KVKK Notice

1) Who we are (Data Controller details)

Data Controller (Veri Sorumlusu): LegalX Yapay Zeka Teknolojileri A.Ş. Address: APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye. KVKK contact: support@harmonity.ai

2) When we act as "Data Controller" vs "Data Processor"

Controller (Veri Sorumlusu): We act as a controller for personal data processed to operate our website, run sales/support, manage accounts, billing, security, and platform operations (e.g., admin contact data, authentication logs, support communications).

Processor (Veri İşleyen): When customers use Harmonity to upload/manage contract documents that may contain personal data (e.g., names, emails, signatures in contracts), we typically process that data on behalf of the customer, and the customer is typically the controller. This is governed by our DPA.

3) What personal data we may process (typical categories)

Depending on how you interact with Harmonity, we may process categories such as: Identity & contact: name, work email, phone (if provided), company, title/role. Account & authentication: user IDs, login timestamps, workspace membership, access rights. Usage & device data: IP address, device/browser identifiers, event logs, audit records. Sales/support records: tickets, emails, call/meeting notes, chat transcripts (where used), and meeting recordings (where used). Billing & tax: invoicing contact details, payment/admin metadata, tax/VAT information as applicable. Customer content: documents, templates, clause libraries, and metadata—may include personal data depending on the customer's documents.

4) Why we process personal data (purposes) and KVKK legal grounds

We process personal data for purposes such as: Service delivery & security: account provisioning, authentication, access control, audit trails, troubleshooting. Customer support & relationship management: responding to requests, managing tickets, quality review/training for support (including recordings where used). Billing & tax compliance: invoicing and legally required financial records. Reliability & abuse prevention: monitoring, incident response, fraud/abuse detection, security investigations. Website operations: demo requests, website analytics and marketing where enabled by cookie choices.

Processing is carried out based on applicable KVKK legal grounds (e.g., necessity for contract/performance, compliance with legal obligations, legitimate interests, and explicit consent where required—especially for certain cookies/marketing and certain cross-border transfer scenarios).

5) AI features and data boundaries (KVKK-relevant summary)

Harmonity includes AI-enabled features ("Harmony AI"). Our AI approach is designed to keep contract work explainable and governed: Permission-aware: AI follows the same access boundaries as users/documents. Evidence-linked outputs: outputs are designed to point back to relevant text for verification. No silent edits: suggestions are shown transparently before changes occur. No training on customer data: we do not use customer contract content to train general AI models for the benefit of other customers.

6) International transfers (Yurt dışına aktarım)

Our vendors/subprocessors and infrastructure may process data in Türkiye, the EU/EEA, and sometimes other regions depending on configuration. Where cross-border transfer rules apply, we rely on appropriate KVKK transfer mechanisms (e.g., adequacy decisions or appropriate safeguards such as standardized transfer tools and/or other lawful mechanisms recognized by KVKK). We provide transparency through our Subprocessors page and contractual terms through our DPA.

7) Security measures (high-level)

We use technical and organizational measures appropriate for sensitive contract workflows, including (high-level): Access controls / least privilege. Encryption in transit and at rest (high-level). Audit logs / attributable actions. Monitoring and incident handling processes.

8) Retention (high-level)

We keep personal data only as long as necessary for the purposes described above, unless a longer period is required by law (e.g., accounting/tax). Sales/support records & meeting recordings (where used): up to 365 days (consistent with our operational approach). Customer content & platform data: retention depends on account status, configuration, and contractual terms (see DPA and Terms).

9) Your KVKK rights (Article 11) and how to exercise them

KVKK grants "data subject" rights, including the right to request information about processing, request correction/deletion under conditions, and other rights under Article 11.

How to submit: Email support@harmonity.ai with the subject "KVKK Request". Include enough detail for us to verify and process your request (e.g., relationship to the account, relevant workspace, and the nature of the request). Response timeline: We aim to respond as soon as possible and, in line with KVKK practice, no later than 30 days.

If you are dissatisfied (complaint route): If the request is rejected, the response is insufficient, or no response is provided in time, KVKK guidance describes the ability to complain to the Authority within 30 days of learning our response and in any case within 60 days from the application date.

10) Personal data breaches (high-level)

If personal data is obtained by others through unlawful means, we follow internal incident processes for investigation and response, and we handle notifications where required under applicable guidance and obligations.

Updates and Contact

We may update this page from time to time. The Last Updated date at the top reflects the most recent revision.

Questions about this page? Reach us at: support@harmonity.ai