Privacy Policy
Effective Date: 18.09.2025
1. Introduction
This Privacy Policy explains how ApyGuard ("Company," "we," "our," or "us") collects, uses, shares, and protects your personal data when you use our website, platform, and services (collectively, the "Service"). This policy applies to all users, customers, and visitors from the EU and beyond, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
We, Atlada Cyber Security (owner of ApyGuard brand), a company incorporated under the laws of Turkey, registered with the Turkiye Commercial Register, act as the data controller for the purposes of this Privacy Policy.
This Privacy Policy is provided in English as the primary language of our service. Where required by applicable consumer protection laws (e.g., Article 7 of Directive 2011/83/EU), we may provide localized versions of this policy in additional EU languages to ensure accessibility and transparency.
2. Data We Collect
We may collect personal data directly from you, automatically through your use of the Service, or via integrations with third-party platforms. In some cases, our Service may access or process personal data that belongs to individuals other than our direct users (e.g., end users of your API or application). This occurs when the platform interacts with API traffic or scans that contain third-party personal information. We process such data strictly in accordance with our role as a data processor and apply technical and organizational safeguards to minimize exposure and ensure lawful processing. These data flows remain under the control of our customers, who act as the data controllers.
These are grouped as follows:
a. Information You Provide Directly
- Account Registration: Name, email address, company name, and login credentials
- Billing Information: Payment method and invoice address (processed by third-party payment providers; we do not store payment details)
- Customer Support: Any information you provide when contacting us through forms, emails, or support channels
b. Information Collected Automatically
- Usage Logs: Details of API scans, platform usage, access logs, and error reporting
- Device and Network Data: IP address, browser type, operating system, and device identifiers
- Cookies and Similar Technologies: Used for authentication, analytics, and session preferences
c. Information from Third-Party Integrations
- When you integrate ApyGuard with external services (e.g., GitHub, Jira, Jenkins), we collect metadata required to configure and operate these connections (e.g., project keys, repository URLs, webhook tokens — never actual credentials)
3. Legal Basis for Processing
We rely on the following legal bases for processing your personal data in accordance with Article 6 of the GDPR:
Consent (Art. 6(1)(a)): For processing that requires your explicit permission, such as the use of non-essential cookies, receipt of promotional communications, or participation in beta features. You may withdraw your consent at any time.
Contract performance (Art. 6(1)(b)): Where processing is necessary for the performance of a contract to which you are party, such as registering your account, providing the Service, or processing payments.
Legal obligations (Art. 6(1)(c)): Where we are required to comply with legal or regulatory obligations, such as maintaining tax or transaction records or responding to lawful requests from authorities.
Legitimate interests (Art. 6(1)(f)): Where the processing is necessary for our legitimate business interests, including improving and securing our platform, preventing fraud, understanding user interactions, and maintaining the functionality of the Service, provided such interests are not overridden by your fundamental rights and freedoms.
We conduct a legitimate interest assessment (LIA) where necessary to ensure that your interests and privacy rights are not adversely affected.
4. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve our platform functionality and user interface
- Register your account, manage billing and subscriptions
- Execute automated security scans, provide scan reports and risk alerts
- Respond to support inquiries and other service requests
- Send service notifications, security updates, and transactional communications
- Analyze usage data to enhance performance and security
- Comply with tax, financial reporting, and legal obligations
5. Third-Party and Indirect Data
In scenarios where our system interacts with data that has not been directly collected from the data subject (such as API traffic containing personal data of your clients or users), we may temporarily access or process such data in order to execute scans or deliver security assessments. In these cases:
- Source of the data: The data originates from the client who initiates the scan.
- Legal basis: The data is processed under the legitimate interest of our client (the data controller) and under a data processing agreement as required by Article 28 of the GDPR.
- Data categories: Depending on the context, data may include identifiers such as IP addresses, email addresses, usernames, API tokens, or any user-submitted payloads. These are not used for independent profiling or marketing by ApyGuard.
- Purpose of processing: Such data is processed solely for the purpose of carrying out the scan as instructed by the client and is not reused for any other purpose.
- Storage and retention: Data is retained for the minimum time required to complete the scan and generate a report, then either deleted or anonymized.
- Security measures: ApyGuard applies strict access controls, encryption in transit and at rest, and restricts access to authorized personnel only.
- Rights of data subjects: If you believe your personal data has been processed via a customer’s use of ApyGuard, please contact the relevant organization (our client) directly. ApyGuard will support any lawful request received through the data controller.
We encourage all customers to ensure they have an appropriate legal basis and have fulfilled their own transparency obligations under Articles 13 and 14 of the GDPR before submitting data for scanning. In such cases, clients should also ensure a valid data processing agreement (DPA) is in place with us, defining roles and responsibilities in accordance with Article 28 of the GDPR.
6. Data Sharing
We do not sell your personal data. However, we may share your data in the following situations:
- With service providers (e.g., hosting, analytics, payment processors) acting under confidentiality and data protection agreements
- With integration partners when you authorize a connection between ApyGuard and a third-party service
- With legal authorities, courts, or regulators when required by law or for protecting rights and safety
- In business transactions, such as a merger or acquisition; you will be notified before data is transferred under new ownership
All third-party transfers are protected by data processing agreements and, when required, by Standard Contractual Clauses (SCCs) or other safeguards.
7. International Transfers
If your personal data is transferred outside the European Economic Area (EEA), we apply appropriate safeguards to ensure an adequate level of protection:
- Transfers to countries with European Commission adequacy decisions
- Execution of Standard Contractual Clauses (SCCs)
- Adoption of binding corporate rules, where applicable
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy or to comply with applicable legal obligations. The duration for which data is retained depends on several criteria, including:
- The nature and sensitivity of the data
- The purpose for which it was collected and processed
- Legal, regulatory, or contractual requirements
- Whether the data is actively used in delivering services or required for audit or compliance purposes
Examples include:
- Scan-related data: Retained for up to 12 months to support auditability, security investigations, and compliance documentation, unless a longer period is needed for regulatory purposes.
- Account and billing data: Retained while your account remains active and for up to 6 years after closure to comply with accounting and legal record-keeping requirements.
- Support and communication records: Retained for a reasonable period based on operational needs and user relationship history.
- Device and network data: Retained for up to 12 months for diagnostic and security monitoring purposes unless extended for fraud prevention or compliance investigations.
- Cookies and tracking data: Retained based on their category and function: session cookies expire when you close your browser; analytics and marketing cookies may persist for up to 24 months unless you withdraw consent earlier.
- Third-party integration metadata: Retained as long as the integration remains active or necessary for service continuity; deleted upon disconnection or account closure.
If data is no longer required for its original purpose and no legal obligation applies, it will be securely deleted or anonymized.
9. Your Rights (EU Users)
Under the GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Request erasure of your data (“right to be forgotten”) in certain circumstances
- Restrict processing if you contest the accuracy of the data, object to processing, or need the data retained for legal claims
- Object to processing based on legitimate interests, including profiling
- Data portability, allowing you to obtain and reuse your personal data across different services
- Withdraw consent at any time (when processing is based on your consent)
- File a complaint with your national data protection authority if you believe your rights have been infringed
These rights may be subject to limitations or conditions under applicable law. In some cases, the provision of personal data is required by law (e.g., tax regulations) or necessary to enter into a contract (e.g., to create an account or provide services). Failure to provide such data may result in our inability to deliver the requested services or fulfill our legal obligations.
Where decisions that significantly affect you are based solely on automated processing, including profiling, you have the right not to be subject to such decisions unless they are necessary for entering into or performing a contract, authorized by law, or based on your explicit consent. In such cases, you also have the right to obtain human intervention, express your point of view, and contest the decision.
To exercise your rights, please contact us at: [email protected]. You also have the right to file a complaint with your national or regional data protection authority if you believe that your personal data is being processed in violation of applicable laws. Contact details for EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
10. Security
We implement organizational and technical safeguards, such as encryption, access controls, and pseudonymization, to protect your personal data against unauthorized access, misuse, or loss. In the event of a personal data breach that risks your rights or freedoms, we will notify both you and the relevant supervisory authority in accordance with GDPR requirements.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Authenticate sessions and keep users logged in
- Analyze usage patterns (e.g., pages visited, actions taken)
- Remember user preferences (e.g., language selection)
- Improve performance and detect bugs
Consent is obtained via our cookie banner, in line with GDPR Article 7. You can change your cookie preferences at any time through our cookie settings interface. For more information, refer to our Cookie Policy.
12. Advertising and Remarketing
We may use remarketing services (e.g., Google Ads) to display tailored advertisements based on your past interactions with our platform. This may involve:
- Setting marketing cookies (with consent)
- Using hashed identifiers or IP-based targeting
You can disable personalized ads via browser settings or tools like the Network Advertising Initiative (NAI) opt-out page.
14. Third-Party Links
Our Service may contain links to external websites. We are not responsible for their content or privacy practices. We recommend reviewing the privacy policies of those third-party sites before sharing any personal data.
15. Children’s Privacy
Our platform is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that data has been collected from a minor, we will delete it promptly.
16. Changes to This Policy
We may revise this Privacy Policy periodically. Significant updates will be communicated through email or in-app notifications. Your continued use of the Service after such updates constitutes your acknowledgment and acceptance.
17. Contact Us
If you have questions or concerns about this Privacy Policy or how we handle your personal data, contact us at:
Email: [email protected]
Postal Address: Bahcelievler Mah. 323/1 Cad. Gazi Universitesi Teknokent Binasi No: 10/50C-71 Golbasi, Ankara, Turkiye