ENA INNOVATION

Legal Documents

Contents

  • 1. Overview and Scope
  • 2. Controller and Processor Roles
  • 3. Personal Data We Process
  • 4. Purposes and Legal Bases
  • 5. Data Sharing and Third Parties
  • 6. Infrastructure and Data Storage
  • 7. International Data Transfers
  • 8. Data Retention
  • 9. Your Rights
  • 10. DPO and Security Measures
  • 11. Children's Privacy
  • 12. Policy Changes
  • 13. Contact

ENA Innovation — Legal Documents

Privacy Policy

Last Updated: June 7, 2026

1. Overview and Scope

ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş. ("ENA Innovation", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the EnaSpace ecosystem — including enaspace.com, enagate.com, and all associated products (EnaFeedback, EnaSmartway, EnaQuality, EnaTto, and others).

This Policy is designed to comply with:

  • EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
  • Turkish Personal Data Protection Law (KVKK) — Law No. 6698
  • Other applicable data protection regulations

For Turkish-language KVKK disclosure requirements, please refer to our KVKK Aydınlatma Metni.


2. Controller and Processor Roles

Whether ENA Innovation acts as Data Controller or Data Processor depends on the context of data processing:

ENA Innovation as Data Controller

ENA Innovation acts as Data Controller when it determines the purposes and means of processing your personal data. This applies to:

  • Information you provide when creating an EnaGate account or registering directly on enaspace.com.
  • Billing and payment information processed in connection with your Subscription.
  • Support and communication data you submit via our help channels.
  • Platform usage analytics and operational logs generated by your direct interaction with the Services.

ENA Innovation as Data Processor

ENA Innovation acts as Data Processor when a Tenant (Business customer) determines the purposes and means of processing, and ENA Innovation processes that data on their behalf. This applies to:

  • Data submitted by End Users of Tenant-deployed products (e.g., feedback respondents who scan an EnaFeedback QR code, quality audit subjects in EnaQuality).
  • Tenant-specific organizational data and content uploaded to the platform.

In these scenarios, the Tenant is the Data Controller, and ENA Innovation processes data only in accordance with the Tenant's instructions and this Privacy Policy. Business customers are required to enter into a separate Data Processing Agreement (DPA) available through portal.enaspace.com.


3. Personal Data We Process

3.1 Account and Identity Data

  • Full name, email address, phone number (optional), language preference
  • Organization name, business address, VAT/tax number (for invoicing)
  • EnaGate credentials (password stored as a one-way cryptographic hash; never in plaintext)
  • Profile information provided voluntarily

3.2 Billing and Transaction Data

  • Billing address and country
  • Last four digits of payment card (full card data is never stored by ENA Innovation; processed directly by Paddle or PayTR)
  • Invoice history, subscription plan, and payment status

3.3 Technical and Operational Data

  • IP addresses, browser type, device identifiers, operating system
  • Session tokens, authentication cookies, and locale cookies
  • System access logs retained for legal compliance and security (see Section 6)
  • API usage metrics, error logs, and performance data

3.4 Tenant-Submitted Content

  • Surveys, forms, feedback responses, workflow configurations, and other Content submitted by Tenants and their users
  • Processed under the Tenant's instructions as Data Processor

3.5 Communication Data

  • Support tickets, emails, and chat messages you send to our support team
  • Notifications and in-app messages

3.6 Integration Configuration Data

Where Tenant administrators enable integration features (including in EnaFeedback), we process:

  • BYO SMS provider selection, non-secret configuration fields, and encrypted provider credentials
  • Webhook endpoint URLs, subscribed event types, encrypted signing secrets, and delivery metadata (timestamps, HTTP status codes, retry counts)

4. Purposes and Legal Bases

Purpose | Personal Data Categories | Legal Basis (GDPR) | KVKK Legal Basis
Account creation and authentication | Identity, Credentials | Art. 6(1)(b) — Contract performance | KVKK Art. 5(2)(c) — Contract
Service delivery and feature access | Identity, Usage data | Art. 6(1)(b) — Contract performance | KVKK Art. 5(2)(c) — Contract
Billing and invoicing | Billing, Identity | Art. 6(1)(b) — Contract performance | KVKK Art. 5(2)(c) — Contract
Legal and tax compliance | Billing, Identity | Art. 6(1)(c) — Legal obligation | KVKK Art. 5(2)(ç) — Legal obligation
Security, fraud prevention, and logging | Technical, Identity | Art. 6(1)(f) — Legitimate interests | KVKK Art. 5(2)(f) — Legitimate interest
Service improvement and analytics | Usage, Technical | Art. 6(1)(f) — Legitimate interests | KVKK Art. 5(2)(f) — Legitimate interest
Customer support communications | Communication, Identity | Art. 6(1)(b) — Contract performance | KVKK Art. 5(2)(c) — Contract
Marketing communications | Identity, Contact | Art. 6(1)(a) — Consent | KVKK Art. 5(1) — Explicit consent

5. Data Sharing and Third Parties

We do not sell your personal data. We share personal data only with trusted service providers acting as sub-processors under contractual obligations, or when required by law.

A complete list of sub-processors is available on request at [email protected]. Material changes to sub-processors are notified to affected customers with at least 30 days' notice.

5.1 Paddle — International Payment Processing

For Subscriptions billed outside Türkiye or in non-TRY currencies, payment processing, invoicing, tax calculation, and billing are handled by Paddle.com Inc. as our Merchant of Record. Paddle independently processes payment card data and transaction details in accordance with Paddle's Privacy Policy and PCI DSS standards. ENA Innovation receives transaction confirmation and billing metadata only.

5.2 PayTR — Domestic Payment Processing (Türkiye)

For Subscriptions billed in TRY to Turkish addresses, payment processing is handled by PayTR Ödeme Hizmetleri A.Ş., a licensed payment institution regulated by the Central Bank of the Republic of Türkiye (TCMB). PayTR processes payment card data in accordance with its own privacy policy.

5.3 EnaGate — Authentication Infrastructure

Authentication and identity management for all EnaSpace products is handled through EnaGate (enagate.com), which operates on a self-hosted, enterprise-grade identity and access management platform running entirely within ENA Innovation's own infrastructure. EnaGate holds your authentication credentials, session tokens, and role assignments. No third-party cloud identity provider has access to EnaSpace user identity data.

5.4 Huawei Cloud — Infrastructure and Hosting

The EnaSpace platform is hosted on Huawei Cloud infrastructure in the TR-West-1 (Istanbul) region. Your data is stored and processed within high-availability infrastructure located in Türkiye. Huawei Cloud acts as a data processing sub-contractor. See Section 6 for technical details.

5.5 Platform Notification Infrastructure — SMS and Email

Each EnaSpace product (EnaFeedback, EnaTto, EnaSmartWay, EnaQuality, and others) may deliver operational SMS and email notifications to end users and stakeholders as part of its core functionality. The following sub-processors are used for this purpose:

  • Transactional email (Resend): Outbound transactional emails are routed through Resend, ENA Innovation's contracted transactional email service provider, which acts as a sub-processor under data processing obligations. Resend processes recipient email addresses and message metadata solely for message delivery and delivery reporting, and does not use recipient data for its own commercial purposes.
  • SMS (platform defaults): When platform delivery applies, outbound SMS messages are routed through ENA Innovation's contracted providers. Turkish (+90) numbers are delivered via NetGSM, our licensed Turkish mobile messaging gateway. Non-Turkish numbers are delivered via Bird (formerly MessageBird), our global SMS platform provider. Both process recipient phone numbers solely for delivery under applicable data protection obligations.

Tenants are solely responsible for obtaining lawful basis and consents from their notification recipients in compliance with applicable electronic communications law (including Turkey's Electronic Commerce Law No. 6563 and the EU's ePrivacy Directive).

5.8 Tenant-Configured Integrations

Where supported (including EnaFeedback), Tenants may configure bring-your-own (BYO) SMS gateways and outbound webhooks to connect EnaSpace products to their own systems.

BYO SMS. Tenants may route operational SMS through a provider of their choice — including NetGSM, Bird, Twilio, Infobip, or a custom HTTPS webhook endpoint — instead of, or with automatic failover to, platform defaults. Provider credentials and signing secrets supplied by the Tenant are stored encrypted at rest (AES-256-GCM) and are never returned in plaintext to client applications. When BYO SMS is enabled, ENA Innovation processes recipient phone numbers and message content solely to transmit messages on the Tenant's instructions. The Tenant's chosen SMS provider processes recipient data under the Tenant's own contract and privacy terms; such providers are not ENA Innovation sub-processors unless separately agreed. Tenants are solely responsible for provider selection, international transfers to that provider, and compliance with applicable electronic communications law.

Outbound webhooks. Tenants may subscribe HTTPS endpoints to receive real-time event notifications (including feedback, hygiene, survey, ticket, and cleaning events). Payloads are transmitted over TLS and signed with HMAC-SHA256 so recipients can verify authenticity. Event payloads may include personal data submitted within the Tenant's environment (e.g., feedback content, location identifiers, ticket metadata). Data is sent only to URLs configured by the Tenant. Receiving systems — including Slack, Microsoft Teams, Discord, n8n, Make, Zapier, CRM platforms, or custom applications — are operated by the Tenant or third parties under the Tenant's control; their processing is outside ENA Innovation's sub-processor list unless separately contracted.

Tenant responsibility. Integration features are restricted to authorized Tenant administrators (typically the Platform Owner role). Tenants are solely responsible for configuring lawful endpoints, maintaining credential security, ensuring receiving systems comply with applicable data protection law, and promptly disabling integrations that are no longer needed.

5.6 Analytics — Privacy-First Self-Hosted Platform

EnaSpace uses a self-hosted, privacy-first analytics platform to collect anonymous, aggregated page-view and session statistics on our public-facing web properties (enaspace.com, enafeedback.com). This platform does not use tracking cookies, does not fingerprint devices, and does not collect or store any personally identifiable information. The data collected is limited to: anonymized page URLs, referrer information, browser type, operating system, and country (derived from anonymized IP — the full IP address is never stored). This data is processed as non-personal data and is not subject to data subject rights requests. The analytics platform runs entirely on ENA Innovation's own infrastructure.

5.7 Legal Disclosure

We may disclose personal data when required by law, court order, regulatory authority, or to protect the rights, property, or safety of ENA Innovation, our users, or others.


6. Infrastructure and Data Storage

All personal data is stored and processed within ENA Innovation's cloud infrastructure:

Primary Data Centre: Huawei Cloud, TR-West-1 Region (Istanbul, Türkiye)

Technical Security Measures:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest: Data at rest is encrypted using AES-256 encryption within our database and object storage services.
  • Database isolation: Tenant data is stored in logically isolated database partitions with row-level security controls.
  • Object storage: File uploads and media content are stored in encrypted object storage with private access policies.
  • High availability: Services run on highly available container orchestration infrastructure with automated failover.

We do not process your personal data on infrastructure located outside of Türkiye for primary storage. However, certain sub-processors (e.g., Paddle for international transactions, AI infrastructure providers) may process limited data outside Türkiye. See Section 7.


7. International Data Transfers

Where personal data is transferred outside the Republic of Türkiye (for example, to Paddle for international payment processing, or to AI/cloud service providers used in specific features), ENA Innovation ensures adequate safeguards are in place:

  • Adequacy decisions: Where the destination country has been recognized as providing adequate data protection by relevant authorities.
  • Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we rely on European Commission-approved Standard Contractual Clauses or equivalent safeguards.
  • Explicit consent: Where required under KVKK for transfers to countries without adequate protection, we obtain explicit consent from data subjects.

For KVKK-specific transfer obligations, see our KVKK Aydınlatma Metni.


8. Data Retention

Data Category | Retention Period
Active account data | Duration of Subscription + 30 days post-cancellation
Billing records and invoices | 10 years (Turkish tax law requirement)
Technical access logs | 2 years (Turkish Law No. 5651)
Support communications | 3 years from last interaction
Marketing consent records | Until consent is withdrawn + 3 years
Deleted account data | Purged within 90 days of account deletion request

After the applicable retention period, data is permanently and irreversibly deleted or anonymized.


9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

Under GDPR (EU/EEA Residents)

  • Right of access (Art. 15): Request a copy of personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data under certain conditions.
  • Right to restriction (Art. 18): Request restriction of processing in specific circumstances.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint: With your national Data Protection Authority (DPA).

Under KVKK (Turkish Residents)

You have rights under KVKK Article 11, including rights to learn whether data is processed, obtain information about processing, and request correction, deletion, or anonymization. See our KVKK Aydınlatma Metni for full details and how to exercise these rights.

How to Exercise Your Rights

Submit requests to: [email protected] with subject line "Data Subject Request". We will respond within 30 days (GDPR) or within the period required under KVKK (maximum 30 days). If your request is rejected or you are not satisfied with our response, you may lodge a complaint with your national supervisory authority (for EU/EEA residents) or the Kişisel Verileri Koruma Kurumu — KVKK Board (www.kvkk.gov.tr) for Turkish residents.

Marketing Communications Opt-Out

Where we process your personal data for marketing communications on the basis of your consent, you may withdraw that consent at any time by: (a) clicking the "unsubscribe" link in any marketing email; or (b) sending a withdrawal request to [email protected] with subject line "Marketing Opt-Out". Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

Automated Decision-Making and Profiling

ENA Innovation does not engage in automated individual decision-making (including profiling) within the meaning of GDPR Article 22 that produces legal or similarly significant effects on data subjects. Our analytics processing is limited to anonymized, aggregated data as described in Section 5.6. If this practice changes, we will update this Policy and notify affected users.


10. Data Protection Officer and EU Representative

Data Protection Officer (DPO). ENA Innovation has assessed its processing activities in accordance with GDPR Article 37. Where mandatory, we have designated a Data Protection Officer. Privacy-related inquiries may be directed to [email protected] with subject line "DPO Inquiry".

Security Measures (KVKK Article 12). ENA Innovation implements and maintains the technical and administrative measures required under KVKK Article 12 to ensure an appropriate level of security for personal data. These measures include the infrastructure security controls described in our Security Infrastructure page.


11. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will promptly delete it.


12. Policy Changes

We may update this Privacy Policy to reflect changes in our practices, technology, or applicable law. When changes are material, we will notify you by email and/or by posting a notice on our website at least 14 days before the changes take effect.

We encourage you to review this Policy periodically. The "Last Updated" date at the top indicates when this version was published.


13. Contact

For privacy-related inquiries, data subject requests, or to contact our Data Protection Officer:

ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş. Battalgazi Mah. Eskişehir Yolu Bulv., A.N.S. Kampüsü, Zafer Teknopark, Merkez/Afyonkarahisar, Türkiye

  • Privacy Email: [email protected]
  • Phone: +90 850 308 45 91
  • MERSİS: 0334130943400001

© 2026 ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş.
