Privacy Policy
Last updated: 9 जुलाई 2026
Contents
Overview
This policy explains what personal data DOJILAB processes and why, who we share it with, how long we keep it, and your rights. It is written with the principles of Turkey's KVKK and the GDPR in mind; country-specific detail is in the KVKK Notice and GDPR Notice pages.
Data controller
Your personal data is processed by the data controller identified below. This section is updated once the controller details are finalized.
Categories of data and retention
Only the data below is processed to run the Service; no marketing profiling is performed. Card/wallet payment details are not stored by us; they are processed by the payment provider.
| Data | Scope | Retention |
|---|---|---|
| Account data | Name, email, password hash, language preference, consent timestamp | Until the account is deleted |
| Phone | Phone number and verification status (anti-bot / real-user check) | Until the account is deleted |
| Chart images | Screenshots you upload (private, access-restricted storage) | Until account deletion; rejected/inappropriate uploads deleted immediately |
| Analysis reports | AI-generated technical-outlook reports | Until the account is deleted |
| Payment data | Plan, amount, payment status; card/wallet details held by the payment provider | For statutory retention periods |
| Audit and log data | Security events (register, login, analysis), IP address, device/browser info | Limited period for security |
| Quota counters | Monthly analysis usage counts | Per month; until account deletion |
Purposes of processing
Your data is processed for, and limited to, the following purposes.
| Purpose | Detail |
|---|---|
| Providing the Service | Creating and managing your account and access |
| Producing analyses | Generating technical-outlook reports from your charts |
| Security | Preventing abuse and running quota and fraud checks |
| Billing | Processing paid subscriptions and reconciling with the payment provider |
| Communication | Sending transactional email/SMS (verification, key notices) |
| Legal obligation | Meeting statutory retention and reporting duties |
Legal bases
Each processing activity relies on one of the legal bases below.
| Legal basis | Applied to |
|---|---|
| Performance of a contract | Account, analysis and billing (KVKK 5/2-c; GDPR 6/1-b) |
| Explicit consent | Risk consent and international transfers (KVKK 5/1, 9; GDPR 6/1-a) |
| Legitimate interest | Security, logging and abuse prevention (KVKK 5/2-f; GDPR 6/1-f) |
| Legal obligation | Statutory retention duties (KVKK 5/2-ç; GDPR 6/1-c) |
Sub-processors
The following sub-processors are used to run the Service. Each accesses only the data needed for its function.
| Provider | Role | Region |
|---|---|---|
| Database & storage provider | Hosting account data and chart images | EU (Frankfurt) |
| Application hosting provider | Running the web app and API | Global / US |
| Cache / rate-limit provider | Quota and rate-limit counters | Global |
| AI model provider | Processing chart images for analysis | US |
| Email provider | Sending transactional email | Global / US |
| Phone verification provider | SMS phone verification | Global |
| Payment provider | Payment processing (card/wallet held by provider) | Global |
International transfers
Because some sub-processors are located abroad, your data may be transferred internationally. Such transfers rely on your explicit consent and/or appropriate safeguards such as standard contractual clauses, under KVKK art. 9 and GDPR Chapter V.
Retention periods
Your data is kept while your account is active and for as long as legal obligations require. Security and audit logs are kept for a limited period. After a deletion request, data is deleted within a reasonable technical timeframe; see the Data Retention & Deletion section.
Data security
We apply technical and organizational measures such as access control, encrypted transport, and private, access-restricted storage. No system is 100% secure, but we work to reduce risk to a reasonable level.
Your rights
You have the rights of access, rectification, erasure, restriction of processing, objection, data portability, and withdrawal of consent. Requests can be made to the contact address below and are answered within the statutory period (at most 30 days).
Children's data
The Service is not directed to persons under 18, and we do not knowingly collect data from children. If we learn we have processed a child's data, we delete it.
Changes to this policy
We may update this policy. Material changes are announced in the Service or by email, and the current version is always published on this page.
Contact
For all privacy requests, use the data controller's contact details below.
Business and data-controller details
- Legal name
- [ŞİRKET ÜNVANI BURAYA GELECEK]
- Address
- [ŞİRKET ADRESİ BURAYA GELECEK]
- Tax / Registration No
- [VERGİ / REGISTRATION NO BURAYA GELECEK]
- Support
- destek@dojilab.com
- Legal notices
- [HUKUKİ TEBLİGAT E-POSTASI BURAYA GELECEK]
- Governing law
- [UYGULANACAK HUKUK / YARGI YETKİSİ BURAYA GELECEK]