KVKK (TR) & GDPR (EU) — Data Subject Rights

Last updated: 2026-05-03

This page is the single canonical reference for exercising your rights under both the Turkish KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679).

Data controller

LyDos / Lydian AI · [email protected] (interim contact while the operating entity is being incorporated).
Data Protection Officer: [email protected]

Your rights

  • Right to access (KVKK Art. 11/a, GDPR Art. 15) — a machine-readable export of all personal data we hold about you. Self-serve via dashboard → Settings → Export, or email [email protected] (response within 30 days).
  • Right to rectification (KVKK Art. 11/d, GDPR Art. 16) — correct any field via the dashboard. Free-text fields update immediately; identity-linked fields (email, KSL device) trigger a re-verification flow.
  • Right to erasure ("right to be forgotten", KVKK Art. 11/e, GDPR Art. 17) — Settings → Close account. 30-day soft-delete grace, then anonymisation of audit chain entries (the chain itself is preserved for cryptographic integrity but no longer references you), and hard purge of all PII fields.
  • Right to restriction of processing (KVKK Art. 11, GDPR Art. 18) — request via DPO email. We mark the account read-only within 5 business days.
  • Right to data portability (GDPR Art. 20) — same export endpoint as access; format: JSON + CSV bundle.
  • Right to object (KVKK Art. 11, GDPR Art. 21) — for marketing emails, one-click unsubscribe. For service-essential processing, contact the DPO; we will explain the legal basis or stop the processing.
  • Right to withdraw consent (GDPR Art. 7) — applies only to consent-based processing (analytics, marketing). Service-essential processing under the "contractual necessity" basis cannot be withdrawn while the account is active.
  • Right to lodge a complaint with your supervisory authority:

Legal basis matrix

Processing | KVKK | GDPR
Account + service delivery | Art. 5/2-c contract necessity | Art. 6(1)(b) contract
Security, fraud, audit log | Art. 5/2-f legitimate interest | Art. 6(1)(f) legitimate interest
Billing, tax records | Art. 5/2-ç legal obligation | Art. 6(1)(c) legal obligation
Marketing emails | Art. 5/1 explicit consent | Art. 6(1)(a) consent

VERBİS registry (Turkey only)

Once the operating entity is incorporated and the data-controller registration is filed with VERBİS, the registry number will appear here. Until then, processing is conducted in the founder's personal capacity and under the legal-obligation exemption for trial / beta operations.

International transfers

Primary data residency: EU (Hetzner Helsinki). Subprocessors with non-EU access: LLM providers (Groq, Z.AI, NVIDIA NIM) — only prompt content + response, no PII unless you embed it. Standard Contractual Clauses in place where applicable.

Breach notification

We notify our DPA within 72 hours of becoming aware of a breach, and notify you within the same window if the breach is likely to result in high risk to your rights and freedoms.


Questions about this document? [email protected]