
Privacy Policy

Draft document: This document is a working draft and has not been reviewed by qualified legal counsel. The final, reviewed version will replace this content before production launch.

Effective date: 2026-05-04
Version: 1.0


1. Who we are (Data Controller)

Solustiq Yazılım ve Yapay Zeka Teknolojileri Anonim Şirketi
Address: Abdurrahman Mah. Şehit Emniyet Müdürü Ertan Nezihi Turan Cad. Yaşar Atlı Plaza No: 7 İç Kapı No: 40, Merkez / Edirne, Türkiye
Tax ID (VKN): 7730942638 — Tax Office: Arda
Privacy contact: privacy@datagreat.com

We are the data controller for personal data processed in connection with our DataGreat tourism intelligence platform.

This Privacy Policy explains what personal data we collect, why we process it, with whom we share it, how long we keep it, and what rights you have. It applies in English-language contexts and is intended to satisfy the EU General Data Protection Regulation (GDPR), UK GDPR, and the substantive requirements of the Personal Data Protection Law of Türkiye (KVKK Law No. 6698). The Turkish-language KVKK Aydınlatma Metni at /legal/kvkk controls in disputes governed by Turkish law.

2. Categories of personal data we collect

| Category | Examples | Source |
|---|---|---|
| Identity | Name, email, password (hashed) | You at sign-up |
| Account / profile | Company, job title, language | You |
| Transactional | Payment method (tokenised by Stripe), invoice records | You + Stripe |
| Usage | Pages visited, features used, IP, user agent | Automatic on Service use |
| Content | User-generated reports, personas, briefs, Lab notes, Sherpa conversations | You |
| Communications | Support emails, chat messages | You |
| Cookies/analytics | Session ID, analytics events | Automatic, after consent |

We do not collect special-category data (health, biometrics, political opinions, etc.) and ask that you do not upload such data to the Service.

3. Lawful bases for processing (GDPR Article 6)

| Purpose | Lawful basis |
|---|---|
| Account creation, service delivery, billing | Contract (Art. 6(1)(b)) |
| Internal product improvement, security, fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Compliance with tax and commercial-record obligations | Legal obligation (Art. 6(1)(c)) |
| Marketing emails / newsletter | Consent (Art. 6(1)(a)); withdrawable at any time |
| Optional analytics cookies | Consent (Art. 6(1)(a)) |
| Defending or pursuing legal claims | Legitimate interests (Art. 6(1)(f)) |

Under KVKK, the equivalent legal grounds are Articles 5(2)(a) (express consent) for marketing/analytics, and 5(2)(c) (necessity for contract) or 5(2)(ç) (legal obligation) for service delivery and bookkeeping.

4. How we use your data

  • Provide and maintain the Service (authentication, feature delivery)
  • Process payments and billing (Stripe charges, invoices)
  • Communicate with you (transactional emails, support, security notifications)
  • Improve and secure the Service (logs, abuse detection, performance)
  • Train fraud-detection models on metadata (never on User Content)
  • Comply with law (tax records, KVK Kurumu requests, court orders)
  • Send marketing emails (only with your prior consent)

We do not train AI models on your User Content. Outputs from Anthropic Claude are processed transiently and not retained by Anthropic for training under our enterprise terms.

5. Sub-processors and recipients

We share personal data with the following sub-processors strictly to operate the Service:

| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (Supabase Inc.) | Authentication, database hosting | EU (Frankfurt) |
| Vercel Inc. | Application hosting, serverless functions | US (with EU edge) |
| Stripe Payments Europe Ltd. | Payment processing | IE (EU) |
| Anthropic PBC | LLM inference for AI tools | US |
| Resend | Transactional + marketing email | US (EU option configurable) |
| PostHog | Product analytics (if enabled with your consent) | US/EU |
| Cloudflare (where used) | DDoS protection, CDN | Global |
| Google / Apple (where used for SSO) | Authentication | Global |

Each sub-processor operates under a data-protection agreement that includes Standard Contractual Clauses (SCCs) for international transfers where applicable.

We disclose personal data to professional advisors (lawyers, accountants, auditors) and to authorities where legally required.

We do not sell personal data.

6. International data transfers

Some sub-processors are located outside the EEA, the United Kingdom, or Türkiye. For transfers from the EEA/UK we rely on:

  • the European Commission's Adequacy Decisions where applicable;
  • the EU Standard Contractual Clauses (Module 2 or 3) plus supplementary measures (encryption in transit + at rest);
  • your explicit consent, where no other safeguard applies.

For transfers from Türkiye under KVKK Article 9, we rely on explicit consent of data subjects until/unless KVK Kurumu publishes an adequacy decision for the destination country.

You can request copies of the SCCs by emailing privacy@datagreat.com.

7. Retention

| Data | Retention period |
|---|---|
| Account & profile data | While your account is active + 90 days after closure |
| Billing & invoice records | 10 years (Turkish Commercial Code obligation) |
| Logs (security, audit, abuse) | 12 months |
| User Content (reports, personas, briefs, etc.) | While your account is active; 30 days after closure for export, then deleted |
| Marketing consents and email data | Until consent is withdrawn + 6 months for compliance audit |
| Cookies | As stated in our Cookie Policy |

After the retention period expires, data is deleted or anonymised.

8. Security

We use technical and organisational measures including:

  • TLS 1.2+ for all data in transit
  • Encryption at rest (Supabase / Vercel)
  • Bcrypt/Argon2 password hashing (handled by Supabase Auth)
  • Row-level security policies on the database
  • Time-bound API tokens
  • Daily automated backups (encrypted)
  • Principle-of-least-privilege access for our team
  • 2FA for all administrative access

No system is perfect. In the event of a personal-data breach we will notify the relevant supervisory authority (KVK Kurumu and/or your EU DPA) within 72 hours where required and inform affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.

9. Your rights

Under GDPR (and equivalent rights under KVKK Article 11):

  • Access — request a copy of your personal data;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure ("right to be forgotten") — request deletion, subject to legal retention exceptions;
  • Restriction — limit how we process your data;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interests or for direct marketing;
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing;
  • No automated decision-making with legal effect — we do not make decisions about you based solely on automated processing that produces legal or similarly significant effects;
  • Lodge a complaint — with KVK Kurumu (Türkiye), the Information Commissioner's Office (UK), your national EU DPA, or any other competent authority.

To exercise any right, email privacy@datagreat.com. We will respond within 30 days (extendable by 60 days for complex requests, with explanation). For Turkish residents, KVK Kurumu's official channels are listed at kvkk.gov.tr.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact privacy@datagreat.com and we will delete it.

11. Cookies and tracking

We use cookies and similar technologies as described in our Cookie Policy at /legal/cookies. Non-essential cookies (analytics, marketing) are set only with your consent via the cookie banner.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and via the Service at least fourteen (14) days before they take effect. The "Effective date" at the top reflects the latest version.

13. Contact

  • Privacy contact: privacy@datagreat.com
  • General contact: info@datagreat.com
  • Postal: Solustiq Yazılım ve Yapay Zeka Teknolojileri A.Ş., Abdurrahman Mah. Şehit Emniyet Müdürü Ertan Nezihi Turan Cad. Yaşar Atlı Plaza No: 7 İç Kapı No: 40, Merkez / Edirne, Türkiye

If you wish to escalate to a supervisory authority:

  • Türkiye: Kişisel Verileri Koruma Kurumu — kvkk.gov.tr
  • EU/EEA: the data-protection authority of your residence
  • UK: Information Commissioner's Office — ico.org.uk