KVKK Disclosure (Türkiye)

Last updated: June 20, 2026

This page is an English summary of the disclosure notice required under Article 10 of the Turkish Personal Data Protection Law No. 6698 ("KVKK") for the Bulfinex Industry 4.0 platform (https://bulfinex.com/industry). It informs you about how your personal data is processed by the data controller, Graviti Labs ("Bulfinex"), on which legal grounds, to whom it is transferred, and your rights under the KVKK. In case of interpretation questions, the Turkish version prevails.

1. Data Controller

Graviti Labs ("Bulfinex") is the data controller under the KVKK for personal data processed in the course of providing the Bulfinex Industry 4.0 services (the "Service"). Responsible person: Tahsin Bayraktar. Contact: info@gravitilabs.com.

2. Scope

This notice covers customer representatives who register for the Service, team members invited to customer accounts, website visitors, and individuals who contact us regarding the Service.

3. Categories of Personal Data Processed

The following categories of personal data are processed in connection with the Service:

  • Identity data: first name, last name,
  • Contact data: email address, phone number, city,
  • Customer transaction data: company name, industry, subscription plan, invoice records,
  • Team member data: email addresses and roles of users invited by the customer,
  • Transaction security data: IP address, session records, access and audit logs, cookie records.

4. Nature of Telemetry Data

Factory, machine and device metadata, together with production, energy and sensor time-series collected from machines (telemetry), constitute the customer's business data and, as a rule, do not qualify as personal data. This data is processed on the customer's behalf solely to provide the Service; it is the customer's responsibility not to inject personal data into telemetry channels.

5. Purposes of Processing

Your personal data is processed for the following purposes:

  • Providing the Service and creating and managing your account,
  • Managing subscription, billing and payment processes (payment instrument data is processed by iyzico),
  • Managing team member invitations and authorizations,
  • Ensuring platform security and preventing unauthorized access and fraud,
  • Handling support requests and communication,
  • Improving service quality,
  • Fulfilling legal obligations and responding to requests of competent authorities,
  • Product announcements and marketing communications, subject to your explicit consent.

6. Legal Grounds

Your personal data is processed on the following legal grounds: processing is necessary for the establishment or performance of a contract (KVKK Art. 5/2-c), processing is necessary for us to comply with our legal obligations (KVKK Art. 5/2-ç), and processing is necessary for our legitimate interests provided that your fundamental rights and freedoms are not harmed (KVKK Art. 5/2-f).

Processing activities not covered by these grounds, such as marketing communications, are carried out only on the basis of your explicit consent (KVKK Art. 5/1), which you may withdraw at any time.

7. Transfers of Personal Data

Your personal data is transferred, to the extent necessary to provide the Service and under data processing agreements, to the following subprocessors:

  • Hetzner (cloud hosting — Germany/Finland, EU),
  • Neon (PostgreSQL database — EU region),
  • Upstash (Redis session and rate-limiting infrastructure — EU region),
  • Resend (transactional email delivery),
  • iyzico (payment processing — card data is processed exclusively by iyzico and never stored by us),
  • Optional AI providers configured by the customer with its own API key (keys are encrypted with AES-256-GCM).
  • As our hosting infrastructure is located in the European Union (Germany and Finland), international transfers take place; these transfers are carried out in accordance with the procedures set out in Article 9 of the KVKK (adequacy decisions, undertakings/standard contractual mechanisms and other appropriate safeguards). Your personal data may also be disclosed to competent public authorities where legally required.

8. Retention Periods

Your personal data is retained for as long as required by the processing purpose:

  • Account data: for the subscription term and 30 days after account closure,
  • Backup copies: up to 90 days after account closure,
  • Invoice and payment records: statutory periods under tax and commercial law (up to 10 years),
  • Access and transaction security logs: a reasonable and proportionate period for security purposes,
  • Consent-based processing: until consent is withdrawn.

9. Data Security Measures

In accordance with Article 12 of the KVKK, we implement the technical and organizational measures necessary to ensure an appropriate level of security and to prevent unlawful processing of and access to personal data:

  • TLS encryption in transit; AES-256-GCM encryption at rest for secrets,
  • Tenant isolation in the multi-tenant architecture and role-based access control (RBAC),
  • Audit logs, access records and rate limiting,
  • Need-to-know access restrictions and periodic access reviews.

10. Cookies

The platform uses only an essential session cookie for authentication and a functional cookie storing your language preference. No third-party advertising or tracking cookies are used. Details are provided in our Cookie Policy.

11. Your Rights under Article 11 of the KVKK

By applying to the data controller, you have the right to:

  • Learn whether your personal data is processed,
  • Request information if it has been processed,
  • Learn the purpose of processing and whether the data is used in line with that purpose,
  • Know the third parties to whom your data is transferred, in Türkiye or abroad,
  • Request rectification if the data is incomplete or inaccurate,
  • Request erasure or destruction under the conditions set out in Article 7 of the KVKK,
  • Request that rectification, erasure or destruction be notified to third parties to whom the data was transferred,
  • Object to a result arising against you from analysis of your data exclusively by automated systems,
  • Claim compensation for damages arising from unlawful processing.

12. How to Apply

You may submit requests concerning your rights, together with information verifying your identity, by email to info@gravitilabs.com. Applications are concluded free of charge within 30 days at the latest, in accordance with Article 13 of the KVKK and the Communiqué on the Procedures and Principles of Application to the Data Controller; if the process requires an additional cost, the fee in the tariff determined by the Board may be charged.

If your application is rejected, you find the response insufficient, or no response is given in time, you retain the right to lodge a complaint with the Turkish Personal Data Protection Board.

13. Changes

This disclosure may be updated in line with the development of our services and legislation. Material changes will be announced by email or within the platform; the current version is always published on this page.

Graviti Labs — info@gravitilabs.com