GDPR

Effective: February 3, 2026 · Last updated: February 3, 2026

LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity")

APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye

support@harmonity.ai (subject: "GDPR Request")

This GDPR page is a high-level, procurement-friendly overview of how Harmonity approaches GDPR compliance and how it connects to our other trust and legal materials.

1) Who we are (Controller contact)

Data Controller (where applicable): LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity"). Address: APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye. Contact: support@harmonity.ai (subject: "GDPR Request").

2) When GDPR applies and how this page is used

This page explains our GDPR approach for (a) website visitors and B2B contacts and (b) customer users, where Harmonity may act as a processor. This page does not replace the Privacy Policy or DPA; it connects them.

3) Controller vs Processor roles (critical distinction)

Controller: Harmonity acts as controller for personal data processed for our own business purposes (e.g., marketing site, lead management, sales/support, billing/admin).

Processor: Harmonity acts as processor for customer content and workspace data processed on customers' instructions (e.g., contracts and related user data in the platform). This is governed by the DPA.

4) What personal data we process (typical categories)

Depending on context, we may process: (i) identity and contact details (name, work email, phone, company, title); (ii) account and authentication data; (iii) usage, device, and log data (IP address, timestamps, events); (iv) support/sales communications; (v) billing and transaction metadata; and (vi) cookie/analytics identifiers where enabled.

5) Why we process data (purposes) and legal bases

We process personal data only when we have a lawful basis under GDPR, typically: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), or consent (Art. 6(1)(a)) — especially for certain cookies/marketing.

6) "Customer workspace data" and the DPA

For customer workspace data, Harmonity processes personal data as a processor on customer instructions, under the DPA. The DPA covers processing details, security, subprocessors, and cross-border transfer mechanisms where applicable.

AI note: Inputs and outputs used in AI features are handled under the same customer data boundaries described in the DPA and AI Data Governance page. We align with a "no training on customer data" stance for general models.

7) Subprocessors and vendors

We may engage subprocessors (service providers) to help operate the service (e.g., hosting, analytics, support tooling). Where required, we maintain agreements and impose GDPR-aligned obligations on them. Subprocessors are listed on Trust Center → Subprocessors and may be updated over time with a documented update/notice approach.

8) International data transfers (EEA/UK and beyond)

Where personal data is transferred outside the EEA/UK, we use appropriate safeguards as required by GDPR (e.g., Standard Contractual Clauses and, where relevant, supplementary technical/organizational measures). Transfer details depend on the subprocessors and the services used.

9) Security measures (overview)

We implement technical and organizational measures designed to protect confidentiality, integrity, and availability of personal data, including access controls, logging/auditability, encryption in transit and at rest (high-level), and incident response practices. Additional details are provided in Trust Center → Security and may be shared in a security package (under NDA where needed).

10) Retention (high-level)

We keep personal data only as long as necessary for the purposes described, then delete or anonymize it unless we must keep it for legal obligations or to establish/exercise/defend legal claims. For sales/support records and meeting recordings (where used), our typical retention is up to 365 days.

Customer workspace retention/deletion is addressed in the DPA and product controls where applicable.

11) Your GDPR rights

Where GDPR applies, you may have rights including: access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent (where processing is based on consent). You also have rights related to certain automated decision-making/profiling under GDPR.

12) How to exercise rights (DSAR process)

Submit requests to support@harmonity.ai with the subject "GDPR Request". We may require identity verification to protect your data. We aim to respond within GDPR timelines, and may extend where permitted for complex requests. If Harmonity is only a processor for the requested data, we may redirect you to the relevant controller (e.g., your employer/customer).

13) Complaints

If you believe our processing violates GDPR and you are eligible to lodge a complaint, you may contact your local EU/EEA supervisory authority (and the UK ICO where UK law applies).

14) Updates to this page

We may update this page to reflect changes in processing, vendors, or legal requirements. The "Last Updated" date indicates the latest revision.

Questions about GDPR? Contact us at support@harmonity.ai