Privacy Policy
Last updated: 17 April 2026
This Privacy Policy explains how Oney Finanasal Danismanlik Turizm ve Dis Ticaret AS ("Shadow Guard AI", "we", "us") collects, processes and protects personal data when you use the shadowguard.ai platform. We operate as Data Controller under Regulation (EU) 2016/679 (GDPR) and as Veri Sorumlusu under Law No. 6698 on the Protection of Personal Data (KVKK).
§1Data We Collect
Account data (name, work email, organization), authentication identifiers, telemetry about the assets you explicitly submit for scanning (repository URLs, endpoint URLs, file hashes), scan findings, billing data processed by Stripe, and standard HTTP metadata. We do not collect source code — only SHA-256 hashes of findings and the secret pattern type. We never retain the value of a detected secret beyond 24 hours from first detection.
§2Legal Bases
We rely on (i) performance of a contract — Art. 6(1)(b) GDPR / Art. 5(2)(c) KVKK; (ii) legitimate interest — Art. 6(1)(f) GDPR — for anti-abuse and product improvement; (iii) consent — Art. 6(1)(a) GDPR / Art. 5(1) KVKK — for optional analytics and marketing emails; (iv) legal obligation — Art. 6(1)(c) GDPR — for tax and accounting records.
§3Purposes of Processing
Providing the service, authenticating users, producing compliance evidence you request, detecting fraud and abuse, billing, security telemetry, and statutory retention.
§5Your Rights
Under GDPR you have the right of access, rectification, erasure, restriction, portability, and to object (Art. 15–22). Under KVKK Art. 11 you may additionally request the removal or destruction of personal data and object to automated decisions. Requests can be sent to privacy@shadowguard.ai and will be addressed within 30 days (EU) or 30 days (KVKK Art. 13).
§6Retention
Account data: duration of the contract + 10 years for accounting (Turkish Tax Procedure Law). Scan findings: 24 months, or earlier on request. Detected secret values: 24 hours, then irrecoverably deleted.
§7Security
Encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, mandatory MFA for staff, continuous vulnerability scanning, and annual third-party penetration testing aligned with OWASP ASVS Level 2. Access is governed under ISO/IEC 27001:2022 Annex A.8 controls.
§8Contact
Data Protection Officer — dpo@shadowguard.ai. Supervisory authorities: your local EU DPA or the Turkish KVKK (kvkk.gov.tr). You may lodge a complaint at any time without prejudice to other remedies.