud prevention, quality improvement

4.2. Processing Based on Explicit Consent

The following processing is carried out under your explicit consent:

• International data transfer (KVKK Art. 9): Transfer of your data to the USA (us-east-1) under AWS infrastructure
• Special categories of personal data: Processing of sensitive information (health, financial, etc.) that may be contained in documents you upload
• AI processing: Subjecting your documents to AI analysis via Amazon Bedrock

By creating an account, you are deemed to have given explicit consent for these processing activities. You may withdraw your consent at any time; however, this may prevent you from using all features of the Service.

For EEA / UK users: GDPR Article 6 legal bases (contract, legal obligation, legitimate interests, consent) and Article 9 conditions for special categories apply equivalently.

5. Recipients of Personal Data and Transfer Purposes

5.1. Domestic Recipients

• Authorized public institutions and authorities: Where required by legal obligation
• Law firms and tax/financial advisors: For legal counsel and accounting services

5.2. International Recipients

Under KVKK Art. 9, with your explicit consent, transfers are made to the following international recipients:

Recipient	Country / Region	Data Transferred	Purpose
Amazon Web Services Inc. (AWS)	USA (us-east-1)	All account, document, and usage data	Cloud infrastructure, storage, authentication
Amazon Bedrock	USA (us-east-1)	Document content, AI queries and responses	AI analysis services
Google LLC	USA / Ireland	Subscription identifier, payment status	Google Play Billing payment infrastructure
Apple Inc.	USA / Ireland	Subscription identifier, payment status	App Store payment infrastructure

Important: AWS and Amazon Bedrock do not use customer data for AI model training. All data is encrypted in transit and at rest.

For EEA / UK users: Transfers outside the EEA / UK are based on AWS's Standard Contractual Clauses and Data Processing Addendum, providing appropriate safeguards under GDPR Articles 44–49.

6. Methods of Data Collection

Your personal data is collected through the following methods:

• Information directly entered by you through the mobile App (email, password, uploaded documents)
• Technical data automatically generated during App use (log records, usage statistics)
• Subscription information received from payment platforms like Google Play / Apple App Store
• Information shared during email correspondence with us

7. Data Retention Periods

Your personal data is retained for the period necessary to fulfill the relevant purposes:

Data Type	Retention Period	Legal Basis
Account information	Active account + 30 days	Performance of contract
Uploaded documents	Active account; deleted immediately upon account closure	Performance of contract
AI query/response history	Active account; deleted upon account closure	Performance of contract
Billing and payment records	10 years	Turkish Commercial Code Art. 82, Tax Procedure Law
Consumer dispute records	3 years	Law No. 6502
Log records	2 years	Law No. 5651, legitimate interests
Marketing consents	Until consent withdrawn	Explicit consent

Data whose retention period has expired is deleted, destroyed, or anonymized under KVKK Art. 7 and the related Regulation.

8. Your Rights Under KVKK Article 11

Under KVKK Art. 11, you may exercise the following rights by applying to the data controller:

1. Right to information: To learn whether your personal data is being processed
2. Right to request information: To request information regarding such processing
3. Right to learn purpose: To learn the purpose of processing and whether it is used for that purpose
4. Right to know recipients: To know third parties to whom your data has been transferred, domestically or internationally
5. Right to rectification: To request rectification of incomplete or inaccurate data
6. Right to erasure: To request erasure or destruction within KVKK conditions
7. Right to notification: To request notification of (d) and (e) actions to third parties to whom data has been transferred
8. Right to object to automated processing: To object to outcomes adverse to you arising from automated analysis
9. Right to compensation: To claim compensation for damages arising from unlawful processing

For EEA / UK users: Additional GDPR / UK GDPR rights also apply, including the right to data portability (Art. 20) and the right to object to processing (Art. 21).

9. How to Apply

9.1. Written Application

Address: BRİFTEK REKLAM YAZILIM TİCARET LİMİTED ŞİRKETİ
Caferağa Mah. Moda Cad. No:5 Kadıköy/İstanbul, Türkiye

You may submit your application together with documents proving your identity, by registered mail or notary.

9.2. Electronic Application

Email: info@briftek.com.tr

You may apply via the email address registered in our system. For security purposes, your application must be sent from the email address linked to your account.

9.3. Information Required in Application

• Name, surname, and signature (for written applications)
• Turkish ID Number (passport number for foreigners)
• Address for service of process
• Email, phone, fax (if applicable)
• Subject of the request

9.4. Resolution of Application

Your application will be processed within 30 days at no cost. However, if the request requires a separate cost, a fee may be charged according to the tariff set by the Personal Data Protection Authority.

9.5. Right to Complain

If your application is rejected, the response is found insufficient, or you do not receive a response within the prescribed time, you have the right to file a complaint with the Personal Data Protection Authority within 30 days of learning the response and in any case within 60 days of the application date.

Personal Data Protection Authority:
Web: https://www.kvkk.gov.tr
Email: kurum@kvkk.gov.tr

For EEA / UK users: You also have the right to lodge a complaint with the data protection authority in your country of residence.

10. Data Security

Briftek has implemented the following technical and organizational measures to ensure the security of your personal data under KVKK Art. 12:

10.1. Technical Measures

• TLS 1.2+ for transport security
• AES-256 for storage encryption
• AWS IAM role-based access control
• User-based data isolation
• Regular security updates and patches
• Penetration testing and security audits

10.2. Organizational Measures

• KVKK awareness training for personnel
• Access authorization matrices
• Confidentiality agreements
• Incident management procedures

11. Updates to This Notice

This Disclosure Notice may be updated due to legislative changes or changes in service scope. The current version will always be available at https://yasamatlas.app/data-protection. Significant changes will be communicated via in-app notification or email.

This document is for informational purposes and does not constitute legal advice. Please consult an attorney for specific situations.