Privacy Policy

1. Introduction & Scope

Codesseum is a technology company and digital agency based in Istanbul, Turkiye, operating online at https://codesseum.com. The full legal entity, registered office, and registry details responsible for your data are set out in the Contact Us section below. We respect your privacy and are committed to handling personal data responsibly, transparently, and in line with applicable data protection laws, including the Turkish Personal Data Protection Law No. 6698 (KVKK), the EU and UK General Data Protection Regulation (GDPR), and, where relevant, the United States Children’s Online Privacy Protection Act (COPPA).

This document is the canonical English-language Privacy Policy for Codesseum. It explains how we collect, use, share, and protect personal data across our website AND our mobile and web applications and services. Where a Codesseum app is published on the Apple App Store or Google Play, a link to this policy is provided in that app’s store listing and within the app in an easily accessible location (for example, within a Settings, Profile, or Privacy menu), so that you can review it at any time.

This policy covers the following Codesseum products and services:

• EduDiamond — an AI-powered education platform used by students, parents, and teachers. EduDiamond is intended for educational use and may process the personal data of minors, so additional protections described in the Children’s Privacy section apply.
• AI Destekli Bulut Santral (Cloud PBX) — an AI-assisted cloud telephony / business phone system that may process phone numbers, call metadata, and, where enabled, call recordings.
• AI Cagri Merkezi (AI Call Center) — a Turkish-speaking AI voice assistant that may process voice data, call recordings, transcripts, and related content using automated and AI/LLM systems.
• Custom software developed for business clients — bespoke applications and services built for our business customers, where Codesseum may act as a data processor on behalf of the client.

Some apps may also provide a supplemental, in-app privacy notice or just-in-time disclosure to give product-specific detail (for example, before a microphone is first used or before a call is recorded). Order of precedence. Where a supplemental notice applies, it works together with this policy; if there is any conflict, the more specific in-app or just-in-time notice governs for that feature. For deployments we operate on behalf of a business client (see Our Role: Controller vs. Processor), that client’s own privacy notice governs the client’s processing. Any Apple App Privacy or Google Play Data Safety summaries are descriptive summaries of the practices in this policy and are not independent commitments; this policy and the applicable in-app notice control.

The exact data we process depends on which products and features you use, and not every disclosure below will apply to every user. We use “categories such as” and “we may collect” language because practices can vary by app, configuration, and your choices, and because some features are made available only where they are enabled or configured.

2. Information We Collect

We collect only the data relevant to the functionality of the product you are using, and we use it only for the purposes described in this policy. The categories below describe the types of information we may collect. How we collect data (KVKK collection method). We collect personal data in three main ways: (1) directly from you, when you provide it through our website or app forms, account setup, support requests, or calls; (2) automatically, through your device, cookies, SDKs, telephony systems, and server logs when you use the services; and (3) from third parties, such as a teacher entering a student’s details into EduDiamond, or a business customer whose callers are handled through our telephony services. The legal reason (hukuki sebep) for each collection is the legal basis set out in the Legal Bases for Processing section.

Information you provide

• Account and profile data — categories such as name, username, email address, phone number, password or other authentication credentials, organization or school affiliation, and role (for example, student, parent, teacher, or business administrator).
• Contact data — information you submit through contact forms, support requests, or other communications with us.
• Billing and transaction data — where you purchase a subscription or service, categories such as billing name, billing address, and transaction records. Payment card details are handled by third-party payment processors and are not stored by us in full.
• User content — content you create, submit, or upload while using our services, which varies by product (described further below).

Whether providing data is required. Certain account and billing data is necessary to create an account and to provide the service or process a purchase; if you do not provide it, we cannot deliver the relevant service. Other data is optional, and where a field or feature is optional we indicate this; declining to provide optional data only limits the related feature.

Information collected automatically

When you use our website or apps, we may automatically collect categories such as:

• Device information — such as device type, operating system and version, browser type, language settings, and hardware/network configuration.
• Identifiers — such as user IDs, device identifiers, and similar persistent identifiers used to operate and secure the service.
• Log and diagnostics data — such as IP address, access times, app crashes, performance data, and error reports.
• Usage data — such as features used, pages or screens viewed, interactions, and other product-interaction data.
• Approximate location — such as a general location derived from your IP address. We do not collect precise GPS location unless a feature requires it and you grant permission.
• Cookies and SDK data — information collected through cookies, software development kits (SDKs), and similar technologies, as described in the Cookies and Third-Party Services sections.

Voice & call data (Cloud PBX and AI Call Center)

When you use AI Destekli Bulut Santral (Cloud PBX) or AI Cagri Merkezi (AI Call Center), we may collect and process categories such as:

• Audio data — call recordings, voicemail, and real-time voice/speech, where recording is enabled or configured.
• Transcripts — automated, AI-generated transcripts and summaries of calls, where this feature is enabled.
• Call metadata — such as the phone numbers involved (caller and called numbers), date, time, duration, routing, queue, and call outcome data.
• Related contact and identifier data — such as account details and identifiers needed to deliver, route, and bill the service.

Audio is both collected and shared. Where recording or AI handling is enabled, voice/audio recordings and transcripts are collected by us and are shared with third-party AI, transcription, and voice providers in order to deliver these features, as further described in the How We Share Information, Third-Party Services, and AI Processing sections.

Not all calls are recorded. Recording occurs only where it is enabled or configured. For Cloud PBX, recording and retention are typically configured by the business customer that operates the phone system; in that case, Codesseum acts as a service provider/processor and the business customer is responsible for notifying its own callers and employees and obtaining any required consents. We describe the AI processing of this data, and how recording notice and consent are handled, in the sections below.

Voice recordings can incidentally capture special-category/sensitive personal data (for example, references to health), and where voiceprints are used for identification, voice may constitute biometric data under KVKK Art. 6 and GDPR Art. 9. We do not intentionally solicit special-category data, and we do not perform voice-biometric identification unless a specific feature clearly states that it does. Where such sensitive processing occurs, we rely on your explicit consent (acik riza) under KVKK Art. 6 and on the explicit-consent condition under GDPR Art. 9(2)(a) (or another condition specifically permitted by Art. 9(2) / KVKK Art. 6 that is named at the point of collection), and we apply heightened safeguards. We do not rely on legitimate interest, contract, or any general legal basis to process special-category or biometric data.

Education data (EduDiamond)

When EduDiamond is used by a student, parent, or teacher, we may collect and process categories such as:

• Student profile data — such as name, school or class, grade level, and (only where required by law to apply children’s protections) age or date of birth and parent/guardian contact details.
• Learning progress and performance data — such as assignments, answers, assessments, scores, and progress over time.
• Content interactions — such as prompts, questions, and responses exchanged with AI tutoring features, and other interactions with learning content.

Because EduDiamond is designed for use in education and may be used by minors, we collect age or parental-contact information only to apply legally required children’s protections, we minimize what we collect, and we apply the parental/school consent rules described in the Children’s Privacy section.

3. How We Use Your Information

We use personal data only for the purposes for which it was collected, and we do not repurpose data for materially different uses without an appropriate legal basis or, where required, your further consent. We may use the categories of data above for purposes such as:

• Providing and operating our services — creating and managing accounts, delivering features, routing and connecting calls, and enabling education, telephony, and software functionality.
• AI processing and voice assistance — using automated and AI/LLM systems to understand requests, transcribe and summarize calls, generate spoken or written responses, route or handle calls, and power AI tutoring and learning features (see the AI Processing section).
• Support — responding to your inquiries, troubleshooting, and providing customer service.
• Billing and payments — processing subscriptions, invoices, and transactions, and keeping required financial records.
• Safety and security — protecting our services and users, preventing fraud and abuse, and maintaining the integrity and security of our systems.
• Legal compliance — meeting legal, regulatory, tax, telecommunications, and record-keeping obligations, and responding to lawful requests.
• Product improvement — analyzing usage and diagnostics to maintain, improve, and develop our services.
• Communications — sending service-related messages and, where permitted and with consent if required, other communications you can opt out of.

Data minimization and purpose limitation. Each app requests only the data relevant to its core functionality, and we use data only for the disclosed purposes. We do not condition access to paid functionality on your agreeing to data collection that is not necessary to provide that functionality.

Tracking and advertising. Our apps are not designed to track you across other companies’ apps and websites for advertising. We do not serve behavioral or third-party advertising in EduDiamond’s child-directed features, and we do not use children’s data for targeted advertising. If an app were to engage in cross-app tracking on Apple devices, it would first request your permission through Apple’s App Tracking Transparency (ATT) prompt, and tracking would occur only if you grant that permission. Where an app does not track you in this way, the corresponding Apple App Privacy and Google Play disclosures for that app reflect that.

4. Legal Bases for Processing

Where the GDPR or KVKK applies, we rely on a lawful basis for each processing purpose. Because KVKK has a narrower set of legal grounds than the GDPR, the appropriate basis is assessed separately for each. Depending on the context, we rely on:

• Performance of a contract (GDPR Art. 6(1)(b); KVKK Art. 5(2)(c) — processing necessary for the conclusion or performance of a contract) — to provide the services you request and manage your account.
• Legitimate interests (GDPR Art. 6(1)(f)) — for purposes such as security, fraud prevention, and improving our services, where these interests are not overridden by your rights. Because KVKK does not treat “legitimate interest” identically, in Turkiye we rely on the controller’s-legitimate-interest ground (KVKK Art. 5(2)(f)) where its conditions are met, or on explicit consent (acik riza) where required.
• Legal obligation (GDPR Art. 6(1)(c); KVKK Art. 5(2)(ç) — compliance with a legal obligation of the controller) — for example, to meet tax, telecommunications, billing, and record-keeping requirements.
• Consent / explicit consent (GDPR Art. 6(1)(a); Art. 9(2)(a) for special-category data; KVKK Art. 5(1) acik riza, and Art. 6 for special-category data) — where required, such as for non-essential cookies, optional call recording, certain marketing, processing of special-category data, any use of data to train or improve AI models beyond what is integral to the service, and processing of minors’ data via a parent or guardian. Consent is requested separately (not bundled), is specific, informed, and freely given, and can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.

Where required, we obtain your consent before collecting user or usage data for which consent is the applicable basis, and you have an easily accessible way to withdraw consent (see Your Rights & Choices). We do not require you to enable tracking, notifications, or location in order to access core functionality.

5. How We Share Information

We do not sell your personal data. We share personal data only as needed to operate our services and as described below. Where we engage service providers and sub-processors to handle data on our behalf, we put data-processing agreements in place that require appropriate protection and processing only on our documented instructions. We may share data with categories of recipients such as:

• Service providers and sub-processors — such as cloud hosting and storage, infrastructure, analytics, crash/error reporting, push-notification, and support providers, acting on our behalf.
• Telephony carriers — SIP/telecommunications carriers and related providers necessary to route and connect calls for Cloud PBX and the AI Call Center.
• Cloud and AI/LLM providers — providers that process content, voice, and transcripts to deliver AI features, including speech-to-text/transcription, large language model, and text-to-speech/voice services (see Voice & Call Data and Third-Party Services).
• Payment processors — to process subscriptions and payments.
• Business clients (where we act as processor) — for custom software and for Cloud PBX / Call Center deployments operated by a business customer, we share or make data available to that customer, who acts as the controller of the relevant end-user data.
• Codesseum affiliates — any parent, subsidiary, or affiliate of Codesseum, subject to this policy.
• Legal and safety recipients — authorities, regulators, or other parties where necessary to comply with law, enforce our terms, or protect the rights, safety, and security of users and the public. Such disclosures are made under legal compulsion or necessity and are not governed by our data-processing agreements.
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, in which case data may be transferred to the counterparty or acquirer, subject to this policy.

For clarity, sending voice recordings, transcripts, or user content to third-party AI/LLM providers to deliver AI features is a form of sharing, and we disclose it expressly above and in the Third-Party Services and AI Processing sections. We do not name specific vendors in this policy where they cannot be confirmed; a current list of service-provider/sub-processor categories, and further detail, can be provided on request.

6. Third-Party Services & SDKs

Our website and apps may integrate third-party services and software development kits (SDKs) to provide and improve functionality. These third parties may collect or receive data in accordance with their own privacy policies, and each provider’s processing is governed by that provider’s policy. Where these third parties act as our service providers, we require them to handle data consistently with this policy and our instructions. The categories of third-party services we may use include:

• Analytics — to understand usage and improve our services.
• Crash and error reporting — to detect, diagnose, and fix problems.
• Push notifications — to deliver notifications where you enable them.
• Payment processing — to handle billing and transactions.
• AI / voice processing — including AI/LLM, speech-to-text/transcription, and text-to-speech providers that process prompts, content, voice, and transcripts to deliver AI features.
• Cloud hosting and authentication — to host, secure, and operate the services.

For EduDiamond’s child-directed features, we do not embed third-party advertising and we limit third-party analytics in line with applicable children’s-privacy requirements, including using only providers that meet the relevant store family-program and statutory standards. A list of the SDK/sub-processor categories described above is available on request.

7. Cookies & Similar Technologies

Our website, and in some cases our apps, use cookies and similar technologies (such as local storage, pixels, and SDKs). We use:

• Essential technologies — required to operate the site/app, keep you signed in, and maintain security. These do not require consent.
• Analytics and, if used, marketing technologies — non-essential technologies that help us understand usage or measure performance. These are used only with your prior consent where required.

Where consent is required, we request it through a cookie banner or similar mechanism, and you can manage or withdraw your consent at any time through that mechanism or your browser settings. Withdrawing consent is as easy as giving it.

8. AI Processing & Automated Decision-Making

Several of our services use automated systems and artificial intelligence, including large language models (LLMs), to deliver their core features. For example, the AI Call Center is designed to understand spoken requests and generate responses; Cloud PBX may transcribe or summarize calls where that feature is enabled; and EduDiamond provides AI-assisted tutoring and learning features. To do this, user content — such as call audio and transcripts, voice, prompts, questions, and answers — may be processed by automated systems and may be transmitted to third-party AI/LLM, transcription, and voice providers. We disclose this AI processing and third-party sharing so you can make an informed choice before such data is transmitted.

AI training is a separate purpose. Using personal data to train or improve AI/ML models is treated as a distinct purpose that is not integral to simply providing the service, and it requires its own legal basis or separate consent. We do not use your data for AI-model training beyond what is necessary to provide the service unless we have an appropriate legal basis and, where required, your separate opt-in consent. For children, any such use would require separate verifiable parental consent; we do not use children’s data to train AI models or for targeted advertising without that separate consent.

Automated decisions. Where a feature involves solely automated decision-making or profiling that could produce legal or similarly significant effects, you have the right (under GDPR Art. 22 and KVKK Art. 11) to object and to request human review. You can reach us at [email protected] to exercise this right.

9. Voice, Calls & Recording Consent

For Cloud PBX and the AI Call Center, calls may be recorded and transcribed where the feature is enabled. We use call audio, transcripts, and metadata for purposes such as handling and routing calls, operating the AI voice assistant, quality assurance, service delivery, and keeping required records.

Notice and consent — deployments Codesseum operates directly. Where Codesseum operates the AI Call Center or Cloud PBX line directly (so that Codesseum is the controller), callers are informed at the start of the call by a spoken or IVR notice that the call may be recorded and/or handled by an AI assistant. In jurisdictions that require all-party consent, and for processing of voice that may constitute special-category or biometric data under KVKK Art. 6 / GDPR Art. 9, we obtain affirmative consent (for example, an explicit IVR opt-in or “press to continue / consent to recording” confirmation) before recording, rather than relying on call continuation alone. Where the law permits notice-and-continuation as a valid basis, continuing the call after the notice may constitute consent; we do not rely on continuation where the law requires affirmative or all-party consent.

Notice and consent — deployments operated by a business customer. For Cloud PBX and Call Center deployments operated by a business customer, that customer configures recording and is the controller; it is responsible for notifying and obtaining any required consents from its own callers and staff and for meeting all-party-consent and other local requirements. In those cases Codesseum acts as a service provider/processor.

Call-recording laws vary by jurisdiction. You can ask not to be recorded, or object to recording, by contacting us or, where applicable, the business operating the line.

10. Our Role: Controller vs. Processor

Codesseum is the data controller for personal data processed through its own products and website (including direct-to-user use of EduDiamond, Cloud PBX, and the AI Call Center).

For custom software built for business clients, and for Cloud PBX / AI Call Center deployments operated by a business customer, Codesseum typically acts as a data processor (service provider) on behalf of that client, who is the controller. In those cases we process end-user data only on the client’s documented instructions, the client’s own privacy notice may also apply (and, as noted in the Introduction, governs the client’s processing), and the client is responsible for matters such as recording notices, consent, and the legal basis for processing. End users of such deployments should direct certain privacy requests to the relevant business client; we will support our clients in responding to those requests.

11. Data Retention

We keep personal data only as long as necessary for the purposes described in this policy or as required by applicable law (for example, tax, telecommunications, commercial, or other record-keeping obligations). When data is no longer needed, we delete it or irreversibly anonymize it; where complete deletion is not immediately possible (for example, in backups), we securely isolate the data until deletion is possible. Retention is governed by our internal retention and destruction schedule, maintained consistently with the KVKK Regulation on the Deletion, Destruction and Anonymization of Personal Data, under which periodic destruction is carried out. Indicative retention periods (which Codesseum should confirm against its internal schedule) are:

• Account and profile data — retained for the life of your account and then for a limited wind-down period after closure (for example, on the order of a few months), unless a longer period is required by law.
• Call recordings and transcripts — retained for a limited period proportionate to the purpose and applicable law. For Cloud PBX, the retention period is typically set by the business customer that operates the system; for deployments we operate directly, we apply a defined, limited retention period set in our internal schedule.
• Billing and transaction records — retained for the period required by Turkish tax and commercial law (generally up to ten years under the Turkish Tax Procedure Law and the Turkish Commercial Code), and otherwise as required by applicable law.
• Children’s data (EduDiamond) — retained only as long as necessary for the educational purpose for which it was collected, and deleted within a defined period after the end of the relevant educational relationship, consistent with COPPA and our written children’s-data retention practices. It is not retained indefinitely.
• Diagnostics, logs, and analytics data — retained for a limited period needed to operate, secure, and improve the service, after which it is deleted or aggregated/anonymized.

Where a fixed period is not stated above, retention is determined by criteria such as the duration of your relationship with us, the purpose of processing, and our legal obligations, rather than a single fixed period for all data.

12. Data Security

We use reasonable technical and organizational measures designed to protect personal data, consistent with KVKK Art. 12 and GDPR Art. 32. These include measures such as encryption of data in transit (for example, HTTPS/TLS), access controls, and restricting access to personal data to those who need it. Where we process sensitive data such as voice recordings, we apply additional safeguards.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. In the event of a personal data breach, we will notify the competent supervisory authority and affected individuals where and within the timeframes required by applicable law. Where Codesseum is the Turkish controller, KVKK and the Personal Data Protection Board’s breach-notification timelines govern (notification to the Board “in the shortest time” and to affected individuals without delay); where the GDPR applies, we follow its standards, including the 72-hour authority-notification timeframe.

13. International Data Transfers

Codesseum is based in Turkiye and serves users globally. Your personal data — including, where relevant, voice and call data — may be processed or stored in Turkiye, the European Economic Area, the United Kingdom, the United States, or other countries, including through cloud, AI, and telephony providers that may operate outside your country. The principal destinations for our cloud, AI, and telephony processing are Turkiye, the EU/EEA, and the United States; a more specific list of destination countries for your data can be requested at any time.

Where we transfer personal data internationally, we apply appropriate safeguards. For transfers subject to the GDPR, we rely on a mechanism such as an adequacy decision (where one exists for the destination) or Standard Contractual Clauses (SCCs); where no adequacy decision exists, SCCs or another valid mechanism apply, and copies of the relevant safeguards can be requested. For transfers subject to KVKK (as amended by Law No. 7499), we rely on the applicable mechanism in the three-tier regime: (1) an adequacy or Board decision; (2) appropriate safeguards, such as the Board’s standard contractual clauses (with the required notification to the Authority) or binding corporate rules; or (3) specific derogations, including explicit consent, as a last resort. We do not claim any adequacy decision that does not exist, and we keep transfer safeguards generic where specific mechanisms are not confirmed.

14. Children’s Privacy

EduDiamond is an education platform designed for use by students, parents, and teachers, and it may process the personal data of minors, including children under 13 (in the United States) and minors (in Turkiye and the EU/UK). Because of this, the following protections apply. We collect age or parental-contact information only to apply these legally required protections, and we minimize the data we collect from minors.

COPPA (United States)

For users under 13 in the United States, EduDiamond is designed to operate consistently with COPPA, including its 2025 amendments. Before collecting personal information from a child under 13, we will obtain verifiable parental consent or, for school-based educational use, rely on school-authorized consent under the COPPA school-consent exception; we limit collection to what is reasonably necessary; and we do not condition a child’s participation on providing more information than is needed. Before disclosing a child’s personal information to non-integral third parties or using it for targeted advertising, we will obtain separate verifiable parental consent — and we do not use children’s data for targeted advertising. We do not retain children’s data indefinitely and apply a written retention policy for children’s data. We describe our intended COPPA-aligned practices here; we do not claim to be “COPPA certified,” and the specific consent mechanism in use is the one implemented in the live product.

KVKK (Turkiye) and GDPR (EU/UK)

KVKK does not set a single fixed digital-consent age for minors. As a precaution, where a user is a minor we seek the explicit consent (acik riza) of a parent or legal guardian for processing the minor’s data and apply data minimization. Under the GDPR (Art. 8), where consent is the basis for offering online services directly to a child below the applicable digital-consent age (16, or as low as 13 depending on the EU member state; 13 in the UK), we obtain parental or guardian consent. This reflects Codesseum’s conservative, protective approach rather than a settled statutory age threshold under Turkish law.

School and parental consent; parental review and deletion

Where EduDiamond is provided through a school or teacher, the school may provide consent on behalf of parents for educational purposes; in that case we act as the school’s service provider/processor and use the child’s data only to provide the educational service, not for our own commercial purposes. Where EduDiamond is used directly by a family, the parent or guardian provides consent.

A parent or guardian may review the personal information collected from their child, refuse further collection or use, and request deletion of the child’s data, and we will stop collecting from the child on request. We will delete children’s data when it is no longer needed for the educational purpose. To exercise these rights, contact us at [email protected]; we may need to verify that the requester is the child’s parent or guardian.

15. Your Rights & Choices

Subject to applicable law, you have rights regarding your personal data. Under the GDPR, these include the rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, objection (including to processing based on legitimate interests and to direct marketing), data portability, withdrawal of consent at any time (without affecting prior lawful processing), and rights relating to solely automated decision-making.

Under KVKK Art. 11, you have the rights to learn whether your data is processed; request information about the processing; learn its purpose and whether data is used accordingly; know the third parties to whom data is transferred at home or abroad; request correction or deletion and ask that this be notified to recipients; object to results arising solely from automated analysis; and claim compensation for damages caused by unlawful processing.

How to exercise your rights and revoke consent. You can exercise your rights, withdraw consent, or ask questions by emailing [email protected], or by written application to our postal address in the Contact Us section (for KVKK applications). We will respond within the timeframes required by applicable law (including KVKK’s 30-day statutory response period). For EduDiamond, a parent or guardian may exercise these rights on a child’s behalf. Where we act as a processor for a business client, we may direct your request to the relevant client (controller).

Right to complain. You may lodge a complaint with a supervisory authority. Users in Turkiye may apply to the Turkish Personal Data Protection Authority / Board (Kisisel Verileri Koruma Kurumu / Kurul); under KVKK Art. 13-14 you are generally required to apply to us first, but you always retain the right to apply to the Board after applying to us — including if we do not respond within 30 days or our response is unsatisfactory. Users in the EU/UK may complain to their local Data Protection Authority at any time, regardless of whether they contact us first. We encourage you to contact us first so we can try to resolve your concern.

16. Account & Data Deletion

You can request deletion of your account and associated personal data at any time, including without re-installing or opening the app. Where a Codesseum app supports in-app account creation, that app also provides a way to initiate deletion of your account and associated personal data from within the app itself, in an easily accessible location — not merely to deactivate or disable the account.

You can also request account and data deletion from outside the app at any time, in either of these ways:

• Deletion request page — visit our publicly accessible deletion page at https://codesseum.com/account-deletion/, reachable from any browser without logging in, which explains what data is deleted and what may be retained as required by law.
• By email — email [email protected] and ask us to delete your account and data.

When you delete your account, we delete or irreversibly anonymize your associated personal data, except where we are required to retain certain data to meet legal obligations (such as billing or telecommunications records) or for the limited purposes permitted by law. For call recordings, transcripts, and children’s data, deletion requests are honored consistent with these principles; for deployments operated by a business client, deletion may be handled by, or coordinated with, that client. We may need to verify your identity (or, for a child’s data, parental status) before completing a deletion request.

17. App Permissions

Our apps request only the device permissions needed for the features you use, with a plain-language explanation shown at the time of the request. The purposes described here match the in-app permission prompts. Permissions may include:

• Microphone — used by Cloud PBX and the AI Call Center to make and handle calls and enable voice features. Recording occurs only where enabled, with the notice described in the Voice, Calls & Recording Consent section.
• Notifications — used to deliver app notifications where you enable them.
• Network access — used to connect to our services and route calls and data.
• Contacts (only where a feature requires it, such as a dialer) — used solely to let you initiate a call or action you choose. We do not use Contacts to build a database or to contact people without your explicit, per-contact action, and we do not default to selecting all contacts.

We do not request restricted permissions (such as call-log or SMS access) unless a disclosed, core, user-facing feature requires them, and we follow the platform declaration and consent requirements that apply. You can review and change app permissions at any time in your device settings (for example, under Settings on iOS or Android). Turning off a permission may limit related features.

18. App Store Disclosures & Consistency

Where a Codesseum app is published on the Apple App Store or Google Play, this policy covers that app by name and describes its data practices, and the practices described here are intended to be consistent with that app’s Apple App Privacy (“Nutrition Label”) declarations and Google Play Data Safety declarations, including disclosures about data collection, sharing (such as sharing with third-party AI providers), audio data, and account/data deletion. This policy is published at a public URL (https://codesseum.com/privacy-policy/) and, for any published app, is also reachable from within the app and its store listing, in plain English. The account-deletion resource referenced in the Account & Data Deletion section is provided as the deletion resource in the corresponding Google Play Data Safety declaration.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the “Last updated” date shown with this policy. For material changes, we will provide additional notice where appropriate, such as through the website, in-app notice, or other reasonable means. We encourage you to review this policy periodically.

20. Contact Us

Codesseum is the data controller for personal data processed through its own products and website. If you have questions about this policy or wish to exercise your rights, you can reach our privacy contact using the details below.

• Data controller (legal entity): Codesseum (full registered legal name and legal form available on request)
• Registered office / postal address: Istanbul, Turkiye (full registered address available on request)
• Trade registry / MERSIS no.: available on request
• VERBIS registration: available on request
• KVKK contact person (irtibat kisisi) / privacy officer: Codesseum Privacy Team — [email protected]
• Website: https://codesseum.com
• Privacy / data protection contact: [email protected]

EU and UK representatives. Because Codesseum is established in Turkiye and offers services to individuals in the EU and the UK, it is required to designate representatives under Article 27 of the EU GDPR and Article 27 of the UK GDPR. Our representatives are:

• EU representative (GDPR Art. 27): to be appointed; once designated, the representative’s name and EU/EEA address will be published here. In the meantime, individuals in the EU may also contact us at [email protected].
• UK representative (UK GDPR Art. 27): to be appointed; once designated, the representative’s name and UK address will be published here. In the meantime, individuals in the UK may also contact us at [email protected].

Individuals in the EU or UK may contact the relevant representative on matters relating to the processing of their personal data, in addition to contacting us directly. If a Data Protection Officer (DPO) is appointed, or one is determined to be required, the DPO’s contact details will be published here. Our privacy contact above is monitored and is the appropriate channel for privacy questions, data-subject requests, and account or data deletion. Where Codesseum acts as a processor on behalf of a business client, some requests may be directed to that client as the controller.