This Privacy Policy explains how personal data is collected, processed and protected in connection with the Bulfinex Industry 4.0 SaaS platform (https://bulfinex.com/industry) operated by Graviti Labs ("Bulfinex", "we", "us"). This policy is drafted with regard to both the Turkish Data Protection Law No. 6698 (KVKK) and the EU General Data Protection Regulation (GDPR). For data subjects in Türkiye, our KVKK Disclosure also applies.
1. Data Controller
Graviti Labs ("Bulfinex") is the data controller for personal data processed on the platform. Responsible person: Tahsin Bayraktar. Contact for all privacy matters: info@gravitilabs.com.
For customer business data such as machine telemetry, our customer is the data controller and Graviti Labs acts as a data processor on the customer's behalf (see Section 5).
2. Scope
This policy applies to visitors of the bulfinex.com/industry website, customers who create trial or paid accounts, team members invited to customer accounts, and users of the platform APIs.
3. Categories of Data We Process
We process the following categories of data in connection with the platform:
- Account data: name, company name, email, phone, city, industry,
- Team data: email addresses and role assignments of team members invited by the customer,
- Asset metadata: factory, machine and device descriptions (brand, model, location, connection configuration),
- Machine telemetry: production, energy and sensor time-series (processed as customer business data; not personal data),
- Security data: IP address, session records, access and audit logs,
- Cookies: session and language preference cookies (no third-party advertising cookies),
- Payment data: subscription plan and invoice records; card data is processed by iyzico and never stored by us.
4. Purposes and Legal Bases
We process personal data for the following purposes and on the following legal bases:
- Providing the Service, creating and managing accounts — performance of a contract,
- Billing, subscription and payment management — performance of a contract and legal obligation,
- Platform security, fraud prevention, access logging and rate limiting — legitimate interest,
- Improving service quality and debugging — legitimate interest,
- Product announcements and marketing communications — consent (withdrawable at any time),
- Responding to legal requests and regulatory compliance — legal obligation.
5. Telemetry: Customer Business Data
Production, energy and sensor time-series collected from machines, sensors and gateways constitute the customer's business data and are processed solely on the customer's behalf to provide the Service. As a rule, this data does not contain personal data; the customer is responsible for not injecting personal data into telemetry channels.
Telemetry data is owned by the customer. Customers can export their data from the platform; upon account closure, data is deleted within 30 days and backups are destroyed within a maximum of 90 days.
6. Subprocessors
We work with the following subprocessors to provide the Service. Each processes data only for the stated role and under contractual data protection commitments:
- Hetzner — cloud hosting and servers — Germany / Finland (EU),
- Neon — PostgreSQL database hosting — EU region,
- Upstash — Redis (session and rate-limiting infrastructure) — EU region,
- Resend — transactional email delivery — email service,
- iyzico — payment processing — card data is processed and stored exclusively by iyzico,
- Optional AI providers — only if the customer configures its own API key; keys are stored encrypted with AES-256-GCM, and only customer-initiated requests are forwarded to the selected provider.
7. International Data Transfers
Your data is hosted primarily within the European Union (data centers in Germany and Finland). Limited transfers outside the EU, where necessary, are carried out under appropriate safeguards such as adequacy decisions or standard contractual clauses.
Transfers to AI providers configured by the customer at its own choice are governed by the customer's selection and that provider's data processing terms.
8. Data Retention
We retain data only for as long as necessary for the relevant purpose:
- Account data: for the subscription term and 30 days after account closure,
- Backup copies: up to 90 days after account closure,
- Invoice and payment records: statutory retention periods under tax and commercial law (up to 10 years in Türkiye),
- Access and audit logs: a reasonable and proportionate period for security purposes,
- Marketing permissions: until consent is withdrawn.
9. Security Measures
Technical and organizational measures we apply to protect data include:
- TLS encryption in transit,
- AES-256-GCM encryption at rest for secrets and API keys,
- Tenant isolation and role-based access control (RBAC),
- Audit logs and access records,
- Rate limiting and abuse detection,
- Need-to-know access restrictions and periodic access reviews.
10. Your Rights
Under the KVKK and the GDPR you have the right to access your data, request rectification, request erasure, request restriction of processing, receive your data in a portable format, object to processing based on legitimate interest, and withdraw any consent you have given at any time.
Withdrawal of consent does not affect the lawfulness of processing before withdrawal. You also have the right to lodge a complaint with the competent data protection authority (in Türkiye, the Personal Data Protection Authority).
11. How to Exercise Your Rights
To exercise your rights, email us at info@gravitilabs.com. We may request reasonable information to verify your identity. Requests are answered within 30 days at the latest. If you are a team member of one of our customers and the request concerns data in the customer's account, we may forward the request to, or coordinate the response with, the relevant customer.
12. Cookies
The platform uses only essential and functional cookies for session authentication and language preference; no third-party advertising or tracking cookies are used. See our Cookie Policy for details.
13. Children
The Service is directed at businesses (B2B) and is not intended for persons under 18. We delete account data that we determine belongs to persons under 18.
14. Data Breach Notification
If we detect a security breach affecting personal data, we assess the breach, notify the competent authority where required within the statutory deadlines (as a rule 72 hours under the GDPR), and inform affected customers without undue delay. Notifications describe the nature of the breach, its likely consequences and the measures taken.
15. Changes to This Policy
We may update this policy as our services evolve. Material changes will be notified by email or within the platform; the current version is always published on this page.
16. Contact
For all privacy questions and requests: Graviti Labs — info@gravitilabs.com. Responsible person: Tahsin Bayraktar.
Graviti Labs — info@gravitilabs.com