Privacy Policy

Last updated: March 2026

1. Introduction

Penfai LLC ("Company", "we", "us") operates the TesvikAra platform ("Platform"), an AI-powered government incentive discovery and application management service. We are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, process, store, and safeguard your information when you use our Platform, in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK) and the EU General Data Protection Regulation (GDPR) where applicable. By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We may collect the following categories of personal data through the Platform:

  • Identity information: Full name and, where required for government applications, national identification number.
  • Contact details: Email address, telephone number, and business address.
  • Company information: Trade name, tax identification number, industry sector, employee count, and field of activity.
  • Usage data: Session information, pages viewed, search queries, clicks, and interaction patterns.
  • Technical data: IP address, browser type, device information, operating system, and referral source.

3. How We Use Your Data

Your personal data is processed for the following purposes:

  • Providing Platform services and managing your user account.
  • Delivering AI-powered incentive matching and eligibility analysis tailored to your company profile.
  • Tracking and reporting on incentive application processes.
  • Responding to customer support inquiries and feedback.
  • Improving the Platform, ensuring security, and diagnosing technical issues.
  • Fulfilling our legal and regulatory obligations.

4. Cookies

Our Platform uses cookies to enhance your experience and improve our services. Essential cookies are required for core Platform functionality and cannot be disabled. Analytics cookies collect anonymized usage statistics to help us understand how the Platform is used; you may manage these through your browser settings. We do not use advertising cookies. Third-party cookies are employed solely for performance analytics through trusted partners.

5. Third-Party Sharing

We do not share your personal data with third parties without your explicit consent, except in the following circumstances:

  • Service providers: Trusted infrastructure partners for hosting, payment processing, and email delivery, all bound by data processing agreements.
  • Legal requirements: Disclosure to competent authorities where required by court order, regulatory request, or applicable law.
  • Business partners: Information shared with relevant government agencies in the course of incentive applications, only with your prior consent.

All third-party service providers operate under data processing agreements that comply with KVKK and, where applicable, GDPR requirements.

6. Data Security

Your personal data is protected with 256-bit SSL/TLS encryption in transit. Our servers are hosted in ISO 27001-certified data centers, and we conduct regular security audits and penetration testing. Access to personal data is restricted to authorized personnel through role-based access controls and multi-factor authentication.

7. Your Rights

Under KVKK (Article 11) and GDPR (where applicable), you have the right to:

  • Request information about whether your personal data is being processed.
  • Obtain details about the processing of your personal data.
  • Learn the purpose of data processing and whether your data is used in accordance with that purpose.
  • Know the third parties to whom your data has been transferred, domestically or internationally.
  • Request correction of incomplete or inaccurate data.
  • Request erasure or destruction of your data under the conditions set forth in applicable law.
  • Object to any outcome arising from the automated analysis of your data that is adverse to you.
  • Claim compensation for damages resulting from unlawful processing of your data.

8. Data Retention

Your personal data is retained for as long as necessary to fulfill the purposes for which it was collected. If you delete your account, your data will be permanently removed from our systems within 30 days. Data that must be retained due to legal obligations will continue to be stored for the periods specified under applicable law.

9. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights under KVKK or GDPR, please contact us through the following channels:

  • Email: support@penfai.com
  • Data Controller: Penfai LLC

All requests will be evaluated and resolved within 30 days of receipt.