Security & KVKK

Data stays yours; responsibility is shared.

Autosify is built around Turkey's KVKK and the EU GDPR. Guest data stays under the hotel's control; Autosify provides the technical layer, with responsibility split as described in the joint controller model below.

KVKK joint controller model

Hotel = data controller for booking, stay and guest-request data. Autosify = data controller for the messaging infrastructure, AI processing and journey/campaign layer. Consent is granular: messaging, AI processing and marketing are each a separate opt-in. A guest can request deletion at any time, and a deletion request also withdraws the consent to cross-border transfer.

Encryption

PMS, payment-provider and channel credentials are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 tag, from the Python cryptography library) at the application layer, so sensitive fields never land in the database as plain text. Card details stay with the payment provider: Autosify never stores payment information.
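As an added illustration of application-layer Fernet encryption (example code written for this page, not Autosify's own implementation), the vault below seals credential fields before a row is written, opens them on read, rejects a tampered token, and re-encrypts rows during a key rotation. The CredentialVault class, the field names, the helper functions and the sample record are assumptions for the example.

```python
# Added example (not Autosify's code): Fernet encryption of credential fields
# at the application layer, with key rotation. CredentialVault, SENSITIVE_FIELDS,
# the sample record and the tamper() helper are assumptions for the example.
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Columns that must never reach the database as plain text.
SENSITIVE_FIELDS = {"api_key", "api_secret", "password", "access_token"}


def new_key() -> bytes:
    """A fresh Fernet key (32 random bytes, urlsafe-base64). Keep it in an env var or
    secret manager, never in the database next to the tokens it protects."""
    return Fernet.generate_key()


class CredentialVault:
    """Seals sensitive fields before a row is written and opens them on read.

    keys: Fernet keys, newest first. MultiFernet encrypts with the first key and
    decrypts with any of them, so rows sealed under an older key stay readable
    while a rotation is in progress.
    """

    def __init__(self, keys):
        self._ring = MultiFernet([Fernet(k) for k in keys])

    def _map(self, row: dict, fn) -> dict:
        return {k: fn(v) if k in SENSITIVE_FIELDS and v is not None else v
                for k, v in row.items()}

    def seal(self, record: dict) -> dict:
        """Copy of record with sensitive values replaced by Fernet tokens (str)."""
        return self._map(record, lambda v: self._ring.encrypt(v.encode()).decode())

    def open(self, row: dict) -> dict:
        """Reverse of seal(). A modified token fails the HMAC check and raises InvalidToken."""
        return self._map(row, lambda v: self._ring.decrypt(v.encode()).decode())

    def rotate(self, row: dict) -> dict:
        """Re-encrypt sealed fields under the newest key; plaintext never leaves this call."""
        return self._map(row, lambda v: self._ring.rotate(v.encode()).decode())

    def is_intact(self, token: str) -> bool:
        """True if the token verifies; Fernet rejects tampered ciphertext before decrypting."""
        try:
            self._ring.decrypt(token.encode())
            return True
        except InvalidToken:
            return False


def tamper(token: str, index: int = 30) -> str:
    """Flip one base64 character inside the token's IV/ciphertext region (constructed input)."""
    ch = "B" if token[index] != "B" else "C"
    return token[:index] + ch + token[index + 1:]


if __name__ == "__main__":
    old_key, fresh_key = new_key(), new_key()
    vault = CredentialVault([old_key])
    stored = vault.seal({"hotel_id": 42, "pms_host": "pms.example.net", "api_key": "pms-s3cret"})
    print(stored["api_key"][:12] + "...")                       # a token, not the secret
    print(vault.open(stored)["api_key"])                        # pms-s3cret
    rotated = CredentialVault([fresh_key, old_key]).rotate(stored)
    print(CredentialVault([fresh_key]).open(rotated)["api_key"])  # still pms-s3cret
    print(vault.is_intact(tamper(stored["api_key"])))           # False
```

The point of the rotate() path is that a key rotation never needs plaintext in the application: MultiFernet decrypts with the old key and re-encrypts with the new one inside the library call. The scheme protects against a database dump, not against an attacker who also holds the key, so the key has to live outside the database.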

EU Frankfurt data center

Production servers run in Hostinger's Frankfurt (EU) data center. Under KVKK Art. 9 every guest message is treated as a cross-border (TR→EU) transfer, and our privacy notice says so explicitly. A DPA compatible with the GDPR Standard Contractual Clauses is ready to sign.

Append-only audit log

ComplianceAuditLog is append-only: a database trigger blocks UPDATE, DELETE and TRUNCATE on the table. Every consent, deletion request and opt-out is preserved there as a KVKK Art. 6 evidence chain; a withdrawal is recorded as a new row, never by editing the original grant.
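To show how a trigger makes an audit table append-only, here is an added example (written for this page, not Autosify's schema or code) in SQLite so it runs stand-alone. The column names, the event vocabulary and the sample rows are assumptions; SQLite has no TRUNCATE statement, so only UPDATE and DELETE triggers appear here, and the PostgreSQL equivalent is noted in the SQL comments.

```python
# Added example (not Autosify's code): an append-only ComplianceAuditLog enforced
# by database triggers, shown in SQLite. Columns, event names and sample rows are
# assumptions for the example.
import sqlite3
from datetime import datetime, timezone
from typing import Optional

SCHEMA = """
CREATE TABLE ComplianceAuditLog (
    id          INTEGER PRIMARY KEY,
    occurred_at TEXT NOT NULL,
    guest_ref   TEXT NOT NULL,
    event       TEXT NOT NULL CHECK (event IN (
                    'consent_granted', 'consent_withdrawn',
                    'deletion_requested', 'opt_out')),
    detail      TEXT
);
-- Any attempt to rewrite history aborts inside the trigger, whatever the
-- application code does. SQLite has no TRUNCATE; in PostgreSQL the same two
-- triggers call a function that RAISEs EXCEPTION, plus a third
-- "BEFORE TRUNCATE ... FOR EACH STATEMENT" trigger, because TRUNCATE does not
-- fire row-level triggers.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON ComplianceAuditLog
BEGIN SELECT RAISE(ABORT, 'ComplianceAuditLog is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON ComplianceAuditLog
BEGIN SELECT RAISE(ABORT, 'ComplianceAuditLog is append-only'); END;
"""


def open_audit_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record(conn: sqlite3.Connection, guest_ref: str, event: str,
           detail: Optional[str] = None) -> int:
    """Append one evidence row and return its id. Withdrawals are new rows too."""
    cur = conn.execute(
        "INSERT INTO ComplianceAuditLog (occurred_at, guest_ref, event, detail) "
        "VALUES (?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(timespec="seconds"), guest_ref, event, detail),
    )
    conn.commit()
    return cur.lastrowid


def attempt(conn: sqlite3.Connection, sql: str, params=()) -> Optional[str]:
    """Run a mutating statement; return the trigger's message if blocked, else None."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return None
    except sqlite3.DatabaseError as exc:   # RAISE(ABORT) surfaces as IntegrityError
        conn.rollback()
        return str(exc)


def evidence_chain(conn: sqlite3.Connection, guest_ref: str) -> list:
    """A guest's consent history in insertion order: the chain a regulator asks for."""
    rows = conn.execute(
        "SELECT event, detail FROM ComplianceAuditLog WHERE guest_ref = ? ORDER BY id",
        (guest_ref,),
    )
    return [(event, detail) for event, detail in rows]


if __name__ == "__main__":
    conn = open_audit_db()
    record(conn, "guest-7f3a", "consent_granted", "messaging")
    record(conn, "guest-7f3a", "consent_granted", "ai_processing")
    record(conn, "guest-7f3a", "deletion_requested")
    print(attempt(conn, "UPDATE ComplianceAuditLog SET event = 'opt_out' WHERE id = 1"))
    print(attempt(conn, "DELETE FROM ComplianceAuditLog"))
    print(evidence_chain(conn, "guest-7f3a"))
```

A trigger stops application code, including buggy or compromised application code, from rewriting the table through its normal connection. It does not stop a role that can DROP the trigger or the table, so the application's database role should have INSERT and SELECT on ComplianceAuditLog and nothing else, with DDL reserved for a separate migration role.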

Breach anomaly detection

An hourly breach_anomaly_check job watches five scenarios, among them repeated login failures, unusual data-export volume and unexpected admin activity. When a threshold is crossed it writes a breach_suspected entry and sends a Telegram alert; the time of that detection starts the 72-hour notification window under KVKK Art. 12/5.
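The shape of such an hourly check, as an added example written for this page rather than Autosify's own job: it covers the three scenarios the page names, runs over a constructed event sample, and stamps each finding with the notification deadline that starts at detection. The thresholds, event fields, scenario names and the 06:00 to 20:00 UTC admin window are assumptions; Telegram delivery is injected as a callable so the logic runs offline.

```python
# Added example (not Autosify's code): an hourly breach_anomaly_check over an
# event stream. Thresholds, event field names, scenario names and the sample
# events are assumptions for the example; alert() stands in for the Telegram send.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

MAX_LOGIN_FAILURES_PER_ACTOR = 10     # per hour, per source IP or account (illustrative)
MAX_EXPORT_ROWS_PER_ACTOR = 5_000     # per hour (illustrative)
ADMIN_HOURS_UTC = range(6, 20)        # admin actions expected 06:00-19:59 UTC (illustrative)
NOTIFICATION_WINDOW = timedelta(hours=72)
SAMPLE_NOW = datetime(2024, 5, 6, 3, 30, tzinfo=timezone.utc)   # fixed "now" for the sample


def breach_anomaly_check(events, now, alert):
    """Scan the last hour of events; return breach_suspected findings, alerting on each."""
    since = now - timedelta(hours=1)
    recent = [e for e in events if since <= e["ts"] <= now]
    findings = []

    def flag(scenario, actor, evidence):
        findings.append({"entry": "breach_suspected", "scenario": scenario, "actor": actor,
                         "evidence": evidence, "detected_at": now,
                         "notify_by": now + NOTIFICATION_WINDOW})   # clock starts at detection

    # 1. Credential attacks: failed logins per actor inside the window.
    failures = Counter(e["actor"] for e in recent if e["type"] == "auth_login_failure")
    for actor, n in failures.items():
        if n >= MAX_LOGIN_FAILURES_PER_ACTOR:
            flag("auth_login_failures", actor, f"{n} failures in 60 min")

    # 2. Bulk exfiltration: rows exported per actor inside the window.
    exported = defaultdict(int)
    for e in recent:
        if e["type"] == "data_export":
            exported[e["actor"]] += e["rows"]
    for actor, rows in exported.items():
        if rows > MAX_EXPORT_ROWS_PER_ACTOR:
            flag("unusual_data_export", actor, f"{rows} rows in 60 min")

    # 3. Unexpected admin activity: privileged actions outside working hours.
    for e in recent:
        if e["type"] == "admin_action" and e["ts"].hour not in ADMIN_HOURS_UTC:
            flag("unexpected_admin_activity", e["actor"], f"{e['action']} at {e['ts']:%H:%M} UTC")

    for f in findings:
        alert(f)
    return findings


def telegram_text(finding) -> str:
    """Body for the Bot API sendMessage call; the HTTP send itself is out of scope here."""
    return (f"breach_suspected: {finding['scenario']} by {finding['actor']} "
            f"({finding['evidence']}); KVKK notification due "
            f"{finding['notify_by']:%Y-%m-%d %H:%M} UTC")


def sample_events(now):
    """Constructed sample: one event burst per scenario plus benign and out-of-window noise."""
    ev = [{"type": "auth_login_failure", "actor": "203.0.113.7", "ts": now - timedelta(minutes=i)}
          for i in range(1, 13)]                                            # 12 failures: flagged
    ev += [{"type": "auth_login_failure", "actor": "198.51.100.2", "ts": now - timedelta(minutes=m)}
           for m in (8, 9)]                                                 # 2 failures: fine
    ev += [{"type": "auth_login_failure", "actor": "203.0.113.9", "ts": now - timedelta(hours=3)}
           for _ in range(40)]                                              # old: ignored this run
    ev.append({"type": "data_export", "actor": "reception@hotel.example", "rows": 120,
               "ts": now - timedelta(minutes=40)})                          # normal volume
    ev.append({"type": "data_export", "actor": "staff@hotel.example", "rows": 20_000,
               "ts": now - timedelta(minutes=20)})                          # flagged
    ev.append({"type": "admin_action", "actor": "ops-admin", "action": "role_grant",
               "ts": now - timedelta(minutes=5)})                           # 03:25 UTC: flagged
    return ev


if __name__ == "__main__":
    breach_anomaly_check(sample_events(SAMPLE_NOW), SAMPLE_NOW,
                         alert=lambda f: print(telegram_text(f)))
```

Two details matter in practice: the scan is bounded to the window so a burst that already fired last hour is not re-alerted every run, and the notify_by timestamp is persisted with the finding so the 72-hour deadline is derived from detection time, not from whenever someone first reads the Telegram message.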

PII we collect (minimal)

Guest message content, the sender ID (phone number, e-mail address or PSID) and the guest's name. We do NOT collect card details (held by the payment provider), full booking details (vendor mirror), PMS records, ID numbers or passports. A defensive regex masks TC identity numbers, IBANs, card numbers and e-mail addresses at the log layer, so they do not reach log files even when a guest types them into a message.
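One way to do that masking, as an added example (written for this page, not Autosify's own filter): a logging.Filter that rewrites the fully formatted message before any handler writes it. The patterns, placeholder tags and sample log lines are assumptions; the IBAN pattern is written generically for any country rather than TR only, and all patterns are deliberately broad because over-masking a log line is cheap while leaking an identifier is not.

```python
# Added example (not Autosify's code): a logging.Filter that masks TC identity
# numbers, IBANs, card numbers and e-mail addresses before a line is written.
# Patterns, placeholder tags and the sample log lines are assumptions.
import io
import logging
import re

PATTERNS = [
    # 13-19 digits, optionally grouped by spaces or dashes (card PAN). Runs first so a
    # card number is never left for the shorter TC pattern to match part of.
    ("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    # IBAN: 2-letter country, 2 check digits, then 4-character groups (a TR IBAN is 26 chars).
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")),
    # TC kimlik no: exactly 11 digits, first digit non-zero.
    ("tc", re.compile(r"\b[1-9]\d{10}\b")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
]


def mask(text: str) -> str:
    """Replace every match with a tagged placeholder; the rest of the line is kept."""
    for tag, pattern in PATTERNS:
        text = pattern.sub(f"[{tag}]", text)
    return text


class PIIMaskFilter(logging.Filter):
    """Masks the formatted message, so %-style args cannot carry PII past the regex."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask(record.getMessage())
        record.args = ()          # already interpolated; prevents a second % formatting pass
        return True


def make_logger(name: str = "autosify.demo"):
    """Logger writing to an in-memory buffer; returns (logger, buffer) for inspection."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PIIMaskFilter())   # on the handler: covers third-party loggers too
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, buf


def log_and_capture(msg: str, *args) -> str:
    """Log one line through the masking handler and return what would have been written."""
    logger, buf = make_logger()
    logger.info(msg, *args)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines; the identifiers are synthetic.
    print(mask("guest ayse@example.com tc=12345678901 paid 4111 1111 1111 1111 "
               "to TR330006100519786457841326"))
    print(mask("callback from +905321234567 ok"))     # phone (a sender ID) is left alone
    print(log_and_capture("login %s from %s", "ayse@example.com", "198.51.100.2"))
```

Attaching the filter to the handler rather than to one logger is what makes the guarantee hold for every library that logs into the same handler, including SDKs the application does not control. A phone number in E.164 form is shorter than a card number and longer than a TC number, so it passes through untouched, consistent with the sender ID being data the service does keep.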

Want to share with your legal team?

We can send our DPA, privacy notice and KVKK compliance documents as PDFs before the demo call.

Request documents