Privacy Policy
Prepared in accordance with the EU General Data Protection Regulation (GDPR) for all users of ComplyMate services.
Last Updated: April 28, 2026
1. Identity of the Data Controller
Within the scope of this Privacy Policy, the data controller is DNS Group Yatırım ve İnovasyon Anonim Şirketi ("DNS Group", "Company", "Data Controller").
| Company | DNS Group Yatırım ve İnovasyon Anonim Şirketi |
| Product | ComplyMate (EU AI Act Compliance Platform) |
| Address | Şenlikköy Mahallesi Saçı Sokak No:9/3 Florya/Bakırköy, Istanbul, Türkiye |
| Email | info@dnsgroup.tr |
| Phone | 0 (212) 854 01 64 |
2. Categories of Personal Data Processed
When using ComplyMate services, the following personal data may be processed:
a) Identity Information
- First and last name (from Google OAuth users)
- Username / email display name
b) Contact Information
- Email address (mandatory — for account creation and magic link)
c) Customer Transaction Information
- Account creation, login, and logout records
- Service usage history (registered AI systems, classification requests, FRIA reports)
- AI system inventory (system names, descriptions, providers, departments entered by user)
d) Transaction Security Information
- IP address
- Browser information (User-Agent, language preference)
- Cookie information
- Session identifiers
e) Marketing Information (only with explicit consent)
We currently do not collect data for marketing purposes. If we begin collecting data in this category in the future, your explicit consent will be obtained separately.
3. Purposes of Processing Personal Data
Your personal data is processed for the following purposes:
- Provision and improvement of ComplyMate services
- Creation, management, and security of user accounts
- Authentication and session management via magic link
- AI system inventory management and automatic classification under the EU AI Act
- Generation of FRIA (Fundamental Rights Impact Assessment) reports
- Communication with users (support, updates, service notifications)
- Compliance with legal obligations (tax legislation, GDPR, KVKK)
- Measurement and improvement of service quality
- Prevention of potential fraud or misuse
- Protection of rights and interests in legal disputes
4. Legal Basis for Processing
Your personal data is processed based on the following legal grounds under GDPR Article 6:
- Performance of a contract (GDPR Art. 6(1)(b)): Necessary for fulfilling our service agreement
- Compliance with legal obligation (GDPR Art. 6(1)(c)): Tax legislation, accounting requirements
- Legitimate interests (GDPR Art. 6(1)(f)): Service security, fraud prevention, service improvement
- Explicit consent (GDPR Art. 6(1)(a)): For cross-border data transfers (detailed in Section 5)
- Vital interests of data subject (GDPR Art. 6(1)(d)): In emergency situations
5. Transfer of Personal Data
5.1 Domestic Transfer
Your personal data is not transferred to third parties within Türkiye.
5.2 Cross-Border Transfer (Requires Explicit Consent)
To deliver ComplyMate services, your personal data is transferred to the following US-based service providers under GDPR Article 49 with appropriate safeguards (Standard Contractual Clauses):
| Service Provider | Location | Purpose | Data Type |
|---|---|---|---|
| Supabase Inc. | USA | Database hosting | All user data (encrypted) |
| Vercel Inc. | USA (CDN: global) | Web hosting | IP address, page views |
| Anthropic PBC | USA | AI classification (Claude API) | AI system descriptions (during classification) |
| Google LLC | USA | Google OAuth + magic link email | Email, Google profile information |
Consent Notice: Using ComplyMate constitutes explicit consent to the cross-border data transfers listed above. You may withdraw your consent at any time, which will result in account closure.
These US-based service providers maintain industry-standard certifications (SOC 2 Type II, ISO 27001) and comply with GDPR through Standard Contractual Clauses (SCC) approved by the European Commission.
6. Method of Data Collection
Your personal data is collected through the following methods:
- Directly from you: Registration form, profile updates, AI system entry forms
- Automatically: Cookies, server logs, session identifiers
- From third-party services: Name, surname, and email information from Google when you sign in with Google OAuth
7. Data Retention Period
Your personal data is retained for the following periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account information (email, name) | Active account + 10 years | Tax legislation |
| AI system inventory | Active account + 10 years | Tax legislation |
| Classification records | Active account + 10 years | EU AI Act Art. 12 |
| FRIA reports | Active account + 10 years | EU AI Act Art. 27 |
| Session logs | 6 months | Legitimate interest (security) |
| Cookies | 12 months (consent period) | GDPR Art. 6 |
At the end of these periods, your personal data will be deleted, destroyed, or anonymized.
8. Your Rights Under GDPR Articles 15-22
Under GDPR Articles 15-22, you have the following rights regarding your personal data:
- Right of access (Art. 15): Confirm whether your data is being processed
- Right to information about processing purposes and recipients
- Right to know about cross-border transfers and recipients
- Right to rectification (Art. 16): Correct incomplete or inaccurate data
- Right to erasure / 'right to be forgotten' (Art. 17): Request deletion under certain conditions
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object to automated decision-making (Art. 22)
- Right to lodge a complaint with the supervisory authority and seek compensation for damages
9. How to Exercise Your Rights
To exercise the rights listed above, you may contact us through the following channels:
Written Application:
DNS Group Yatırım ve İnovasyon Anonim Şirketi Şenlikköy Mahallesi Saçı Sokak No:9/3 Florya/Bakırköy, Istanbul, Türkiye
Email:
info@dnsgroup.tr
Phone:
0 (212) 854 01 64
Your application must include identification information and a clear description of your request. We will respond within 30 days, free of charge. If your request requires additional cost, fees may be charged according to applicable regulations.
If your application is rejected, the response is deemed insufficient, or no timely response is provided, you have the right to file a complaint with the relevant supervisory authority (such as the Turkish Data Protection Authority for users in Türkiye, or your local EU data protection authority).