Privacy Policy

Effective date: 7 May 2026 | Last updated: 7 May 2026

Korvini ("we", "us", "our") operates the Korvini platform, a unified IT asset management system. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our services. It applies to all users of the Korvini application and website.

We are committed to complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK).

1. Data Controller

The data controller responsible for your personal data is:
Korvini
Email: [email protected]

2. Personal Data We Collect

We collect and process the following categories of personal data:

Category	Examples	Purpose
Account data	Username, email, password hash, role	Authentication, access control
Employee data	Full name, email, department, location	Device assignment tracking
Device data	Serial number, model, IMEI, MDM identifiers	Asset inventory management
Assignment data	Assignment history, custody forms, timestamps	Audit trail, compliance
Usage logs	IP address, session data, request IDs	Security, troubleshooting

3. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

Contractual necessity — Processing required to deliver our services to your organisation.
Legitimate interest — Security monitoring, fraud prevention, and service improvement.
Legal obligation — Compliance with tax, employment, and data retention laws.
Consent — Where required, we obtain explicit consent before processing (e.g. optional analytics).

4. How We Use Your Data

Providing and maintaining the Korvini platform
Authenticating users and managing access permissions
Tracking device assignments and generating audit trails
Synchronising device information with MDM providers (e.g. Jamf)
Sending transactional emails (assignment notifications, custody forms)
Detecting and preventing unauthorised access
Generating reports and analytics for your organisation

5. Data Sharing and Third Parties

We do not sell personal data. We may share data with the following categories of recipients, strictly for the purposes described above:

MDM providers — Device information is synchronised with your configured MDM solution.
Email service providers — Transactional email delivery.
Hosting providers — Infrastructure to run the Korvini platform.

All third-party processors are bound by data processing agreements that ensure an equivalent level of data protection.

6. International Data Transfers

If your data is transferred outside the European Economic Area (EEA) or Turkey, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law. When data is no longer needed, it is securely deleted or anonymised.

Account data — Retained while the account is active; deleted upon request after account closure.
Assignment history — Retained for the duration of your service agreement plus any legally required retention period.
Usage logs — Retained for up to 12 months for security and troubleshooting purposes.

8. Data Security

We implement appropriate technical and organisational measures, including:

Password hashing (bcrypt) and optional two-factor authentication (TOTP)
CSRF protection and secure session management
HTTPS encryption in transit
Role-based access control
Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
Rate limiting on authentication endpoints
Audit logging of security-relevant actions

9. Your Rights

Under GDPR and KVKK, you have the following rights regarding your personal data:

Access — Request a copy of your personal data.
Rectification — Request correction of inaccurate data.
Erasure — Request deletion of your data ("right to be forgotten").
Restriction — Request that we limit processing of your data.
Data portability — Receive your data in a structured, machine-readable format.
Objection — Object to processing based on legitimate interest.
Withdraw consent — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Supervisory Authorities

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:

Turkey — Kişisel Verileri Koruma Kurumu (KVKK), kvkk.gov.tr
EU — Your local Data Protection Authority (DPA)

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or via email. The "Last updated" date at the top of this page indicates when the latest revision was made.

12. Contact

For questions about this Privacy Policy or our data practices, contact:
[email protected]