1. Who we are
For the purposes of Türkiye's Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) and the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the data controller is:
- Trade name: TrustEdge Labs
- Legal entity: Cihan Karabalta — Sole proprietorship (Türkiye / Şahıs Şirketi)
- Tax ID (Vergi Kimlik Numarası): 5020827413
- Registered address: Kazımkarabekir Mh., Odunpazarı Cd., Oduncu Sk., TOKİ Konutları B-2-2 Blok, No: 24, Kat: 4, Daire: 17, İlkadım / Samsun, Türkiye
- Contact for data requests: privacy@trustedgelabs.dev (or postal mail to the registered address above).
2. What data we collect
We collect the minimum data needed to operate this website and to respond to people who reach out to us. Specifically:
2.1 Information you give us directly
- Inquiry form data — when you fill in the security engagement request form or any contact form: your name, work email, company name, company size, country (optional), phone (optional), asset description, timeline, budget range, compliance context, authorization confirmation, and any free-text notes you choose to include.
- Email correspondence — anything you send us by email (header data, message body, attachments).
2.2 Information collected automatically
- Server logs — IP address, user-agent string, requested URL, response code, and timestamp. Used for security, rate limiting, and debugging. Retained no longer than 30 days.
- Captcha signal — when a form has Cloudflare Turnstile enabled, Cloudflare receives signals from your browser to determine whether you are a bot. This processing is performed by Cloudflare under its own privacy notice.
- Analytics — if Google Analytics is enabled on the deployment, anonymized usage statistics (page views, referrer, approximate location at city level, device class). We do not use Google Analytics for advertising remarketing or for cross-site profile building.
3. Why we use it (lawful bases)
We process personal data only when at least one of the following lawful bases applies:
- Performance of a contract — to respond to your inquiry, scope an engagement, deliver agreed services, or invoice you. (KVKK Art. 5(2)(c) · GDPR Art. 6(1)(b))
- Legitimate interests — to operate, secure, and improve the website; to prevent abuse; to keep audit logs of submissions for the protection of our rights. We balance these interests against your rights and freedoms. (KVKK Art. 5(2)(f) · GDPR Art. 6(1)(f))
- Legal obligations — when we are required to retain or disclose information under Turkish law, including the Turkish Tax Procedure Law and the Turkish Commercial Code. (KVKK Art. 5(2)(ç) · GDPR Art. 6(1)(c))
- Your consent — for non-essential cookies (e.g. analytics). You can withdraw consent at any time in your browser settings or by emailing us.
4. Who we share data with
We do not sell personal data. We share it only with the service providers we need to run the site and the business, each acting as a data processor on our behalf:
- Vercel Inc. (hosting): Provides web hosting, edge infrastructure, and DDoS protection. Data processed: server logs, deployment metadata. May be hosted outside Türkiye / the EEA.
- Cloudflare, Inc. (Turnstile, optional): Bot mitigation on form pages. Data processed: browser signals, IP address.
- Resend Inc. (transactional email): Sends form-submission notifications to our team. Data processed: email content, recipient and sender addresses.
- Google LLC (Analytics — optional, off by default): Anonymized usage analytics where enabled by configuration.
- Slack Technologies / Telegram Messenger (optional internal alerts): We may forward a one-line summary of submissions to an internal channel for fast triage. No data is shared back to the platform.
5. International transfers
Some of the providers above may store or process data in countries outside Türkiye and the European Economic Area, including the United States. Where required by GDPR, transfers rely on Standard Contractual Clauses (SCCs) and supplementary measures published by each provider. Where required by KVKK, transfers are based on Article 9 — typically your explicit consent or the contractual necessity of responding to your request.
6. How long we keep it
- Inquiry submissions — up to 24 months from receipt, then deleted, unless they have evolved into an active engagement and need to be retained for the duration of the contract plus the legal limitation period (typically 10 years under Turkish commercial law for tax/contract records).
- Server logs — up to 30 days, then deleted.
- Email correspondence — for as long as the relationship is active, or until you ask us to delete it (unless retention is required by law).
- Analytics aggregates — as long as Google Analytics retains them under its default configuration, currently 14 months.
7. Your rights
Under KVKK Article 11 and GDPR Articles 15–22, you have the right to:
- know whether we process data about you, and obtain a copy;
- have inaccurate or incomplete data corrected;
- request erasure ("right to be forgotten");
- restrict or object to processing in certain circumstances;
- request data portability of data you provided;
- withdraw consent where processing is based on consent;
- lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu) at kvkk.gov.tr, or, if you are in the EEA, with your local supervisory authority.
To exercise any of these rights, write to privacy@trustedgelabs.dev, or send postal correspondence to the registered address listed above. Identification of the requester may be required to protect the privacy of the person whose data is being requested. We respond within 30 days.
8. Security
We take reasonable, proportionate measures to protect personal data from unauthorized access, alteration, disclosure, or loss — including TLS in transit, strict access controls, audit logging, and the use of security-conscious vendors. No system is perfectly secure; absolute security is not promised.
9. Children
This website and its services are intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data to us, please contact us at privacy@trustedgelabs.dev and we will delete it promptly.
10. Cookies
For details about the cookies and similar technologies used on this site, see the Cookie Policy.
11. Changes to this policy
If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, post a notice on the site. The current version is binding from the effective date shown.
12. Contact
Questions, concerns, or data-rights requests: privacy@trustedgelabs.dev. General inquiries: hello@trustedgelabs.dev.
Postal correspondence:
Cihan Karabalta — TrustEdge Labs
Kazımkarabekir Mh., Odunpazarı Cd., Oduncu Sk., TOKİ Konutları B-2-2 Blok, No: 24, Kat: 4, Daire: 17, İlkadım / Samsun, Türkiye
This Privacy Policy was prepared in good faith but is not legal advice. Where local law requires more specific disclosures than what is stated here, those laws prevail.