1) Data controller and processor roles

OSINTA.AI acts as a data processor for customer data and as a data controller for account and service operation data. We process personal data in accordance with KVKK requirements and your instructions.

Depending on deployment and service configuration, data processing agreements may be available for enterprise customers.

2) Data subject rights (KVKK Art.11)

We support data subject rights under KVKK Art.11, including:

• Right to learn whether personal data is processed and request information about processing.
• Right to learn the purpose of processing and whether data is used in accordance with that purpose.
• Right to know third parties to whom data is transferred domestically or internationally.
• Right to request rectification if data is incomplete or inaccurate.
• Right to request deletion or destruction of data under KVKK Art.7 conditions.
• Right to object to processing that may result in negative consequences.
• Right to request compensation for damages arising from unlawful processing.

3) Lawful bases for processing

Personal data is processed under KVKK Art.5 based on:

• Explicit consent: Where provided for specific processing purposes.
• Legal obligation: Compliance with statutory requirements and obligations.
• Contract performance: Necessary for establishing or performing a contract.
• Legitimate interests: Service security, abuse prevention, and performance improvements, where not overriding data subject interests.

4) Data transfers and safeguards

Data may be transferred to service providers necessary for service delivery, including cloud hosting, communications, and analytics (if enabled).

Where transfers occur outside Turkey, we aim to use appropriate safeguards as required by applicable law, such as Standard Contractual Clauses or adequacy decisions.

Transfer scope is kept to a minimum and limited to what is necessary for service operation.

5) Data minimization and retention

We collect and retain only the data necessary for service operation and support. Data retention periods are aligned with service needs and legal requirements under KVKK.

Data is deleted when no longer needed for the processing purpose or upon request, subject to legal retention obligations.

6) Security and breach notification

We implement technical and organizational measures to protect personal data, including encryption, access controls, and regular security assessments.

In the event of a data breach that may affect your rights, we will notify you and the Personal Data Protection Authority (KVKK) as required by applicable law, typically within 72 hours where feasible.