DATA RETENTION POLICY
This Data Retention Policy has been prepared by Gabify – Neurolens (Company hereinafter) and enforced by the board decisions on 30.03.2026 to fulfill obligations arising from the legislations regarding data protection and privacy and to inform data subjects regarding the retention of the data.
DEFINITIONS
The purpose of this policy is to regulate the methods and principles regarding data privacy and retention of data. In this policy, the terms are used with the following meaning: -
Term | Definition |
Data | Representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means; |
Digital Personal Data | Personal data in digital form |
Personal Data | Any data about an individual who is identifiable by or in relation to such data |
Personal Data Breach | Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data; |
Processing | In relation to personal data, it means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. |
Retain/Retention | (As per Black’s Law Dictionary) To continue to hold, have, use, recognise, etc., and to keep. |
PRINCIPLES
The company acts within the framework of the following principles in the retention of the data:
- The company is acting completely in compliance with the applicable data privacy regulations and the provisions of the relevant legislation, Board decisions and the provisions of this policy in the operation of data retention.
- All transactions regarding the retention and storage of the data are recorded by the company, and these records are kept for at least 14 days, excluding other legal obligations.
- The appropriate ways of retaining the data will be selected on its own motion by the company unless a contrary decision is taken by the regulator’s authority.
LEGAL REASONS FOR RETENTION
The reasons for storage are as follows:
- Storing data as it is directly related to the establishment and performance of contracts/agreements.
- Storing data for the purpose of establishing, exercising or protecting a right.
- Storing the personal data when it is mandatory to store for the legitimate interests of the company, under the condition that it does not harm the fundamental rights and freedoms of individuals.
- Storing of the personal data for the purpose of fulfilling any kind of legal obligations.
- The storage of the data is clearly foreseen in the legislation.
- Storing the personal data pursuant to the explicit consent of the data owners, when the explicit consent is required.
DURATION OF RETENTION
The following criteria are used to determine the retention period of the data obtained by the company in accordance with relevant legislation:
- If a period of time is stipulated in the legislation or decisions of the regulatory authority regarding the storage of personal data, this period shall be complied with.
- If the period stipulated in the legislation regarding the storage of the said personal data expires or if no period is stipulated in the relevant legislation regarding the storage of the said data, the retention period is determined taking into account the legitimate interests of the company and the rights of those concerned.
Personal data whose storage period has expired is erased or destructed in 7 days period according to the procedures stated in this policy. All operations regarding the erasure, disposal and anonymization of the data are recorded with a report, and these records are kept for at least 7 days, excluding other legal obligations.
TECHNICAL AND ADMINISTRATIVE PRECAUTIONS
For the purpose of storing the data securely, preventing illegal processing/accessing to the data and disposal of data eligibility to law, all administrative and technical measures taken by the company are listed below: -
ADMINISTRATIVE PRECAUTIONS
Within the scope of administrative measures, the company.
- If other individuals obtained the processed data unlawfully, or in case of breach of personal data, notify the relevant person as soon as possible.
- To ensure adequate security measures are being taken (against electrical leakage, fire, flood, theft etc.) according to the area where the data is located and prevent unauthorized entrance and exit to these areas.
TECHNICAL PRECAUTIONS
Within the scope of technical measures, the company:
- Makes required internal controls within the scope of established systems.
- Conduct the processes of information technology risk assessment and business impact analysis within the scope of established systems.
- Ensure the technical infrastructure to prevent or monitor the leakage of data outside of the company and the creation of relevant matrices.
- Ensure access to the data of employees in information technology units is kept under control.
- Ensures the disposed personal data cannot be reversed and leaves no audit trail.
- Protects all kinds of digital media where the data is stored with encrypted methods in a way that meets information security requirements.
- Ensure the necessary security tests are carried out regularly by constantly monitoring the security updates of the areas where the data is located.
ENFORCEMENT
This policy will enter into force by being announced to all clients and will be binding on all business units, consultants, external service providers and anyone processing personal data as of its date of entry into force.
FOR GRIEVANCE RESOLUTION
Email: care@gabify.life
info@gabify.life
Response Time: Within 15 working days