Privacy Policy
This Privacy Policy describes how Bulsu Labs ("we", "us") collects, uses, and protects personal data. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable Turkish data protection law (KVKK).
1. Who we are
Bulsu Labs is a sole-proprietorship AI automation studio operated by Berke Bulsu, based in the European Union. For the purposes of GDPR, we act as a data controller for personal data collected via our website and directly from customers, and as a data processor for personal data we process on behalf of a customer as part of an engagement. See our Data Processing Agreement for processor obligations.
2. What data we collect
2.1 Information you give us
- Contact information: name, email address, company name, phone number (if provided).
- Inquiry content: the message you send via the contact form or email.
- Commercial details: budget range, company size, role (if provided).
- Engagement data: information exchanged during an active engagement, including access credentials (kept in a secret manager, never in email), scope documents, and project communications.
2.2 Information collected automatically
- Technical data: IP address, browser type, device type, pages viewed, time spent.
- Cookies: strictly necessary cookies only by default. See our Cookie Policy.
We do not use advertising cookies, cross-site trackers, session replay, fingerprinting, or social-media pixels.
3. Why we use your data and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to inquiries and proposals | Pre-contractual request / Legitimate interest |
| Perform services under a contract | Contract performance |
| Send service-related emails (not marketing) | Contract performance / Legitimate interest |
| Send marketing to prior customers | Legitimate interest (with opt-out) |
| Comply with tax & accounting laws | Legal obligation |
| Detect and prevent fraud or abuse | Legitimate interest |
We do not sell personal data. We do not use personal data for automated decision-making with significant effects.
4. Who we share data with
We share personal data only with service providers needed to operate our business, and only under written data processing terms. Categories include:
- Hosting & infrastructure: our website host, email provider, file storage.
- Payment processing: our authorized payment processor(s), which handle card data under PCI-DSS; we never see full card numbers.
- Communication tools: email, calendar, video conferencing.
- Accounting & invoicing: our bookkeeping provider and tax authorities where required.
- AI model providers: only when an engagement requires it and only with customer approval. We use providers that offer no-training guarantees on customer data.
We do not share personal data with any other party without your consent, except where required by law.
5. International transfers
Some service providers may be located outside the European Economic Area. Where this is the case, we rely on adequacy decisions (e.g. EU to US Data Privacy Framework) or Standard Contractual Clauses, with supplementary measures where appropriate.
6. How long we keep data
- Unsold inquiries: up to 24 months after last contact, then deleted.
- Active engagements: for the duration of the engagement plus 6 years for tax records, or as otherwise required by law.
- Website analytics: up to 14 months (aggregated only).
- Accounting records: 6 years after end of the financial year, per EU tax law.
7. Your rights
Under GDPR and equivalent laws, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten"), subject to legal retention obligations.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests, including direct marketing.
- Receive your data in a structured, machine-readable format (data portability).
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with your local supervisory authority.
To exercise any right, email info@bulsulabs.com. We respond within 30 days.
8. Security
We use industry-standard technical and organizational measures to protect personal data: encrypted storage and transit (TLS 1.2+), 2FA on all business accounts, principle of least privilege for access, a secret manager for credentials, secure backup and disaster recovery procedures, and regular review. No method is 100% secure, but we treat data protection as a first-order priority.
9. Children
Our services are for business use. We do not knowingly collect data from anyone under 16. If you believe we have inadvertently collected data from a minor, contact us and we will delete it.
10. Changes
We may update this policy from time to time. Material changes will be communicated by a notice on this site and, for existing customers, by email. The "last updated" date reflects the effective date of the current version.
11. Contact
Questions, requests, or complaints? Contact us at info@bulsulabs.com.