GDPR

Procurement-Friendly Overview

Effective: Feb 3, 2026
Last updated: Feb 3, 2026

LegalX Yapay Zeka Teknolojileri A.Ş.

APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye

This GDPR page is a high-level, procurement-friendly overview of how Harmonity approaches GDPR compliance and how it connects to our other trust and legal materials.

1) Who we are (Controller contact)

The Legal Text: Data Controller (where applicable): LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity"). Address: APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye. Contact: support@harmonity.ai (subject: "GDPR Request").

In Plain English: If Harmonity decides why/how your personal data is processed (e.g., for our website, sales, support), we’re the data controller and you can contact us at support@harmonity.ai.

2) When GDPR applies and how this page is used

The Legal Text: This page explains our GDPR approach for (a) website visitors and B2B contacts and (b) customer users, where Harmonity may act as a processor. This page does not replace the Privacy Policy or DPA; it connects them.

In Plain English: Think of this as a “map” for security/procurement. The Privacy Policy covers our controller activities, and the DPA covers customer/workspace processing.

3) Controller vs Processor roles (critical distinction)

The Legal Text: Controller: Harmonity acts as controller for personal data processed for our own business purposes (e.g., marketing site, lead management, sales/support, billing/admin). Processor: Harmonity acts as processor for customer content and workspace data processed on customers’ instructions (e.g., contracts and related user data in the platform). This is governed by the DPA.

In Plain English: If you’re browsing our site or talking to sales/support, we’re usually the controller. If you’re using Harmonity through your company workspace, your company is usually the controller, and we’re the processor under the DPA.

4) What personal data we process (typical categories)

The Legal Text: Depending on context, we may process: (i) identity and contact details (name, work email, phone, company, title); (ii) account and authentication data; (iii) usage, device, and log data (IP address, timestamps, events); (iv) support/sales communications; (v) billing and transaction metadata; and (vi) cookie/analytics identifiers where enabled.

In Plain English: Mostly: business contact info, account info, and basic usage/security logs. Cookie data depends on what you allow in Cookie Preferences.

6) "Customer workspace data" and the DPA

The Legal Text: For customer workspace data, Harmonity processes personal data as a processor on customer instructions, under the DPA. The DPA covers processing details, security, subprocessors, and cross-border transfer mechanisms where applicable.

In Plain English: If your company uses Harmonity, the DPA is the main doc procurement should review for platform processing.

AI note (high-level):

  • Inputs and outputs used in AI features are handled under the same customer data boundaries described in the DPA and AI Data Governance page.
  • We align with a “no training on customer data” stance for general models (see AI Data Governance).

7) Subprocessors and vendors

The Legal Text: We may engage subprocessors (service providers) to help operate the service (e.g., hosting, analytics, support tooling). Where required, we maintain agreements and impose GDPR-aligned obligations on them. Subprocessors are listed on Trust Center → Subprocessors and may be updated over time with a documented update/notice approach.

In Plain English: We use vendors (like most SaaS). The vendor list lives on Subprocessors so procurement can review it in one place.

8) International data transfers (EEA/UK and beyond)

The Legal Text: Where personal data is transferred outside the EEA/UK, we use appropriate safeguards as required by GDPR (e.g., Standard Contractual Clauses and, where relevant, supplementary technical/organizational measures). Transfer details depend on the subprocessors and the services used.

In Plain English: If data goes outside Europe/UK, we use recognized legal mechanisms and security measures. Check Subprocessors for where vendors operate.

9) Security measures (overview)

The Legal Text: We implement technical and organizational measures designed to protect confidentiality, integrity, and availability of personal data, including access controls, logging/auditability, encryption in transit and at rest (high-level), and incident response practices. Additional details are provided in Trust Center → Security and may be shared in a security package (under NDA where needed).

In Plain English: We’re built for sensitive contract work: permissions, audit trails, and secure handling. The detailed overview lives on the Security page / security package.

10) Retention (high-level)

The Legal Text: We keep personal data only as long as necessary for the purposes described, then delete or anonymize it unless we must keep it for legal obligations or to establish/exercise/defend legal claims. For sales/support records and meeting recordings (where used), our typical retention is up to 365 days.

In Plain English: We don’t keep data forever. For sales/support records (including recordings), it’s typically up to 1 year unless there’s a legal reason to keep it longer.

Customer workspace retention/deletion is addressed in the DPA and product controls where applicable.

11) Your GDPR rights

The Legal Text: Where GDPR applies, you may have rights including: access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent (where processing is based on consent). You also have rights related to certain automated decision-making/profiling under GDPR.

In Plain English: You can ask what we have, fix it, delete it (when allowed), limit it, object, or export it—depending on the situation.

12) How to exercise rights (DSAR process)

The Legal Text: Submit requests to support@harmonity.ai with the subject "GDPR Request". We may require identity verification to protect your data. We aim to respond within GDPR timelines, and may extend where permitted for complex requests. If Harmonity is only a processor for the requested data, we may redirect you to the relevant controller (e.g., your employer/customer).

In Plain English: Email support@harmonity.ai. We’ll verify it’s really you. If the data belongs to your company workspace, we may ask you to contact your company admin (the controller).

13) Complaints

The Legal Text: If you believe our processing violates GDPR and you are eligible to lodge a complaint, you may contact your local EU/EEA supervisory authority (and the UK ICO where UK law applies).

In Plain English: If you’re not satisfied, you can complain to your local data protection authority in Europe/UK.

14) Updates to this page

The Legal Text: We may update this page to reflect changes in processing, vendors, or legal requirements. The "Last Updated" date indicates the latest revision.

In Plain English: If we change something meaningful, we update the page and the date at the top.

Questions about GDPR? Contact us at support@harmonity.ai