Legal

Data Protection Policy

Effective Date: 1 January 2026 | Last Updated: 1 March 2026 | Compliant with GDPR & KVKK

This document outlines how Tech Tank, operator of OpenPatent, fulfils its obligations as a data controller under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Turkish Personal Data Protection Law (KVKK, Law No. 6698). It supplements our Privacy Policy.

1. Data Controller Identity

Controller: Tech Tank
Registered Address: Istanbul, Turkey
Data Protection Contact: openpatent@techtank.com.tr

2. Lawful Bases for Processing

Tech Tank processes personal data only where a valid lawful basis exists under Article 6 GDPR / Article 5 KVKK:

Contract (Art. 6(1)(b) GDPR) — processing necessary to provide the services you signed up for, including account management, AI search, application drafting, and payment processing.
Legitimate Interests (Art. 6(1)(f) GDPR) — aggregate analytics, fraud prevention, and platform security, where our interests do not override your rights.
Legal Obligation (Art. 6(1)(c) GDPR) — compliance with applicable tax, financial, and regulatory obligations.
Consent (Art. 6(1)(a) GDPR) — marketing communications and optional analytics cookies, where obtained explicitly and revocable at any time.

3. Special Category Data

We do not intentionally collect special category data (e.g., health, biometric, or political data) as defined in Article 9 GDPR. If any such data is incidentally included in an invention description, it will be treated with the highest level of protection and promptly deleted upon identification.

4. Data Subject Rights (GDPR & KVKK)

You have the following rights, exercisable at any time by contacting openpatent@techtank.com.tr:

📋 Right to Access

Receive a copy of all personal data we hold about you (Art. 15 GDPR).

✏️ Right to Rectification

Have inaccurate or incomplete data corrected (Art. 16 GDPR).

🗑️ Right to Erasure

Request deletion of your data where no legal retention basis applies (Art. 17 GDPR).

📦 Right to Portability

Receive a structured, machine-readable export of your data (Art. 20 GDPR).

⛔ Right to Object

Object to processing based on legitimate interests (Art. 21 GDPR).

🔒 Right to Restriction

Request that we restrict processing in certain circumstances (Art. 18 GDPR).

We will respond to all verified requests within 30 calendar days. In complex cases, this may be extended by up to a further 60 days with notification.

5. Data Security Measures (Art. 32 GDPR)

Tech Tank applies the following technical and organisational measures to protect personal data:

Encryption in transit — all data transmitted via TLS 1.2+ with HSTS enabled;
Encryption at rest — AES-256 encryption applied to all stored data;
Access controls — role-based access control (RBAC) with least-privilege principles;
Audit logging — immutable access and mutation logs retained for 12 months;
Penetration testing — annual third-party security audits;
Employee training — mandatory annual data protection training for all staff.

6. Data Breach Notification (Art. 33–34 GDPR)

In the event of a personal data breach, Tech Tank will:

Notify the relevant supervisory authority within 72 hours of becoming aware (where feasible);
Notify affected data subjects without undue delay where the breach poses a high risk to their rights and freedoms;
Document all breaches in an internal register, including remediation steps taken.

7. Data Retention Schedule

Account & usage data — retained for the duration of the account plus 90 days after deletion.
Billing records — retained for 7 years to meet Turkish tax and accounting obligations.
Support communications — retained for 3 years.
Security & audit logs — retained for 12 months, then securely deleted.

8. Third-Party Data Processors

We rely on the following categories of processors, each bound by a Data Processing Agreement (DPA) that meets GDPR Article 28 requirements:

Payment Processors (e.g., Stripe) — billing and subscription management;
Cloud Infrastructure — server hosting, database management, object storage;
Email Service Providers — transactional and notification emails;
Error Monitoring — anonymised crash reporting and uptime monitoring.

9. International Data Transfers

Where personal data is transferred outside the EEA or Turkey, Tech Tank ensures that adequate safeguards are in place, including:

European Commission Standard Contractual Clauses (SCCs, 2021 edition);
Adequacy decisions recognised by the European Commission; or
Binding Corporate Rules where applicable.

10. Data Protection Impact Assessments (DPIA)

Tech Tank conducts DPIAs for any new processing activities likely to result in high risks to individuals' rights, in accordance with Article 35 GDPR. Results are documented internally and reviewed at least annually.

11. KVKK Specific Provisions

Users in Turkey have additional rights under KVKK Article 11, including the right to obtain all information about themselves, to know to whom their data has been transferred domestically and internationally, and to apply to the Personal Data Protection Board (KVKK Kurulu) if their rights are not upheld. You may apply by email to openpatent@techtank.com.tr.

12. Policy Reviews

This Data Protection Policy is reviewed annually and following any significant change to our processing activities or applicable law. Material updates will be communicated to registered users via email with at least 14 days' notice.

13. Contact

Data protection enquiries: openpatent@techtank.com.tr
You also have the right to lodge a complaint with your local supervisory authority (e.g., CNIL in France, ICO in the UK, or the KVKK Board in Turkey).