Privacy Policy — Refons Teknoloji
Last updated: 05 November 2025 (Europe/Brussels)
This page explains how we handle personal data across our websites, software, and services. Questions? hello@refons.com.
1) Who we are
Controller: Refons Teknoloji (Kahramanmaraş Teknokent, Türkiye). Official site: refonsteknoloji.com. Privacy contact: hello@refons.com.
EU representative (GDPR Art. 27, if required): Will be appointed if/when Refons has no EEA establishment while targeting/monitoring EEA residents. Until then, contact hello@refons.com. Updates will be published at /legal/eu-representative.
DPO (if appointed): To be announced. Until then: hello@refons.com.
2) Scope & audiences
- Visitors of our websites and landing pages.
- Clients & prospects using our B2B software, APIs, portals, and support.
- End users whose data flows via client projects where Refons acts as processor.
- Applicants & suppliers (and their contact persons).
Refons is a controller for its own sites, CRM, hiring, vendor, and billing data; and a processor when delivering solutions for clients under a Data Processing Addendum (DPA) with SCCs where needed. DPA: /legal/dpa.
3) Data we collect
- Website & platform telemetry: IP, device/browser info, language, referrer, session logs, performance, security signals; approximate geo (city/region) from IP.
- Contact & CRM: name, work email/phone, title, company, country, message content, meeting notes, attachments.
- Accounts & auth: identifiers, roles, password hashes or SSO IDs (OIDC/SAML), MFA status, audit logs.
- Billing: invoice data, tax IDs, addresses, transaction meta (no full card storage).
- IoT/Telematics (project-specific): device IDs, SIM/IMSI/ICCID, firmware/app versions, sensor readings (incl. CAN/J1939), timestamps, geolocation/routes only if enabled by the client, DTCs, VIN/plate if instructed.
- AI/ML & analytics: prompt/response logs (redacted where feasible), feedback, error traces, evaluation metrics. Client content is not used to train general models unless the contract permits.
- Support & diagnostics: screenshots, crash dumps, minimal samples for reproduction (under NDA), server/app logs.
- Recruitment: CV/portfolio, references, eligibility docs, interview notes.
4) Why we process data (GDPR legal bases)
| Purpose | Examples | Legal basis |
|---|---|---|
| Websites & security | Serve pages, detect abuse, uptime | Legitimate interests; legal obligation (security) |
| Sales & client relations | Demos, proposals, CRM, email | Legitimate interests; pre-contractual steps; consent where needed |
| Provision & support | Auth, roles, tickets, incidents | Contract; legitimate interests |
| IoT/Telematics | Device mgmt, ingestion, dashboards | Contract (processor); legitimate interests (controller services) |
| Analytics & product | Usage metrics, feature adoption | Consent (cookies/SDKs) or legitimate interests for privacy-friendly analytics |
| Compliance & finance | Invoicing, tax, audits, sanctions | Legal obligation |
| Recruitment | Applications, interviews, offers | Legitimate interests; consent where required |
5) Cookies & tracking
We use strictly necessary cookies for operations. Optional analytics/marketing cookies run only with your consent via our CMP (you can change choices anytime via the footer “Cookies” link). If your browser sends DNT, we minimize tracking and ignore marketing pixels.
| Category | Examples | Retention | Notes |
|---|---|---|---|
| Necessary | Auth, CSRF, WAF/LB | Session–1 year | Required for core functions |
| Preferences | Language, UI | Up to 1 year | Improves UX |
| Analytics (opt-in) | First-party/privacy-friendly | 6–14 months | Aggregated, IP truncation |
| Marketing (opt-in) | Ad/retargeting pixels | Varies | Off by default |
6) Sources of data
- Direct: forms, emails, tickets, demos, contracts.
- Automatic: logs, events, configured device telemetry.
- From clients/partners: when we act as processor.
- Public/third-party: B2B enrichment per law.
7) Sharing & recipients
- Sub-processors: infra, email delivery, incident tooling, CI/CD, optional analytics. Live list: /legal/subprocessors.
- Advisers/compliance: accountants, auditors, legal.
- Corporate events: mergers/acquisitions with safeguards.
- Authorities: only when legally required and narrowly scoped.
8) International transfers
We prefer EEA hosting. Where transfers outside the EEA occur (e.g., to Türkiye or other countries), we apply appropriate safeguards such as the EU Standard Contractual Clauses (2021) with transfer impact assessments, or rely on adequacy decisions. Client contracts may mandate residency.
9) Security
- Encryption: TLS in transit; encryption at rest.
- Access: least-privilege, MFA, audited admin actions.
- Secure SDLC: code review, dep scanning, secrets mgmt, IaC, env segregation.
- Backups/BCP: encrypted backups, restore testing, DR plans.
- Vulnerability disclosure: /security, severity-based SLAs.
- Incidents: investigate and notify per law (e.g., GDPR 72h).
10) Data retention
| Data | Typical retention | Notes |
|---|---|---|
| Security/server logs | 90–365 days | Longer during investigations |
| CRM/contracts | Term + 5–10 years | Tax/audit laws |
| Support tickets | 3 years | Troubleshooting history |
| IoT/telematics | 30–365 days (configurable) | Per DPA/contract; data minimization by default |
| Product analytics | 6–14 months | Aggregated/pseudonymized |
| Recruitment | Up to 2 years | Or longer if law permits/you consent |
11) Your rights (GDPR/EEA/UK)
- Access, rectification, erasure, restriction, objection (incl. to direct marketing), and portability.
- Withdraw consent any time (prior processing remains lawful).
- Complaints: you may contact your local EEA supervisory authority. We will cooperate with competent authorities as required.
Requests: hello@refons.com. If we act as a processor, we will relay your request to the client (controller) and assist them.
12) Automated decision-making & AI/ML
- No fully automated decisions with legal or similarly significant effects for visitors/prospects.
- AI/ML is used for anomaly detection, quality, support. Client projects are contract-bounded; no repurposing of client data for general training without explicit prior consent.
- Human-in-the-loop for impactful recommendations.
13) Children
Our services target professional audiences; we do not knowingly collect data from children.
14) Third-party embeds & links
Articles may include third-party embeds (e.g., videos, maps). Those services may collect data as if you visited them directly. Their policies apply. Optional embeds load only after consent where required.
15) Comments, forms & uploads
- Comments: Disabled by default; if enabled, we collect form data, IP and user agent to prevent spam/fraud. Gravatar may display an avatar.
- Forms: Contact/project forms collect what you enter plus necessary metadata. File uploads are virus-scanned and retained per the table above.
- EXIF/GPS: Avoid uploading images with embedded location data if you do not want it exposed.
16) Processor work (client projects)
- Process personal data only on documented client instructions.
- Access limited to authorized personnel under confidentiality.
- Assist with data subject requests, DPIAs, and incident notices as set in the DPA.
- At end of term, delete/return client data (incl. backups after expiry) unless law requires retention.
17) Türkiye — KVKK short notice
The data controller is Refons Teknoloji. Your personal data may be processed for the purposes of website operation, proposals/contracts, support and security, on the basis of contract, legal obligation, legitimate interest and, where required, explicit consent, and may be transferred within Türkiye or abroad. For requests under KVKK Art. 11: hello@refons.com. Full text: /legal/kvkk.
18) How to contact us
- Email: hello@refons.com
- Mail (Türkiye): Refons Teknoloji, Kahramanmaraş Teknokent, [Full address]
- Mail (EEA): EU representative details (if required) will be published at /legal/eu-representative.
19) Changes
We will update this page when our practices change. Material changes will be announced on the site and, where appropriate, by email to account owners or client contacts.
