TrustEdge Labs
All legal documents

Privacy

Privacy Policy

This policy explains what personal data TrustEdge Labs collects, why we collect it, how long we keep it, and the rights you have over it under Türkiye's KVKK and the EU's GDPR.

Last updated 2026-05-17

1. Who we are

For the purposes of Türkiye's Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) and the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the data controller is:

Trade name
TrustEdge Labs
Country of operation
Türkiye
Contact for data requests
privacy@trustedgelabs.dev

2. What data we collect

We collect the minimum data needed to operate this website and to respond to people who reach out to us. Specifically:

2.1 Information you give us directly

  • Inquiry form data — when you fill in the security engagement request form or any contact form: your name, work email, company name, company size, country (optional), phone (optional), asset description, timeline, budget range, compliance context, authorization confirmation, and any free-text notes you choose to include.
  • Email correspondence — anything you send us by email (header data, message body, attachments).

2.2 Information collected automatically

  • Server logs — IP address, user-agent string, requested URL, response code, and timestamp. Used for security, rate limiting, and debugging. Retained no longer than 30 days.
  • Captcha signal — when a form has Cloudflare Turnstile enabled, Cloudflare receives signals from your browser to determine whether you are a bot. This processing is performed by Cloudflare under its own privacy notice.
  • Analytics — if Google Analytics is enabled on the deployment, anonymized usage statistics (page views, referrer, approximate location at city level, device class). We do not use Google Analytics for advertising remarketing or for cross-site profile building.

3. Why we use it (lawful bases)

We process personal data only when at least one of the following lawful bases applies:

  • Performance of a contract — to respond to your inquiry, scope an engagement, deliver agreed services, or invoice you. (KVKK Art. 5(2)(c) · GDPR Art. 6(1)(b))
  • Legitimate interests — to operate, secure, and improve the website; to prevent abuse; to keep audit logs of submissions for the protection of our rights. We balance these interests against your rights and freedoms. (KVKK Art. 5(2)(f) · GDPR Art. 6(1)(f))
  • Legal obligations — when we are required to retain or disclose information under Turkish law, including the Turkish Tax Procedure Law and the Turkish Commercial Code. (KVKK Art. 5(2)(ç) · GDPR Art. 6(1)(c))
  • Your consent — for non-essential cookies (e.g. analytics). You can withdraw consent at any time in your browser settings or by emailing us.

4. Who we share data with

We do not sell personal data. We share it only with the service providers we need to run the site and the business, each acting as a data processor (or, for email routing, an independent provider operating their own service) on our behalf:

Vercel Inc. (hosting)
Provides web hosting, edge infrastructure, and DDoS protection. Data processed: server logs, deployment metadata. May be hosted outside Türkiye / the EEA.
Cloudflare, Inc. (DNS, email routing, Turnstile)
DNS, anti-abuse / Turnstile bot mitigation, and email routing for our @trustedgelabs.dev aliases (forwarded to an operator inbox at Google). Data processed: domain DNS records, browser signals on form pages, the contents of inbound emails passing through routing.
Google LLC (operator inbox + optional Analytics)
Operator email inbox (Gmail) — receives forwarded mail from our Cloudflare routing rules. Optional Analytics where enabled by configuration.
Telegram Messenger (operator notifications)
When configured, we forward a limited internal notification — such as company name, request type, reference, and IP — to a private internal channel for fast triage. We avoid sending credentials, vulnerability details, or sensitive asset information beyond what is necessary for triage. Telegram processes the message contents to deliver them; we do not subscribe to Telegram analytics or marketing services.

5. International transfers

Some of the providers above may store or process data in countries outside Türkiye and the European Economic Area, including the United States. International transfers are handled in accordance with applicable data-transfer rules — including the safeguards recognized under GDPR (such as Standard Contractual Clauses and the supplementary measures published by each provider, where they apply) and the cross-border-transfer requirements of KVKK as in force at the time of transfer. We rely on the lawful basis most appropriate to the specific transfer, which is typically the contractual necessity of responding to your inquiry or your explicit consent.

6. How long we keep it

  • Inquiry submissions — up to 24 months from receipt, then deleted, unless they have evolved into an active engagement and need to be retained for the duration of the contract plus the legal limitation period (typically 10 years under Turkish commercial law for tax/contract records).
  • Server logs — up to 30 days, then deleted.
  • Email correspondence — for as long as the relationship is active, or until you ask us to delete it (unless retention is required by law).
  • Analytics aggregates — as long as Google Analytics retains them under its default configuration, currently 14 months.

7. Your rights

Under KVKK Article 11 and GDPR Articles 15–22, you have the right to:

  • know whether we process data about you, and obtain a copy;
  • have inaccurate or incomplete data corrected;
  • request erasure ("right to be forgotten");
  • restrict or object to processing in certain circumstances;
  • request data portability of data you provided;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu) at kvkk.gov.tr, or, if you are in the EEA, with your local supervisory authority.

To exercise any of these rights, write to privacy@trustedgelabs.dev. Identification of the requester may be required to protect the privacy of the person whose data is being requested. We respond within 30 days.

8. Security

We take reasonable, proportionate measures to protect personal data from unauthorized access, alteration, disclosure, or loss — including TLS in transit, strict access controls, audit logging, and the use of security-conscious vendors. No system is perfectly secure; absolute security is not promised.

9. Children

This website and its services are intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data to us, please contact us at privacy@trustedgelabs.dev and we will delete it promptly.

10. Cookies

For details about the cookies and similar technologies used on this site, see the Cookie Policy.

11. Changes to this policy

If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, post a notice on the site. The current version is binding from the effective date shown.

12. Contact

Questions, concerns, or data-rights requests: privacy@trustedgelabs.dev. General inquiries: hello@trustedgelabs.dev.

This Privacy Policy was prepared in good faith but is not legal advice. Where local law requires more specific disclosures than what is stated here, those laws prevail.