NEXUS DİJİTAL Private Beta
TR EN
Request Early Access
NEXUS DİJİTAL
TR EN
Beta
Legal

Privacy Policy

Effective date: May 12, 2026 Last updated: May 12, 2026

This Privacy Policy explains how Mesh Yazılım Teknoloji Limited Şirketi ("Nexus Dijital", "we", "us", "our") collects, uses, shares, and protects information about you when you use our platform at https://nexusdijital.com and related services (the "Service").

We comply with Türkiye'nin Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Who we are

  • Data Controller: Mesh Yazılım Teknoloji Limited Şirketi
  • Tax Identification Number (Vergi No): 6191104251
  • Meta Business Portfolio ID: 425784229165763
  • Trademark holder of "Nexus Dijital": Reg. No. 2024/161525 (Türk Patent ve Marka Kurumu, classes 35 and 42, 10-year protection from 03.12.2024)
  • Registered address: ARK 399 BLOK, N:399-1-1 Suadiye Mahallesi, Istanbul (Anatolia) 34730, Turkey
  • Business phone: +90 543 226 86 85
  • Contact email for privacy matters: [email protected]
  • Data Protection Officer (DPO) / KVKK Sorumlusu: [email protected]

2. What information we collect

2.1 Information you provide

  • Account data: name, email, password (hashed), phone number (optional), profile picture (optional), preferred language and time zone.
  • Workspace and brand data: brand legal name, trade name, trademark info, country, industry, brand kit (colors, typography, logos), business knowledge prompts you submit to build your AI knowledge base, uploaded assets (images, documents).
  • Content data: prompts, generated text and images you approve, edited versions, content history.
  • Social account credentials: OAuth tokens for Facebook, Instagram, LinkedIn, Telegram (encrypted at rest).
  • Billing data: plan selection, billing address, tax ID for invoicing; we do not store full payment card details — these are tokenized and held by our payment processors (iyzico, Stripe).
  • Support correspondence: messages you send to support, including attachments.

2.2 Information collected automatically

  • Usage data: pages visited, features used, timestamps, referrer, click events (privacy-respecting, no third-party analytics cookies).
  • Device data: IP address, browser type and version, operating system, screen resolution, time zone.
  • Authentication metadata: login times, IP addresses, device fingerprints used for fraud prevention.
  • Cookies and similar: see our Cookie Policy at https://nexusdijital.com/cookies.

2.3 Information from third parties

  • Social platforms (Facebook, Instagram, LinkedIn, Telegram): when you connect an account, we receive the data needed to publish on your behalf (page IDs, usernames, follower counts, analytics for your content). Scope is limited to what you authorize.
  • Payment processors (iyzico, Stripe): we receive transaction status, last 4 digits of card, billing country.
  • AI providers (Anthropic, OpenAI, Google, fal.ai): we receive generated content + token usage in response to our requests; we do not receive personal data about you from them.

3. How we use information

We use your information to:

  • Provide and operate the Service (run your workspace, generate content, publish to social platforms you connect).
  • Authenticate you, protect your account from unauthorized access (account lockout, MFA, fraud detection).
  • Improve quality of AI-generated content for your brand (per-brand learning — see §6).
  • Send you essential service notifications (publish results, billing, security alerts).
  • Send you optional marketing communications (only with your consent; you can opt out anytime).
  • Comply with legal obligations (tax records, KVKK requests, court orders).
  • Detect, prevent, and respond to abuse, security threats, or violations of our Terms of Service.
Purpose Legal basis
Provide the Service to you Contract (GDPR Art. 6(1)(b))
Authentication and security Legitimate interests (Art. 6(1)(f))
Service improvement, AI learning per your brand Legitimate interests, balanced against your rights
Compliance with tax, KVKK, court orders Legal obligation (Art. 6(1)(c))
Marketing emails Consent (Art. 6(1)(a)) — you can withdraw anytime
Processing of comments / DMs of third parties via the platform Legitimate interests, with data minimization

5. Sharing of information

We share information only as needed and only with these categories of recipients:

5.1 Service providers (sub-processors)

Vendor Purpose Data shared Location
Ixnodes Infrastructure hosting All Service data Türkiye
Cloudflare DDoS, CDN, DNS IP, request metadata Global edge
Anthropic AI text generation Your prompts + brand KB excerpts US/EU per provider routing
OpenAI AI text + image generation Same US/EU
Google AI text generation Same US/EU
fal.ai AI image generation Your prompts US
iyzico Payment processing for TR Billing metadata, tokenized card TR
Stripe Payment processing global Same EU/US
MinIO (self-hosted in our cloud) Object storage Brand assets, generated images TR / EU
Resend (or equivalent) Transactional email Email address + content EU

We do not sell or rent your information to advertisers or data brokers.

5.2 Social platforms

When you publish content through Nexus Dijital, the content and metadata are sent to the platform you chose (Facebook, Instagram, LinkedIn, Telegram). We do not control what those platforms do with that content after delivery.

We may share information if required by law (court order, subpoena, KVKK request), to protect our rights, or to investigate fraud or abuse.

5.4 Business transfers

If we are merged, acquired, or sell assets, your information may be transferred subject to the same protections.

6. AI processing and learning

  • We use your prompts and approved/rejected content to learn your brand voice so future AI generations match your style better. This learning is scoped to your brand, not shared across customers.
  • We do not use your content to train third-party AI models. AI providers we use are instructed (via API headers) not to train on our requests.
  • You can request deletion of learning data at any time via Settings → Brand → Reset learning.

7. International data transfers

If our service providers process your data outside Türkiye / EU, we ensure adequate safeguards:

  • For GDPR: Standard Contractual Clauses (SCC) or adequacy decisions.
  • For KVKK: Article 9 mechanisms — explicit consent for transfers, or transfer to adequately protected countries, or signed undertakings.

Current sub-processor list and their countries: §5.1 above.

8. Your rights

8.1 Under KVKK (Türkiye)

You have the right to (Art. 11): - Learn whether your data is processed. - Request information about purposes, recipients, sources. - Request correction of inaccurate data. - Request deletion or destruction. - Object to results based solely on automated processing. - Claim compensation for damages from unlawful processing.

To exercise: email [email protected] or use in-app Settings → Account → KVKK request. We respond within 30 days (KVK 13).

8.2 Under GDPR

You have the right to: - Access (Art. 15) - Rectification (Art. 16) - Erasure / "right to be forgotten" (Art. 17) - Restriction of processing (Art. 18) - Data portability — machine-readable export (Art. 20) - Object to processing (Art. 21) - Not be subject to automated decision-making with legal effect (Art. 22) - Withdraw consent at any time - Lodge a complaint with your supervisory authority

To exercise: email [email protected]. We respond within one month (extendable by two if complex; we'll inform you).

8.3 Data export and deletion (self-serve)

In the app: - Export: Settings → Account → Download my data → ZIP delivered to your email within 30 days. - Delete: Settings → Account → Delete my account → 30-day grace period to cancel, then permanent erasure subject to legal-retention exceptions (tax records).

9. Data retention

Data Retention After retention
Active account While your account is active Deletion on request or after extended inactivity (5 years)
Soft-deleted account 30 days PII purged; anonymous analytics may remain
Billing records 10 years (Turkish tax law) Anonymized after 10 years
Audit logs 365 days Deleted
Webhook payloads 30 days Deleted
Login attempts 90 days Deleted
Backups 30 days hot + 1 year cold Cold backups deleted after 1 year
Generated content While account active Deleted on account deletion
AI learning signals While brand active Anonymized on brand deletion

10. Security

We take industry-standard measures, including:

  • Encryption in transit (TLS 1.3 everywhere)
  • Encryption at rest (full-disk encryption + envelope encryption for sensitive fields like OAuth tokens, TOTP secrets)
  • Strong authentication (WebAuthn passkeys, MFA for paid plans)
  • Network segmentation, default-deny firewalls, Cloudflare WAF
  • Row-Level Security in our database for tenant isolation
  • Continuous vulnerability scanning, OWASP-aligned controls
  • Annual penetration testing (after public launch)
  • Internal access on need-to-know basis with audit logging

No system is 100% secure. We disclose material breaches per KVKK Art. 12 (within 72 hours where required) and GDPR Art. 33 (within 72 hours of awareness).

11. Children

The Service is not directed to children under 18. We do not knowingly collect data from minors. If we learn we have, we delete it.

12. Cookies

See https://nexusdijital.com/cookies.

The Service may contain links to third-party sites. We are not responsible for their privacy practices.

14. Changes to this policy

We may update this policy. Material changes will be notified 30 days in advance via email and an in-app banner. The "Last updated" date at the top shows the latest revision. Continued use after the effective date constitutes acceptance.

15. How to contact us

You may also complain to: - KVKK Kurumu (Türkiye): https://www.kvkk.gov.tr - Your local EU supervisory authority (GDPR users).

Back to top ↑