Privacy Policy
This Privacy Policy explains how Commap (Biracılar Sok. No:3, Şişli / İstanbul, Türkiye) collects, uses, shares and protects information in connection with the Commap corporate intelligence platform and the websites, panels and APIs we operate. It is designed to align with applicable data protection laws across the jurisdictions in which our customers and visitors operate, including the EU General Data Protection Regulation (GDPR), the United Kingdom GDPR, the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), Brazil's LGPD, Türkiye's KVKK and equivalent regulations in the GCC region.
1. Definitions
"Commap", "we", "us" or "our": Commap, with its registered office at Biracılar Sok. No:3, Şişli / İstanbul, Türkiye, the controller of personal information processed through our corporate website and panel.
"Customer": The organisation that purchases or subscribes to the Service.
"User": An individual authorised by a Customer to access the Service.
"Service": The Commap digital perception and corporate intelligence platform, including websites, panels, APIs and related reports.
"Personal information" / "Personal data": Information that identifies, relates to or could reasonably be linked to an individual, as defined by the applicable law.
"Processing": Any operation performed on personal information.
2. Who is Responsible for Your Data (Controller / Processor Roles)
For information collected through our corporate website, account creation, billing, support and marketing, Commap acts as the controller (or "business" under CCPA/CPRA).
For information processed on behalf of a Customer in the course of providing the Service, Commap acts as a processor (or "service provider" under CCPA/CPRA) and operates strictly under the Customer's documented instructions, governed by a separate Data Processing Addendum (DPA).
Where required by law, the DPA incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
3. Information We Collect
Account & contact data: name, business email, job title, organisation, phone, postal address, password hashes and authentication factors.
Commercial data: billing details, contract terms, invoices, purchase history.
Service usage data: IP address, device and browser metadata, log files, session identifiers, feature usage, in-app actions.
Communications: messages exchanged via our support channels, demo forms, sales correspondence and survey responses.
Service-Processed Data: Datasets processed on behalf of Customers pursuant to monitoring parameters they define, derived from publicly available digital sources. We do not access closed, password-protected or authenticated-only spaces.
We do not knowingly collect sensitive or special categories of data. Where such information is incidentally surfaced from public sources, it is handled under data-minimisation principles and is not associated with identified individuals where avoidable.
4. How We Use Information
To provide, maintain and improve the Service, including authentication, billing, support, security and analytics.
To fulfil our contractual obligations and respond to Customer instructions.
To communicate with Customers and Users about service updates, security advisories, billing and support.
To send marketing communications to organisational contacts, subject to applicable consent or opt-out requirements.
To detect, prevent and respond to security incidents, fraud or violations of our Terms.
To comply with legal obligations, court orders and law-enforcement requests where lawful.
To generate aggregated, de-identified analytics that do not relate to any identifiable individual.
5. Legal Bases for Processing (EEA, UK, Türkiye)
Performance of a contract (GDPR Art. 6(1)(b); KVKK Art. 5/2-c): account management, billing, providing the Service.
Legitimate interests (GDPR Art. 6(1)(f); KVKK Art. 5/2-f): security, fraud prevention, network operations, product improvement, B2B marketing, processing of publicly disclosed information in line with the data subject's own disclosure, and corporate intelligence purposes balanced against the rights of data subjects.
Legal obligation (GDPR Art. 6(1)(c); KVKK Art. 5/2-ç): compliance with tax, accounting, lawful requests and other statutory duties.
Consent (GDPR Art. 6(1)(a); KVKK Art. 5/1): where required, for non-essential cookies, certain marketing channels and the processing of special-category data made manifestly public (GDPR Art. 9(2)(e)).
Performance of a task carried out in the public interest, vital interests and other lawful bases may apply where permitted.
6. Public-Source Datasets and Minimisation
Service-Processed Data is sourced only from publicly available digital information that has been openly disclosed by its author or made available without authentication requirements.
Our processing applies data-minimisation, purpose-limitation and pseudonymisation principles. Direct identifiers are stored using pseudonymous tokens where the operational use case permits, and panel views avoid surfacing direct identifiers wherever this is consistent with the legitimate purpose of the Service.
Analytical and aggregated outputs are designed to be non-identifying and are produced from datasets that have been irreversibly anonymised where applicable.
We do not perform automated decision-making that produces legal effects or similarly significant effects concerning data subjects (GDPR Art. 22).
7. Sharing and Sub-processors
We share personal information with: cloud infrastructure providers (hosting, storage, backups); analytics, monitoring and security providers; payment processors; professional advisors (lawyers, auditors, accountants); authorities when legally required; and any successor entity in connection with a corporate transaction.
All sub-processors are bound by written contracts that impose confidentiality, security, data-protection and assistance obligations no less protective than those we owe to Customers.
A current list of material sub-processors is provided to Customers upon request as part of the DPA package, under confidentiality terms.
We do not sell personal information as defined under CCPA/CPRA and we do not engage in "sharing" personal information for cross-context behavioural advertising without affording applicable opt-out rights.
8. International Data Transfers
Our primary processing infrastructure is located in Türkiye. Where personal information is transferred to recipients located in another jurisdiction, we rely on the following safeguards as applicable:
Adequacy decisions issued by the European Commission or the UK Information Commissioner's Office (ICO).
Standard Contractual Clauses (SCCs) approved by the European Commission and, where required, supplemented by the UK International Data Transfer Addendum.
Türkiye KVKK Art. 9 transfer commitments and Personal Data Protection Board approvals where applicable.
Binding contractual safeguards with sub-processors, including confidentiality, technical and organisational measures and onward-transfer restrictions.
Where required, we provide copies of the relevant transfer mechanism to Customers via the DPA.
9. Retention
Account and commercial data: retained for the duration of the Customer relationship plus the period required to comply with tax, accounting, statute-of-limitation and other legal obligations (typically up to ten years).
Service-Processed Data: retained for the duration required to deliver the Service; analytical/aggregated outputs typically retained for up to 24 months unless a longer Customer-specified retention period applies.
Marketing data: retained until the recipient unsubscribes or withdraws consent, plus a reasonable suppression period.
Cookie data: retained according to cookie lifetime, with a maximum duration of 24 months unless re-set by your interaction.
Upon expiry, information is deleted, destroyed or irreversibly anonymised in accordance with applicable law and our information lifecycle procedures.
10. Security
We implement technical and organisational measures appropriate to the risk, including: end-to-end TLS 1.3 encryption in transit; tenant-level isolation at the database layer; role-based access control (RBAC) and multi-factor authentication; immutable audit logging; periodic vulnerability assessments and independent penetration testing; secure software development lifecycle; vendor risk management; staff confidentiality and training; backup and disaster-recovery procedures.
Our information security management practices are designed in alignment with ISO 27001 principles.
No security control is perfect. We will notify affected Customers and, where required, supervisory authorities of personal data breaches in accordance with applicable law.
11. Your Rights
Subject to applicable law and identity verification, you may have the right to:
Access the personal information we hold about you; obtain a copy in a portable format; request rectification of inaccurate or incomplete information; request erasure ("right to be forgotten") where conditions are met; restrict or object to certain processing; withdraw consent where processing is based on consent; lodge a complaint with a supervisory authority.
For residents of the EEA/UK: GDPR Articles 15-22 apply; you may complain to your local supervisory authority (e.g., ICO in the UK).
For residents of California: CCPA/CPRA grants rights to know, delete, correct, opt out of "sale" or "sharing", and non-discrimination. We do not sell personal information.
For residents of Türkiye: KVKK Article 11 rights apply; complaints may be lodged with the Turkish Personal Data Protection Board (KVKK).
For residents of Brazil: LGPD Article 18 rights apply.
Requests can be submitted to privacy@commap.tr or hello@commap.tr and will be addressed within the timeframes required by applicable law (typically 30 days, extendable where permitted).
12. Right to Object and Public-Source Information
Where Commap processes information sourced from publicly available digital channels, you may object to the processing of your information at any time on grounds relating to your particular situation.
Requests for removal of specific publicly sourced content from analytical datasets should include the URL or other unique identifier of the content. We will assess and respond in accordance with applicable law and, where appropriate, instruct upstream providers to apply the request.
13. Children
The Service is intended for use by organisations and adult professional users. We do not knowingly collect personal information from children under the age of 16 (or under 13 where applicable). If you believe a child has provided personal information to us, please contact us so we can take appropriate action.
14. Cookies and Similar Technologies
We use strictly necessary cookies and, with consent where required, performance, functional and marketing cookies. Detailed information is provided in our Cookie Policy. You may manage your preferences through your browser settings or our cookie preference centre.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be highlighted at the top of this page with the updated effective date. Where required, we will notify registered Customers and Users via email or in-product notice.
16. How to Contact Us
Privacy questions and data-subject requests: privacy@commap.tr · hello@commap.tr
Mailing address: Commap, Biracılar Sok. No:3, Şişli / İstanbul, Türkiye
Telephone: +90 (212) 273 27 50
Customers requesting a Data Processing Addendum, sub-processor list or transfer documentation may contact privacy@commap.tr.