Privacy Policy and Data Protection Notice

1. DATA CONTROLLER INFORMATION

2. DATA PROCESSOR INFORMATION

MxGate acts as a Data Processor in the context of Email Security Gateway services. The Customer (the organization using the service) is the Data Controller for their employees'/users' data.

3. PERSONAL DATA CATEGORIES PROCESSED

3.1 Directly Collected Data (Customer Account Information)

Data Category	Example Data
Identity Information	First name, last name, title
Contact Information	Email address, phone number, address
Corporate Information	Company name, tax number
Account Information	Username, password (encrypted), IP address

3.2 Data Processed During Email Gateway Service

Data Type	Description	Content Read?
Email Metadata	Sender, recipient, CC, BCC, subject, timestamp, size	Yes (for security scanning)
Email Content	Email body text	Yes (only during security scanning)
Email Attachments	Documents, archive files	Yes (for malware scanning)
Security Logs	Detected threats, quarantine records	No (automatically generated)

4. PURPOSES OF PERSONAL DATA PROCESSING

Processing Purpose	Legal Basis	Description
Service Delivery	Contract performance	Email traffic routing and security scanning
Security and Protection	Legal obligation	Prevention of cyber threats, phishing and malware detection
Billing	Legal obligation	Invoice preparation in accordance with tax regulations
Archiving	Legal obligation	Retention of commercial records
Technical Support	Contract performance	Problem resolution and customer support

5. SCANNING AND PROCESSING OF EMAIL CONTENT

5.1 Security Scanning Process

1. Entry Control: IP/reputation check, blacklist verification
2. Header Analysis: SPF, DKIM, DMARC validation
3. Content Scanning: Spam filtering, phishing detection
4. Attachment Scanning: Malware scanning (sandbox)
5. Data Leakage Control: DLP (Data Loss Prevention) rules

5.2 Automated Processing and Human Intervention

• All scanning operations are performed by automated systems
• Email contents are not read by MxGate employees
• Access is only provided upon customer request and solely for support purposes
• Quarantined suspicious content is managed at the customer's own discretion

6. DATA RETENTION PERIODS AND ARCHIVING POLICY

6.1 Retention Periods

Data Category	Retention Period	Retention Reason
Account and Contact Information	Contract period + 10 years	Legal obligations
Email Metadata (Logs)	30 days (default)	Security and problem resolution
Security Logs	1 year	Threat analysis and audit
Archived Emails*	Customer-defined (min. 5 years)	Legal archiving obligation

* Archiving service is valid when purchased separately.

6.2 Data Anonymization Policy

Data whose retention period has expired:

• Is completely deleted (secure deletion - NIST 800-88 standard)
• Or is anonymized and retained for statistical analysis purposes
• Anonymized data cannot be associated with an identified or identifiable person

7. DATA TRANSFERS AND THIRD PARTIES

7.1 Data Not Sold

MxGate does not:

• Sell your personal data under any circumstances
• Share data with third parties for marketing purposes
• Use data for commercial purposes without your permission

7.2 Service Provider Transfers

Limited data transfer may occur in the following cases:

• Cloud infrastructure provider (encrypted data)
• Payment institutions (billing information)
• Security databases (hash values, IPs for threat intelligence)

7.3 International Data Transfers

MxGate does not transfer personal data outside Turkey. All data processing activities are carried out on servers located in Turkey.

8. DATA SECURITY MEASURES

8.1 Technical Measures

• Encryption: TLS 1.3 for transmission, AES-256 for data encryption
• Access Control: Role-based access control (RBAC), multi-factor authentication
• Network Security: Firewall, IDS/IPS, DDoS protection
• Data Masking: Masking and tokenization of sensitive data

9. DATA SUBJECT RIGHTS (GDPR)

Under applicable data protection regulations, you have the following rights:

Right	Description
Right to Access	Obtain confirmation and information about your personal data processing
Right to Rectification	Request correction of inaccurate personal data
Right to Erasure	Request deletion of personal data under certain conditions
Right to Restrict Processing	Request restriction of processing under certain conditions
Right to Data Portability	Receive your data in a structured, machine-readable format
Right to Object	Object to processing based on legitimate interests or direct marketing

9.1 Exercising Your Rights

To exercise your rights, please contact us:

• Email: privacy@mxgate.com.tr
• Subject: Data Subject Rights Request

Requests will be processed free of charge within 30 days.

10. COOKIE POLICY

10.1 Cookies Used

Cookie Type	Cookie Name	Purpose	Duration
Necessary	session_id, csrf_token	Session management, security	Session / 1 year
Preferences	language, theme	Language and theme preferences	1 year
Analytics	_ga, _gid (Google Analytics)	Website usage analysis	2 years / 24 hours
Marketing	_fbp (Facebook Pixel)	Advertising targeting	3 months

10.2 Cookie Management

You can manage cookie preferences through:

• Manage Cookie Preferences - (Cookie Consent Manager)
• You can reject all cookies except necessary ones
• You can disable cookies completely in your browser settings

11. PERSONAL DATA BREACH NOTIFICATION

In the event of a personal data breach:

• Authority Notification: Relevant authorities will be notified within 72 hours
• Data Subject Notification: You will be immediately notified of breaches with adverse consequences
• Measures: Necessary technical and administrative measures will be taken after notification

12. POLICY CHANGES

We may update this privacy policy in accordance with legal regulations and service changes. Significant changes:

• Will be notified by email
• Will be published on our website 30 days in advance
• Will appear as a notification in your account panel

13. CONTACT