Data Protection (KVKK) Notice

1. Data controller

Gramavec acts as the data controller. You can submit requests via the contact address published on our website.

2. Personal data we process

Identity/contact data (your email and authentication details), transaction-security data (session tokens, rate-limit and error logs), and the handwriting/signature images you upload together with the analysis results.

Morphological features derived from your uploads — quantitative measurements our calibrated engine produces (pressure, slant, letter height, proportion, connection structure). Because these features could be construed as biometric data under a broad reading of KVKK art. 6, we take the safer path and obtain **explicit consent** for the relevant processing (collected at signup and before every upload).

Important scope boundary: Discovery features (personality style, learning style, handwriting wellness, partner compatibility) are offered for **entertainment and self-discovery only** — they are NOT an identity, diagnostic, hiring, or decision tool. Forensics features (signature/document) are offered as an **expert pre-screening assistant**; a certified expert always has the final say. The Enterprise surface contains organisational management data only.

We do not seek to collect other special-category data (clinical health information, religious belief, biometric identifiers used for ID verification, etc.); please avoid uploading such content.

3. Purposes and legal grounds

We process data to provide the requested analysis, manage your account, enforce usage limits, secure the service, and meet legal obligations — relying on contract performance, legal obligation, and legitimate interest (KVKK art. 5).

Processing that requires transfer abroad, and any processing of morphological features that could fall under a broad reading of KVKK art. 6, relies on your **explicit consent**.

4. International transfer

Our analysis workflow runs on our own calibrated measurement engine; for some language-understanding and visual-interpretation steps we use **Google's Gemini API as a data processor**. During those calls the uploaded images are transferred to Gemini's infrastructure abroad; this transfer relies on your explicit consent. Per Gemini's commitment, those call-time inputs are not retained for model training.

Payment data, if any, is shared with our payment processor.

5. Retention and your rights

Uploaded raw images are retained for the duration of your subscription tier's retention window (Free: 24 hours, Professional: 90 days, Business: 1 year, Enterprise: per-organisation policy) and then automatically purged by a scheduled cleanup task.

Structured analysis reports (numeric measurements + generated text) are kept until you delete them or close your account; Enterprise tenants may set a shorter retention window.

Images are transmitted over TLS 1.3 and (when stored on Google Cloud Storage) protected by Google-managed server-side encryption. When the MongoDB blob fallback path is used (development or single-tenant deployments), raw image bytes are Fernet-encrypted (AES-128-CBC with HMAC authentication) before they reach the database — at-rest protection is in line with the GCS path.

Under KVKK art. 11 you have rights to learn about, access, correct, delete, and object to the processing of your data, and to request that these actions be communicated to third parties. Submit requests via the contact address on our website.