Privacy Policy

1. Introduction

Godot Teknoloji Bilişim ve Danışmanlık Hizmetleri Sanayi ve Ticaret Anonim Şirketi ("Godot," "we," "us," or "our") operates the AdaptiveReply platform (the "Service"). Registered office: Demirtaş Cumhuriyet Mah. Müjdat Köstendil Cad. No:129 Osmangazi/Bursa, Türkiye. This Privacy Policy explains what information we collect, how we use it, the legal bases for processing, and the choices you have. By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account we collect your name, email address, and password. If you sign in through a third-party provider (Google or Facebook) we receive the profile information you authorize that provider to share with us, such as your name, email, and profile picture.

2.2 Organization & Team Data

You may create or join organizations. We store organization names, member roles, business settings (working hours, timezone), notification preferences, and related configuration data you provide.

2.3 Connected Social Media Accounts (Meta Platforms)

To deliver our Service you may connect Facebook Pages, Instagram Business Accounts, and WhatsApp Business Accounts. We store the OAuth access tokens, page/account identifiers, phone number identifiers, and page names necessary to send and receive messages on your behalf. We do not access your personal Facebook or Instagram profile beyond what is required for the connected business pages.

2.4 E-commerce Platform Data (Shopify & WooCommerce)

If you connect Shopify or WooCommerce stores, we sync and store product information (names, descriptions, prices, images, variants, stock levels), order data (order numbers, items, amounts, shipping details, customer names, emails, phone numbers, and addresses), and customer records. API credentials (access tokens, consumer keys/secrets) are stored to maintain the connection.

2.5 Gmail Data

If you connect a Gmail account, we sync and store email threads, message bodies (text and HTML), subject lines, sender/recipient information, and attachment metadata. We store your Gmail OAuth refresh token to maintain the connection. We access Gmail data solely to provide email management features within the Service.

2.6 Conversations, Messages & Contacts

We process and store messages exchanged between you and your end-users through supported platforms (Facebook, Instagram, WhatsApp, web widget), including text content and media attachments (images, videos, audio, files). Media files are stored on our cloud storage infrastructure. We also store contact information (name, email, phone, platform identifiers, tags, notes, custom fields) that you or the connected platforms provide.

2.7 Orders & Appointments

We store order data (customer name, email, phone, address, items, amounts, shipping and tracking information) and appointment data (customer name, email, phone, service details, scheduling information) that you create or that is synced from connected e-commerce platforms.

2.8 Bot & Automation Data

If you use our chatbot features, we store bot configurations, system prompts, knowledge base documents, and generated text embeddings. Message content may be sent to third-party AI providers to generate automated responses (see Section 4).

2.9 Usage & Technical Data

We automatically collect technical information such as IP address, browser type, device type, pages visited, and actions taken within the Service. This data is used to maintain, improve, and secure the Service.

2.10 Cookies & Similar Technologies

We use cookies and similar technologies in three categories:

• Essential — login and preferences. Login cookies keep you signed in as you move between pages; without them you would have to log in again on every click. They are removed when you log out and the longer-lived one expires automatically after 7 days of inactivity. A separate preference cookie remembers your language choice (Turkish or English) for up to one year.
• Analytics. We use Google Analytics on our landing and marketing pages to understand how visitors discover and use the site (page views, traffic sources, session length). Data is processed by Google in accordance with the Google Privacy Policy.
• Marketing & conversion measurement. We use Meta Pixel and the Facebook SDK on our landing pages to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram) and to attribute conversions. Data is processed by Meta in accordance with Meta's Data Policy.

Cloudflare Turnstile is used on certain forms to tell humans apart from bots and may set cookies as described in Cloudflare's privacy policy.

You can delete or block any of these cookies at any time through your browser settings, or use browser-level Do Not Track / opt-out tools. Blocking essential cookies will sign you out and require re-login. Where the law requires consent for non-essential cookies (e.g., EU/UK), we will obtain that consent before activating them.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Performance of Contract: Processing your account data, organization data, connected accounts, messages, orders, and appointments is necessary to provide the Service you requested.
• Legitimate Interest: Processing usage/technical data and aggregated analytics to maintain, improve, and secure the Service.
• Consent: Where you choose to enable AI-powered features that send your data to third-party AI providers, or where you connect optional third-party platform integrations.
• Legal Obligation: Where we are required to retain certain data (such as billing records) to comply with applicable laws, including Turkish Tax Procedure Law and the Turkish Commercial Code.

For data subjects in Türkiye, processing is also conducted in accordance with the legal grounds set out in Article 5 of the Turkish Personal Data Protection Law No. 6698 ("KVKK") — including explicit consent (Art. 5/1), performance of contract (Art. 5/2-c), legal obligation (Art. 5/2-ç), and legitimate interest (Art. 5/2-f). For details, see our KVKK Clarification Notice at /kvkk.

4. How We Use Your Information

• To provide, operate, and maintain the Service.
• To authenticate your identity and manage your account.
• To facilitate messaging between you and your end-users via connected platforms.
• To synchronize product, order, and customer data with connected e-commerce platforms.
• To synchronize and manage emails from connected Gmail accounts.
• To power chatbot and automation features you configure.
• To generate aggregated analytics and reports within your dashboard.
• To communicate with you about your account, security alerts, or Service updates.
• To detect, prevent, and address technical issues, fraud, or abuse.
• To comply with legal obligations.

5. Third-Party Service Providers

We share your data only to the extent necessary to deliver the Service, with the following categories of recipients:

• Business partners and suppliers,
• Information technology and cloud hosting providers (located in the European Union),
• Payment and subscription service providers,
• Artificial-intelligence service providers powering our chatbot features,
• Analytics and marketing measurement providers (Google Analytics, Meta Pixel) on our public landing pages,
• Third-party platforms you choose to connect through the Service,
• Legal advisors and auditors,
• Competent public authorities and judicial bodies, when required by law.

We do not sell, rent, or trade your personal information to any third party for marketing purposes, and we do not permit AI providers to use your content for model training.

6. Data Controller & Data Processor Roles

For your account data: We act as the data controller ("veri sorumlusu" under KVKK) and determine how and why your personal data is processed.

For your end-users' data: When you use the Service to collect and process personal data of your end-users, customers, or contacts, you act as the data controller and we act as the data processor ("veri işleyen" under KVKK). We process this data solely on your behalf and in accordance with your instructions through the Service.

A Data Processing Agreement (DPA) is available upon request for customers who require one for regulatory compliance. Please contact us at the email address in Section 14.

7. Data Security

We implement industry-standard technical and organizational measures to protect your data, including password hashing (bcrypt), encrypted connections (HTTPS/TLS), token-based authentication, role-based access controls, and webhook signature verification for all incoming third-party data. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Data Retention

We retain your data according to the following schedule:

• Account & organization data: Retained for as long as your account is active.
• Messages, conversations & media: Retained for as long as the associated account/organization is active.
• Connected account tokens: Retained until the account is disconnected or deleted.
• Orders & appointments: Retained for as long as the associated organization is active.
• Technical/server logs: Retained for up to 90 days.
• Billing & transaction records: Retained for up to 5 years as required by applicable financial regulations (including Turkish Tax Procedure Law Article 253).

When you delete your account, we will permanently delete or anonymize your personal data within 30 days, except where retention is required by law. Data stored in encrypted backups will be purged within the backup rotation cycle (maximum 90 days).

9. Your Rights

Depending on your jurisdiction, you may have the following rights under applicable data protection laws (including GDPR, CCPA, and the Turkish Personal Data Protection Law No. 6698 "KVKK"):

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data. You can delete your account directly through your account settings.
• Right to Restriction: Request that we limit how we process your data in certain circumstances.
• Right to Data Portability: Request your data in a structured, commonly used, and machine-readable format.
• Right to Object: Object to processing based on legitimate interest.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
• KVKK Article 11 Rights: Turkish data subjects additionally have the rights enumerated in Article 11 of the KVKK, including: learning whether personal data is being processed, requesting information about processing if it has been, learning the purpose of processing and whether data is used in accordance with that purpose, knowing third parties to whom data has been transferred, requesting correction of incomplete or inaccurate data, requesting erasure or destruction within the framework of Article 7, requesting notification of such corrections/erasures to third parties, objecting to the occurrence of a result against the data subject by analyzing data exclusively through automated systems, and claiming compensation for damages arising from unlawful processing.
• Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us using the details in Section 14 or use the self-service options in your account settings. We will respond to your request within 30 days. Turkish data subjects may also file a complaint with the Personal Data Protection Authority (KVKK Kurumu) at kvkk.gov.tr.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including countries where our cloud infrastructure, third-party service providers, and AI providers operate. These countries may have different data protection laws. Where required by applicable law, we ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) or equivalent mechanisms. Cross-border transfers from Türkiye are conducted in accordance with KVKK Articles 9 and the Personal Data Protection Authority's implementing regulations. By using the Service you acknowledge and consent to such transfers.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

12. Do Not Track

We do not use tracking cookies or behavioral advertising. Our Service responds to Do Not Track (DNT) browser signals by default, as we do not engage in cross-site tracking.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes that affect the rights or obligations of users (such as new categories of data collected, new third-party recipients, or changes to retention periods), we will provide notice by email to the address registered on your account at least 30 days before the changes take effect. For non-material changes, we will post the updated policy on this page and update the "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us: