1. What we collect
- Account data: email, full name, organisation name (only if you create an account)
- Usage data: agent runs, queries, audit log entries you author
- Technical data: IP address (per-request, not stored), user-agent, device fingerprint (KSL bound)
- Payment data: processed by our PSP (iyzico / Stripe); we do not store card numbers
2. Why we collect it
- Service delivery: running the agents you asked us to run
- Security: per-tenant rate limiting, audit log integrity, fraud / abuse detection
- Billing: measuring usage against your plan
- Required by law: tax records, KVKK / GDPR obligations
3. Where it lives
Account + usage data: PostgreSQL federation cluster, EU region (Hetzner Helsinki). Tenant rows are isolated by row-level security; cross-tenant reads are cryptographically blocked at the database layer (see data-isolation architecture).
4. Who can see it
- You (everything in your account)
- Co-tenants you explicitly invite (only the resources you share)
- LyDos engineering on-call (during incident response, audit-logged)
- Nobody else without a court order
5. How long we keep it
- Active account data: as long as your account is open
- Usage logs: 90 days hot, then archived (still encrypted)
- Audit chain: indefinitely (cryptographic chain integrity requires it)
- Backups: 7 days rolling
- After deletion request: 30 day soft-delete grace, then hard purge
6. Your rights
Under KVKK Article 11 + GDPR Articles 15–22 you can:
- Access a machine-readable copy of your data: dashboard → settings → export
- Correct any field via the dashboard
- Delete your account: dashboard → settings → close account (30 day grace then permanent)
- Object to processing for any non-essential purpose
- Withdraw consent for marketing emails at any time
7. Contact
Data Protection Officer: [email protected]
General privacy questions: [email protected]