Effective date: 10/18/2025

Workgini Privacy Policy

This policy describes how SİGMATOP BİLGİ TEKNOLOJİLERİ TİCARET LİMİTED ŞİRKETİ handles personal data when operating Workgini across the EU, UK, US, Türkiye, and MENA regions.

Overview & scope

This Privacy Policy explains how SİGMATOP BİLGİ TEKNOLOJİLERİ TİCARET LİMİTED ŞİRKETİ (“we”, “our”, “us”) processes personal data when providing Workgini, including its web and mobile applications, public websites, application programming interfaces (APIs), and related professional services (collectively, the “Services”).

The policy covers data collected directly from customers, users, website visitors, job applicants, and support contacts across the Services.

It does not apply to third-party products that integrate with Workgini; those parties provide their own privacy commitments.

Principles

These commitments guide how we design, build, and support Workgini.

Security first
We design safeguards into every layer, from infrastructure to operational playbooks.
Privacy by design
Features are reviewed to minimize personal data and respect user expectations.
Control & transparency
Customers maintain ownership of their data and receive clear tooling to manage it.

Information we collect

We collect only the data needed to provide, secure, and support Workgini.

Account information
Profile details such as name, email address, role, authentication credentials (hashed using bcrypt), workspace identifiers, and billing contacts.
Organization metadata captured during onboarding, including team size estimates and module selections.
Usage & telemetry
Product interaction events, device and browser information, approximate location derived from IP, and configuration settings required to operate the Services.
Diagnostic logs retained for 30 days for reliability and security monitoring, unless a longer retention period is required by law.
Support records
Support tickets, chat transcripts, call recordings (if any), and attachments you choose to provide when seeking assistance.
Implementation notes required to fulfill enablement, migration, or advisory workstreams.

How we use data

Personal data supports core operations, support, improvements, and compliance.

Service delivery
Operate, maintain, and provide core Workgini features, authenticate users, configure workspaces, and process transactions.
Support & troubleshooting
Respond to requests, resolve incidents, and monitor platform stability. Access is restricted to authorized personnel subject to confidentiality obligations.
Product improvement
Analyze aggregated usage to enhance performance, security, and roadmap planning. We do not sell personal data.
Legal compliance
Satisfy applicable laws, enforce agreements, prevent fraud or misuse, and respond to lawful requests from public authorities.

Türkiye (KVKK)

This section fulfils the obligation to inform under Law No. 6698 on the Protection of Personal Data (“KVKK”).

Data Controller

SİGMATOP BİLGİ TEKNOLOJİLERİ TİCARET LİMİTED ŞİRKETİ (“Workgini”), Maslak Mahallesi AOS 55.Sokak 42 Maslak A Blok No:2 İç Kapı No :25, Sarıyer, İstanbul, Türkiye 34485. Contact: contact@workgini.com.

Purposes of Processing and Legal Grounds

  • Service delivery, authentication, customer/member relations, security and fraud prevention, support, and regulatory compliance.
  • Legal grounds: KVKK Art. 5/2 (c) establishment/performance of a contract, (ç) legal obligation, (e) establishment/protection of rights, (f) legitimate interest.
  • Marketing messages and analytics/marketing cookies are processed only with explicit consent.
  • If special categories of personal data are to be processed, the conditions of KVKK Art. 6 are met and explicit consent is obtained where required.

Transfers and Transfers Abroad

Data may be transferred to our suppliers/business partners (hosting, database/authentication, email, customer support, payments) and to persons/institutions authorized by law. For transfers abroad, the mechanisms under KVKK Art. 9 (adequacy decision, standard contracts determined by the Board, or exceptions) are applied; additional technical/administrative measures (encryption, access controls, contractual safeguards) are taken.

Method of Collection and Legal Basis

Data is collected electronically through web and mobile applications, support channels, and cookies, and is processed on the basis of the legal grounds above.

Retention Periods

Data is retained for the mandatory periods set by legislation and for a reasonable period necessary for the purposes of processing. When the period expires, deletion, destruction, or anonymization is carried out. Backups are purged on a rolling schedule (typically within 30–90 days).

Cookies

Essential cookies are used to provide the service. Your explicit consent is obtained for analytics and marketing cookies, and you can update your preferences at any time via the cookie manager.

Your Rights under KVKK Art. 11

  • To learn whether your personal data is processed
  • To request information about it if it has been processed
  • To learn the purpose of the processing and whether the data is used in accordance with that purpose
  • To know the third parties to whom it is transferred, in Türkiye or abroad
  • To request correction if it has been processed incompletely or inaccurately, and to request that third parties be notified of the action taken
  • To request deletion or destruction where the reasons requiring processing have ceased to exist, even though the data was processed in accordance with the KVKK and related legislation, and to request that third parties be notified of the action taken
  • To object to a result against you arising solely from analysis by automated systems
  • To request compensation for damage

Applications and Response Time

You may submit your applications in Turkish in writing, via KEP (if available), with a secure e-signature/mobile signature, or from your email address registered in our system to contact@workgini.com. Applications are concluded within 30 days; a reasonable fee may be charged according to the Board's tariff.

This KVKK section is effective from the same date as the “Effective date” at the top of the page.

Confidentiality & data protection

Non-public information processed through Workgini is treated as confidential. We limit access to personnel with a documented need to perform their role, enforce least-privilege controls, and use Workspace content solely to provide or support the Services.

We disclose customer data only with your documented instructions, to comply with applicable law, or in response to valid legal requests. Where permitted, we provide advance notice and opportunity to challenge or narrow the request.

All employees and contractors are bound by written confidentiality agreements and complete security & privacy training.

Payments & PCI

Payment card transactions are processed by , a PCI DSS compliant payment gateway. We never store complete payment card numbers, CVV codes, or magnetic stripe data on Workgini systems.

Limited payment metadata is retained to reconcile billing, detect fraud, and satisfy accounting obligations. Fraud prevention activities are based on legitimate interest in protecting Workgini and its customers.

Controller vs. processor roles

For Workspace content entered by customers and their users, we act as a data processor (service provider) under GDPR, UK GDPR, and CPRA/CCPA. Customers remain data controllers responsible for determining lawful purposes and configuring sharing permissions.

For our public websites, security logs, billing records, marketing insights, and internal business operations, we act as an independent data controller.

Legal bases (GDPR & UK GDPR)

Contract performance

Processing necessary to deliver the Services under the applicable customer agreement or terms of service.

Legitimate interests

Maintaining and improving Workgini, securing the platform, and communicating administrative updates, balanced against user privacy interests.

Legal obligation

Processing required to comply with laws such as tax, accounting, sanctions, or regulatory inquiries.

Consent

Where required (for example, optional analytics cookies or marketing communications). You may withdraw consent at any time.

California (CPRA/CCPA)

We do not sell or share personal information as defined by the California Consumer Privacy Act (as amended by the CPRA). We do not use or disclose Sensitive Personal Information for purposes other than those permitted by CPRA. We honor Global Privacy Control (GPC) signals where applicable. California residents can exercise the following rights by contacting contact@workgini.com:

  • Right to know, access, and receive a copy of specific pieces of personal information.
  • Right to deletion (subject to statutory exceptions).
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined by CPRA/CCPA).
  • Right to non-discrimination for exercising privacy rights.

Requests are verified using existing account credentials or reasonable additional information.

International transfers

Workgini operates globally. Where personal data is transferred outside the EU, UK, or Türkiye, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), and documented transfer impact assessments to evaluate destination laws and implement supplementary safeguards.

Additional safeguards include encryption in transit and at rest, strict access controls, and routine reviews of subprocessor compliance.

As a data controller in Türkiye, we apply the mechanisms under KVKK Art. 9 (adequacy decision, standard contracts published by the Board, or exceptions) to transfers abroad and take additional technical/administrative measures. For access or transfers from the EEA/UK, we apply the European Commission’s Standard Contractual Clauses (SCCs) and/or the UK IDTA/Addendum together with supporting security measures, and maintain transfer impact assessments (TIAs).

Security measures

We encrypt data in transit (TLS 1.2+) and at rest. Authentication credentials are hashed using bcrypt via Supabase. Role-based access controls, row-level security policies, audit logging, secure software development practices, and regular penetration testing help protect the platform.

Detailed security controls and reports are available on our Security Page.

Retention

Workspace content is retained for the life of the customer agreement unless deletion is requested or required by contract. Diagnostic logs are retained for 30 days for security and reliability, unless law or active investigations mandate a longer retention window.

Business records such as invoices or tax documentation may be stored for statutory periods. When a deletion request is validated, we complete purge operations within 30 days (unless retention is required by law or to resolve disputes). Backups are purged on a rolling schedule (typically within 30–90 days).

Subprocessors

Each subprocessor is bound by a data processing agreement and security obligations. We notify customers of material changes via the in-product admin area and our Subprocessors List.

Vercel: Hosting infrastructure for the Workgini application stack.
Supabase: Authentication services, managed database, and storage for customer-generated data.
Postmark: Transactional email delivery for account notices and system notifications.
Linear: Issue tracking and product operations support.
Intercom: Customer support messaging, in-app assistance, and ticket management.
Payment processing gateway (PCI DSS compliant).

Cookies & similar technologies

We use essential cookies to maintain sessions, secure access, and remember preferences. In Türkiye (KVKK) and where required elsewhere, we obtain explicit consent before setting analytics or marketing cookies. You can change your preferences any time via the cookie manager.

Your rights

You may request access to, or export of, your personal data in CSV or JSON format, ask us to correct inaccuracies, request deletion (completed within 30 days unless law requires longer retention), or object to certain processing (including marketing communications).

To exercise these rights, contact contact@workgini.com. We will respond within the timelines required by applicable law and may ask for additional verification information.

Children’s data

Workgini is not directed to children under 16. For users in the United States, our Services are not directed to children under 13 (COPPA). We do not knowingly collect personal data from children without verifiable parental or guardian consent. If you believe a child has provided personal data, contact contact@workgini.com to request deletion.

Incident response & disclosures

We maintain an incident response plan aligned with industry best practices. Suspected vulnerabilities can be reported in good faith to contact@workgini.com. We investigate all credible reports promptly.

If a breach affects personal data, we notify impacted customers and regulators without undue delay, consistent with applicable law and contractual obligations.

Changes to this policy

We review this policy periodically and update it as practices evolve. Significant changes are communicated via in-app notifications, email to administrators, or prominent notices on our website before they take effect.

Continued use of Workgini after an update signifies acceptance of the revised policy.

Contact & entity information
Reach out to SİGMATOP BİLGİ TEKNOLOJİLERİ TİCARET LİMİTED ŞİRKETİ using the details below for privacy inquiries, data subject requests, or contractual matters.

Legal entity

SİGMATOP BİLGİ TEKNOLOJİLERİ TİCARET LİMİTED ŞİRKETİ

Registered address

Maslak Mahallesi AOS 55.Sokak 42 Maslak A Blok No:2 İç Kapı No :25,
Sarıyer, Istanbul, Türkiye 34485

Need assistance?

Reach out with privacy questions, data subject requests, or security disclosures.