Privacy Policy
Effective: February 1, 2026 · Last Updated: February 1, 2026
LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity", "we", "us")
APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye
support@harmonity.ai (Subject: "Privacy")
This Privacy Policy explains how we collect, use, share, and protect Personal Data. By using our websites and services, you acknowledge our data practices as described here.
1) Scope and Key Concepts
1.1 Scope. This Privacy Policy explains how we collect and use Personal Data relating to (i) visitors to our websites and digital properties, (ii) our business contacts (including prospects, customer contacts, and partners), and (iii) individuals whose Personal Data is processed in connection with our services, where we act as a processor on behalf of our customers.
1.2 Personal Data. "Personal Data" means any information relating to an identified or identifiable natural person, directly or indirectly (e.g., name, business email, phone number, IP address, device identifiers).
1.3 Applicable law. We process Personal Data in accordance with applicable privacy laws, including the Turkish Law on the Protection of Personal Data No. 6698 ("KVKK"). Where the GDPR or UK GDPR applies, we also comply with those requirements for the relevant processing.
2) Roles: Controller vs Processor
2.1 Controller activities. For the processing described in Sections 3 and 4 (website, marketing, sales, business relationship management), we act as the data controller.
2.2 Processor activities. When customers use Harmonity and upload or process content (including contracts and related personal data) within the service, we generally act as a data processor on behalf of the customer (the controller).
2.3 Customer instructions. Where we act as a processor, we process Personal Data only on the customer's documented instructions and as set out in our Data Processing Agreement ("DPA").
3) How We Collect Personal Data
3.1 Sources. We collect Personal Data: (i) directly from you (forms, emails, calls, meetings); (ii) from your organization (admins, billing contacts, invitations); (iii) automatically (cookies, logs, device data, usage data); (iv) from integrations you enable; and (v) from partners (where permitted).
3.2 External platforms. If you interact with our pages on third-party platforms (e.g., social networks), we may receive Personal Data such as your profile information and messages/comments you choose to share.
4) Purposes, Categories, and Legal Bases
4A) Website visitors and digital properties
4.1 Website functionality and analytics. We process technical data (e.g., IP address, device/browser info, logs, cookie identifiers, page interactions) to operate, secure, and improve our websites, and to understand how visitors interact with them. Legal basis: legitimate interests (and consent for non-essential cookies where required).
4.2 Contact and demo requests. If you submit a contact form or request a demo, we process identifiers and professional info (e.g., name, business email, phone, company, role) and the content of your message to respond and manage the request. Legal basis: legitimate interests and/or steps prior to entering into a contract.
4.3 Marketing communications. We may send business communications about our services. Legal basis: legitimate interests or consent where required; you may opt out at any time.
4B) B2B relations (prospects, customers, partners)
4.4 Relationship management. We process business contact data (name, business email, phone, company, title, notes of interactions) to establish, administer, and maintain our business relationship. Legal basis: legitimate interests and/or contract.
4.5 Account, billing, and compliance. We process billing and transactional data, and limited identity/verification information where necessary, to manage subscriptions, invoices, payments, and to meet legal obligations (e.g., accounting, tax). Legal basis: contract and legal obligation.
4.6 Recorded sales/support meetings and calls. We may record online meetings or calls with customer/prospect representatives with notice, for internal note-taking, training, quality assurance, and to improve customer support and service delivery. Legal basis: legitimate interests (and consent where required by law). You may object to such recordings as described in Section 10.
4C) Service data where we are a processor (customer content)
4.7 Customer content and service operation. When acting as a processor, we process personal data contained in customer content (e.g., contracts, counterparties, signatories, email threads) and service metadata (user IDs, audit logs) to provide, secure, and maintain the service. Legal basis: as determined by the customer (controller); we rely on our contract/DPA with the customer.
4.8 No training on customer content. We do not use customer content (including contracts and related personal data) to train general-purpose AI models for the benefit of other customers.
5) Cookies and Similar Technologies
5.1 Cookies. We use cookies and similar technologies to operate our websites and, where applicable, to provide analytics and marketing functionality. Where required by law, we obtain your consent for non-essential cookies.
5.2 Cookie Statement. Additional details are provided in our Cookie Statement.
5.3 Do Not Track. Some browsers offer "Do Not Track" signals. Because there is no consistent industry standard, we do not currently respond to DNT signals.
6) Sharing and Recipients
6.1 No sale. We do not sell your Personal Data.
6.2 Service providers (processors). We may share Personal Data with vendors who provide services on our behalf (e.g., hosting, analytics, customer support tooling, communications, security). They process Personal Data under our instructions and contractual safeguards.
6.3 Independent controllers. In limited circumstances, we may share Personal Data with independent controllers such as professional advisors (lawyers, auditors) or authorities, who process Personal Data under their own legal obligations.
6.4 Corporate transactions. If we undergo a corporate change (e.g., merger, acquisition), Personal Data may be disclosed as part of that process subject to appropriate protections.
7) International Transfers
7.1 Cross-border transfers. Personal Data may be processed in Türkiye and may be transferred to other countries depending on our vendors and customer configurations. Where required, we implement appropriate legal and technical safeguards for cross-border transfers.
7.2 External platforms. If you interact with us on third-party platforms, those platforms may process data outside your country under their own terms.
8) Security
8.1 Security measures. We use reasonable administrative, technical, and organizational measures designed to protect Personal Data (e.g., access controls, logging, encryption in transit where applicable).
8.2 No absolute security. No method of transmission or storage is 100% secure.
9) Retention
9.1 General rule. We retain Personal Data only as long as necessary for the purposes described, unless a longer period is required by law or needed to establish, exercise, or defend legal claims.
9.2 Website support enquiries. Personal Data processed for customer service enquiries via website forms or email is retained for up to 365 days.
9.3 Demo requests. Personal Data processed for demo requests is retained for up to 365 days.
9.4 External platforms. Messages/comments/reactions on external platforms are retained until you delete them (or we remove them if necessary for legal compliance or platform moderation).
9.5 Sales/support call recordings. Recordings of online meetings/calls are retained only as long as necessary for the stated purposes, and for a maximum of 365 days.
9.6 B2B relations. We process Personal Data about business contacts for as long as we have an active business relationship and thereafter for up to 365 days (or earlier if you are replaced as a contact person or request deletion where applicable), except where longer retention is required by law (e.g., tax/accounting).
9.7 Customer service data in the product. When we act as processor, retention for customer content is governed by the customer's instructions and our DPA/contract. Certain metadata (e.g., security logs) may be retained for limited periods for security and compliance.
10) Your Rights and How to Exercise Them
10.1 KVKK rights. Subject to applicable law, you may have rights including: to learn whether Personal Data is processed; request information; request correction; request deletion or anonymization under certain conditions; object to unlawful processing; and request compensation for damages where permitted by law.
10.2 GDPR/UK GDPR rights (where applicable). Where GDPR/UK GDPR applies, you may have additional rights (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where relevant), and the right to lodge a complaint with a supervisory authority.
10.3 Exercising rights. To exercise your rights, contact us at support@harmonity.ai with the subject "Privacy". We may request verification to protect you and others.
10.4 Processor requests. If your Personal Data is processed in the service under a customer account (e.g., your employer), please direct requests to the relevant customer (controller). We will assist the customer as required under our DPA.
10.5 Objection to recordings. You may object to recorded meetings/calls. If you object, we will offer a reasonable alternative (e.g., proceeding without recording) where feasible.
11) Children / Age
11.1 Not directed to minors. Our websites and services are not intended for individuals under 18, and we do not knowingly collect Personal Data from individuals under 18. If you believe a minor has provided Personal Data, contact us to request deletion.
12) Changes to This Policy
12.1 Updates. We may update this Privacy Policy from time to time. The "Last Updated" date above indicates when it was most recently revised. For material changes, we will provide notice as appropriate (e.g., on our website).
13) Contact and Complaints
13.1 Contact. Questions or requests: support@harmonity.ai (Subject: "Privacy").
13.2 Complaints. Where applicable, you may lodge a complaint with the relevant supervisory authority, including the Turkish Personal Data Protection Authority (KVKK Authority).