This notice is provided pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation" or "GDPR"). It describes how Bigbrains Yazılım Teknolojileri Ltd. Şti. ("we", "us", the "Controller") processes personal data of individuals located in the European Economic Area ("EEA") in connection with the Commento social media comment management platform (the "Service").

1. Data Controller

The data controller within the meaning of Article 4(7) GDPR is:

  • Company: Bigbrains Yazılım Teknolojileri Ltd. Şti.
  • Address: Çankaya, Ankara, Turkey
  • GDPR contact email: gdpr@commento.co
  • Service: Commento – social media comment management and analysis platform

As the Controller is established outside the EEA, enquiries from EU/EEA data subjects may be directed to gdpr@commento.co. We will respond in accordance with the timelines set out in Article 12(3) GDPR.

2. Categories of Personal Data

In providing the Service, we may process the following categories of personal data relating to EEA data subjects:

  • Identity and contact data: name, surname, email address, company or brand name, phone number (where provided voluntarily)
  • Authentication and social media data: OAuth tokens, platform user IDs, page/channel names, profile display information and technical metadata necessary for connecting Instagram, Facebook, YouTube or other supported platforms
  • Comment and content data: comment text, commenter usernames, timestamps and associated metadata as made available by the respective social media platform APIs
  • Usage and technical data: IP address, browser type, device and operating system information, access timestamps, in-Service interaction logs, feature usage statistics, error and performance data
  • Communication data: content of messages you send us via the contact form, email or support channels

We do not intentionally collect special categories of data (Article 9 GDPR). If comment text incidentally contains such data, it is processed solely for the purpose of providing the Service and is not used for profiling or other unrelated purposes.

3. Purposes and Legal Bases for Processing

We process personal data for the purposes and on the legal bases set out below, in accordance with Article 6(1) GDPR:

  • Performance of a contract (Art. 6(1)(b)): account creation, authentication, connecting social media accounts, collecting and managing comments, providing AI-powered analysis and reporting, billing and customer support
  • Legitimate interests (Art. 6(1)(f)): ensuring platform security and preventing fraud, improving and developing the Service, producing anonymized/aggregated analytics, crisis early warning functionality. Our legitimate interest is balanced against your rights and freedoms; you may object at any time (see Section 6)
  • Legal obligations (Art. 6(1)(c)): compliance with applicable tax, accounting and regulatory requirements
  • Consent (Art. 6(1)(a)): where you opt in to receive marketing communications or consent to non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal

4. Recipients and International Transfers

Personal data may be shared with the following categories of recipients, strictly to the extent necessary for the purposes described above:

  • Social media platform providers: Meta Platforms (Facebook/Instagram), Google (YouTube) — subject to their respective API terms and privacy policies
  • Cloud infrastructure and hosting providers: for server hosting, data storage, backup and email delivery
  • Analytics and monitoring tools: for usage measurement and error tracking, using anonymized or pseudonymized data where feasible
  • Professional advisors: legal, accounting or audit services where required

As our company is established in Turkey, personal data of EEA data subjects is transferred to Turkey. Where data is further transferred to third countries (outside the EEA and countries recognized by the European Commission as providing adequate protection), we rely on appropriate safeguards pursuant to Chapter V GDPR, including Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914, supplemented by additional technical and organizational measures where necessary following a transfer impact assessment.

You may request a copy of the relevant safeguards by contacting gdpr@commento.co.

5. Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected and in compliance with applicable legal retention obligations:

  • Account data: for the duration of the active account and a reasonable period thereafter (generally up to 12 months after a deletion request) to allow for data recovery and legal compliance
  • Comment and analysis data: for the duration of the contractual relationship plus any statutory retention period
  • Log and security data: typically retained for up to 12 months for security monitoring and incident investigation
  • Marketing consent records: until consent is withdrawn or the purpose ends
  • Billing and financial records: as required by applicable tax and commercial legislation

Upon expiry of the applicable retention period, personal data is securely deleted, destroyed or anonymized.

6. Your Rights Under GDPR

As a data subject located in the EEA, you have the following rights under Regulation (EU) 2016/679:

  • Right of access (Art. 15): obtain confirmation of whether your data is being processed and request a copy
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your data ("right to be forgotten") where conditions are met
  • Right to restriction of processing (Art. 18): request that processing be restricted in certain circumstances
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
  • Right to object (Art. 21): object to processing based on legitimate interests, including profiling; object to processing for direct marketing at any time
  • Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw at any time without affecting prior lawfulness
  • Right not to be subject to automated decision-making (Art. 22): not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where permitted by law

To exercise any of these rights, please contact us at gdpr@commento.co with sufficient information to verify your identity. We will respond within one month; this period may be extended by two further months for complex requests, in which case we will inform you of the extension within the initial month.

If you believe your rights have been infringed, you have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work or place of the alleged infringement.

7. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include, but are not limited to:

  • Encryption of personal data in transit (TLS) and at rest where appropriate
  • Access controls and role-based authorization
  • Regular security assessments and vulnerability testing
  • Staff training on data protection
  • Incident response procedures and breach notification capabilities
  • Data processing agreements with sub-processors

8. Cookies

Our website uses cookies and similar technologies. Essential cookies required for site functionality are placed under our legitimate interest. Analytics and marketing cookies are placed only with your consent. For full details, please refer to our Privacy Policy. You may manage your cookie preferences through your browser settings or our cookie consent banner where available.

9. Children

The Service is not directed at individuals under the age of 16 (or such lower age as provided by the applicable Member State under Article 8 GDPR). We do not knowingly collect personal data from children. If you believe a child's data has been processed, please contact us immediately so that we can take appropriate steps.

10. Changes to This Notice

This GDPR Notice may be updated to reflect changes in our data processing practices, the Service or applicable law. Material changes will be communicated via email or in-Service notification. The "Last updated" date will be revised accordingly. We encourage you to review this notice periodically.

11. Contact

For any enquiries or requests relating to GDPR or the processing of your personal data: