Privacy Policy

Last updated: 9. Juli 2026

Contents
  1. Overview
  2. Data controller
  3. Categories of data and retention
  4. Purposes of processing
  5. Legal bases
  6. Data sharing
  7. Sub-processors
  8. International transfers
  9. Retention periods
  10. Data security
  11. Your rights
  12. Cookies
  13. Children's data
  14. Changes to this policy
  15. Contact

Overview

This policy explains what personal data DOJILAB processes and why, who we share it with, how long we keep it, and your rights. It is written with the principles of Turkey's KVKK and the GDPR in mind; country-specific detail is in the KVKK Notice and GDPR Notice pages.

Data controller

Your personal data is processed by the data controller identified below. This section is updated once the controller details are finalized.

Categories of data and retention

Only the data below is processed to run the Service; no marketing profiling is performed. Card/wallet payment details are not stored by us; they are processed by the payment provider.

Categories of data and retention
DataScopeRetention
Account dataName, email, password hash, language preference, consent timestampUntil the account is deleted
PhonePhone number and verification status (anti-bot / real-user check)Until the account is deleted
Chart imagesScreenshots you upload (private, access-restricted storage)Until account deletion; rejected/inappropriate uploads deleted immediately
Analysis reportsAI-generated technical-outlook reportsUntil the account is deleted
Payment dataPlan, amount, payment status; card/wallet details held by the payment providerFor statutory retention periods
Audit and log dataSecurity events (register, login, analysis), IP address, device/browser infoLimited period for security
Quota countersMonthly analysis usage countsPer month; until account deletion

Purposes of processing

Your data is processed for, and limited to, the following purposes.

Purposes of processing
PurposeDetail
Providing the ServiceCreating and managing your account and access
Producing analysesGenerating technical-outlook reports from your charts
SecurityPreventing abuse and running quota and fraud checks
BillingProcessing paid subscriptions and reconciling with the payment provider
CommunicationSending transactional email/SMS (verification, key notices)
Legal obligationMeeting statutory retention and reporting duties

Legal bases

Each processing activity relies on one of the legal bases below.

Legal bases
Legal basisApplied to
Performance of a contractAccount, analysis and billing (KVKK 5/2-c; GDPR 6/1-b)
Explicit consentRisk consent and international transfers (KVKK 5/1, 9; GDPR 6/1-a)
Legitimate interestSecurity, logging and abuse prevention (KVKK 5/2-f; GDPR 6/1-f)
Legal obligationStatutory retention duties (KVKK 5/2-ç; GDPR 6/1-c)

Data sharing

Your personal data is not sold. It is shared only with sub-processors strictly necessary to run the Service, and with competent authorities where legally required.

Sub-processors

The following sub-processors are used to run the Service. Each accesses only the data needed for its function.

Sub-processors
ProviderRoleRegion
Database & storage providerHosting account data and chart imagesEU (Frankfurt)
Application hosting providerRunning the web app and APIGlobal / US
Cache / rate-limit providerQuota and rate-limit countersGlobal
AI model providerProcessing chart images for analysisUS
Email providerSending transactional emailGlobal / US
Phone verification providerSMS phone verificationGlobal
Payment providerPayment processing (card/wallet held by provider)Global

International transfers

Because some sub-processors are located abroad, your data may be transferred internationally. Such transfers rely on your explicit consent and/or appropriate safeguards such as standard contractual clauses, under KVKK art. 9 and GDPR Chapter V.

Retention periods

Your data is kept while your account is active and for as long as legal obligations require. Security and audit logs are kept for a limited period. After a deletion request, data is deleted within a reasonable technical timeframe; see the Data Retention & Deletion section.

Data security

We apply technical and organizational measures such as access control, encrypted transport, and private, access-restricted storage. No system is 100% secure, but we work to reduce risk to a reasonable level.

Your rights

You have the rights of access, rectification, erasure, restriction of processing, objection, data portability, and withdrawal of consent. Requests can be made to the contact address below and are answered within the statutory period (at most 30 days).

Cookies

The site uses strictly necessary cookies only, such as session, language preference, and cookie consent; no analytics or advertising cookies are used. See the Cookie Policy for details.

Children's data

The Service is not directed to persons under 18, and we do not knowingly collect data from children. If we learn we have processed a child's data, we delete it.

Changes to this policy

We may update this policy. Material changes are announced in the Service or by email, and the current version is always published on this page.

Contact

For all privacy requests, use the data controller's contact details below.

Business and data-controller details

Legal name
[ŞİRKET ÜNVANI BURAYA GELECEK]
Address
[ŞİRKET ADRESİ BURAYA GELECEK]
Tax / Registration No
[VERGİ / REGISTRATION NO BURAYA GELECEK]
Support
destek@dojilab.com
Legal notices
[HUKUKİ TEBLİGAT E-POSTASI BURAYA GELECEK]
Governing law
[UYGULANACAK HUKUK / YARGI YETKİSİ BURAYA GELECEK]