GDPR Data Protection Notice
Last updated: February 2026
This notice supplements our Privacy Policy and provides additional information required under the General Data Protection Regulation (EU) 2016/679 ("GDPR") for users in the European Union and European Economic Area.
1. Data Controller
Dijital Inovasyon ve Yapi Teknolojileri A.S.
Trading as: Algomim
Address: Mustafa Kemal Mah. Dumlupinar Blv. ODTU TEKNOKENT Bilisim Inovasyon Merkezi CoZone 280/G No: 1260 Cankaya / Ankara 06520
Email: info@algomim.com
MERSIS No: 0295103853200001
Tax ID: 2951038532
We are established in Turkey and provide services to users in the EU/EEA. For EU representative inquiries, please contact us at info@algomim.com.
2. Categories of Personal Data and Purposes of Processing
2.1 Processing Activities
| Processing Activity | Categories of Data | Purpose | Legal Basis (GDPR Art. 6) | Retention Period |
|---|---|---|---|---|
| Account creation and authentication | Email address, display name, profile photo (Google Sign-In), Firebase UID | Creating and managing your user account | Performance of contract (Art. 6(1)(b)) | Until account deletion + 30 days |
| AI chat processing | Chat messages (prompts and responses), uploaded file contents, project metadata | Providing the AI assistant service | Performance of contract (Art. 6(1)(b)) | Until chat/account deletion |
| Script generation and execution | Chat context, project data from connected plugins | Generating and executing AI scripts in design applications | Performance of contract (Art. 6(1)(b)) | Until chat/account deletion |
| File storage and analysis | Uploaded files, file metadata (name, type, size, hash) | Storing and processing user-uploaded documents | Performance of contract (Art. 6(1)(b)) | Until file removal or account deletion |
| Billing and subscription | Email, name, billing address, tax ID, subscription status, CU consumption | Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) | 10 years (legal obligation) |
| Email OTP authentication | Email address, OTP code | Verifying user identity during login | Performance of contract (Art. 6(1)(b)) | OTP: 10 minutes; email: until account deletion |
| Customer support | Email, chat history, usage data, plugin connection info | Providing customer support via Crisp | Legitimate interest (Art. 6(1)(f)) | Per Crisp retention policy |
| Error tracking | Error logs, stack traces, browser/OS info, IP (Sentry) | Detecting and fixing software errors | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Security and fraud prevention | IP address, authentication logs, rate limiting data | Protecting the Service from unauthorized access | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Billing audit logging | User ID, package changes, trigger source, timestamps | Maintaining billing audit trail for dispute resolution | Legal obligation (Art. 6(1)(c)) | 10 years |
| Message feedback | User's feedback rating on AI responses | Improving AI response quality | Legitimate interest (Art. 6(1)(f)) | Until chat/account deletion |
| Document quality evaluation | Retrieval quality metrics, chat ID | Measuring and improving RAG search quality | Legitimate interest (Art. 6(1)(f)) | Until account deletion |
2.2 Legitimate Interest Assessment
Where we rely on legitimate interest as a legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms:
- Error tracking (Sentry): Our interest in maintaining service quality and fixing bugs is balanced by: (a) stripping authorization headers and cookies before transmission, (b) masking text in session replays, (c) limiting retention to 90 days. The impact on your privacy is minimal as data is used solely for technical troubleshooting.
- Customer support (Crisp): Our interest in providing effective support is balanced by: (a) sharing only session-level context (not full chat history), (b) HMAC-authenticated identity verification. You can always use email support instead.
- Service improvement: We only use aggregated, non-identifying usage patterns. We do NOT use your individual chat content or project data for product improvement or model training.
3. Data Recipients (Sub-Processors)
We categorize our sub-processors based on whether they receive personal identifying information:
Sub-Processors That Receive Personal Data
| Sub-Processor | Purpose | Personal Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Polar (Polar.sh) | Payment processing, subscription management | Email address, name, billing address, tax ID | United States / EU | SCCs + DPA |
| Resend (Resend, Inc.) | Email delivery (OTP login codes) | Email address only | United States | SCCs + DPA |
| Crisp (Crisp IM SAS) | Customer support widget | Email address, display name, subscription tier, CU usage and limits, connected plugin types and count, active chat ID | France (EU) | GDPR-compliant (EU processor) |
Sub-Processors That Do NOT Receive Personal Data
These services process content but never receive your email, name, or other identifying information:
| Sub-Processor | Purpose | Non-Personal Data Shared | Location | Safeguard |
|---|---|---|---|---|
| OpenRouter (OpenRouter, Inc.) | Multi-model AI gateway | Chat messages, prompts, pseudonymous session ID | United States | SCCs + DPA |
| OpenAI (OpenAI Group PBC) | AI model provider (accessed via OpenRouter) for embeddings, reasoning, and tool calling | Chat messages, prompts, file contents (via OpenRouter) | United States | SCCs + DPA |
| FAL.ai (fal.ai, Inc.) | AI image generation, editing, upscaling | Image prompts, temporary image URLs | United States | SCCs + DPA |
| Sentry (Functional Software, Inc.) | Error tracking, monitoring, and session replay (with maskAllText: true and blockAllMedia: true — no readable text or media is captured) | Error logs, stack traces only (no user identity attached, auth headers stripped) | United States | SCCs + DPA |
| Google Fonts (Google LLC) | Font delivery (loaded in browser) | Standard HTTP request data (IP address at transport level) | United States | SCCs |
Own Infrastructure
| Provider | Purpose | Note |
|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud hosting, database (Firestore), file storage, authentication | Our own infrastructure. All user data is stored here. |
We maintain Data Processing Agreements (DPAs) with all sub-processors in accordance with GDPR Article 28.
We will provide at least 30 days' advance notice before any new sub-processor begins processing personal data, via email or in-app notification. You may object to a new sub-processor by notifying us in writing at info@algomim.com within that 30-day period. If you object and we cannot reasonably accommodate the objection, you may terminate the affected services without penalty.
4. International Data Transfers
Your personal data is transferred to countries outside the EU/EEA, primarily the United States. For these transfers, we implement the following safeguards under GDPR Chapter V:
4.1 Transfer Mechanisms
- EU Standard Contractual Clauses (SCCs) — approved by the European Commission (Decision 2021/914), executed with each US-based sub-processor
- Supplementary measures — including encryption in transit (TLS 1.2+), encryption at rest, access controls, and contractual restrictions on government access requests
4.2 Transfer Impact Assessment
We have conducted Transfer Impact Assessments (TIAs) for transfers to the United States, evaluating the legal framework and implementing supplementary technical and organizational measures to ensure an essentially equivalent level of protection as required by the CJEU's Schrems II ruling. These measures include encryption in transit (TLS 1.2+), encryption at rest, strict access controls, and contractual restrictions on government access requests. Our TIA documentation is maintained internally and is available upon request to the competent supervisory authority.
5. AI-Specific Data Processing
5.1 How AI Processing Works
When you use the Algomim AI assistant:
- Your chat message (prompt) is sent from your browser/plugin to our server
- Our server constructs a request including your message, conversation history, and system instructions
- This request is sent to the AI model provider via the OpenRouter gateway API
- The AI model generates a response, which is streamed back to your browser/plugin
- Both your message and the AI response are stored in our Firestore database
5.2 What This Means for Your Data
- Your personal information is NOT sent to AI providers — your email address, name, billing details, and other identifying information are never transmitted to OpenRouter or any AI model. Only your chat content and a pseudonymous session identifier are sent.
- We do NOT use your data for model training — we have contractual commitments with our AI providers that your data is not used for training purposes
- Data minimization — we only send the necessary context (current conversation) to AI providers, not your entire account data
- No profiling — we do not use AI to profile you, make automated decisions about you, or assess personal characteristics
5.3 Image Generation
When you use the image generation feature:
- Your text prompt is sent to FAL.ai — no personal identifying information is included
- Generated images are stored in our Firebase Cloud Storage
- FAL.ai processes the prompt solely for image generation and does not retain it
6. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
6.1 Right of Access (Art. 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access a copy of that data along with information about the processing.
How to exercise: Email info@algomim.com with "Data Access Request" in the subject line.
6.2 Right to Rectification (Art. 16)
You have the right to request correction of inaccurate personal data and completion of incomplete data.
How to exercise: Update your display name directly in the Service settings, or email us for other corrections.
6.3 Right to Erasure / Right to Be Forgotten (Art. 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
How to exercise: Delete your account through Service settings (Settings > Account > Delete Account), or email us. Note: We may retain certain data where required by law (e.g., billing records for 10 years per Turkish commercial law).
6.4 Right to Restriction of Processing (Art. 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.
How to exercise: Email info@algomim.com.
6.5 Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another controller.
How to exercise: Email info@algomim.com with "Data Portability Request" in the subject line. We will provide your data in JSON format within 30 days.
6.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
How to exercise: Email info@algomim.com with "Objection to Processing" in the subject line.
6.7 Right Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
Note: The Algomim AI assistant does not make automated decisions with legal or significant effects. AI outputs are suggestions that require your review and decision.
6.8 Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
7. How to Exercise Your Rights
7.1 Contact Information
For all GDPR-related requests:
Email: info@algomim.com
Subject Line: Include "GDPR Request" or the specific right you wish to exercise
Postal Address: Mustafa Kemal Mah. Dumlupinar Blv. ODTU TEKNOKENT Bilisim Inovasyon Merkezi CoZone 280/G No: 1260 Cankaya / Ankara 06520
7.2 Identity Verification
To protect your privacy, we may request verification of your identity before processing your request. This typically involves confirming the email address associated with your account.
7.3 Response Timeline
We will respond to your request within 30 days of receipt. If the request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, in which case we will inform you of the extension within the initial 30-day period.
7.4 No Fee
We will not charge a fee for exercising your rights, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse the request.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay
- We maintain an internal data breach register documenting the facts, effects, and remedial actions taken
9. Data Protection Impact Assessment (DPIA)
We have conducted Data Protection Impact Assessments for high-risk processing activities, including:
- AI processing of user data — assessing risks of transmitting chat data to third-party AI providers
- Cross-border data transfers — evaluating risks of transferring data to the United States
- Large-scale data storage — assessing risks associated with cloud-based storage of user content
These DPIAs are maintained internally and updated when processing activities change materially.
10. EU AI Act Compliance
In anticipation of the EU AI Act obligations:
- Transparency: We clearly disclose that you are interacting with an AI system when using the chat interface
- AI-generated content labeling: AI responses are clearly identified as AI-generated within the chat interface
- Human oversight: All AI outputs require your review and validation before use; no automated actions are taken without your initiation
11. Cookies and Tracking
11.1 Cookies Used
| Cookie/Storage | Type | Purpose | Duration |
|---|---|---|---|
| Sidebar state cookie | Essential (functional) | Remembers sidebar open/closed preference | 7 days |
| i18nextLng (localStorage) | Essential (functional) | Stores your language preference | Persistent until cleared |
| Firebase Auth tokens (IndexedDB) | Essential (authentication) | Maintains your login session | Persistent until logout (managed by Firebase SDK) |
| plansDismissed (sessionStorage) | Essential (functional) | Tracks if plans banner was dismissed | Current browser session only |
11.2 No Third-Party Tracking Cookies
We do not use third-party advertising cookies. We do not currently use Google Analytics, Facebook Pixel, or similar tracking technologies, but may enable privacy-compliant analytics in the future with appropriate notice and consent mechanisms.
11.3 Crisp Widget
The Crisp customer support widget may set its own cookies for session management. Please refer to Crisp's Cookie Policy for details.
12. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:
- Your local EU/EEA Data Protection Authority — a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- Turkish Data Protection Authority (KVKK) — for users also subject to Turkish law: https://www.kvkk.gov.tr
We encourage you to contact us first at info@algomim.com so we can try to resolve your concern directly.
13. Changes to This Notice
We may update this GDPR notice from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
14. Contact
Data Controller: Dijital Inovasyon ve Yapi Teknolojileri A.S.
Address: Mustafa Kemal Mah. Dumlupinar Blv. ODTU TEKNOKENT Bilisim Inovasyon Merkezi CoZone 280/G No: 1260 Cankaya / Ankara 06520
Email: info@algomim.com
MERSIS No: 0295103853200001