Giizo AI

Giizo AI

KVKK Disclosure Notice

Data controller disclosure notice under Turkish Data Protection Law (KVKK) by Giizo Yapay Zeka Teknolojileri Ltd. Şti.: processing purposes, legal grounds, transfers and your rights.

Effective date: 14 July 2026

1. Introduction and Purpose

This Disclosure Notice is prepared under Article 10 of Turkish Law No. 6698 on the Protection of Personal Data (“KVKK”) and the related Communiqué on the Procedures and Principles for Fulfilling the Disclosure Obligation, to inform you about how Giizo Yapay Zeka Teknolojileri Ltd. Şti. (“Giizo AI”, the “Company”) processes your personal data.

This notice should be read together with the Privacy Policy, Terms of Use, AI Terms of Use and Subprocessors pages. The general framework for personal data processing is in the Privacy Policy; the KVKK-specific disclosure elements are on this page.

2. Data Controller

The data controller under KVKK is:

  • Entity: Giizo Yapay Zeka Teknolojileri Ltd. Şti.
  • Address: Kuyuluk Mah. 36107 Sok. No:3A Mezitli, Mersin, Türkiye
  • Email: mail@giizo.ai
  • Contact: Contact form

Role distinction (three-party structure): Giizo AI is a B2B platform.

  • For account holder (business) data (registration, billing, dashboard usage), Giizo AI is generally thedata controller.
  • For the business’s own end-customer data (channel messages, conversation content, uploaded customer files, etc.), the business is generally thedata controller and Giizo AI acts as adata processor delivering the Service on the business’s instructions. The contractual detail of this distinction (data processing agreement / DPA) must be clarified separately.

This Disclosure Notice primarily covers data that Giizo AI processes as a data controller (account holders, visitors, demo/contact/support applicants).

3. Processing of Personal Data and Collection Touchpoints

Your personal data may be collected through the following touchpoints:

  • Account registration / sign-in: name, email, account credentials, company information.
  • Demo request and contact form: name, email, phone, message content, company/business information.
  • Support requests: correspondence content and contact details.
  • Billing / payment: invoice information; card data is processed by the payment provider (iyzico).
  • Automatic collection: IP address, device/browser information, usage/log data, cookies.
  • Voice channels: voice data received via Web Widget, Standalone and Robot, and voice profile/voice cloning data (may be special-category data — see §7).

4. Purposes of Processing Personal Data

Your personal data may be processed for the following purposes:

  • Providing, managing, maintaining and performing the contract for the Services
  • Membership/account creation, authentication and account security
  • Conducting billing, collection and accounting processes
  • Responding to requests, suggestions and support applications
  • Measuring service quality, product and process improvement; learning features specific only to the relevant business’s agent (RAG, Agent Learning)
  • Information security, fraud and abuse prevention
  • Service notifications and critical security announcements; marketing/promotional communication where explicit consent is given
  • Fulfilling legal obligations and responding to authorized authority requests

Giizo AI does not use customer content to train shared foundation models across all customers; your data is not sold or rented for model training.

Your personal data is collected through automated or partly automated means such as websites, dashboards, forms, APIs/integrations, access channels and cookies.

Legal grounds for processing (KVKK Art. 5), by way of example:

  • Establishment/performance of a contract (Art. 5/2-c): account, subscription and Service delivery.
  • Legal obligation (Art. 5/2-ç): tax, accounting and statutory retention.
  • Establishment/exercise/protection of a right (Art. 5/2-e): dispute management.
  • Legitimate interest (Art. 5/2-f): security, abuse prevention and service improvement (without harming fundamental rights and freedoms).
  • Explicit consent (Art. 5/1): for processing outside the above exceptions and for special-category data.

Your personal data may be processed without your explicit consent in the following cases:

  • Where expressly provided for by law
  • Where directly related to the establishment or performance of a contract
  • Where mandatory for the Company to fulfill a legal obligation
  • Where made public by the data subject
  • Where mandatory for the establishment, exercise or protection of a right
  • Where mandatory for the legitimate interests of the Company, provided that fundamental rights and freedoms are not harmed

7. Special-Category (Biometric / Voice) Data

Voice data processed within voice interaction and voice cloning / voice profile features may, depending on context, be consideredspecial-category personal data under KVKK Art. 6. Such data is processed only with the data subject’s explicit consent or under legal exceptions. Businesses using voice cloning are obligated to inform the individuals they interact with that the voice is cloned/synthesized.

8. Data Transferred to Third Parties

In accordance with KVKK Articles 8 and 9, and to the extent necessary, your personal data may be transferred to:

  • Service providers / subprocessors — current list: Subprocessors (in summary: Meta Platforms, Twilio, Google, OpenAI [fallback], iyzico; conditionally NetGSM).
  • Authorized public institutions and authorities — under legal obligations.
  • Parties to a business transfer — in mergers, acquisitions, etc.
  • Third-party integrations connected on your instruction — Meta channels, MCP tools, payment provider.

International transfers: Some providers may process data in data centers outside Türkiye. In such cases, mechanisms compliant with KVKK’s cross-border transfer provisions (explicit consent or prescribed safeguards/undertakings) are applied. Primary AI inference and embedding operations run on the Company’s self-hosted systems.

9. Web Server Log Data

When you access our websites and Services, our servers may automatically record log data such as IP address, access date/time, pages viewed, browser and operating system information. These records are kept for a limited period for security, debugging and legal obligations.

10. Cookies

We use cookies on our websites to operate the services and improve the experience. You can manage your cookie preferences from your browser settings; blocking certain cookies may affect some functionality.

11. Your Rights Regarding Your Personal Data (KVKK Art. 11)

Under Article 11 of KVKK, you have the right to: learn whether your personal data is processed, request information if it is, learn the purpose of processing and whether it is used accordingly, know the third parties to whom it is transferred domestically or abroad, request correction if it is incomplete/incorrect, request erasure/destruction under KVKK Art. 7, request that correction/erasure be notified to third parties to whom the data was transferred, object to an outcome against you resulting exclusively from automated analysis, and claim compensation for damages arising from unlawful processing.

12. Exercising Rights, Application and Contact

To exercise your rights, you may submit your requests to mail@giizo.ai or via the contact form. After your identity is verified, your application is concluded within the periods prescribed by KVKK and related legislation (as a rule, within a maximum of 30 days). Depending on the nature of the request, a fee may be charged where permitted by KVKK.

13. Data Security

We apply commercially reasonable technical and administrative measures — such as encryption, access control, network segmentation and logging — to protect your personal data against unlawful access, loss and misuse. Retention periods are determined by service delivery, legal obligations (e.g., 10 years for financial records under the Turkish Tax Procedure Law) and legitimate interests. Following an account deletion request, data may be kept restorable for 30 days; at the end of this period it is anonymized or permanently deleted.

14. Data of Minors

Our Services are not directed at persons under the age of 18, and personal data is not knowingly collected from such persons. Age restrictions on the end-user side also depend on the relevant channel and business policies.

Our sites may contain links to third-party sites not operated by the Company. The Company is not responsible for the data practices of these sites; we recommend reviewing their own privacy/disclosure notices.

16. Changes

This Disclosure Notice may be updated from time to time. The current version is published on this page; where necessary, additional notice is provided for significant changes.