GDPR Compliance

Last updated: April 15, 2026

ERGENEKON Engine is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Turkish Law on the Protection of Personal Data No. 6698 (KVKK).

1. Our Role Under GDPR

As a Software Tool: ERGENEKON Engine runs entirely on your infrastructure. We are not a data processor or sub-processor for your application data. Your recordings, sessions, and debugging data never leave your servers.

As a Website & License Provider: We act as a Data Controller for the personal data we collect when you purchase a license, contact support, or visit our website.

2. GDPR Compliance Checklist

Requirement	Status	Implementation
Lawful basis for processing	✅	Contract, consent, and legitimate interest
Data minimization	✅	We collect only what's necessary for license delivery
Purpose limitation	✅	Data used only for stated purposes
Storage limitation	✅	Defined retention periods for all data categories
Right to access (Art. 15)	✅	Request via privacy@ergenekon.dev
Right to rectification (Art. 16)	✅	Email us to update your information
Right to erasure (Art. 17)	✅	"Right to be forgotten" — request deletion
Right to data portability (Art. 20)	✅	Export your data in JSON format
Right to object (Art. 21)	✅	Opt out of processing based on legitimate interest
Right to restrict processing (Art. 18)	✅	Request limitation of processing
Data breach notification (Art. 33-34)	✅	72-hour notification to authorities; immediate user notification
Privacy by design (Art. 25)	✅	Minimal data collection, Ed25519 crypto, offline validation
Records of processing (Art. 30)	✅	Maintained internally
Data Protection Impact Assessment	✅	Completed — low risk profile
International transfers	✅	Standard Contractual Clauses (SCCs) with sub-processors
Cookie consent	✅	Minimal essential cookies only; no tracking cookies

3. Data We Process

3.1 What We Collect

Data Category	Examples	Legal Basis	Retention
Identity	Name, email	Contract	License term + 12 months
Financial	Payment info (via Stripe)	Contract	7 years (tax law)
Technical	IP address (anonymized), browser type	Legitimate interest	48 hours (IP), 30 days (logs)
Communications	Support emails	Legitimate interest	24 months after resolution
Marketing	Newsletter email	Consent	Until unsubscribe

3.2 What We Do NOT Collect

Your application source code
Recording sessions or debugging data
Database contents, API payloads, or user data
Behavioral tracking profiles
Biometric or special category data

4. Sub-Processors

Sub-Processor	Purpose	Location	Safeguards
Stripe, Inc.	Payment processing	USA	SCCs, SOC 2, PCI DSS Level 1
Resend (if used)	Transactional email	USA	SCCs, SOC 2
Plausible Analytics	Privacy-first analytics	EU	No personal data processed
GitHub (Microsoft)	Source code hosting	USA	SCCs, SOC 2, ISO 27001

5. Your GDPR Rights

As an EU/EEA resident, you have the following rights. All requests will be processed within 30 days:

Access: "What data do you have about me?" → We'll provide a complete export.
Rectification: "My email changed." → We'll update it immediately.
Erasure: "Delete everything." → We'll remove all personal data except what's legally required.
Portability: "Give me my data." → Delivered in JSON format.
Object: "Stop processing my data." → We'll cease non-essential processing.
Restrict: "Limit how you use my data." → We'll restrict processing to storage only.
Withdraw Consent: "I no longer agree." → We'll stop consent-based processing immediately.

How to exercise your rights:

Email privacy@ergenekon.dev with the subject line "GDPR Request: [Right Name]". Include your registered email address for identity verification. We will respond within 30 days.

6. Data Breach Response

In the event of a personal data breach:

Within 24 hours: Internal investigation and containment.
Within 72 hours: Notification to the relevant supervisory authority (as required by Article 33).
Without undue delay: Notification to affected individuals if the breach poses a high risk to their rights and freedoms (Article 34).

7. Privacy by Design

ERGENEKON Engine is architected with privacy at its core:

On-premise first: All debugging data stays on your infrastructure.
No telemetry: The SDK does not phone home or send analytics.
Offline license validation: Ed25519 signatures — no internet required.
Deep PII Redaction: Built-in automatic detection and masking of credit cards, SSNs, emails, phone numbers, and API keys before data is stored.
Minimal data collection: We only collect what's strictly necessary for license delivery.

8. California Residents (CCPA)

Under the California Consumer Privacy Act:

We do not sell your personal information.
We do not share your data for cross-context behavioral advertising.
You have the right to know, delete, and opt out.
We will not discriminate against you for exercising your rights.
Contact: privacy@ergenekon.dev

9. Turkish Data Protection (KVKK)

We comply with the Turkish Law on the Protection of Personal Data No. 6698 (KVKK). As the data controller:

Data is processed lawfully and in accordance with the principle of good faith.
Data is accurate and up to date.
Data is processed for specified, explicit, and legitimate purposes.
Data is adequate, relevant, and limited to what is necessary.
Data is retained only as long as necessary.
Data subjects can exercise their rights under Article 11 of KVKK.

10. Contact the Data Controller

Data Controller: İlhan Göktaş

Email: privacy@ergenekon.dev

Website: ergenekon.dev

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority:

EU: Your local Data Protection Authority (DPA)
UK: Information Commissioner's Office (ICO) — ico.org.uk
Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr