Privacy Policy
Last updated: 10 June 2026
This Privacy Policy explains how Velqor ("we", "us", "our") — the operator of Komplyon at komplyon.io — collects, uses, and protects your personal data. We act in accordance with Turkey's Law on the Protection of Personal Data (KVKK / Law No. 6698) as our primary legal framework, and with the EU General Data Protection Regulation (GDPR) for visitors and customers in the European Economic Area.
1. Data Controller
Komplyon
Velqor [Legal form, İlker Gürcan Akyüz Sole Trader]
Evliya Çelebi Mah. Sadi Konuralp Cad. IKSV Vakfı No: 5 / 2 Beyoğlu / İstanbul
Tax ID (VKN): 0460317354
Email: hello@komplyon.io
2. Data we collect
We collect personal data in two situations: when you actively submit information (waitlist signup, contact email) and when you visit our website (server logs, optional analytics).
Waitlist signups
When you submit our waitlist form, we collect:
- Email address (required) — to notify you about our launch
- Company name (required) — to evaluate fit for early access
- Role (optional) — to personalise our communication
- Technical metadata: truncated IP address, user agent, referrer, timestamp, locale
Legal basis: Under KVKK: explicit consent (Art. 5/1) and necessity for the establishment of a contract (Art. 5/2/c). Under GDPR (for EEA residents): Art. 6 (1) lit. b (steps prior to entering into a contract) and Art. 6 (1) lit. f (legitimate interest in evaluating prospective customers and informing you about our product launch). Marketing emails are sent only with your explicit consent and you can withdraw at any time.
Server log files
Our hosting provider (Vercel Inc.) automatically collects log data when you visit any page. This is necessary to deliver the website and to detect abuse:
- Truncated IP address (last octet zeroed for IPv4, last 80 bits zeroed for IPv6)
- Browser family and version, operating system family
- Referrer URL, time of access, requested resource, HTTP status
3. Data Processors and International Transfers
We use the following service providers to process your personal data on our behalf. Each is bound by a Data Processing Agreement under Art. 28 GDPR (and the equivalent KVKK obligations for cross-border transfers):
- Vercel Inc. — Hosting, content delivery, edge compute. Default region for komplyon.io: Frankfurt, Germany (eu-central-1). Vercel is GDPR-compliant; we have entered into their standard DPA. Some operational data (e.g. abuse detection, billing) may be processed in the United States. Such transfers are protected by the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. See https://vercel.com/legal/privacy-policy and https://vercel.com/legal/dpa.
- Google Firebase (Firestore, Analytics) — Database (Cloud Firestore, region eur3 — Belgium and Netherlands) and analytics (Firebase Analytics / Google Analytics 4). Google is the data processor; we have signed Google's standard Data Processing Addendum. International transfers, where they occur, rely on EU Standard Contractual Clauses and the EU-US Data Privacy Framework. See https://firebase.google.com/support/privacy.
Each of our processors is bound by a Data Processing Agreement (DPA) — a legal contract under Art. 28 GDPR (and the equivalent KVKK Art. 12 obligations) that defines how they handle your data on our behalf. These agreements specify the nature and purpose of processing, the types of personal data involved, applicable security measures, sub-processor obligations, breach notification requirements, your data subject rights, and the obligation to delete or return your data when our relationship with the processor ends. We have signed standard DPAs with Vercel and Google (Firebase). Where international transfers occur, the DPAs incorporate EU Standard Contractual Clauses and rely on the EU-US Data Privacy Framework where applicable, supplemented by technical safeguards (TLS in transit, AES-256 encryption at rest).
4. Cookies and similar technologies
We use cookies and similar technologies (localStorage, web beacons) in two categories:
- Essential — Required for the website to function — for example, remembering your language preference and your consent decision. No consent required under § 25 (2) TDDDG (for EEA residents) or KVKK (these are necessary for the legitimate purpose of operating the site). Cannot be disabled.
- Analytics (Firebase / Google Analytics) — Helps us understand how visitors use our site. Sets cookies including _ga, _ga_*, and Firebase identifiers. Loaded only after you give consent via our cookie banner. Default state: off.
You can withdraw or modify your consent at any time using the "Cookie settings" link in the footer. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
\When you make a consent decision, we record an audit log entry containing: a pseudonymous ID generated in your browser, your decision (granted or denied), the version of the consent text shown, a truncated IP address (e.g. 192.168.1.0/24), and a summarised user agent (e.g. "Chrome/124 on macOS/14"). This log is required to demonstrate that consent was obtained. It is stored in Firestore (region eur3, EU) and retained for 36 months. We do not link this log to your email address unless you also join the waitlist from the same browser session.
5. Data retention
We retain personal data only as long as necessary for the purposes for which it was collected, in line with KVKK Art. 7 (and Art. 5 (1) lit. e GDPR for EEA residents — the storage limitation principle). Specifically: waitlist signup data is retained until you request deletion or for 24 months after Komplyon's public launch — whichever is sooner. Server log files are automatically deleted after 14 days. Analytics data is retained for 14 months by default in Google Analytics 4. Consent audit log entries are retained for 36 months from the date of decision, as required to demonstrate that consent was obtained. Marketing communications opt-out records are retained indefinitely as we are legally obligated to honour your objection. When our relationship with a processor ends, that processor is contractually required to either delete or return your data to us; we then apply the retention policy above to the returned data. After the applicable retention period expires, data is deleted from active systems within 30 days and from backups within 90 days.
6. Your rights
Under KVKK Art. 11 and (where applicable) GDPR, you have the following rights regarding your personal data, free of charge:
- Right to access — request a copy of your data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten"
- Right to restriction of processing
- Right to data portability — receive your data in a machine-readable format (GDPR only)
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time, without affecting prior lawful processing
- Right to lodge a complaint with a supervisory authority
To exercise any of these rights, email us at hello@komplyon.io.
7. Security
We apply industry-standard technical and organisational measures to protect your personal data:
8. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes — such as new processors or new processing purposes — will be communicated to waitlist members by email at least 14 days before they take effect. Continued use of komplyon.io after changes take effect constitutes acceptance of the updated Policy.