1) Data Controller Identity (Veri Sorumlusu)

Data ControllerLegalX Yapay Zeka Teknolojileri A.Ş.

AddressAPY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye

Contact (KVKK/Privacy)support@harmonity.ai

2) Who this notice applies to

This notice applies to individuals whose personal data we process, including:

Customer representatives and administrators (e.g., procurement, legal, sales ops)
Authorized users invited to a Harmonity workspace
Website visitors and prospects contacting us for demos or information
Individuals communicating with support
Vendors/partners and their representatives (where applicable)

3) Categories of personal data we may process

Depending on your interaction with Harmonity, we may process the following categories:

A. Identity & contact data

Name, surname, business email, phone number (if provided), company, role/title.

B. Account & authentication data

User IDs, login events, password reset metadata, workspace membership, role/permission assignments.

C. Usage, device & log data

IP address, device/browser identifiers, timestamps, audit logs (who did what/when), security logs, error logs.

D. Communication data

Support tickets, emails, chat transcripts (if a chat widget is enabled), meeting notes/recordings (where used), and related attachments.

E. Billing & finance (business context)

Invoice/contact details, billing addresses, tax/VAT-related information, payment administration metadata (as applicable).

F. Customer content (platform data)

Documents, contract text, templates, clause libraries, extracted fields, comments, approvals, and related metadata which may contain personal data depending on what customers upload.

G. Cookie/online identifiers (website)

Cookie identifiers and similar technologies as described in our Cookie Statement and managed via Cookie Preferences.

4) Purposes of processing and KVKK legal bases

We process personal data for the purposes below, based on the applicable legal grounds under KVKK Article 5 and Article 6 (as relevant):

A) Providing and operating the service

Creating and managing workspaces and user accounts
Enabling collaboration features (review, approvals, audit history)
Customer support, troubleshooting, and platform administration

Legal basis (examples): necessary for contract performance / service delivery; legitimate interests; establishment/exercise/protection of rights (where applicable).

B) Security, abuse prevention, and reliability

Access control, logging, monitoring, incident response
Detecting suspicious activity and preventing misuse
Business continuity and service reliability operations

Legal basis (examples): legitimate interests; legal obligations (where applicable); establishment/exercise/protection of rights.

C) Sales, relationship management, and communications

Responding to demo requests and product inquiries
Managing customer relationships and communications
Recording certain sales/support calls/meetings (where used) for internal note-taking, quality, and training

Legal basis (examples): legitimate interests; explicit consent where required by law/practice.

D) Billing, accounting, and tax compliance

Invoicing and payment administration
Meeting legal obligations under tax/accounting rules

Legal basis (examples): legal obligation; contract performance.

E) Website analytics, functionality, and marketing (where applicable)

Operating the website
Measuring performance and improving content
Marketing and advertising activities (e.g., pixels) subject to cookie choices

Legal basis (examples): consent for non-essential cookies where required; legitimate interests for strictly necessary operations.

Note on special categories of personal data: We do not intend to process special categories (sensitive data) unless customers include them in their content or a lawful exception applies. Where special categories are processed, we apply stricter safeguards and rely on appropriate legal grounds under KVKK.

5) How we collect personal data

We may collect personal data:

Directly from you (forms, emails, support tickets, website interactions)
From your organization (your employer/customer admin providing business contact info)
Automatically (cookies and similar technologies on the website; platform logs and audit events)
Through integrations/service providers used to operate the service (as described in Subprocessors)

6) To whom we may transfer personal data (and why)

We may share personal data with:

Service providers/subprocessors (hosting, analytics, communications, customer support tooling, security tooling) strictly to operate and secure the service
Professional advisors (e.g., legal/accounting) where necessary
Authorities where required by law or to protect our legal rights

We do not sell personal data. For transparency on vendors, see Trust Center → Subprocessors.

7) International transfers (yurt dışına aktarım)

Depending on vendor locations and customer configuration, personal data may be transferred and/or accessed from outside Türkiye. Where cross-border transfer rules apply, we implement appropriate safeguards and contractual protections and reflect relevant terms in our DPA and vendor arrangements.

8) Retention periods

We retain personal data for the period necessary to fulfill the purposes described above, and longer where required by law. Typical examples:

Sales/support records and meeting recordings (where used): up to 365 days
Account and workspace data: for the duration of the customer relationship and as needed for post-termination obligations (e.g., security, dispute handling), consistent with contractual terms and customer instructions
Logs/audit records: retained for security, auditability, and operational purposes for a reasonable period
Legal/tax records: retained as required under applicable Turkish law

More detail is provided in the Privacy Policy and (for customer content) the DPA.

9) Security measures

We use appropriate technical and organizational measures designed for controlled contract workflows, including (high-level):

Role-based access and permission boundaries
Encryption in transit and at rest (high-level)
Auditability and attributable actions
Monitoring and incident response processes

See Trust Center → Security for the controls overview.

10) AI features (Harmony AI) — important clarifications

If you use AI-enabled features:

AI outputs are not legal advice and should be reviewed and approved by humans before use
AI operates within permission boundaries and access controls
Our AI data boundaries and training commitments are explained in Trust Center → AI Data Governance

11) Your rights under KVKK and how to apply

KVKK grants individuals certain rights regarding their personal data (e.g., learning whether data is processed, requesting information, requesting correction/deletion under conditions, and other KVKK rights).

To submit a request:

Use Legal → KVKK Application Form (recommended)
Or contact: support@harmonity.ai with the subject “KVKK Request”
Requests should be submitted in Turkish and may require identity verification.

12) Updates to this notice

We may update this Information Notice from time to time. The “Last Updated” date above shows the most recent revision.

Questions about this notice? Contact us at support@harmonity.ai

← Back to Legal Hub

KVKK Information Notice (Aydınlatma Metni)