AqlDataProcurement Insights Desk

Privacy Policy

Effective Date: 2026-06-04 Last Updated: 2026-06-04

1. Who We Are

AqlData ("we," "us," or "our") operates the AqlData insights service available at https://data.heyvaql.com ("Service"). We provide B2B procurement insights derived from public EU procurement registries (OCDS — Open Contracting Data Standard).

Data Controller: AqlData, operated from Turkey. Full postal address provided on request via desk@data.heyvaql.com.

Contact for privacy matters: Email: desk@data.heyvaql.com

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, and protect information in connection with:

1. Visitors to data.heyvaql.com and related subdomains;
2. Recipients of our B2B outreach communications;
3. Customers who purchase access to our Service;
4. Data subjects whose information appears in public procurement records we process as part of our core analytics function.

3. The Data We Process and Its Sources

3.1 Website Visitor Data

When you visit data.heyvaql.com, we may collect standard server-log information including IP address, browser user-agent string, referring URL, and pages visited. This information is used for security monitoring, abuse prevention, and aggregate traffic analysis. We do not use third-party behavioral tracking pixels or advertising SDKs.

Legal basis (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)): Legitimate interest in operating a secure web service.

Retention: Server logs are retained for a maximum of 90 days, then deleted or anonymized.

3.2 Business Contact Information — B2B Outreach

We conduct low-volume, individually composed outreach to business professionals at companies whose procurement activity appears in public OCDS registries. The contact information we process for this purpose consists exclusively of:

- First and last name of a named business professional;
- Business email address (corporate domain);
- Job title and employer organization;
- Country of operation.

Source of data: Public sources only — including (a) official EU and national public-procurement portals publishing OCDS-format award notices; (b) the prospective company's own public website, press releases, and official corporate directories; and (c) professional public profiles where the individual has self-published their business contact details. We do not purchase contact lists from data brokers. We do not scrape private social networks in a manner that violates those platforms' terms of service.

Information obtained from public records (GDPR Art. 14): Because we collect this information from public sources rather than from you directly, our first communication to you identifies that the data originates from public procurement records and the company's own public channels, and provides a one-step opt-out. You may object to this processing at any time (see Section 5), after which your address is added to our permanent suppression list.

Legal basis (GDPR Art. 6(1)(f) / KVKK Art. 5(2)(f)): Legitimate interest. We have conducted a Legitimate Interest Assessment (LIA) concluding that:

- Purpose test: We contact business professionals in their professional capacity about a service directly relevant to their documented field of work (procurement insights). There is a clear, specific connection between the data subject's professional role and our communication.
- Necessity test: Name, business email, and role are the minimum required to send a targeted, relevant business communication. We collect no sensitive personal data, no private contact details, and no data about personal life.
- Balancing test: The communication concerns B2B services, not consumer offers. The contact data is factual business-role information sourced from official public procurement records, and each communication concerns the recipient's documented professional remit. Each communication includes a clear unsubscribe mechanism. The impact on privacy interests is minimal relative to the legitimate interest pursued.

- Electronic-marketing rules (ePrivacy): We recognise that, independently of GDPR, some EU member states (notably Germany and Austria) require prior consent for unsolicited commercial email even in a B2B context. Where required, we direct outreach to functional/role addresses rather than named individuals, or rely on inbound contact, in those jurisdictions.

We have weighed this assessment against reasonable expectations of business professionals operating in the procurement sector and are satisfied that our legitimate interest is not overridden by the data subjects' interests, rights, or freedoms.

Retention: Contact records are retained for the duration of an active outreach relationship (maximum 12 months from last contact without response) and then deleted, unless the individual becomes a paying customer (see 3.3).

3.3 Customer Account Data

When a business purchases access to the Service, we collect:

- Name and business email address of the account holder;
- Company name and billing address;
- Payment information (processed by our payment processor — see Section 9; we do not store full card numbers);
- Usage logs (queries made, reports accessed) for service delivery and abuse prevention.

Legal basis (GDPR Art. 6(1)(b) / KVKK Art. 5(2)(c)): Performance of a contract.

Retention: Account data is retained for the duration of the subscription plus five (5) years for tax and financial record-keeping obligations, after which it is deleted or anonymized.

3.4 Public Procurement Record Data (OCDS)

Our core analytical function involves processing OCDS-format public procurement records published by EU member state contracting authorities. These records may contain personal names (e.g., contact persons listed on award notices, individual sole-trader suppliers).

Legal basis (GDPR Art. 6(1)(f) + Art. 85 / KVKK Art. 5(2)(d) — publicly available data): The data is already public record, published under legal mandate by government contracting authorities. We process it to produce aggregated competitive-insights analytics. We do not use this data for any purpose unrelated to procurement analysis.

Output: Our Service delivers aggregated, entity-resolved analytical outputs. We do not sell or expose raw personal identifiers to third parties.

4. International Data Transfers

We are a Turkish-based company. Our primary data processing infrastructure is located in Turkey. Turkey is not recognized by the European Commission as a country ensuring an adequate level of personal data protection under GDPR Art. 45.

Where personal data of EU/EEA residents is transferred to and processed in Turkey, we rely on the following safeguard:

- Standard Contractual Clauses (SCCs) (GDPR Art. 46(2)(c)), implemented in our agreements with EU-resident customers, where applicable; and/or
- Legitimate interest combined with the practical observation that the personal data in question is limited to professional/business contact data voluntarily made publicly available by data subjects in a business context, which substantially reduces the transfer risk.

We also use cloud infrastructure services (including Amazon Web Services, EU regions where available) that may process data in EU data centers under their own DPA agreements with us.

We will not represent that processing occurs exclusively within the EU/EEA. It does not. We are transparent about this.

EU representative (GDPR Art. 27): As a controller established outside the EU that offers services to data subjects in the EU, we are in the process of designating an EU representative. Their name and contact details will be published in this section once the appointment is complete.

If you are an EU-based customer requiring a Data Processing Agreement (DPA) with Standard Contractual Clauses, please contact desk@data.heyvaql.com.

5. Your Rights as a Data Subject

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right	GDPR (EU/EEA)	KVKK (Turkey)
Right to access	Art. 15	Art. 11(1)(b)(c)
Right to rectification	Art. 16	Art. 11(1)(d)
Right to erasure ("right to be forgotten")	Art. 17	Art. 11(1)(e)
Right to restrict processing	Art. 18	Art. 11(1)(d)
Right to object to processing	Art. 21	Art. 11(1)(e)
Right to data portability	Art. 20	—
Right not to be subject to solely automated decisions	Art. 22	Art. 11

To exercise any right: Email desk@data.heyvaql.com. We will respond within 30 days (GDPR) / 30 days (KVKK Art. 13). For erasure requests, we will delete your contact record and add your email address to our permanent suppression list so you are not contacted again.

Note on public procurement data: Where your name appears in an OCDS public record as, for example, a contracting officer or award contact, erasure from our analytics database does not affect the underlying public record held by the relevant government body. We can remove your identifier from our derived outputs; we cannot alter official government registries.

Lodging a complaint: If you are in the EU/EEA and believe we have processed your personal data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. In Turkey, complaints may be directed to the Kişisel Verileri Koruma Kurumu (KVKK — Personal Data Protection Authority), Nasuh Akar Mahallesi, Ziyabey Caddesi No: 19, 06520 Balgat / Ankara.

6. Email Communications and Opt-Out (CAN-SPAM / GDPR)

6.1 Nature of our email communications

All outreach emails from AqlData are:

- Individually composed for a specific recipient and company;
- Related exclusively to professional/business subject matter (procurement insights);
- Sent at low volume (fewer than 50 individual outreach emails per month as of the effective date of this policy);
- Sent from desk@data.heyvaql.com.

6.2 Unsubscribe / opt-out mechanism

Every commercial email we send includes:

- A List-Unsubscribe header (mailto:desk@data.heyvaql.com?subject=unsubscribe) compliant with RFC 2369 and CAN-SPAM requirements;
- A plain-text statement at the foot of each email advising recipients that they may opt out by replying with the word "unsubscribe" or by emailing desk@data.heyvaql.com.

We honor opt-out requests within 10 business days as required by CAN-SPAM (15 U.S.C. § 7704(a)(4)). In practice we aim to process opt-outs within 48 hours.

6.3 Suppression list

We maintain a permanent suppression list of email addresses that have unsubscribed or bounced. Once an address is added to the suppression list, it will not be contacted again under any circumstances unless the individual affirmatively re-initiates contact with us.

6.4 Physical address (CAN-SPAM § 7704(a)(5))

Every commercial email we send includes our full physical postal address in its footer, as required by CAN-SPAM § 7704(a)(5). To limit automated harvesting, the full street address is not published on this website but is shown in every email itself and provided on request at desk@data.heyvaql.com. We operate from Turkey.

7. Automated Decision-Making

We do not make automated decisions that produce legal or similarly significant effects on individuals. Our Service provides analytical insights to human decision-makers; all outputs are advisory. Customers retain full human control over any procurement or business decisions.

8. Data Security

We implement technical and organizational measures appropriate to the risk, including:

- Encrypted data transmission (TLS 1.2+) for all web traffic;
- Access controls limiting data access to personnel who require it for service delivery;
- Regular security review of our infrastructure;
- Incident response procedures — in the event of a breach affecting EU residents, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33) and affected individuals without undue delay where the breach is likely to result in high risk (GDPR Art. 34).

9. Third-Party Processors

We use the following categories of third-party sub-processors:

Category	Purpose	Location
Cloud infrastructure	Hosting, storage, compute	EU (AWS eu-north-1 / eu-west) + TR
Payment processing	Subscription billing	Payoneer — EU/US
Email delivery	Transactional + outreach email	AWS SES (eu-north-1)

We do not sell personal data to any third party. We do not share personal data with advertising networks.

10. Cookies

data.heyvaql.com is a primarily informational B2B site. We use only:

- Strictly necessary session cookies (where authentication exists) required for service function;
- No third-party advertising or behavioral tracking cookies.

If and when we introduce analytics cookies, this policy will be updated and a cookie consent mechanism will be implemented.

11. Children

This Service is directed exclusively at business professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy at data.heyvaql.com/privacy with an updated "Last Updated" date. For paying customers, we will provide notice by email at least 14 days before material changes take effect.

13. Contact

For all privacy enquiries, data subject requests, and opt-out requests:

Email: desk@data.heyvaql.com Subject line: "Privacy Request — [your name]"

AqlData, operated from Turkey. Full postal address provided on request via desk@data.heyvaql.com.

Legal notes. Three items in our compliance programme are handled by professional advisors rather than asserted here: (1) Turkish corporate registration and tax (invoicing authority) — a licensed Turkish accountant; (2) KVKK VERBİS exemption threshold — a one-time consultation with a Turkish data-protection specialist; (3) EU Standard Contractual Clauses — standard SCCs executed with EU customers on request. This policy is offered in good faith and updated as those items are finalised.

AqlData — Procurement Insights Desk · desk@data.heyvaql.com · data.heyvaql.com