Privacy Policy

Your personal data is processed by Topluyıldız Danışmanlık A.Ş., a joint-stock company incorporated under Turkish law and seated in the Beşiktaş district of İstanbul, in its capacity as the ‘data controller’ within the meaning of article 3 of the KVKK.

The data controller’s official contact and application details are as follows: e-mail address mtopluyildiz@gmail.com; registered address Sinanpaşa Mahallesi, Süleyman Seba Caddesi, No: 6 İç Kapı No: 4, Beşiktaş / İstanbul; trade registry information 0854121033400001 and 282911-5 (İstanbul Ticaret Sicili Müdürlüğü); tax information Beşiktaş Vergi Dairesi, 8541210334; registered electronic notification address (UETS) 25878-54156-69813; telephone [telefon numarası]. To the extent that the appointment of a representative within the Union is required under European Union data protection law pursuant to article 27 of the GDPR, the information of that Union representative shall be identified as [veri sorumlusu temsilcisi, varsa]. It is reserved that this representative is a legally distinct role from the controller’s representative that may arise under the KVKK and the VERBİS regime.

Any request, question or application under this Policy may be submitted to the data controller through the contact channels above, in accordance with the application procedure set out in Article 12 below.

This Policy covers two distinct contexts, and a clear distinction between them matters for an understanding of data subjects’ rights. The first context is the website at omnipotentlegal.ai; this is essentially a marketing and information channel that collects only limited data from visitors for the purposes of a free trial or a contact request. The second context is the Omnilegal product; this is a software service provided on a subscription basis that unifies, in a single system, the work of law firms and lawyers from client intake to delivery.

The website itself does not take payment, does not open accounts and does not process client matter files; payment, account creation and in-product transactions are carried out through the product sign-up flow operated by or on behalf of Topluyıldız Danışmanlık A.Ş. The details of personal data processing on the product side are set out in the KVKK Disclosure Notice, which supplements this Policy, and in the Data Processing Agreement concluded with corporate customers.

Unless expressly stated otherwise in this Policy, the provisions concerning website visitors are to be understood as referring to the first context, and the provisions concerning product users and their client data as referring to the second context.

On the website side: where you complete the free-trial or contact form, the following data provided by you is processed: your name and surname, your work e-mail address, the name of your firm or organisation, your professional role or title, the jurisdictions of interest, and the free-text message contained in the form. This data is stored on an infrastructure where the European Union region is intended (Supabase), solely for the purpose of handling your request and communicating with you.

On the product side: identity and contact details, together with subscription and billing information, are processed in connection with the creation and administration of your account; usage data in the nature of session, transaction and audit-trail (log) records generated during use of the product is also processed. As regards the client data that lawyers process through the product, personal data is masked before any call is made to an artificial-intelligence model; only masked text is transmitted to the model, the masking key and mapping table do not leave the jurisdiction, and client data is not used to train any model.

During the technical operation of the website, technical data such as connection and device information may be processed through a limited number of strictly necessary cookies and privacy-first analytics; these matters are set out in detail in the Cookie Policy. The Company does not use any third-party advertising trackers.

The Company does not request special categories of personal data through the website forms. We kindly ask that you do not enter such data into the free-text field; if it is entered, that data will be processed within the safeguards of article 6 of the KVKK and only to the extent necessary to address your request.

Within the website context, personal data is processed for the purposes of receiving and evaluating your free-trial and contact requests, responding to you, providing information about the product, delivering the website in a secure and functional manner, and fulfilling legal obligations and establishing rights in the event of a dispute.

Within the product context, personal data is processed for the purposes of creating, maintaining and administering the subscription and the account, providing and improving the service, billing and collection, ensuring the security, integrity and auditability of the service, preventing misuse, and fulfilling obligations arising under the applicable legislation.

The Company processes personal data only for specified, explicit and legitimate purposes, in a manner that is connected with, limited to and proportionate to those purposes; it does not collect or process data beyond what the purpose requires.

Your general personal data is processed on the legal bases enumerated in article 5 of the KVKK. Accordingly, processing may rest on the bases that it is necessary because it is directly related to the conclusion or performance of a contract (for example, the subscription relationship and the conduct of the trial process you have requested), that it is mandatory for the data controller to fulfil a legal obligation, that it is mandatory for the establishment, exercise or protection of a right, and that it is necessary for the legitimate interests of the data controller, provided that this does not harm your fundamental rights and freedoms.

Where the fundamental rights and freedoms of the data subject must be given precedence, or where the bases above cannot be applied, processing is grounded on the explicit consent of the data subject pursuant to the first paragraph of article 5 of the KVKK. In processing based on explicit consent, you are entitled to withdraw your consent at any time.

In the exceptional cases involving special categories of personal data, processing is carried out within the framework of article 6 of the KVKK and, as a rule, on the basis of the data subject’s explicit consent. For data subjects resident in or within the scope of the GDPR, processing rests on the legal bases enumerated in article 6 of the GDPR (in particular performance of a contract, legal obligation, legitimate interests and, where required, explicit consent) and on the safeguards in article 9 for special categories of data.

The website may use a limited number of cookies and similar technologies in order to provide functionality and to improve the user experience. The Company adopts a privacy-first approach, does not place any third-party advertising trackers, and does not profile visitors for advertising purposes.

The types of cookies used, their purposes, their retention periods and the means by which you may exercise your preferences in respect of them are explained in detail in the Cookie Policy, a separate document. In respect of non-essential cookies, your explicit consent is taken as the basis to the extent required by the applicable legislation, and you may withdraw that consent at any time through [çerez yönetim aracı].

Analytics activities are conducted, so far as possible, in an aggregated and privacy-preserving manner; the purpose of these activities is to measure the performance of the website and to improve its content.

Your personal data may be transferred, limited to the purposes set out in this Policy and subject to compliance with the conditions in articles 8 and 9 of the KVKK. Within Türkiye, transfers may be made, to the extent necessary for the provision of the service and the fulfilment of legal obligations, to suppliers providing hosting, infrastructure, payment, accounting and similar services, to authorised public authorities and institutions, and to legal advisers.

As regards cross-border transfers, the website form data is stored on an infrastructure where the European Union region is intended (Supabase), which may constitute a transfer abroad. Such transfers are carried out, within the framework of article 9 of the KVKK as re-enacted in 2024 and the Regulation on the Transfer of Personal Data Abroad, on the basis of legal mechanisms such as the existence of an adequacy decision, the provision of appropriate safeguards (standard contractual clauses between the parties, binding corporate rules or an undertaking), or the existence of one of the exceptional situations in the sixth paragraph of that article.

For data subjects resident in or within the scope of the GDPR, transfers to third countries are conducted within the framework of Chapter V of the GDPR, on the basis of an adequacy decision or appropriate safeguards. On the product side, by reason of the KVKK PII-masking design, only masked text is processed in calls made to the artificial-intelligence model and the masking key does not leave the jurisdiction. Current information regarding hosting and model providers is set out in the relevant documents as [barındırma sağlayıcısı] and [yapay zekâ model sağlayıcısı].

Your personal data is retained for the period necessary for the purpose for which it is processed and, in any event, having regard to the maximum periods and limitation periods stipulated in the relevant legislation. In determining the retention period, criteria such as whether the processing purpose continues, the continuation of the relationship between the parties, statutory retention obligations and the need for the data to serve as evidence in a possible legal dispute are taken as the basis.

Data submitted through the website form is retained for the period necessary to evaluate your request and to complete the related communication; account and usage data on the product side is retained for the duration of the subscription relationship and, following its termination, for the period required by obligations arising under the legislation.

Upon expiry of the retention period or where the purpose of processing has ceased, your personal data is erased, destroyed or anonymised in the first periodic destruction cycle, within the framework of the Regulation on the Erasure, Destruction or Anonymisation of Personal Data.

In order to prevent the unlawful processing of personal data and unlawful access to it, and to ensure the preservation of the data, the Company takes technical and organisational measures aimed at ensuring an appropriate level of security pursuant to article 12 of the KVKK.

The technical measures taken in this context include the encryption of data in transit and at rest (the encryption described in the catalogue as AES-256-GCM), segregation on a per-file or per-matter basis (per-matter isolation), and the keeping of an audit trail covering the steps of approval, source verification and masking. The organisational measures include making access subject to authorisation, confidentiality obligations and regular review processes.

As required by the legal profession, the product is designed so as to support the duty of confidentiality under article 36 of the Attorneys Act no. 1136; the final reading, decision and signature remain in every case with the human attorney, and where the masking step fails, the flow is stopped in order to prevent any data leakage.

Where personal data is obtained by others through unlawful means, the Company shall, pursuant to the fifth paragraph of article 12 of the KVKK and the relevant decisions of the Personal Data Protection Board (in particular Decision no. 2019/10 of 24 January 2019), notify the Board of the situation as soon as possible and without undue delay, and within the seventy-two-hour period taken as the basis in the Board’s established practice; the affected data subjects shall also be informed by appropriate means.

For data subjects within the scope of European Union data protection law, personal data breaches are notified to the competent supervisory authority within the framework of articles 33 and 34 of the GDPR, as a rule within seventy-two hours of becoming aware of the breach; in cases entailing a high risk, the data subjects are also notified.

Pursuant to article 11 of the KVKK, by applying to the data controller you have the following rights in respect of yourself: to learn whether your personal data is being processed; if it has been processed, to request information in this regard; to learn the purpose of processing and whether the data is used in accordance with that purpose; to know the third parties to whom the data is transferred within the country or abroad; to request rectification if the data has been processed incompletely or inaccurately; to request erasure or destruction within the conditions of article 7 of the KVKK; to request that rectification, erasure and destruction operations be notified to the third parties to whom the data has been transferred; to object to a result arising against you through the analysis of the data exclusively by automated systems; and to claim compensation for damage suffered by reason of the unlawful processing of the data.

Data subjects resident in or within the scope of the GDPR additionally have the rights of access, rectification, erasure (to be forgotten), restriction of processing, data portability and objection to processing conferred by the GDPR. In processing based on explicit consent, consent may be withdrawn at any time; however, withdrawal does not affect the lawfulness of processing carried out up to the date of withdrawal.

The exercise of these rights may, depending on the nature of the request, in certain cases be balanced against the necessity of continuing the minimum processing that is indispensable for the provision of the service; in such a case, the Company shall explain, with reasons, why the request can be met only in part.

Pursuant to article 13 of the KVKK and the Communiqué on the Procedures and Principles of Application to the Data Controller, data subjects may submit their requests concerning the rights enumerated in Article 11 above to the data controller, in writing together with information establishing their identity, or by the other methods determined by the Board. An application may be made in writing to our registered address, by registered electronic notification address (UETS) (25878-54156-69813), or by transmitting it to mtopluyildiz@gmail.com from the e-mail address that you have previously notified to the Company and which is registered in our system.

The data controller shall conclude the requests contained in the application free of charge, as soon as possible depending on the nature of the request and in any event within thirty days of the date on which the application reaches it. However, where the operation requires an additional cost, the fee in the tariff determined by the Board may be charged.

Where the application is rejected, the response given is found insufficient or no response is given within the period, the data subject has the right to lodge a complaint with the Personal Data Protection Board within thirty days of learning of the response and, in any event, within sixty days of the date of the application.

The Omnilegal product and the omnipotentlegal.ai website constitute a professional service directed at lawyers and law firms and are not directed at children. The Company does not knowingly collect personal data belonging to children through the website forms.

Where it is established that personal data belonging to a child has been processed without obtaining the required permission in cases where consent is necessary, that data is erased or destroyed without delay within the framework of the relevant legislation. If you believe that data belonging to a child has been transmitted to us, we kindly ask you to contact us through the channels set out in Article 1.

The Company reserves the right to update this Privacy Policy at any time in line with changes in legislation, developments in its services or updates to its processing activities. The current text is published on the website together with its effective date.

In the event of material changes, data subjects are, to the extent required by the legislation, separately informed by appropriate means or, where necessary, their explicit consent is obtained anew. The ‘Last updated’ date at the head of the Policy indicates the effective date of the most current version of the text.

You may submit any question, request or complaint concerning privacy and the protection of personal data to the data controller, in the first instance through the contact channels set out in Article 1. The Company undertakes to evaluate your applications in good faith and within the periods stipulated by the legislation.

Data subjects have the right to lodge a complaint, in respect of their requests under the KVKK, with the Personal Data Protection Authority in Türkiye. Data subjects resident in or within the scope of the GDPR may lodge a complaint with the competent data protection supervisory authority in the member state of their habitual residence, place of work or the place where the infringement occurred.

This Policy forms a whole together with the product-specific KVKK Disclosure Notice, the Cookie Policy and the Data Processing Agreement concluded with corporate customers, and is completed by the references made to those documents. In the event of a conflict between the documents, the document most specific to the relevant processing context shall apply with priority.