Reference translation
Privacy Policy
Last updated:
This English version is provided as a reference for English-speaking readers. For Turkish-domiciled parties, the binding text is the Turkish version. Where this translation conflicts with the Turkish original, the Turkish original prevails.
View the binding Turkish version →1. Data controller
Akitle is the "data controller" (KVKK art. 3; GDPR Art. 4(7)) for the personal data of account holders, their users, and platform visitors. For renter data collected on behalf of an account holder via a share link, Akitle is the "data processor" (KVKK art. 3; GDPR Art. 4(8)) — the account-holder company is the controller. See the Data Processor Agreement (DPA) for the controller-processor terms.
Contact: support@akitle.com.
2. What we collect
- Account information: full name, email, password hash (Convex Auth), preferences such as locale.
- Company profile: trade name, slug, logo, preferred contract locale.
- Contract content: templates, fields, and the text you upload — this is your content; Akitle stores and processes it solely to provide the Service.
- Renter information: the data the renter enters when they open a share link (identity, fillable-field values, signature image, KVKK acknowledgement).
- Payment metadata: iyzico-issued tokens and transaction references — Akitle does not store full card numbers or CVCs.
- Audit signals: IP, user-agent, timestamps, and event types (created, sent, opened, signed) recorded to an immutable audit chain.
3. Legal basis and purpose
Personal data is processed to provide the contract service, verify signatures, bill account holders, and comply with Turkish tax and KVKK obligations. The legal basis varies by framework:
| Framework | Recognition | Evidentiary effect |
|---|---|---|
| Türkiye — KVKK Law No. 6698 | Art. 5/2-c: processing necessary for performance of a contract; art. 5/2-f: processing necessary for the controller's legitimate interest (audit trail, security) | Art. 6 (special-category data) does NOT apply — Akitle does not require sensitive categories. Art. 9 cross-border transfers governed by the express consent or adequacy decision |
| EU — GDPR Regulation 2016/679 | Art. 6(1)(b): contract performance; Art. 6(1)(c): legal obligation (tax retention); Art. 6(1)(f): legitimate interest (audit trail, fraud prevention) | Art. 9 special-category data does NOT apply; Chapter V governs international transfers if applicable |
| US — CCPA / CPRA | Business-purpose processing for contract performance; service-provider exemption applies between Akitle and account holders | Sale/share opt-out (§1798.120) does NOT apply — Akitle does not sell personal information |
5. International transfers
Personal data may be stored in regions outside of Türkiye depending on the Convex region in use. For EU/UK data subjects, transfers outside the EEA / UK are based on the European Commission's Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism under UK GDPR. For Turkish data subjects, cross-border transfers follow KVKK art. 9 (express consent or adequacy decision by the KVKK Authority).
6. Retention
Personal data is retained while the account is active, plus the minimum periods required by Turkish tax and KVKK law (typically 10 years for contract content under Turkish Commercial Code art. 82). Audit-trail records are retained for the same period. On account closure, data is deleted or anonymized after the statutory minimum has elapsed.
7. Your rights
Depending on the framework that applies to you, you have the following rights:
| Framework | Recognition | Evidentiary effect |
|---|---|---|
| Türkiye — KVKK art. 11 | Right to: learn whether data is processed, request information, learn the purpose, learn third-party recipients, request correction, request deletion, restrict processing, request notification to third parties, object to automated decisions, claim damages from unlawful processing | Apply via the procedure on the KVKK Disclosure page; KVKK Authority appeal possible if response is unsatisfactory |
| EU/UK — GDPR Arts. 15–22 | Right of access (15), rectification (16), erasure / right to be forgotten (17), restriction (18), data portability (20), objection (21), automated decisions (22) | Apply via the contact email below; complaint to your supervisory authority possible if unsatisfactory |
| US — CCPA §§1798.100–.135 | Right to know, right to delete, right to correct, right to opt out of sale/share (N/A here), right to limit sensitive-data use, right to non-discrimination | Apply via the contact email below; California AG complaint possible if unsatisfactory |
To exercise any right, email support@akitle.com. We respond within 30 days (KVKK art. 13 allows a 30-day window; GDPR Art. 12(3) allows 30 days extendable by 60).
9. Security
Personal data is processed under technical and organizational measures appropriate to the risk (KVKK art. 12; GDPR Art. 32), including:
- Encrypted transport (TLS 1.2+) for all client connections;
- Encrypted-at-rest storage in the Convex infrastructure;
- Strict tenant isolation enforced at every Convex function entry (requireCompany / requirePlatformAdmin);
- Immutable audit chain for every contract event (creation, send, open, sign) with timestamp and IP;
- Password storage via the @convex-dev/auth password adapter (bcrypt-equivalent);
- Principle of least privilege for sub-processor access.
10. Data-breach notification
In the event of a personal-data breach, Akitle notifies affected account holders without undue delay and in any case within 72 hours of becoming aware (matching GDPR Art. 33 and the KVKK Authority Decision 2019/271 timing).
11. Changes
Akitle may amend this Privacy Policy. Material changes will be announced in-app or by email before they take effect.
12. Contact and complaints
For privacy questions, requests, or complaints: support@akitle.com. You may also lodge a complaint with the Turkish Personal Data Protection Authority (KVKK), your EU supervisory authority, the UK ICO, or the California Attorney General as applicable.