1. Data Controller and Roles
This policy is issued by Procright, [Address]. For data processed on behalf of an enterprise Customer, Procright typically acts as a data processor and the Customer acts as the data controller. For details, see the Data Processing Addendum (DPA).
2. Personal Data We Collect
Account information: name, email, role, optional phone number.
Workspace and organization information: company name, team structure, admin permissions.
Uploaded files and procurement content: specifications, product documents, vendor materials.
Usage and analytics data: session duration, click behavior, page visits.
AI interaction data: prompts, AI outputs, user feedback (thumbs up/down).
Cookies and similar technologies: see our Cookie Policy.
3. Purposes of Processing
We process personal data to: (a) deliver and maintain the Service; (b) ensure security and prevent misuse; (c) improve the product; (d) comply with legal obligations; (e) send limited marketing communications (subject to your consent where required).
4. Data Sharing
Sub-processors: see our Sub-processors page for the current list.
Legal requirements: when required by court order, public authority, or applicable law.
Corporate transactions: in the event of a merger or acquisition (with prior notice where required).
Enterprise admins: Customer administrators have access to user data within their workspace.
We do not sell personal data and do not share it with third parties for advertising purposes.
5. International Data Transfers
Some sub-processors may be located outside the EU or Türkiye. In such cases we rely on Standard Contractual Clauses (SCCs), relevant regulatory approvals, or equivalent safeguards to protect the data. Details are provided in the DPA.
6. Retention Periods
Account data: retained until the account is closed, plus [Legal retention period] where required by law.
Customer Content: retained for the term of the Agreement, plus [Post-termination retention].
Usage logs: [Log retention period].
Billing data: retained according to applicable financial regulations ([Financial retention period]).
7. Security Measures
We apply encryption in transit and at rest, role-based access control, multi-factor authentication, regular security testing, and incident response procedures. For more details, see our Security and Compliance Summary.
8. Your Rights (KVKK and GDPR)
You have the right to access, correct, delete, restrict processing, object to processing, and request data portability. Enterprise users can exercise many of these rights through the admin panel. For other requests, contact us at hi@procright.com. We will respond within [Response time].
9. Enterprise Admin Controls and Updates
Customer administrators can manage user access, export data, and process deletion requests from within the platform. This policy may be updated from time to time. For material changes, we will notify you through the platform or via email. The last updated date is shown at the bottom of this page.
10. Contact
For KVKK and GDPR requests or any privacy-related question:
Email: hi@procright.com
Mail: [Address]
Last updated: [Effective date]