Privacy Policy
Copy revision: July 2026 (not legal approval)
1. Information We Collect
We collect information you provide directly when you create an account, configure a business workspace, or contact us. This may include name, business email, company information, and support content. Billing contact and transaction metadata are processed only when a contracted billing/provider flow is selected and activated. LuniOps does not claim to store raw card details; the selected payment provider handles them under the signed customer terms.
2. How We Use Your Information
We use collected information to provide, maintain, secure, and improve the contracted service, send service notifications, and communicate about the account. Billing transaction metadata is processed only when the agreed provider flow is activated.
3. Legal Basis for Processing
Where GDPR applies, our main legal bases are Article 6(1)(b) for account, subscription, support, order, delivery, and invoice processing needed to perform the contract; Article 6(1)(c) for tax, accounting, retention, and other legal-obligation records; Article 6(1)(f) for service security, abuse prevention, customer support, operational reliability, and dispute handling; and Article 6(1)(a) where optional analytics, marketing, or optional location features rely on consent. Where Turkish KVKK applies, we map these activities to the relevant processing conditions under KVKK Articles 5 and 6 and obtain explicit consent where required. Consent-dependent processing is managed separately from this information notice.
4. Turkey / KVKK Information Notice
Where Turkish KVKK applies, the controller for LuniOps account and service data is the provider identified in the Legal Notice, unless a business customer acts as the controller for its own customer, employee, order, delivery, and invoice data. We process account, company, order, delivery, invoice, support, security, and consent records to provide the B2B service, maintain legally required records, prevent abuse, resolve disputes, and communicate service-critical information. Data may be shared with the sub-processors listed below, payment providers, professional advisers, and authorities where legally required.
5. Explicit Consent
Explicit consent is requested as a separate choice when a processing activity relies on consent, for example optional analytics cookies, marketing communication, or optional location features. Contractual service processing, security processing, and statutory invoice retention are not switched off by withdrawing consent. You can withdraw optional consent in the account privacy page or through the secure contact form.
6. Commercial Electronic Messages
Marketing email, SMS, or call communication is sent only where the required consent exists. For recipients in Turkey, commercial electronic message permissions and withdrawal handling must also be aligned with the IYS framework where applicable. Service messages about login, security, invoices, deliveries, support, or contract performance are treated separately from marketing communication.
7. Data Security
Security controls depend on the deployed service configuration. Managed Google Cloud and Firebase services provide transport and storage protections; exact algorithms, regions, and enforcement status are verified service by service before production sign-off.
8. Sub-Processors
The production sub-processor list is confirmed in signed customer documents after provider, region, transfer, and legal review. Managed Google Cloud/Firebase services are current technical candidates for infrastructure, authentication, database, and storage. A payment provider is listed only if selected and activated for contracted billing; this public draft is not the final production register.
9. International Transfers
LuniOps primarily uses the managed cloud and payment infrastructure listed above. Where personal data is transferred outside the EU/EEA, the transfer is assessed under GDPR Chapter V, including Articles 44-46, and is supported by Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914 or another valid transfer mechanism where required. We review transfer risks and supplementary measures for relevant sub-processors. Where KVKK applies to a cross-border transfer, the transfer is assessed under the applicable KVKK rules and uses explicit consent or another lawful transfer mechanism where required. Production region and sub-processor details are confirmed in the applicable customer DPA/order documents.
10. Cookies & Tracking
We use essential cookies required for the service to function (authentication, session management). We do not use third-party advertising cookies. Optional analytics is disabled by default and only starts after explicit consent, including where consent is required under TDDDG/ePrivacy rules.
11. Data Retention
We retain personal information for as long as your account is active or as needed to provide the service. Invoice-related and business records are retained for the applicable statutory retention period, depending on document type and jurisdiction. You can request deletion of non-legally-required data at any time.
12. Consent Management
Consent-dependent processing is logged separately from core service processing where the product supports it. Public cookie choices are versioned and minimized when the deployed consent endpoint is enabled; in-app marketing, analytics, and optional location choices are managed in the account privacy settings where available. Withdrawing consent affects future optional processing and does not remove records that must be retained for contract, tax, accounting, security, or legal reasons.
13. Your Rights (GDPR / KVKK)
Under GDPR and, where applicable, KVKK, you may request access to your personal data, correction of inaccurate data, deletion or anonymization where legally possible, restriction or objection to processing, data portability, and information about processing purposes and recipients. To exercise these rights, use the secure contact form or the confirmed email published in the Legal Notice.
14. Data Protection Contact / DPO
Privacy requests can be submitted through the secure contact form or the confirmed email published in the Legal Notice. LuniOps has not publicly appointed a separate data protection officer unless required for a specific customer, processing activity, or legal assessment. If a formal DPO is appointed or required under GDPR Article 37 or applicable local law, this notice and the relevant customer documents will be updated.
15. Children
LuniOps is a B2B operations service and is not directed to children or private consumer users. Customers must not intentionally create user accounts for children or enter children's personal data into the service unless they have a valid legal basis, required notices, and customer-side approvals for that specific processing.
16. Personal Data Breach Notification
If we become aware of a personal data breach affecting data processed by LuniOps, we will assess the incident, take appropriate containment steps, and notify affected customers or authorities where legally required. GDPR notification duties, including Articles 33 and 34 where applicable, depend on the role, risk, and facts of the incident; customer controller duties remain with the customer for its own data subjects.
17. Data Processing Agreement
A non-final DPA template referencing GDPR Article 28 is available for customer and counsel review. It becomes applicable only when the provider identity is configured, legal review is complete, and customer terms are signed.
18. Contact Us
For questions about this Privacy Policy, use the secure contact form or the confirmed email published in the Legal Notice.