Privacy Policy

1. Data Controller

Acting as the data controller, Morfoz Ltd. is registered at 128 City Road, London EC1V 2NX, United Kingdom (Companies House No. 14728392). For data processed by the Istanbul branch, the local data controller is Morfoz Yazılım ve Bilişim Hizmetleri Ltd. Şti.

2. Data We Collect

The following personal data may be processed when you use the Service:

• Account information: First name, last name, email address, password hash, billing address.
• Assistant/clone training data: Text you upload, voice samples, images, product information, and other content.
• Conversation data: Records of your assistants' conversations with end users (for quality and training).
• Usage data: IP address, browser type, session duration, clickstream, cookie information.
• Payment data: We do not store card details; our payment service provider (Stripe) tokenizes and processes them.

3. Purposes and Legal Basis for Processing

We process your data only for the following purposes, based on a valid legal ground:

• Contract performance: Service provision, account management, billing.
• Legitimate interest: Service quality improvement, fraud prevention, security.
• Explicit consent: Marketing communications, cookies (other than necessary), optional analytics.
• Legal obligation: Tax, accounting, response to legal requests.

4. Data Retention

We retain your account data until you delete your account. After a deletion request, all personal data is permanently deleted within 30 days; backups are cleared within 90 days at the latest. Data we are required to retain by law (e.g., invoices, tax records) is kept for the period specified in the relevant law.

5. Data Sharing

We do not sell your data. We share it with third parties only in the following cases:

• Our processors: Cloud infrastructure providers (AWS, Cloudflare), payment processor (Stripe), email service (Postmark) — all under GDPR-compliant contracts.
• Legal talepler: When required by a valid court order or legal obligation.
• Transfer/merger: In case of company transfer or merger, to the new owner (with 30 days prior notice to you).

6. International Data Transfers

Morfoz infrastructure is hosted in the European Union (Frankfurt) and the United Kingdom (London) regions. Data collected from Turkey is transferred under explicit consent and standard contractual clauses. Required safeguards for cross-border data transfer are provided in accordance with Article 9 of KVKK.

7. Your Rights

You have the following rights under GDPR and KVKK:

• Access your personal data and obtain a copy
• Request correction of inaccurate data
• Request erasure of your data ("right to be forgotten")
• Restrict processing or object to it
• Port your data in a machine-readable format
• Withdraw your consent (without retroactive effect)

To exercise these rights, write to support@aigap.com. We respond within 30 days.

8. Cookies

Our site uses only necessary cookies for session management and (with consent) anonymous analytics cookies. We do not place advertising cookies. You can update your cookie preferences at any time from your browser or the cookie panel on the site.

9. Security

Data is encrypted with TLS 1.3 in transit and AES-256 at rest. Access is bound to strict role-based permissions and audited. We are in the SOC 2 Type II preparation process. In case of suspected breach, we notify the relevant authority and affected users within 72 hours.

10. Children's Data

The Service is not intended for individuals under 16. We do not knowingly collect data from a child under 16.

11. Policy Changes

We may update this policy from time to time. Material changes will be notified at least 30 days in advance via email and on the site.

12. Complaints

If you are not satisfied with our data processing, you may file a complaint with the UK ICO (ico.org.uk) or, in Turkey, with the KVKK Authority (kvkk.gov.tr).