Privacy Policy
This Privacy Policy (“Policy”) explains how Bakdaulet Tashmanov, operating as a sole proprietorship (şahıs işletmesi) under the trade name Canly AI (“we”, “us”, or “our”), with business address at Adnan Kahveci Mah. Büyükdere Cad. Beylikdüzü / İstanbul, Türkiye and Vergi Kimlik No 8240839884(Büyükçekmece Vergi Dairesi), collects, uses, stores, and protects personal data when you use the Canly AI platform (the “Service”), including its WhatsApp interface, web portal, and all related features.
This Policy is prepared in accordance with:
- Türkiye: Law No. 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu, “KVKK”), the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, and the Regulation on Procedures and Principles Regarding Cross-Border Transfer of Personal Data as amended by the January 2025 Guidelines on Transfer of Personal Data Abroad.
- European Union: Regulation (EU) 2016/679 (“GDPR”) and, from 2 August 2026, Regulation (EU) 2024/1689 (“EU AI Act”).
- Turkish E-Commerce: Law No. 6563 on the Regulation of Electronic Commerce and its implementing regulations.
Where both KVKK and GDPR apply simultaneously, we comply with the stricter requirement.
1. Introduction and Identity of the Data Controller
Data Controller Contact:
- Email: support@canlyai.com
- Postal address: Adnan Kahveci Mah. Büyükdere Cad. Beylikdüzü / İstanbul, Türkiye
- Data Protection Officer: We are monitoring DPO appointment requirements under the 2025 KVKK amendments and will appoint a DPO when our processing activities meet the applicable thresholds. Current data protection enquiries are handled by the privacy contact above.
2. Scope and Applicability
This Policy applies to:
- Registered sellers who create an account and use the Service.
- Authorized representatives of seller businesses whose contact details are provided during onboarding.
- End-users of the WhatsApp interface who interact with Canly AI through the seller's linked WhatsApp number.
This Policy does not apply to third-party websites or services linked from the Service. We encourage you to review the privacy policies of any third party before providing personal data to them.
3. Personal Data We Collect
We collect the minimum personal data necessary to provide and improve the Service (data minimisation, KVKK Art. 4 / GDPR Art. 5(1)(c)).
3.1 Data You Provide Directly
| Category | Examples |
|---|---|
| Identity data | Full name, title |
| Contact data | WhatsApp / mobile phone number |
| Account credentials | Authentication tokens (session-based) |
| Business data | Trendyol Seller ID, API key, API secret, store name |
Note on financial and payment data: We do not collect bank account details or process seller payouts — payout reconciliation is handled entirely by Trendyol. Subscription payments are processed by iyzico (iyzico Ödeme Hizmetleri A.Ş.), a BDDK-licensed payment institution. We receive only a payment confirmation token and your subscription tier from iyzico — we do not store card numbers, CVV codes, or bank account data.
3.2 Data Collected Automatically
| Category | Examples |
|---|---|
| Usage data | Log-ins, WhatsApp message timestamps, features accessed, session duration |
| Device / connection data | IP address, browser type, operating system, device identifiers |
| Trendyol API data | Orders, settlements, shipments, product listings, cargo fees — fetched on your behalf via the Trendyol V2 API with your credentials |
| Conversation data | WhatsApp message content and metadata routed through Twilio Programmable Messaging |
3.3 Special Categories of Personal Data
We do notintentionally collect special category (“sensitive”) personal data as defined under KVKK Art. 6 and GDPR Art. 9 (e.g., health, religion, biometrics). If any such data is inadvertently transmitted within a WhatsApp message, it will not be processed for any purpose other than responding to your query and will be deleted without retention.
4. Legal Bases for Processing
4.1 Under KVKK (Art. 5 and Art. 6)
| Processing activity | Legal basis (KVKK) |
|---|---|
| Account creation and service delivery | Explicit consent (Art. 5/1) and necessity for performance of contract (Art. 5/2-c) |
| Trendyol API data ingestion | Explicit consent + legitimate interest (Art. 5/2-f) — required to operate the service |
| WhatsApp message processing | Explicit consent (Art. 5/1) obtained at onboarding |
| Security monitoring and fraud prevention | Legitimate interest (Art. 5/2-f) |
| Cross-border transfer to sub-processors | Standard Contractual Clauses being executed with Turkish DPA notification (2024 Cross-Border Transfer Regulation, Art. 7) |
4.2 Under GDPR (Art. 6) — for EU/EEA Data Subjects
| Processing activity | Legal basis (GDPR) |
|---|---|
| Service delivery | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention | Legitimate interests (Art. 6(1)(f)) — balanced test documented internally |
| Marketing communications | Consent (Art. 6(1)(a)) — freely withdrawable at any time |
| AI-based analytics and recommendations | Legitimate interests (Art. 6(1)(f)) with LIA completed per EDPB April 2025 guidance on LLM processing |
5. How We Use Your Personal Data
We process personal data for the following purposes:
- Service delivery — Running the multi-agent AI co-pilot, including order monitoring, repricing, financial forecasting, cargo fee auditing, and seller support.
- Account management — Creating, managing, and securing your account; authenticating identity via session tokens.
- WhatsApp communication — Routing your messages to the appropriate AI agent and delivering responses through Twilio.
- Analytics and improvement — Aggregated, de-identified analytics to improve agent accuracy and service performance.
- Subscription management — Verifying your active plan and granting access to features. Payment processing is handled entirely by iyzico and is not stored by us.
- Legal compliance — Meeting obligations under KVKK, GDPR, and responding to lawful government requests.
- Security — Detecting and preventing fraud, abuse, and unauthorized access.
- Customer support — Responding to your support requests.
We will not use your personal data for purposes incompatible with those stated above without obtaining fresh consent or a new legal basis.
6. Automated Decision-Making and AI Processing
The Service uses large language models (LLMs) and multi-agent AI to analyse your store data and generate recommendations. In compliance with KVKK Art. 11(1)(g), GDPR Art. 22, and the EU AI Act:
- No legally binding or similarly significant decisions are made solely by automated means without human review. All AI-generated actions (e.g., repricing, dispute letters) require your explicit confirmation before execution.
- The AI system classifies as limited-risk under the EU AI Act. You will always be clearly informed that you are interacting with an AI system, in compliance with Art. 50 of the EU AI Act (transparency obligation applicable from 2 August 2026).
- You have the right to contest any automated recommendation, request human review, and express your view before any automated action is confirmed.
- We maintain AI literacy documentation for our team to meet Art. 4 EU AI Act obligations (in force since 2 February 2025).
7. Data Sharing and Recipients
We share personal data only where necessary and on a strictly controlled basis.
7.1 Sub-processors (Data Processors)
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| iyzico Ödeme Hizmetleri A.Ş. | Subscription payment processing | Türkiye | No transfer (domestic); BDDK-licensed payment institution |
| Twilio Inc. | WhatsApp messaging infrastructure | USA | GDPR SCCs (Art. 46); KVKK SCCs in progress |
| OpenAI, L.L.C. | LLM inference for AI agents | USA | GDPR SCCs (Art. 46); KVKK SCCs in progress |
| Supabase, Inc. | Vector database for RAG knowledge base | USA/EU | GDPR SCCs (Art. 46); KVKK SCCs in progress |
| Langfuse GmbH | AI observability and tracing | EU (Germany) | GDPR-compliant (intra-EEA); KVKK SCCs in progress |
| Railway Corp. | Cloud hosting and deployment (EU region) | EU (Netherlands) | GDPR-compliant (intra-EEA); KVKK SCCs in progress |
| PostgreSQL (Railway) | Conversation history, tenant metadata | EU (Netherlands) | GDPR-compliant (intra-EEA); KVKK SCCs in progress |
| Redis (Railway) | Job queue, distributed locks | EU (Netherlands) | GDPR-compliant (intra-EEA); KVKK SCCs in progress |
We are in the process of executing Data Processing Agreements (DPAs) with all sub-processors. Each DPA contractually restricts sub-processors from using your data for any purpose other than providing the Service.
7.2 Cross-Border Data Transfers — KVKK
Pursuant to the Regulation on Cross-Border Transfer of Personal Data (in force 1 September 2024), all transfers of personal data outside Türkiye — including to EU member states (Netherlands, Germany) and the USA — require a valid transfer mechanism. We are currently in the process of executing Standard Contractual Clauses (SCCs) in the exact form published by the Turkish Personal Data Protection Authority (Kurul) with each of our sub-processors. Consent is not used as a legal basis for cross-border transfers under the 2024 regulation.
7.3 Disclosure to Authorities
We may disclose personal data to competent public authorities (courts, tax authorities, law enforcement) where required by law or in response to a valid legal process. Where legally permitted, we will notify you before such disclosure.
7.4 No Sale of Personal Data
We do not sell, rent, or trade personal data to third parties for commercial purposes.
8. Data Retention
We retain personal data for no longer than necessary for the purpose for which it was collected, in accordance with KVKK Art. 7 and GDPR Art. 5(1)(e).
| Data category | Retention period | Reason |
|---|---|---|
| Account data (name, phone, business data) | Duration of subscription + 5 years | Turkish Commercial Code (TTK) Art. 82 — contractual records |
| Trendyol API data (orders, settlements) | Duration of subscription + 5 years | Turkish Commercial Code (TTK) Art. 82 |
| WhatsApp conversation data | 2 years from last message | Service improvement and dispute resolution |
| Security logs | 2 years | Legitimate interest |
| Marketing consent records | Until consent withdrawn + 3 years | KVKK enforcement period |
Upon account termination, personal data will be anonymised or deleted within 30 days, except where retention is required by law.
9. Cookies and Tracking Technologies
Our web portal uses cookies and similar technologies. In summary:
| Cookie type | Purpose | Basis | Retention |
|---|---|---|---|
| Strictly necessary | Authentication, security, load balancing | Contract / legitimate interest | Session |
| Functional | Language preference, dashboard settings | Consent | 1 year |
| Analytics | Aggregated usage statistics | Consent | 13 months |
| Marketing | Targeted content (if applicable) | Consent | 6 months |
Non-essential cookies are set only after you provide consent. You may withdraw consent at any time via the cookie preference centre in the web portal footer.
10. Data Security
We implement appropriate technical and organisational measures (TOMs) to protect personal data:
- Encryption at rest and in transit (TLS 1.3, AES-256)
- Token-based authentication — session tokens are short-lived and invalidated on logout
- Multi-tenant isolation — each seller's data is logically separated and scoped by `seller_id` in all queries
- Access controls — role-based access; principle of least privilege
- Distributed Redis locks — prevent duplicate processing of sensitive operations
- Regular security assessments
Data Breach Notification: In the event of a personal data breach, we will notify the Turkish Personal Data Protection Authority (Kurul) within 72 hours and affected data subjects without undue delay.
11. Your Rights as a Data Subject
11.1 Rights Under KVKK (Art. 11)
You have the right to learn whether your data is processed, request info, understand the purpose, know domestic/foreign recipients, request correction, deletion, notification of corrections to third parties, object to negative automated outcomes, and claim compensation for damages.
11.2 Rights Under GDPR (Art. 15–22) — for EU/EEA Data Subjects
You have the right of access, rectification, erasure (“right to be forgotten”), restriction, data portability, object, and not to be subject to automated decision-making.
11.3 How to Exercise Your Rights
Submit your request to: support@canlyai.com. We will respond within 30 days (without delay and within 30 days under KVKK).
11.4 Right to Lodge a Complaint
- Türkiye: Personal Data Protection Authority (www.kvkk.gov.tr).
- EU/EEA: The supervisory authority in your member state.
12. Children's Privacy
The Service is intended for use by registered business operators and is not directed at children under the age of 18. If you believe we have collected data from a minor, please contact us immediately at support@canlyai.com.
13. Changes to This Policy
We may update this Policy periodically. For material changes, we will notify you at least 30 days before they take effect via WhatsApp or our web portal.
14. Governing Law and Jurisdiction
This Policy is governed by the laws of the Republic of Türkiye. Disputes shall first be submitted to the Personal Data Protection Authority.
15. Contact Us
Bakdaulet Tashmanov (trading as Canly AI)
Adnan Kahveci Mah. Büyükdere Cad. Beylikdüzü / İstanbul, Türkiye
Email: support@canlyai.com
Phone: +90 552 599 68 14
