Privacy Policy

We respect your privacy and are committed to protecting it through our compliance with this Privacy Policy ("Policy"). This Policy describes the types of information we may collect from you or that you may provide on the paraph.io website ("Website") and any of its related services (collectively, "Services"), and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Policy applies to information we collect on this Website, in email, text, and other electronic messages between you and this Website, and when you interact with our contact forms, newsletter subscriptions, or other communication channels.

This Policy is designed to comply with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), the Turkish Personal Data Protection Law (KVKK — Law No. 6698), and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Please read this Policy carefully to understand our practices regarding your personal data. By accessing and using our Website and Services, you acknowledge that you have read and understood this Policy.

The data controller responsible for your personal data is:

We act as a data controller when we ask you to submit your personal information that is necessary to ensure your access to and use of the Website and Services. We determine the purposes and means of processing personal information in such situations.

Our primary priority is the security of customer data. We process only minimal user data, only as much as is absolutely necessary to maintain the Website and Services. We collect personal data that you voluntarily provide to us, as well as certain data collected automatically:

• Contact Form Data: First name, last name, email address, company name, area of interest, and message content — provided voluntarily when you submit an inquiry.
• Newsletter Subscription: Email address — provided voluntarily when you subscribe to our communications.
• Technical Data (Automatic): Browser type and version, IP address, access timestamps, referring URLs, pages viewed, and device information — collected automatically for security and analytics purposes.

Information collected automatically is used only to identify potential cases of abuse and to establish statistical information regarding Website usage and traffic. This statistical information is not otherwise aggregated in such a way that would identify any particular user of the system.

We do not knowingly collect personal information from children under 18 years of age. If you are under 18, please do not submit any personal information through our Website and Services. If you have reason to believe that a child under 18 has provided personal information to us, please contact us to request that we delete that information. We encourage parents and legal guardians to monitor their children's Internet usage and to help enforce this Policy by instructing their children never to provide personal information online without permission.

We act as both a data controller and a data processor when handling personal information, unless we have entered into a data processing agreement with you, in which case you would be the data controller and we would be the data processor.

Any of the information we collect from you may be used for the following purposes:

• Respond to inquiries and provide support: To address your consultation requests and project inquiries submitted through our contact form.
• Send administrative information: To provide information about our services, changes to terms, and other administrative communications.
• Send product and service updates: To send AI insights, case studies, and industry updates (only with your explicit consent via newsletter subscription).
• Improve user experience: To analyze aggregated, anonymized usage patterns and improve our Website and Services.
• Run and operate the Website: To maintain, secure, and ensure proper functioning of our Website and Services.

Processing of your personal information depends on how you interact with the Website and Services, where you are located in the world, and if one of the following applies:

• (i) You have given your consent for one or more specific purposes (Art. 6(1)(a) GDPR);
• (ii) Provision of information is necessary for the performance of this Policy and/or for any pre-contractual obligations thereof (Art. 6(1)(b) GDPR);
• (iii) Processing is necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR);
• (iv) Processing is necessary for the purposes of the legitimate interests pursued by us or a third party (Art. 6(1)(f) GDPR).

In addition to GDPR, we also comply with applicable data protection regulations in the jurisdictions where we operate:

• Turkey — KVKK (Law No. 6698): Processing is conducted in accordance with the Turkish Personal Data Protection Law, including explicit consent requirements and data subject rights as defined under KVKK Art. 5 and Art. 11.
• UAE — PDPL (Federal Decree-Law No. 45/2021): Processing complies with the UAE Personal Data Protection Law, including the principles of purpose limitation, data minimization, and data subject rights as outlined in the PDPL.

We do not sell, rent, or trade your personal data to third parties. Depending on the requested Services or as necessary to complete any transaction or provide any Service you have requested, we may share your information with our affiliated companies, contracted companies, and service providers (collectively, "Service Providers") we rely on to assist in the operation of the Website and Services.

• Service Providers: Trusted third-party providers who assist us in operating our Website and delivering Services (e.g., hosting, email delivery), bound by data processing agreements and whose privacy policies are consistent with ours.
• Legal Obligations: When required to comply with applicable laws, regulations, subpoenas, or legal proceedings, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We will not share any personally identifiable information with unaffiliated third parties. Service Providers are not authorized to use or disclose your information except as necessary to perform services on our behalf or to comply with legal requirements. They are given only the information they need to perform their designated functions, and we do not authorize them to use or disclose any of the provided information for their own marketing or other purposes.

We will retain and use your personal information for the period necessary to comply with our legal obligations, to enforce our Policy, to resolve disputes, and unless a longer retention period is required or permitted by law:

• Contact Form Data: Retained for up to 12 months after your last interaction, unless a business relationship is established.
• Newsletter Subscriptions: Retained until you withdraw your consent by unsubscribing.
• Technical Logs: Automatically deleted after 90 days.

We may use any aggregated data derived from or incorporating your personal information after you update or delete it, but not in a manner that would personally identify you. Once the retention period expires, personal information shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.

Our Website and Services use "cookies" to help personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.

• Essential Cookies: Required for basic website functionality such as navigation and session management. Always active.
• Functional Cookies: Enable enhanced functionality and personalization.
• Analytics Cookies: Help us understand how visitors interact with our Website, used only with your explicit consent and in an anonymized form.
• Performance Cookies: Collect information about how you use our Website to improve its performance.

Please note that you have the ability to accept or decline cookies. Most web browsers automatically accept cookies by default, but you can modify your browser setting to decline cookies if you prefer.

Some browsers incorporate a Do Not Track feature that signals to websites you visit that you do not want to have your online activity tracked. Tracking is not the same as using or collecting information in connection with a website. For these purposes, tracking refers to collecting personally identifiable information from consumers who use or visit a website as they move across different websites over time. Our Website does not currently respond to Do Not Track browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

Our Website and Services may include social media features, such as LinkedIn, Instagram, YouTube, and TikTok buttons or share links. These features may collect your IP address, which page you are visiting on our Website, and may set a cookie to enable the feature to function properly. Social media features are hosted either by their respective providers or directly on our Website. Your interactions with these features are governed by the privacy policy of the respective provider.

We offer electronic newsletters to which you may voluntarily subscribe at any time. We are committed to keeping your email address confidential and will not disclose your email address to any third parties except as allowed in the disclosure section or for the purpose of utilizing a third-party provider to send such emails.

In compliance with applicable regulations, all emails sent from us will clearly state who the email is from and provide clear information on how to contact the sender. You may choose to stop receiving our newsletters or marketing emails by following the unsubscribe instructions included in these emails or by contacting us.

The Website and Services contain links to other resources that are not owned or controlled by us. Please be aware that we are not responsible for the privacy practices of such other resources or third parties. We encourage you to be aware when you leave the Website and Services and to read the privacy statements of each resource that may collect personal information.

We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. We maintain reasonable administrative, technical, and physical safeguards in an effort to protect against unauthorized access, use, modification, and disclosure of personal information in our control and custody. These measures include SSL/TLS encryption, access controls, and regular security assessments. However, no data transmission over the Internet or wireless network can be guaranteed. Therefore, while we strive to protect your personal information, you acknowledge that (i) there are security and privacy limitations of the Internet which are beyond our control; (ii) the security, integrity, and privacy of any and all information and data exchanged between you and the Website cannot be guaranteed; and (iii) any such information and data may be viewed or tampered with in transit by a third party, despite best efforts.

In the event we become aware that the security of the Website has been compromised or users' personal information has been disclosed to unrelated third parties as a result of external activity, including but not limited to security attacks or fraud, we reserve the right to take reasonably appropriate measures, including but not limited to investigation and reporting, as well as notification to and cooperation with law enforcement authorities. In the event of a data breach, we will make reasonable efforts to notify affected individuals if we believe there is a reasonable risk of harm to the user as a result of the breach or if notice is otherwise required by law. When we do, we will send you an email and post a notice on the Website.

Paraph AI operates from Istanbul (Turkey), Dubai (UAE), and Bucharest (Romania). When your data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to countries without an adequacy decision.
• Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection.
• Organizational Measures: Internal policies ensuring all offices handle data to the same high standards regardless of location.

The General Data Protection Regulation recognizes a number of rights in relation to your personal data. You may request access to your data, correction of any mistakes in our files, and/or object to the processing of your personal data. You may also exercise your right to complain to a competent supervisory authority or seek a legal remedy. Where applicable, you may also benefit from the right to request the erasure of your personal data, the right to restriction of processing, and the right to data portability.

We reserve the right to modify this Policy or its terms relating to the Website and Services at any time at our discretion. When we do, we will revise the updated date at the top of this page. We may also provide notice to you in other ways at our discretion, such as through the contact information you have provided. An updated version of this Policy will be effective immediately upon the posting of the revised Policy unless otherwise specified. Your continued use of the Website and Services after the effective date of the revised Policy (or such other act specified at that time) will constitute your consent to those changes. However, without your consent, we will not use your personal information in a manner materially different from what was stated at the time your personal information was collected.

You acknowledge that you have read this Policy and agree to all its terms and conditions. By accessing and using the Website and Services and submitting your information, you agree to be bound by this Policy. If you do not agree to abide by the terms of this Policy, you are not authorized to access or use the Website and Services. This Privacy Policy has been designed to comply with EU Regulation 2016/679 (General Data Protection Regulation — GDPR), the Turkish Personal Data Protection Law No. 6698 (KVKK), and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).

If you have any questions, concerns, or complaints regarding this Policy, we encourage you to contact us using the details below:

We will try to resolve complaints and disputes and will make every reasonable effort to honor your wish to exercise your rights as quickly as possible and, in any event, within the timescales provided by applicable data protection laws.