KVKK Disclosure Notice

Pursuant to article 10 of the KVKK and the Communiqué on the Obligation to Inform, the data controller in respect of the personal data processed under this notice is Topluyıldız Danışmanlık A.Ş. (hereinafter the ‘Company’ or the ‘data controller’), a joint-stock company established under Turkish law and seated in Beşiktaş, İstanbul, Türkiye. The Company’s trade name is Topluyıldız Danışmanlık A.Ş., and its registry and contact details are as follows: 282911-5 (İstanbul Ticaret Sicili Müdürlüğü), 0854121033400001, Sinanpaşa Mahallesi, Süleyman Seba Caddesi, No: 6 İç Kapı No: 4, Beşiktaş / İstanbul, 25878-54156-69813, [telefon numarası]. The Company may also be contacted in all matters at mtopluyildiz@gmail.com.

Where a domestic representative of the data controller is provided for, the details of that representative are as follows: [veri sorumlusu temsilcisi, varsa]. This Disclosure Notice applies both to data collected through the omnipotentlegal.ai information and marketing site operated by the Company and to data processed during use of the Omnilegal product.

It must be emphasised that, in respect of client personal data entered into the system by a lawyer or law firm while using Omnilegal, the data controller is the relevant lawyer or law firm; in respect of that data, Topluyıldız Danışmanlık A.Ş. acts solely as a data processor, on the instructions of the data controller, within the framework of the Data Processing Agreement concluded between the parties. This matter is explained in detail in sections 11 and 12 of this notice.

Depending on the nature of the service and the scope of the relationship that the data subject establishes with Omnilegal, the Company may process the following categories of personal data: identity data (name, surname and, where relevant, title and professional capacity); contact data (work e-mail address, telephone number, the firm or company at which the person works); professional experience data (role, bar information, jurisdictions of practice and areas of specialisation); customer transaction and account data (subscription details, order and invoice records, transaction information relating to the payment and checkout process); and usage, transaction security and log data (IP address, session records, access and approval logs, audit trails relating to the citation gate and masking steps).

In addition, by reason of how Omnilegal operates, content entered into the system by the user (client documents, matter and file information, correspondence and legal texts) is processed. Such content may, by its nature, contain identity, contact and dispute information relating to third parties and in particular to clients, and may include special categories of personal data within the meaning of article 6 of the KVKK (for example data concerning health, criminal convictions and security measures, religion or membership). For this reason, the special safeguard regime set out in this notice and in the Data Processing Agreement applies to content entered by the user.

The data collected through the Company’s marketing site consists solely of the name, work e-mail address, firm or company name, role, jurisdictions of interest and free-text message provided in the free-trial and contact request form. No third-party advertising trackers are used on the site, and a privacy-first approach to analytics is adopted.

Personal data is processed in accordance with the general principles set out in article 4 of the KVKK (lawfulness and fairness; accuracy and being up to date where necessary; processing for specified, explicit and legitimate purposes; being relevant, limited and proportionate to the purposes; and retention only for the period prescribed by legislation or required for the purpose of processing).

The principal purposes of processing are as follows: receiving, assessing and concluding free-trial and contact requests; establishing, providing and maintaining the Omnilegal subscription service and creating and managing the user account; conducting the payment, checkout and account-provisioning processes by or on behalf of Topluyıldız Danışmanlık A.Ş.; performing the contract, issuing invoices and discharging financial obligations; ensuring service quality, information security and system integrity, preventing misuse and maintaining audit trails; discharging legal obligations arising from legislation and responding to requests of competent authorities; and the establishment, exercise or protection of rights in legal disputes.

The Company processes personal data only for the purposes stated in this notice and to the extent required by those purposes; it does not engage in processing beyond those purposes. Features that are planned on the roadmap or that are optional (for example firm-RAG memory, extended KVKK suites or EU data-residency backup) are made subject to processing only once they are rolled out and where the relevant legal ground exists.

The processing of personal data is, for each purpose, based on at least one of the processing conditions enumerated in article 5/2 of the KVKK. For establishing the subscription service, creating and managing the user account, and conducting the payment and invoicing processes, the legal ground is the necessity, under article 5/2(c), of processing the personal data of the parties to a contract, provided that this is directly related to the conclusion or performance of that contract.

For keeping, retaining and reporting financial, commercial and legal records to competent authorities, the legal grounds are the express provision of the law under article 5/2(a) and the necessity, under article 5/2(ç) (the legal-obligation ground), for the data controller to fulfil its legal obligation. Where processing is mandatory for the establishment, exercise or protection of a right, article 5/2(e) applies; and in respect of the Company’s legitimate interests in information security, system integrity and the prevention of misuse, article 5/2(f) applies, provided that the fundamental rights and freedoms of the data subject are not thereby harmed.

Within the scope of the free-trial and contact form, given the nature of the request, processing is conducted primarily in preparation for the relationship to be established at the data subject’s request and within the legitimate-interest framework of article 5/2(f); where no statutory processing condition exists, the explicit consent of the data subject is obtained under article 5/1. Where content entered into the system by the user contains special categories of personal data, since the data controller in respect of that content is the relevant lawyer or law firm, the obligation to secure the legal ground required under article 6 of the KVKK (as a rule, the explicit consent of the data subject or the exceptions enumerated in article 6/3) and to provide the relevant information rests with the lawyer or law firm acting as data controller; the Company processes such data solely as a data processor and subject to the masking regime.

Personal data is collected by partly automated and automated means, through the free-trial and contact form on omnipotentlegal.ai, the product sign-up and checkout flows, transactions carried out through the user account, and the log and transaction-security records generated automatically during use of Omnilegal. Content uploaded or entered into the system by the user is obtained directly through the act of the user concerned.

The legal basis for this collection activity comprises the processing conditions under article 5/2 of the KVKK that are specified separately for each purpose in section 4 of this notice. Form data collected through the marketing site is stored using the Supabase infrastructure with an EU region intended; no third-party advertising trackers are present on the site.

Personal data may be transferred domestically, to the extent necessary for the realisation of the purposes stated in this notice and in conformity with the conditions set out in article 8 of the KVKK. The principal categories of domestic recipients are as follows: hosting and infrastructure service providers ([barındırma sağlayıcısı]); service providers that conduct the payment, checkout and account-provisioning processes on behalf of the Company; suppliers providing accountancy, audit and legal advisory services; and public authorities, institutions and judicial bodies that are legally competent.

Such transfers are made only to the extent limited to the purpose that necessitates the transfer, and under contractual safeguards that ensure the recipients take the requisite technical and organisational measures. Service providers may access personal data only on the Company’s instructions and to the extent required by the service.

In order to provide the artificial-intelligence functions of Omnilegal and to operate the hosting infrastructure, limited personal data may be transferred abroad. The principal cross-border recipients in this context are the artificial-intelligence model service provider ([yapay zekâ model sağlayıcısı]) and the hosting service providers. Cross-border transfer is carried out within the framework of article 9 of the KVKK as amended with effect from 2024 and the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad.

In this framework the transfer relies, in order, on the following mechanisms: transfer to countries for which an adequacy decision has been announced by the Personal Data Protection Board; where no adequacy decision exists, the provision of one of the appropriate safeguards enumerated in article 9/3 of the KVKK (a standard contract subject to notification to the Board, a written undertaking, or binding corporate rules); and, in the exceptional cases where none of these is available, the incidental situations provided for in article 9/6 of the KVKK together with, where required, the explicit consent of the data subject. Where the standard-contract route is used, the relevant contract is notified to the Authority within the period prescribed by the legislation.

It is emphasised that, by reason of Omnilegal’s personal data masking architecture, personal data is masked before any call is made to an artificial-intelligence model, and only masked text is transmitted to the model; the model never accesses unmasked personal data. The masking key or mapping table is not taken outside the jurisdiction and is not transferred abroad. These safeguards are explained in detail in section 12 of this notice.

Personal data is retained for the period necessary for the purpose for which it is processed and, in any event, having regard to the minimum retention periods and limitation periods prescribed by the relevant legislation. Identity, contact, account and customer-transaction data processed within the scope of the contractual relationship is retained, following the termination of the subscription relationship, having regard to any legal disputes and burdens of proof that may arise and to the retention obligations arising from financial and commercial legislation (for example the periods prescribed under the Turkish Commercial Code and the Tax Procedure Law).

Data collected within the scope of the free-trial and contact form is retained for the conclusion of the request and a reasonable follow-up period thereafter; at the end of that period it is deleted, destroyed or anonymised. Log and transaction-security records are kept within the framework of the periods prescribed by the relevant legislation and the requirements of information security.

Upon the expiry of the relevant periods, personal data is deleted, destroyed or anonymised, of the Company’s own motion or upon the request of the data subject, within the framework of periodic destruction processes, in accordance with the Company’s Personal Data Retention and Destruction Policy and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data.

Pursuant to article 11 of the KVKK, as a data subject you have the right, by applying to the data controller, to: learn whether your personal data is being processed; request information about it where it has been processed; learn the purpose of processing and whether the data is used in accordance with that purpose; and know the third parties to whom personal data is transferred, whether domestically or abroad.

In addition, you have the right to: request the rectification of personal data where it has been processed incompletely or inaccurately; request the erasure or destruction of personal data within the framework of the conditions prescribed in the KVKK and the relevant legislation; request that rectification, erasure and destruction operations be notified to the third parties to whom the data has been transferred; object to the emergence of a result against you through the analysis of the processed data exclusively by automated systems; and claim compensation for damage where you suffer loss by reason of the unlawful processing of personal data.

These rights are exercised directly against the Company in respect of data that the Company processes in its capacity as data controller. In respect of client data of a lawyer or law firm that is processed through Omnilegal, since the data controller is the relevant lawyer or law firm, applications relating to article 11 rights are, as a rule, directed to that data controller; in such cases the Company, in its capacity as data processor, provides the requisite support to the relevant data controller.

Pursuant to article 13 of the KVKK and the Communiqué on the Procedures and Principles of Application to the Data Controller, data subjects may submit to the Company their requests relating to the rights enumerated in section 9 of this notice. The application may be made, together with information evidencing the data subject’s identity, in writing or by the other methods determined by the Board (by registered electronic mail (KEP) address, secure electronic signature, mobile signature, or by using an e-mail address that the data subject has previously notified to the Company and that is registered in the system).

Applications may be submitted in writing to Sinanpaşa Mahallesi, Süleyman Seba Caddesi, No: 6 İç Kapı No: 4, Beşiktaş / İstanbul, to the registered electronic notification address (UETS) 25878-54156-69813, or to the e-mail address mtopluyildiz@gmail.com. The application must contain the name and surname and, where the application is in writing, the signature; for citizens of the Republic of Türkiye, where applicable, the Turkish identity number; the address for notification; any e-mail address for notification; and the subject of the request.

The Company concludes the requests contained in the application free of charge, as soon as possible according to the nature of the request and in any event within thirty (30) days at the latest from the date on which the application reaches the Company. However, where the operation additionally entails a cost, a fee in the tariff determined by the Board may be charged. Where the request is rejected, the response given is found insufficient, or no response is given within the period, the data subject has the right to lodge a complaint with the Board within thirty (30) days of becoming aware of the response and, in any event, within sixty (60) days of the date of application.

Omnilegal is a legal artificial-intelligence operating system that unifies the work of lawyers and law firms, from client intake to delivery, in a single system. When a lawyer or law firm enters personal data belonging to its own clients into Omnilegal, the data controller in respect of that data is the relevant lawyer or law firm, which determines the purposes and means of processing the personal data.

In that case Topluyıldız Danışmanlık A.Ş. is not the data controller in respect of such client data but holds the capacity of data processor within the meaning of article 12 of the KVKK, and processes the data solely within the framework of the Data Processing Agreement (DPA) concluded between the parties, on the written instructions of the data controller and to the extent necessary to provide the service. The obligations relating to technical and organisational measures for data security are expressly allocated between the parties in that agreement.

Accordingly, the fulfilment of the obligation to inform clients, the securing where necessary of explicit consent or of the other legal grounds under article 6 of the KVKK, and the handling of clients’ applications relating to their article 11 rights, rest essentially with the lawyer or law firm acting as data controller. The Company, in its capacity as data processor, provides reasonable support to the data controller in fulfilling these obligations.

The architecture of Omnilegal supports the protection of client data through structural safeguards. Before any call is made to an artificial-intelligence model, personal data is masked and only the masked text is transmitted to the model; at no stage does the model access unmasked personal data. The key or mapping table relating to the masking operation is not taken outside the jurisdiction and is not transferred abroad.

Client data and content entered into the system by the user are not used for the purpose of training any artificial-intelligence model. Where the masking step fails, the relevant flow is halted rather than continued, in order to prevent any data leak. The Company further applies encryption in transit and at rest, ensures per-matter isolation, and maintains an audit trail of approvals, citation steps and masking steps.

In addition to these safeguards, a citation gate is operated under which every reference is checked back to its source; what cannot be verified is flagged for verification rather than fabricated. Pursuant to article 36 of the Attorneys Act no. 1136, the final reading, decision and signature remain in every case with the human attorney; the system is structured so as not to stand in for the attorney’s judgment. The artificial intelligence assists the attorney; it does not replace the attorney and does not itself give legal advice.

The Company reserves the right to update this Disclosure Notice in line with any changes that may occur in legislation and with the decisions and regulations of the Board. The current text takes effect on the date it is published on omnipotentlegal.ai. It is essential that data subjects be informed, by appropriate methods, of material changes affecting their rights.