Madar AI
Privacy

Privacy Policy

Last updated: May 12, 2026

This Privacy Policy explains how Madar AI (operated by Zyrix Global Technologies, Istanbul, Türkiye) collects, uses, and protects information when you use our website and services. We aim to be plainspoken about this — read it carefully.

1. Information we collect

When you sign up, we collect your name, work email, company name (optional), and password (hashed, never stored in plain text). When you connect a mobile app, we receive analytics data — installs, MRR, churn rates, ROAS, retention curves — through your linked accounts (Adjust, AppsFlyer, Mixpanel, RevenueCat, ad networks). We also log usage data (which features you use, when, from where) to improve the product.

2. How we use it

To run the product (analyze your app data, generate forecasts, send alerts). To improve the AI models (we use anonymized, aggregated patterns — never your raw customer data). To communicate with you about your account, billing, and product updates. To contribute to anonymized benchmarks (your app may contribute to the MENA-first benchmark dataset we are building with our launch cohort, always de-identified and never tied back to your account in any external report).

3. Legal basis for processing

Under the GDPR (Article 6) we process personal data on three bases: performance of a contract — to deliver the service you signed up for; legitimate interests — to secure, debug, and improve the product and to build de-identified benchmarks, balanced against your rights; and consent — for optional things like the newsletter, which you can withdraw at any time. Withdrawing consent does not affect processing carried out before withdrawal.

4. What we don't do

We don't sell your data. Ever. We don't share individual app metrics with competitors. We don't use your customer data to train AI models that benefit other companies in identifiable ways. We don't track you across the web for advertising purposes.

5. Data storage and security

Data is stored on encrypted servers in EU and US regions (you can request a specific region for Enterprise). Backups are encrypted and rotated daily. We are working toward SOC 2 Type II with an external auditor; we do not claim certification until the report is signed. Full technical posture is documented at /security.

6. Data retention

We keep account data while your account is active. Connected-app analytics are retained for the life of the connection and deleted within 30 days of disconnection or account closure; encrypted backups roll off within 90 days. De-identified, aggregated benchmark data is not tied to your account and may be kept indefinitely. Billing records are kept for as long as Turkish tax law requires. You can request earlier deletion at any time.

7. Sub-processors

We run the service on a short list of vetted infrastructure providers: Cloudflare (hosting and edge), Supabase (database and authentication), Resend (transactional email), and Anthropic (the AI model layer; zero-data-retention enrollment requested, pending). Each is bound by a data-processing agreement and processes data only on our instructions. Full detail is documented at /security and /legal/dpa.

8. Your rights

You can access, export, correct, or delete your data anytime from the dashboard. Under the GDPR, KVKK, and PDPL you also have the rights to rectification, erasure (the "right to be forgotten"), data portability, restriction of processing, and to object to processing based on legitimate interests. To exercise any of these, email privacy@madarai.co — we respond within 30 days and do not charge for a first request.

9. Cookies

We use essential cookies for authentication and session management. We use one analytics cookie (Cloudflare Web Analytics) which is privacy-preserving and doesn't track you across sites. We don't use advertising cookies.

10. Children

Our service is for businesses. We don't knowingly collect data from anyone under 16. If you believe a minor has provided us data, contact us immediately.

11. International transfers

Data may be processed in Türkiye, the EU, or the US. By using Madar, you consent to these transfers. We use Standard Contractual Clauses where required.

12. KVKK (Türkiye)

For users in Türkiye, Madar AI — operated by Zyrix Global Technologies — acts as data controller (veri sorumlusu) under Law No. 6698 (KVKK). You have the Article 11 rights: to learn whether your data is processed, request information, correction, or erasure, and object to outcomes produced solely by automated analysis. Requests go to privacy@madarai.co. Where KVKK and the GDPR differ, we apply the stricter standard.

13. PDPL (Saudi Arabia & the Gulf)

For users in Saudi Arabia, we align with the Personal Data Protection Law (PDPL): you may access your data, request correction or deletion, withdraw consent, and be told the legal basis for collection. For PDPL-sensitive customers we can discuss data-residency options on request (see /security). PDPL requests also go to privacy@madarai.co.

14. Changes to this policy

We'll notify you by email and post the new policy at least 30 days before any material change. Continued use of the service after the effective date constitutes acceptance.

15. Jurisdiction

This policy is governed by the laws of Türkiye. Disputes are resolved in the courts of Istanbul.

Questions about privacy?

For any privacy-related question or request, email privacy@madarai.co. We have not formally appointed a Data Protection Officer; this inbox handles all access, correction, deletion, and other data-subject requests.

privacy@madarai.co →