Privacy Policy

01. Overview

At PersonaX, we take your privacy seriously. This policy explains what data we collect when you use our services, how we use it, and how we protect you. For your legal rights regarding the processing of personal data under Turkish law, we also recommend reviewing our KVKK Privacy Notice.

02. Data We Collect

03. How We Use Your Data

• To deliver, manage, and improve our services
• To build and operate your digital twin profile
• To coordinate content production workflows
• To process billing and payment transactions
• To fulfil our legal obligations and protect our rights
• To detect and prevent security vulnerabilities
• To send service notifications and support communications

04. Who We Share Your Data With

We never sell your data. We share it only with third parties necessary for service delivery who have signed data processing agreements with us:

• Voice synthesis providers (ElevenLabs Inc., Cartesia AI Inc., PlayHT Inc.) — for voice clone production
• Avatar and video production providers (HeyGen Inc., Tavus Inc., Synthesia Ltd., D-ID Ltd.) — for video production
• Content generation platforms (Anthropic PBC, OpenAI LLC) — for script and text generation, non-personal content only
• Cloud storage and hosting providers (Cloudflare Inc., Amazon Web Services) — for file security
• Payment processor (İyzico A.Ş.) — for billing
• Analytics tools — anonymous usage data only
• Legal obligation: where required by court order, applicable law, or competent authority request

05. International Data Transfers

Some of our service providers are based outside Turkey and the European Economic Area. Where we transfer personal data internationally, we rely on:

• Decisions of the Turkish Personal Data Protection Board (adequacy decisions)
• Standard Contractual Clauses (SCCs) approved by the Personal Data Protection Board
• Your explicit consent, where required under KVKK Art. 6(2) for biometric data

06. Data Security

• All data in transit is protected by TLS 1.2+ encryption
• Stored files are encrypted using AES-256
• Biometric data (voice/face) is kept in isolated storage environments
• Access is controlled through strict role-based access control (RBAC)
• All operations are monitored with audit logs
• In the event of a data breach, we will notify the Personal Data Protection Authority within 72 hours as required by KVKK Art. 12

07. Cookies

We use three categories of cookies on our website:

08. Data Retention

• Identity and contact data: 5 years after termination of the service agreement
• Biometric voice and face data: 5 years after termination, or 30 days after withdrawal of consent — whichever is earlier
• Consent and audit records: 10 years (evidential obligation)
• Payment records: 10 years (tax legislation)

09. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate or incomplete data
• Request deletion or erasure of your data
• Object to or restrict certain processing activities
• Withdraw consent at any time (without affecting prior lawful processing)
• Lodge a complaint with the relevant supervisory authority (Turkey: www.kvkk.gov.tr; EU: your national DPA; California: California Privacy Protection Agency)

10. Third-Party Links

Our website or services may contain links to third-party websites. We are not responsible for their privacy practices. We recommend reviewing the privacy policies of any linked sites before visiting them.

11. Children's Privacy

PersonaX services are not directed at individuals under 18 years of age. We do not knowingly collect data from anyone we know to be under 18.

12. Changes to This Policy

We may update this policy from time to time. For material changes, we will send a notification to your registered email address. The current policy is always available at mypersonax.com/privacy-policy.