1. General Information and Data Controller
This Privacy Policy ("Policy") explains how personal data collected through the hareki.com website and the Hareki Studio platform ("Platform", "Service") operated by Hareki LLC ("Company", "we", "us"), operating under the Hareki Studio brand, is collected, processed, stored, transferred, and protected.
Hareki LLC is a limited liability company established under the laws of the State of New Mexico, United States of America. The Platform offers AI-powered social media content creation services (SaaS) and serves users in Turkey, the European Union, and worldwide.
Information about the legal entity acting as data controller under Law No. 6698 on the Protection of Personal Data ("KVKK"), the European Union General Data Protection Regulation ("GDPR", EU 2016/679), and the California Consumer Privacy Act ("CCPA"):
- Trade Name: Hareki LLC
- Place of Establishment: New Mexico, United States of America
- Website: hareki.com
- Email: privacy@hareki.com
By using the Platform or creating an account, you accept the data processing practices described in this Policy. If you do not accept the Policy, please do not use the Platform.
2. Definitions
The key terms used in this Policy have the following meanings:
- Personal Data: Any information relating to an identified or identifiable natural person. (KVKK Art.3/1-d, GDPR Art.4/1)
- Special Category Personal Data: Race, ethnic origin, political opinion, philosophical belief, religion, sect, dress code, association/foundation/union membership, health, sexual life, criminal conviction, biometric and genetic data. We do not knowingly collect such data through the Platform.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data — Hareki LLC under this Policy.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on their authorization (e.g., Stripe, Vercel, Supabase, OpenRouter).
- Data Subject: The natural person whose personal data is processed — Platform user.
- Data Processing: Any operation performed on personal data: collection, recording, storage, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
- Explicit Consent: Consent relating to a specific matter, based on being informed, and expressed freely.
- Anonymization: Rendering personal data in such a way that it cannot be associated with an identified or identifiable natural person under any circumstances, even when matched with other data.
- Profiling: Using personal data through automated processing to analyze or predict a person's preferences, interests, or behavior.
3. Personal Data Collected
Hareki Studio collects and processes the following categories of personal data to provide its services:
3.1 Identity and Contact Data
- First and last name
- Email address
- Profile information obtained from OAuth providers (Google, Apple, Microsoft, LinkedIn)
- Profile photo (automatic from OAuth provider)
3.2 Brand and Business Data
- Brand / company name
- Brand logo (uploaded file)
- Brand colors and visual identity information
- Brand voice and tone settings (editorial DNA)
- Website URL (for brand analysis)
- Industry and profession information
3.3 Content and Usage Data
- All content created on the Platform (posts, carousels, stories, series)
- Content preferences and template selections
- Content feedback (like, dislike)
- Credit usage history
- Content calendar data
- Quality scores and analysis results
3.4 Technical and Device Data
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
- Language and timezone preference
- Referring URL (referrer)
- Login/logout times
3.5 Financial Data
- Payment information (credit card number, expiration date — processed only by Stripe; not stored by us)
- Subscription plan and status
- Invoice history
- Stripe customer ID
3.6 Authentication Data
- Password hash (computed with bcrypt; the password is never stored as plain text)
- OAuth access and refresh tokens
- Session tokens
3.7 Automatically Collected Data
The Platform automatically collects the following data to improve service quality and for debugging purposes:
- Server logs
- Error reports (via Sentry)
- Performance metrics
- Page view data
4. Purposes of Personal Data Processing
Your personal data is processed for the following purposes:
4.1 Service Delivery
- Account creation and authentication
- AI-powered social media content generation
- Brand voice analysis and personalization
- Content calendar planning and management
- Content quality assessment
- Export services (PNG, ZIP)
4.2 Commercial Activities
- Subscription and payment management
- Credit system management
- Invoice generation
- Customer support
4.3 Service Improvement
- Analyzing and improving platform performance
- Evaluating AI model quality
- Personalizing and improving user experience
- Developing new features
- Aggregate statistical analyses (anonymized)
4.4 Security and Compliance
- Ensuring platform security
- Detecting and preventing fraud and abuse
- Implementing rate limiting
- Fulfilling legal obligations
- Responding to legal requests
4.5 Communication
- Sending service-related notifications
- Notifying you of policy changes
- Providing technical support
5. Legal Basis for Processing Personal Data
5.1 Legal Basis under KVKK (Article 5)
Your personal data is processed based on the following legal grounds under Article 5 of Law No. 6698:
- Explicit consent (Art.5/1): Marketing communications, analytics cookies, and non-mandatory data processing activities.
- Necessary for the performance of a contract (Art.5/2-c): Account creation, service delivery, content generation, subscription management.
- Legal obligation (Art.5/2-ç): Tax legislation, commercial law, and regulatory compliance requirements.
- Legitimate interest (Art.5/2-f): Service improvement, security measures, fraud detection. Users' fundamental rights and freedoms and interests are taken into account when conducting legitimate interest assessments.
5.2 Legal Basis under GDPR (Article 6)
For users in the European Economic Area ("EEA"), the processing of personal data is based on the following legal grounds:
- Performance of a contract (Art.6/1-b): Data processing necessary to provide the core functions of the Platform.
- Legitimate interest (Art.6/1-f): Service improvement, security, fraud prevention. A legitimate interest assessment (LIA) has been conducted for each processing activity.
- Consent (Art.6/1-a): Non-essential cookies, marketing communications. Consent can be withdrawn at any time.
- Legal obligation (Art.6/1-c): Tax and accounting obligations, legal reporting.
5.3 CCPA Scope
For California residents: we do not sell your personal information. Your rights under the CCPA are detailed in Section 14 of this Policy.
6. Data Processing with Artificial Intelligence
Hareki Studio uses artificial intelligence technologies to generate social media content. This section transparently explains how your data is used in AI processes.
6.1 AI Content Generation
During content generation, the following data is sent to third-party AI providers (OpenRouter/OpenAI):
- Brand voice and tone parameters
- Industry and topic information
- Content type preferences
- User-entered prompt texts
6.2 Anonymization
Data sent to AI providers is anonymized. Users' personal identification information (name, email, IP address) is not included in AI requests. The data sent is used solely to create context for content generation.
6.3 AI Provider Data Usage
- AI providers (OpenRouter, OpenAI) do not use data sent via API to train their own models (under API Terms of Service).
- AI requests are processed in real-time; after the request is completed, data on the AI provider's side is subject to the provider's data retention policy (typically 30 days for security purposes).
- Generated content is stored in the user's account by the Platform and is owned by the user.
6.4 Brand Analysis
Automatic brand analysis is performed through the website URL provided by the user. During this process:
- Publicly accessible pages of the website are crawled
- Visual identity elements (logo, colors, typography) are extracted
- Brand voice and tone analysis is performed
- Analysis results are stored only in the relevant user's account
6.5 Model Training
Hareki LLC does not use user data to train its own AI models or for third-party model training. Your data is processed solely for the purpose of providing services to you.
7. Cookies and Tracking Technologies
The Platform uses various types of cookies and similar technologies:
7.1 Essential Cookies
Cookies that are necessary for the core functions of the Platform and cannot be disabled:
- Session cookie (Better Auth): Authentication and secure session management
- CSRF token: Cross-site request forgery protection
- Security cookies: Rate limiting and bot protection
7.2 Functional Cookies
- Theme preference (light/dark mode)
- Language preference
- Interface preferences
7.3 Analytics and Performance Cookies
- Sentry: Error tracking and performance monitoring. User actions are recorded in anonymized form.
7.4 Cookie Management
You can manage or disable all cookies except essential cookies from your browser settings. However, disabling some cookies may affect Platform functionality.
For more detailed information about cookies, please review our Cookie Policy.
8. Transfer of Personal Data
Your personal data is shared with the following third-party service providers to the extent necessary for service delivery. Appropriate data processing agreements (DPA) have been signed with each provider:
8.1 Infrastructure and Hosting
- Vercel Inc. (USA/EU) — Web application hosting, CDN, and edge functions. Servers in USA and EU regions.
- Supabase Inc. (USA) — Database hosting, file storage, and real-time data operations. Row Level Security (RLS) implemented with PostgreSQL database.
8.2 Payment Processing
- Stripe Inc. (USA) — Payment processing, subscription management, and billing. Stripe is PCI DSS Level 1 compliant. Your credit card information is processed directly by Stripe and is not stored by us.
8.3 AI Providers
- OpenRouter / OpenAI (USA) — AI-powered content generation. Anonymized brand and content parameters are sent. Personal identification information is not shared.
8.4 Error Tracking and Analytics
- Sentry (USA) — Application error tracking and performance monitoring. Error reports may contain IP addresses and browser information.
8.5 Email Services
- Resend (USA) — Transactional emails (password reset, notifications). Email address and name information are shared.
8.6 No Sale of Data
Your personal data is never sold, rented, or shared for marketing purposes with third parties. Your data is shared only with the service providers listed above and only to the extent necessary for service delivery.
8.7 Legal Obligation Cases
Your personal data may be shared with authorized institutions and organizations in the following cases:
- Court orders or legal obligations
- Lawful requests from authorized public institutions and organizations
- When necessary to protect the life or physical integrity of the user or others
- Legal requests for the prevention or investigation of criminal offenses
9. International Data Transfers
Hareki LLC is headquartered in the United States and our service providers are located in the USA and EU. Your personal data may be transferred to countries outside Turkey and/or the EEA.
9.1 Transfer Mechanisms
We implement the following protection mechanisms for international data transfers:
- Standard Contractual Clauses (SCC): Standard data protection clauses approved by the European Commission, applied for all non-EU/EEA transfers.
- Adequacy Decisions: Transfers to countries determined by the European Commission to have an adequate level of data protection.
- EU-US Data Privacy Framework (DPF): When our service providers have DPF certification, transfers are carried out under this framework.
- KVKK Adequacy: Transfers to countries with adequate protection under KVKK Art.9 or through mechanisms authorized by the Personal Data Protection Board.
9.2 Server Locations
- Vercel: USA and EU regions (nearest edge server based on user's geographic location)
- Supabase: USA
- Stripe: USA (PCI DSS Level 1 compliant infrastructure)
- Sentry: USA
9.3 Additional Safeguards
We additionally provide the following safeguards for international transfers:
- Transfer impact assessment (TIA) before transfer
- Application of the data minimization principle
- Encryption of transferred data in transit and at rest
- Data Processing Agreements (DPA) signed with service providers
10. Data Security Measures
We implement comprehensive technical and administrative measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
10.1 Technical Measures
- Encryption (Transit): All data communication is encrypted with TLS 1.2+ / HTTPS
- Encryption (At Rest): AES-256 encryption in database and file storage areas
- Password Security: User passwords are hashed with the bcrypt algorithm; never stored as plain text
- Row Level Security (RLS): Row-level security policies at the database level ensuring each user can only access their own data
- Rate Limiting: Abuse prevention through request rate limiting on API endpoints
- CSRF Protection: Token-based protection against cross-site request forgery
- Zod Validation: Runtime data validation at all API entry points
- OAuth 2.0: Secure authentication through Google, Apple, Microsoft, and LinkedIn
- Secure Session Management: JWT-based secure session management with Better Auth infrastructure
10.2 Administrative Measures
- Least privilege principle: Only personnel who need access can access data
- Regular security assessments and code reviews
- Dependency security scans and updates
- Data breach response plan
- Monitoring service provider security compliance
10.3 Data Breach Notification
In the event of a personal data breach, in accordance with applicable legal requirements:
- KVKK: The Personal Data Protection Board is notified as soon as possible and in any case within 72 hours; affected users are informed as soon as possible.
- GDPR: The competent supervisory authority is notified within 72 hours; users are directly informed in case of high-risk breaches.
- CCPA: The California Attorney General's Office and affected consumers are notified within statutory timeframes.
11. Data Retention Periods
Your personal data is retained for the period required by processing purposes and in accordance with legal obligations:
| Data Category | Retention Period |
|---|---|
| Account information (name, email) | Active subscription + 30 days after account closure |
| Brand data (logo, colors, tone) | Active subscription + 30 days after account closure |
| Generated content | Active subscription + 30 days after account closure |
| Payment and invoice information | Legal obligation period (10 years per tax legislation) |
| Technical logs | 90 days |
| Error reports (Sentry) | 90 days |
| Cookie data | During session or up to 1 year |
| OAuth tokens | During session; deleted upon session close |
| Support requests and correspondence | 2 years from resolution of request |
Data whose retention period has expired is securely deleted or anonymized through automatic or periodic destruction processes. In cases of legal obligation, data continues to be stored for the period prescribed by the relevant legislation.
12. User Rights — KVKK
Under Article 11 of Law No. 6698, you have the following rights regarding your personal data:
- Right to know: Learning whether your personal data is being processed.
- Right to request information: Requesting information about your processed personal data.
- Right to learn purpose: Learning the purpose of processing your personal data and whether it is used in accordance with that purpose.
- Right to know third parties: Knowing the third parties to whom your personal data has been transferred, domestically or abroad.
- Correction: Requesting correction of your personal data if processed incompletely or inaccurately.
- Deletion / destruction: Requesting deletion or destruction of your personal data under the conditions set forth in Article 7 of the KVKK.
- Correction/deletion notification: Requesting that correction and deletion operations be notified to third parties to whom your personal data has been transferred.
- Automated analysis objection: Objecting to a result against you arising from the analysis of processed data exclusively through automated systems.
- Compensation: Requesting compensation for damages incurred due to unlawful processing of your personal data.
Application Method
To exercise your rights under the KVKK, you can submit a written application to privacy@hareki.com along with information to verify your identity. Your application will be concluded free of charge within 30 days at the latest. If the process requires additional cost, the fee determined by the Personal Data Protection Board applies.
13. User Rights — GDPR
If you reside in the European Economic Area (EEA), you have the following rights under the GDPR:
- Right of access (Article 15): Requesting a copy of your personal data and obtaining information about processing conditions.
- Right to rectification (Article 16): Requesting correction of inaccurate or incomplete personal data.
- Right to erasure / Right to be forgotten (Article 17): Requesting deletion of your personal data under certain conditions.
- Right to restriction of processing (Article 18): Requesting restriction of processing of your personal data in certain situations.
- Right to data portability (Article 20): Receiving your personal data in a structured, commonly used, and machine-readable format (JSON) and transferring it to another data controller.
- Right to object (Article 21): Objecting to data processing based on legitimate interest. In case of objection, processing is stopped unless compelling legitimate grounds are demonstrated for continuing.
- Right not to be subject to automated decision-making (Article 22): Not being subject to decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to withdraw consent: Withdrawing your consent at any time for consent-based data processing activities. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
Response Period
Requests under the GDPR are responded to within one (1) month at the latest. This period may be extended by two (2) additional months depending on the complexity or number of requests; in this case, you will be informed within the first month along with the reason for extension.
14. User Rights — CCPA (California)
If you reside in California, you have the following rights under the California Consumer Privacy Act (CCPA/CPRA):
- Right to know: Learning what categories of personal information have been collected in the last 12 months, the sources of collection, the purpose of collection, and the third parties with whom information has been shared.
- Right of access: Requesting a copy of your collected personal information.
- Right to delete: Requesting deletion of your collected personal information (subject to legal exceptions).
- Right to correct: Requesting correction of inaccurate personal information.
- Right to opt-out of sale: Objecting to the sale or sharing of your personal information. Note: Hareki LLC does not sell or share your personal information for marketing purposes.
- Non-discrimination: Not being subject to discrimination in service quality, pricing, or access for exercising your CCPA rights.
Information Categories Collected under CCPA
- Identifiers (name, email, IP address)
- Commercial information (subscription history, payment records)
- Internet or electronic network activity (browser type, page views)
- Professional information (brand name, industry, profession)
- User-provided content (brand data, generated content)
Application
To exercise your CCPA rights, you can contact privacy@hareki.com. After identity verification, your request will be responded to within 45 days.
15. Children's Privacy
The Hareki Studio Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from individuals under 18.
If you become aware that an individual under 18 has provided us with personal data, please immediately notify privacy@hareki.com. Upon verification, the data in question will be deleted as soon as possible.
Under the GDPR, parental or guardian consent is required for processing data of children under 16. Under the KVKK, processing data of minors under 18 requires parental/guardian consent. In both cases, the Platform enforces the 18-year age limit.
16. Automated Decision-Making and Profiling
Hareki Studio performs certain automated processing activities in the course of service delivery:
16.1 AI-Powered Content Generation
AI models generate content suggestions based on your brand voice parameters and preferences. This is an automated decision-making mechanism; however:
- Every piece of generated content is reviewed and approved by the user
- The user has the right to edit, revise, or reject generated content
- The final publishing decision always belongs to the user
16.2 Content Quality Scoring
The Platform assigns automatic quality scores to generated content. These scores are for informational purposes only and do not restrict the user's access to the service.
16.3 Brand Voice Analysis
During brand analysis, AI analyzes the publicly available data of your website to create a brand voice profile. The user can edit this profile at any time.
16.4 Your Rights
Under KVKK Art.11 and GDPR Art.22, you have the right to object to decisions based solely on automated processing (including profiling) that produce legal effects or significantly affect you. In case of your objection, evaluation will be conducted with human intervention.
17. Policy Changes
This Privacy Policy may be revised from time to time in line with legal requirements, service changes, or updates in data processing practices.
17.1 Notification Methods
For policy changes:
- Significant changes: Notification sent to your registered email address at least 30 days in advance
- Minor updates: Announced via in-platform notification
- The current Policy is always published at hareki.com/privacy
- The date of each update appears at the top and bottom of the page
17.2 Consent Renewal
For significant changes that expand the scope of data processing, explicit consent may be re-requested in accordance with legal requirements. If you do not accept the changes, your right to close your account is reserved.
18. Contacting the Data Controller
You can use the following channels for any questions, requests, and applications regarding your personal data:
18.1 Contact Information
- Data Controller: Hareki LLC
- Email: privacy@hareki.com
- Web: hareki.com/privacy
18.2 Application Requirements
Your application must contain the following information to be evaluated:
- First and last name
- Registered email address
- Subject of request (which right you wish to exercise)
- Detailed description of the request
- Information necessary for identity verification (the email address associated with your account is sufficient)
18.3 Response Times
- KVKK: Within 30 days at the latest
- GDPR: Within 1 month at the latest (extendable to 2 months)
- CCPA: Within 45 days at the latest (extendable by 45 additional days)
19. Right to Complain
If your requests regarding the processing of your personal data are not met or you are not satisfied with the response, your right to file a complaint with the relevant supervisory authorities is reserved:
19.1 Turkey — KVKK
If your application to the data controller is rejected, the response is found insufficient, or no response is given within 30 days, you can file a complaint with the Personal Data Protection Board:
- Institution: Personal Data Protection Authority (KVKK)
- Web: kvkk.gov.tr
- Address: Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat-Çankaya / Ankara, Turkey
19.2 European Union — GDPR
If you reside in the EEA, you can file a complaint with the data protection authority (Supervisory Authority / Data Protection Authority) in your country. You can access the list of EU data protection authorities on the European Data Protection Board (EDPB) website:
- Institution: European Data Protection Board (EDPB)
- Web: edpb.europa.eu
19.3 California — CCPA
California residents can contact the California Attorney General's Office regarding privacy rights violations:
- Institution: California Attorney General — Office of Privacy Protection
- Web: oag.ca.gov/privacy
19.4 Judicial Recourse
In addition to the above administrative remedies, your right to apply to competent courts for compensation of damages caused by the unlawful processing of your personal data is reserved.
Last updated: March 12, 2026 — Hareki Studio, Hareki LLC, New Mexico, USA.