Privacy Policy.

This policy explains how d-dat — data-driven ai technologies ("d-dat", "we", "us") processes personal data we collect when you use d-dat.com, app.d-dat.com and our products (d-lens, d-reach).

It applies under Turkey's Personal Data Protection Law No. 6698 (KVKK), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).

---

// 01Data Controller Identity

Legal name	DATA ANALYTICS TEKNOLOJİ REKLAM ANONİM ŞİRKETİ
Mersis no.	0271-1964-6050-0001
Tax office / no.	Maslak Tax Office · 2711964605
Address	Maslak Mah. Eski Büyükdere Cad. No: 21 İç Kapı No: 1 Sarıyer / İstanbul, Türkiye
Registered email (KEP)	mesut.sefizade@hs01.kep.tr
VERBİS status	We are not subject to VERBİS registration
Data subject requests	info@d-dat.com
General contact	info@d-dat.com
Data Protection Officer	Mesut Şefizade · Founder — info@d-dat.com (Data Protection Contact Point)

Designation of an EU representative under GDPR Article 27 is in progress; this page will be updated once appointed. CCPA US contact point: info@d-dat.com.

// 02Who This Policy Covers

• Anyone who visits our websites
• People who create a free or Pro d-lens account
• People who use d-reach (free trial or paid)
• Our B2B service customers (ad management) and their employees
• Anyone who fills out a contact form or emails us
• People who give us information at events, demos, or sales meetings

// 03What Data We Collect

3.1 Data you give us directly

Category	Examples	Source
Identity	First name, last name	Contact form, signup
Contact	Work email, phone	Contact form, signup
Business info	Company name, role	Signup, sales call
Content	Message text, questions	Contact form, email
Account credentials	Magic-link verification	d-lens / d-reach login
Payment	Billing name, tax no., last 4 digits of card	d-lens Pro / d-reach subscription

3.2 Data automatically generated when you use the product

Category	Examples
OAuth tokens	Read-only authorisation tokens you grant for Google Ads / Meta / TikTok / GA4 / Shopify. We cannot make changes in your account — the token is read-only.
Ad account data	Campaigns, ad groups, keywords, conversions, performance metrics. Our access ends when you revoke authorisation or delete the data.
d-reach content	Customer lists you upload, messages sent, replies received, automation flows
Usage logs	Which modules you opened, which scans you ran, session durations
Device / technical	IP address, browser, OS, language, screen resolution
Cookies	See Cookie Policy

3.3 Data from third parties

• Google, Meta, TikTok, LinkedIn: Ad clicks, conversion data (you authorised access via their accounts)
• Payment provider PayTR Ödeme ve Elektronik Para Hizmetleri A.Ş.: payment confirmation data
• Sales tools: LinkedIn outreach, Apollo, etc. — only at the level of B2B business contact info

// 04Why We Process This Data

For each data category we must declare a legal basis and a purpose. The table below summarises this.

Purpose	Data	KVKK basis	GDPR basis
Providing the service (signup, account management, scans, message sending)	Identity, contact, account, OAuth, content	Performance of contract	Art. 6(1)(b) — contract
Billing and payment	Identity, payment	Legal obligation + contract	Art. 6(1)(b) and (c)
Replying to contact forms, sales calls	Identity, contact, content	Legitimate interest	Art. 6(1)(f) — legitimate interest
Marketing emails, product announcements	Contact	Explicit consent	Art. 6(1)(a) — consent
Targeting cookies for advertising	Cookie data	Explicit consent	Art. 6(1)(a) — consent
Site analytics (anonymised)	Cookie, technical	Legitimate interest (KVKK Cookie Guide)	Art. 6(1)(f)
Security, fraud prevention	Technical, usage	Legitimate interest	Art. 6(1)(f)
Legal obligations (tax, KVKK notifications, court orders)	Various	Legal obligation	Art. 6(1)(c)

// 05d-lens — OAuth and Ad Account Data

d-lens connects to Google Ads, Meta, TikTok, GA4, Shopify and similar platforms with read-only permissions to scan your account.

What we do

• Read campaign, ad group, keyword, conversion metrics
• Analyse account structure
• Interpret findings with AI and present action recommendations

What we don't do

• We cannot make changes in your account — the permission is read-only
• We do not access payment information, customer lists, or personal customer identity data
• We do not use your data to train AI models — per Google API Services User Data Policy "Limited Use" rule. We only use the data to deliver service to you.
• We do not sell your data to third parties

You can revoke access at any time

• Google: myaccount.google.com/permissions
• Meta: Settings → Business Integrations
• TikTok: Ads Manager → Asset → App Authorization
• or one click from app.d-dat.com

Once revoked, your data (other than service records) is deleted within 30 days.

// 06d-reach — Customer Lists and WhatsApp

This section is important. Read carefully.

When you, as a d-reach user, upload your customer list (phone numbers, names, etc.) and send messages:

• The list is your customers — you are the "data controller"
• d-dat processes that data on your behalf — we are the "data processor"
• You must have explicit consent for WhatsApp communication from the people you upload. This is required by Meta's WhatsApp Business Policy and KVKK.
• Uploading a list without explicit consent is prohibited and may result in account suspension.
• Detailed terms: see Data Processing Agreement (DPA) and Terms of Service.

The WhatsApp Business infrastructure is provided by Meta via Gupshup Inc. Messages traverse Meta's servers.

// 07Who We Share Data With

We never sell your data. We share it in the three cases below:

7.1 Our service providers (sub-processors)

Category	Provider	Data type	Location
Cloud infrastructure / hosting	Amazon Web Services EMEA SARL	All data (encrypted)	Frankfurt · EU
Database management	AWS RDS	Account, usage	Frankfurt · EU
Email delivery	Mailchimp (Intuit Inc.)	Contact	USA
Payment processing	PayTR A.Ş.	Payment	Türkiye (domestic)
WhatsApp Business API	Gupshup Inc. + Meta	d-reach content	USA / India / Ireland
Analytics	Google (GA4)	Anonymous usage	USA / EU
Ad measurement	Meta, Google, LinkedIn	Cookie data	USA / EU
Customer support	In-house tooling (own AWS infra)	Contact, content	Frankfurt · EU

All providers are bound by a data processing agreement (DPA) and meet KVKK Art. 12 and GDPR Art. 28 security obligations.

7.2 Legal obligation

When required by court order, prosecutor request, or law. We notify you when possible (unless prohibited).

7.3 Corporate change

In the event of a merger, sale, or restructuring, your data may be transferred to the new entity — we will notify you in advance.

// 08International Data Transfers

We are based in İstanbul. However, parts of our service infrastructure (AWS, Google Cloud, etc.) are located outside Türkiye. Per KVKK Art. 9 and GDPR Chapter V:

Transfer	To	Protection mechanism
EU countries	Ireland, Germany, Netherlands	GDPR adequacy (KVKK accepts equivalent protection level)
USA	Our cloud providers	EU-US Data Privacy Framework (DPF) certified providers + KVKK Standard Contract + GDPR Standard Contractual Clauses
Other	—	KVKK Art. 9/4 — explicit consent or necessity grounds

Following the March 2024 KVKK amendments, we use the Standard Contract mechanism; relevant contracts are filed with the Authority within 5 working days.

// 09How Long We Retain Your Data

Data	Retention period	Basis
Active account data	While account is active	Contract
Closed account	30 days (recovery window) → deleted	Contract
Billing records	10 years	Tax Procedure Law, Turkish Commercial Code
Contact form messages	2 years	Legitimate interest
Marketing list (with consent)	Until consent withdrawn	Consent
Server logs	6 months	Security
Backups	90-day rotation	Operational
Anonymised statistics	Indefinite	Anonymous, outside KVKK scope

At the end of the retention period, data is deleted or irreversibly anonymised.

// 10Your Rights

10.1 KVKK Article 11 — Data Subject Rights

Under KVKK every data subject has the right to:

1. Learn whether their personal data is being processed
2. Request information about it if it is
3. Learn the purpose of processing and whether the data is used in line with that purpose
4. Know the third parties to whom data is transferred domestically or abroad
5. Request correction if processed incompletely or inaccurately
6. Request deletion or destruction within the conditions of KVKK Art. 7
7. Request that any correction, deletion or destruction be communicated to third parties
8. Object to outcomes adverse to them resulting from automated analysis
9. Claim compensation if they suffer damage due to unlawful processing

10.2 GDPR — Additional rights for EU residents

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / right to be forgotten (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20) — request your data in machine-readable format
• Right to object (Art. 21)
• Right not to be subject to automated decision-making (Art. 22)
• Right to lodge a complaint with your country's supervisory authority

10.3 CCPA / CPRA — Additional rights for California residents

• Right to Know — what we have collected about you
• Right to Delete — request deletion of your data
• Right to Correct — request correction of inaccurate data
• Right to Opt-Out of Sale/Sharing — object to sale/sharing of your data. We do not sell data, but targeted advertising cookies may be considered "sharing"; you can opt out via the cookie banner.
• Right to Limit Use of Sensitive Personal Information
• Right to Non-Discrimination — we cannot exclude you for exercising these rights

10.4 How to exercise your rights

• Email: info@d-dat.com (Türkiye + global)
• Written: Maslak Mah. Eski Büyükdere Cad. No: 21 İç Kapı No: 1 Sarıyer / İstanbul, Türkiye
• KEP: mesut.sefizade@hs01.kep.tr
• Application form: /en/data-request

We respond to KVKK requests within 30 days and to GDPR requests within 1 month. We may verify your identity.

// 11Data Security

Per KVKK Art. 12 and GDPR Art. 32, we apply the following measures:

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access control: Role-based, least-privilege principle
• OAuth tokens: Stored encrypted in a separate keyvault, no employee sees raw tokens
• Logging and monitoring: Suspicious-access alerts 24/7
• Security testing: Annual penetration test, continuous vulnerability scanning
• Personnel: Mandatory KVKK training, signed confidentiality undertaking
• Backup: Encrypted, 90-day rotation

// 12Breach Notification

In the event of a data breach:

• Per GDPR Art. 33 we notify the supervisory authority within 72 hours
• Per KVKK Art. 12/5 we notify the KVK Authority and affected data subjects as soon as possible and in any case within 72 hours with reasonable cause
• For high-risk breaches we notify you directly by email

// 13Children's Data

d-dat products are intended for adults and businesses. We do not knowingly serve children under 16. Under California's CCPA, opt-in is required to sell or share data of anyone under 16 — we never do this.

// 14Automated Decision-Making and Profiling

d-lens analyses your ad account with AI and produces recommendations. These recommendations:

• Are presented to you — the final decision is yours
• Do not automatically make changes in your account
• Have no legal effect

Therefore, within the meaning of GDPR Art. 22, this is not a "decision based solely on automated processing producing legal effects". You may object to a review or request a manual conversation.

// 15Changes to This Policy

We may update this policy. For significant changes:

• We send an email notification (to our users)
• We display a notice in the top banner of the website for 14 days
• The effective date is always shown at the top

Past versions are available from info@d-dat.com.

// 16Contact

KVKK / Data protection	info@d-dat.com
General	info@d-dat.com
DPO (Data Protection Officer)	Mesut Şefizade · Founder — info@d-dat.com
Postal	Maslak Mah. Eski Büyükdere Cad. No: 21 İç Kapı No: 1 Sarıyer / İstanbul, Türkiye
KEP	mesut.sefizade@hs01.kep.tr

Supervisory authorities

• Türkiye: Personal Data Protection Authority — www.kvkk.gov.tr
• EU: Data protection authority of your country of residence
• USA/CA: California Attorney General — oag.ca.gov/privacy