Privacy Policy
Effective date: February 21, 2026
1. Who We Are
Nex Habit LLC, 2093 Philadelphia Pike 8077, CLAYMONT DE 19703, United States (“we,” “us,” “our”) provides AI‑assisted customer support, inbox, and messaging solutions (“Services”). Contact: privacy@comturk.com.
2. Scope
- Website/app users and workspace members
- End users who message through channels connected to our platform (web widget, Instagram, Facebook, WhatsApp, Telegram, email)
- Business contacts and support interactions
Data Controller vs. Processor:
- Controller: Comturk acts as the data controller for personal data collected through our website (e.g., account registration, cookies, analytics) and from business contacts.
- Processor: When processing Customer Content (messages, conversations, end‑user data) on behalf of our business customers, Comturk acts as a data processor. Our customers remain the controller for their end‑user data and are responsible for providing appropriate notices and obtaining necessary consents.
3. Information We Collect
- Account & Profile: name, email, role, company, auth identifiers.
- Communications: messages, attachments, metadata, channel/page/IG IDs, email headers, delivery/read states.
- Integrations: tokens/IDs to connect channels (Instagram/Facebook/email), stored securely and minimally.
- Usage & Device: logs, IP, browser/OS, timestamps, diagnostics, analytics.
- Cookies: session and preference cookies; see Cookie Policy.
- Billing (if applicable): subscription and payment metadata via payment processors.
- Support: content provided in tickets/chats.
4. How We Use Data
- Provide, secure, and operate the Services
- Authenticate users; enforce workspace/account permissions
- Route and process messages across connected channels
- Communicate service notices and support
- Improve functionality and performance
- Comply with legal obligations and enforce terms
5. Legal Bases (EEA/UK, if applicable)
Contract, Legitimate Interests, Consent (where required), Legal Obligations.
6. Sharing
We do not sell personal data. We share with:
- Service providers (hosting, email, analytics, AI processing) under DPAs
- Channel providers you connect (Meta/Instagram/Facebook, email) to deliver messages
- Legal/safety, and business transfers (if applicable)
7. International Transfers
We may transfer data internationally using safeguards (e.g., SCCs) and technical/organizational measures.
8. Retention
We retain personal data only as long as necessary for the purposes described in this Policy, your account settings, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account & profile data | Duration of account + 30 days |
| Messages & conversations | Per customer workspace settings (default: duration of subscription) |
| Billing & invoice records | 7 years (legal/tax requirement) |
| Server & access logs | 90 days |
| AI processing logs | 30 days |
| Cookie & analytics data | Per cookie durations (see Cookie Policy) |
You may request deletion of your data at any time (see “Your Rights” below).
9. Security
Encryption in transit (TLS 1.2+) and at rest, role‑based access controls, least‑privilege, continuous monitoring, and regular security assessments. No method is 100% secure; we continually improve.
10. Your Rights
Subject to law, you may request access, correction, deletion, restriction, objection, and portability; withdraw consent (where used). Contact: privacy@comturk.com. If you’re an end user of our customer, we may redirect you to that organization.
11. Cookies
We use necessary cookies for authentication/session and may use analytics and session-recording cookies to improve the Service. Where required, we seek consent. You can control cookies via browser settings and our banner (if shown). For details, see our Cookie Policy. You may also adjust your preferences at any time via Cookie Settings.
12. Third‑Party Services and Channels
When you connect channels (e.g., Instagram, Facebook, WhatsApp, Telegram, email), data flows under those platforms’ terms and policies. Specifically:
- Meta (Instagram & Facebook Messenger): Subject to Meta Platform Terms and Meta Privacy Policy.
- WhatsApp Business: Subject to WhatsApp Business Terms and WhatsApp Privacy Policy. Messages are end‑to‑end encrypted between end users and WhatsApp; we receive message content via the WhatsApp Business API.
- Telegram: Subject to Telegram Terms of Service and Telegram Privacy Policy. We interact via the Telegram Bot API.
- Email (IMAP/SMTP): We connect to your email provider using credentials you supply. Data handling is subject to your email provider’s terms.
12a. AI Data Processing
When AI features are enabled in your workspace:
- Data Sent: Message text content and relevant conversation context are sent to AI providers to generate responses. File attachments, images, and metadata (IP addresses, device info) are not sent to AI providers unless you explicitly enable attachment analysis.
- AI Providers: We may use services from OpenAI, Google (Gemini), and Anthropic (Claude) for AI processing. The specific provider depends on your workspace configuration.
- No Training: Your data is not used to train, fine‑tune, or improve any third‑party AI models. All AI providers are contractually prohibited from using your data for model improvement.
- Retention: AI providers retain input/output data for up to 30 days for abuse monitoring only, then delete it.
13. Children
Not directed to children; we do not knowingly collect children’s data.
14. Changes
We may update this Policy. We’ll post a new effective date and, where material, notify you via the Service or email.
15. Contact
Nex Habit LLC
2093 Philadelphia Pike 8077
CLAYMONT DE 19703
United States
Email: privacy@comturk.com
16. Sub‑Processors
We use the following categories of sub‑processors to deliver our Services:
| Sub‑Processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider | Hosting, storage, compute | EU / US |
| OpenAI | AI response generation | US |
| Google (Gemini) | AI response generation | US |
| Anthropic | AI response generation | US |
| Payment Processor | Billing, subscription management | US |
| Email Delivery Service | Transactional emails, notifications | US / EU |
| Google (Analytics) | Website analytics & usage metrics | US |
| Microsoft (Clarity) | Session recording & heatmaps | US |
We will notify customers of material changes to sub‑processors with at least 30 days’ advance notice via email or in‑app notification. Customers may object to a new sub‑processor within that notice period.
17. Data Breach Notification
In the event of a confirmed personal data breach that is likely to affect your rights:
- We will notify affected customers without undue delay and within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Notification will include: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach.
- We will cooperate with affected customers in their obligations to notify data protection authorities and data subjects.
18. Regional Disclosures (Supplemental)
- EEA/UK: You may lodge a complaint with your data protection authority. Our legal basis for processing is detailed in Section 5 above.
- California (CCPA/CPRA):
  - We do not “sell” or “share” personal information as defined by CCPA/CPRA.
  - Categories of PI collected: identifiers, commercial information, internet activity, professional information, and inferences drawn from the above.
  - You have the right to know, delete, correct, and opt out of the sale/sharing of personal information. We do not use sensitive personal information for purposes beyond providing the Services.
  - To exercise your rights, contact privacy@comturk.com. We will respond within 45 days.
- Türkiye (KVKK): You may apply to exercise your rights (learn whether your data is processed; request correction/deletion; object in certain cases; request transfer to third parties) via privacy@comturk.com. We will respond within 30 days as required by KVKK.