GDPR Compliance
Last updated: March 28, 2026
1. Introduction
Kleif AI is committed to protecting the privacy and personal data of all individuals who interact with our platform. This GDPR Compliance Policy outlines how we collect, process, store, and protect personal data in accordance with the European Union General Data Protection Regulation (EU 2016/679) and the Turkish Personal Data Protection Law (KVKK, Law No. 6698).
This policy applies to all users of the Kleif AI platform, including website visitors, registered users, paying customers, and any individuals whose personal data is processed through our services. By using our services, you acknowledge that you have read and understood this policy.
2. Data Controller
The data controller responsible for your personal data is Kleif AI, headquartered in Istanbul, Turkey. As the data controller, we determine the purposes and means of processing personal data collected through our platform.
For enterprise customers who use Kleif AI to process end-user data, Kleif AI acts as a data processor on behalf of the customer (the data controller). In such cases, a Data Processing Agreement (DPA) is available upon request to formalize the processing relationship and obligations of each party.
3. Legal Basis for Processing
We process personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on include:
- Consent: Where you have given clear, informed, and freely given consent for specific processing activities, such as marketing communications or optional analytics.
- Contractual necessity: Where processing is necessary to perform our contract with you, including providing the Kleif AI platform, managing your account, and processing payments.
- Legitimate interests: Where processing is necessary for our legitimate business interests, such as improving our services, ensuring platform security, and preventing fraud, provided these interests do not override your fundamental rights.
- Legal obligation: Where processing is required to comply with applicable laws, regulations, or legal proceedings.
Under Turkish KVKK, we additionally rely on the conditions set forth in Article 5, which align closely with GDPR legal bases. Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4. Data Subject Rights
Under the GDPR and KVKK, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to rectification: You may request correction of inaccurate or incomplete personal data we hold about you.
- Right to erasure: You may request deletion of your personal data where there is no compelling reason for continued processing, also known as the "right to be forgotten."
- Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest data accuracy.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes at any time.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
To exercise any of these rights, please contact us at legal@kleif.ai. We will respond to your request within 30 days in accordance with GDPR requirements.
5. Data Collection & Processing
We collect and process the following categories of personal data through our platform:
- Account data: Name, email address, company name, and billing information provided during registration.
- Usage data: Information about how you interact with our platform, including pages visited, features used, and session duration.
- Technical data: IP address, browser type, device information, and operating system collected automatically through server logs.
- Communication data: Content of support tickets, emails, and other communications you send to us.
- Chatbot interaction data: Conversations and data processed through AI assistants created on the platform, which may include end-user personal data.
We apply the principle of data minimization and only collect data that is necessary for the specified purposes. We do not sell personal data to third parties under any circumstances.
6. Data Storage & Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 encryption
- Regular security assessments and penetration testing
- Access controls with role-based permissions and multi-factor authentication
- Continuous monitoring and logging of access to personal data
- Employee training on data protection and security practices
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk.
7. International Data Transfers
Kleif AI is based in Istanbul, Turkey. When we transfer personal data outside of the European Economic Area (EEA), we ensure that adequate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an adequacy decision from the European Commission
- Binding Corporate Rules where applicable
- Additional technical and organizational measures to supplement transfer mechanisms where necessary
Turkey is recognized by the European Commission as having certain data protection standards under KVKK. However, for transfers that require additional safeguards, we implement SCCs and conduct transfer impact assessments. Enterprise customers may request details about specific transfer mechanisms in their DPA.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws. Our standard retention periods are:
- Account data: Retained for the duration of your account and up to 30 days after account deletion.
- Usage and technical data: Retained for up to 24 months for analytics and service improvement.
- Billing records: Retained for up to 7 years as required by tax and financial regulations.
- Support communications: Retained for up to 36 months after resolution.
- Chatbot interaction data: Retained according to the data controller's instructions (enterprise) or up to 12 months (standard accounts).
When personal data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with an individual.
9. Sub-processors
Kleif AI engages certain third-party sub-processors to assist in providing our services. All sub-processors are bound by data processing agreements that require them to protect personal data in accordance with GDPR standards. Categories of sub-processors include:
- Cloud infrastructure and hosting providers
- Payment processing services
- AI model providers for natural language processing
- Email and communication service providers
- Analytics and monitoring tools
We maintain an up-to-date list of sub-processors, which is available upon request. Enterprise customers with a DPA will be notified of any changes to sub-processors and may object to new sub-processors in accordance with the terms of their agreement.
10. Data Protection Officer
Kleif AI has designated a Data Protection Officer (DPO) to oversee our compliance with GDPR and KVKK. The DPO is responsible for monitoring data protection practices, advising on data protection impact assessments, and serving as the point of contact for data subjects and supervisory authorities.
You may contact our Data Protection Officer at legal@kleif.ai for any data protection inquiries, concerns, or requests regarding your personal data.
12. Children's Privacy
Kleif AI services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at legal@kleif.ai so that we can take appropriate action.
13. Changes to This Policy
We may update this GDPR Compliance Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. We will notify you of material changes via email or a prominent notice on our platform at least 30 days before they take effect.
We encourage you to review this policy periodically. Continued use of our services after changes become effective constitutes your acknowledgment of the updated policy.
14. Contact & Complaints
For any questions, concerns, or requests related to this GDPR Compliance Policy or the processing of your personal data, please contact us at legal@kleif.ai.
Kleif AI
Istanbul, Turkey
If you are not satisfied with our response to your inquiry or believe that we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. For individuals in Turkey, complaints may be directed to the Turkish Personal Data Protection Authority (KVKK Kurumu).