Privacy Policy
Last updated: [DATE] · Version: [v1.0 — draft]
This text is a draft
The text below is a draft and is under legal review; it does not constitute a binding commitment until approved and put into effect. Fields in square brackets [...] will be completed with company information. The final, binding text is pending legal counsel approval.
This Privacy Policy explains for which purposes personal data processed via the Zencron platform ("Platform") is used, with whom it is shared, how long it is retained, and the rights of data subjects. The Platform operates in accordance with Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") and related legislation.
1. Data Controller
The Platform is operated by [Company Legal Name] (the "Company"). Contact details: Address [Address]; e-mail [KVKK e-mail]; registered e-mail (KEP) [KEP]; VERBİS number [if any].
You may direct any questions or requests regarding your personal data to the Company through the channels above.
2. Scope and Our Roles
Zencron is a multi-tenant platform enabling agencies to offer AI-powered tools to their own customers (tenants). Given this structure, the Company assumes two distinct roles:
- For account data of agency and tenant users, the Company is the data controller.
- For data belonging to the tenant businesses' own customers, the Company acts as a data processor on the tenant's instructions. The obligation to inform and obtain consent for such data lies with the relevant tenant (see the Data Processing Agreement).
3. Personal Data Processed
The following categories of data may be processed on the Platform:
- Identity and contact data (name, e-mail, phone, business details).
- Account and usage data (role, preferences, session and activity logs).
- Payment and billing data (invoice details, subscription and credit records).
- Technical data (IP address, device and browser information, approximate location, log records).
- Support and communication content.
- Message content you send to AI-powered chat channels (WhatsApp, Instagram).
4. Purposes and Legal Grounds of Processing
Your personal data is processed for the following purposes and legal grounds:
- Provision of the service and performance of the contract (KVKK art. 5/2-c).
- Security, fraud prevention and statutory record-keeping (legitimate interest / legal obligation).
- Retention obligations arising from legislation (legal obligation).
- Optional marketing, commercial electronic messages and optional cookies (explicit consent).
5. Transfers and Cross-Border Transfers
To provide the service, personal data is transferred to third-party service providers acting as sub-processors. Some of these providers are located abroad (particularly in the USA).
Cross-border transfers are carried out under appropriate safeguards (e.g. standard contracts) within the framework of KVKK art. 9 and/or, where necessary, based on explicit consent. Main sub-processors:
- Hosting and infrastructure: Supabase, Vercel, Upstash.
- AI processing: OpenAI (USA).
- E-mail delivery: Resend.
- Messaging channels: Meta/WhatsApp, Instagram.
- Calendar integration: Google.
- Error and performance monitoring: Sentry, Slack.
6. Retention Periods
Personal data is retained for as long as required by the processing purpose and applicable legislation. At the end of the period, data is deleted, destroyed or anonymised.
Upon an account deletion request, data is deleted after a [30]-day grace period; records subject to statutory retention obligations are exempt from this period.
7. Your Rights (KVKK art. 11)
As a data subject, you have the following rights:
- To learn whether your personal data is processed and to access it.
- To request correction of incomplete or inaccurately processed data.
- To request erasure or destruction of data.
- To object to processing and to request information about third parties to whom data is transferred.
- To request compensation for damages arising from unlawful processing.
8. Cookies
For detailed information about the cookies used on the Platform and preference management, please see the Cookie Policy.
9. Data Security
Pursuant to KVKK art. 12, the Company applies appropriate technical and administrative measures (access control, row-level security, encryption, logging, etc.) to prevent unlawful processing of and access to personal data.
10. Updates and Contact
This policy may be updated from time to time; significant changes are communicated through appropriate channels. For questions, you may write to [KVKK e-mail].