Legal
Privacy Policy and Data Protection Notice
Last updated: July 17, 2026
1. Controller and Scope
Under Turkish Personal Data Protection Law No. 6698 ("KVKK"), your personal data is processed by Murat Canördek ("Docly") as the data controller within the scope described here. This policy covers the account workspace, PDF tools that do not require sign-in, and other Docly features on mydocly.app.
2. Data We Process
- Account and contact data: name, email address, hashed password, and optional Google account identifier.
- Workspace data: documents you upload, chat messages, AI prompts, operation history, settings, and generated outputs.
- Security and technical data: IP address, session information, timestamps, and limited request records needed to prevent abuse or diagnose errors.
- Provider information: AI API keys you add in encrypted form, plus your selected provider and model preferences.
- Product measurement: an allowed event name and limited context such as feature usage. Document content, file names, full URLs, referrers, persistent session identifiers, and free-form text are not collected in these events.
- Billing data: when Pro is enabled, your plan, subscription status, billing period, and payment-provider transaction identifiers. Docly does not store full card details.
3. Purposes and Legal Bases
We process data to perform our contract with you, pursue legitimate interests, meet legal obligations, and rely on consent where required, for the following purposes:
- Creating accounts, authenticating users, and storing preferences,
- Providing document editing, conversion, PDF tools, chat, and controlled AI features,
- Completing the task you request through the AI provider you select,
- Managing quotas and subscriptions and completing payment flows,
- Keeping the Service secure, reliable, and resistant to abuse,
- Understanding aggregate product-flow performance without collecting personal content, meeting lawful requests, and protecting legal rights.
4. PDF Tools Without Sign-in
Files uploaded to PDF tools that do not require sign-in are not linked to a user account or permanent file record. Inputs and outputs stay in temporary working storage only long enough to complete the operation and are cleaned when the response is ready or the operation fails. Short-lived IP-based technical data may be processed for security and rate limiting. File names and contents are not added to product measurement events.
5. Service Providers and International Transfers
To provide the Service, data may be processed by the following recipient categories only as necessary:
- Hetzner and Cloudflare: hosting, network security, DNS, and content delivery.
- OnlyOffice: the document editor hosted within Docly's infrastructure.
- Your selected AI provider: Anthropic, OpenAI, Google Gemini, OpenRouter, DeepSeek, xAI, Groq, or Mistral. The content sent depends on the task you start and is also subject to that provider's terms.
- Google: optional Google sign-in and web fonts.
- Sentry: error monitoring configured without request bodies or default personal information.
- Lemon Squeezy: payment, tax, invoicing, and subscription management when Pro is enabled.
- Email infrastructure: verification, password reset, and service messages.
Some providers may be located outside Türkiye. Transfers are made with regard to applicable data-protection rules and the technical requirements of the Service. We do not sell personal data.
6. Retention and Security
- Account documents, chats, and settings remain until you delete them, close the account, or they are no longer needed to provide the Service.
- You can separately clear AI operation history from Settings.
- Files used by tools without sign-in are retained temporarily only for the duration of the operation.
- Allowed product events that carry no personal content are retained for no more than 90 days.
- Security, error, and legal records may be retained for a period necessary for their purpose and permitted by law.
- Passwords are one-way hashed; user AI keys are encrypted with Fernet; TLS, access controls, quotas, and rate limits are applied.
7. Browser Storage, Cookies, and Advertising
Session information, email, and theme preference are kept in local browser storage; an explicit language choice is kept in an essential NEXT_LOCALE cookie. Google sign-in loads only when configured. Docly currently does not display advertising or load the AdSense script. Before advertising is enabled, this policy and any required cookie or consent flow will be updated.
8. Your Rights
Under Article 11 of the KVKK, where applicable, you may have the right to:
- Learn whether your data is processed and request information,
- Learn the purpose of processing and the recipients of transfers,
- Request correction of incomplete or inaccurate data,
- Request deletion, destruction, or object to processing where the relevant conditions are met,
- Seek compensation for harm caused by unlawful processing.
From Settings > Privacy & Data, you can export your data, clear AI history, or delete your account. For other requests, contact [email protected]. We may request reasonable additional information to verify your identity.
9. Changes and Contact
We may update this policy as the product or law changes and will communicate material changes through an appropriate channel. For privacy questions and requests, contact [email protected].