We transparently share how we collect, process, and protect your data.
1. Data Controller
Data Controller Information
NormSignal Technology — Istanbul, Turkey
Contact: privacy@normsignal.com
Your employer is the data controller; NormSignal acts as the data processor
Purpose of This Notice
This notice is prepared in accordance with KVKK Art. 10 and GDPR Articles 13-14
It is provided to inform you about the processing of your personal data
2. Personal Data Processed
Simulation Data
Decision choices (cooperation / competition)
Decision times (in milliseconds)
Round information and session completion status
Storage: Pseudonymized (separate from real identity, stored under pseudonymous ID)
Identity and Contact Data
Full name, corporate email address
Storage: Encrypted at rest
Technical Data
Session information, device type, browser information
Storage: Anonymized
Consent Records
Consent date, version, consent method
Storage: Encrypted
Data NOT Collected
IP address is not matched with game data
No personality assessments, psychological profiles, or performance scores are produced
No individual behavioral labels are created
Biometric data is not collected
Location data is not collected
Device fingerprinting is not performed
3. Legal Basis for Processing
Under KVKK (Turkey)
Legitimate interest (KVKK Art. 5/2-f): Your employer's organizational development through team-level statistical analysis
Supplementary explicit consent (KVKK Art. 5/1): Obtained as an additional safeguard beyond legitimate interest
Non-consent or withdrawal of consent has no adverse consequences
You may withdraw your consent at any time
Under GDPR (EU)
Legitimate interest (GDPR Art. 6(1)(f)): Team-level analysis for organizational development
In the employer-employee context, consent may not constitute a freely given legal basis under GDPR (EDPB guidelines), therefore legitimate interest serves as the primary legal basis
Your participation remains entirely voluntary as an additional safeguard
Proportionality Safeguards
All simulation data is pseudonymized immediately upon collection
No individual scores, labels, or profiles are produced or shared with your employer
Reports contain only team-level statistical trends (minimum group size: 5)
No automated decision-making within the meaning of KVKK Art. 22 / GDPR Art. 22 takes place
4. Data Processing
Pseudonymization
All game data is pseudonymized with HMAC-SHA256
Real identities cannot be matched with game decisions
HR teams only see team aggregations
Minimum n=5 Rule
No metrics are generated for groups with fewer than 5 participants
This rule prevents individual inference
No exceptions — technically enforced
5. Data Transfer
Data Recipients
Your employer: Team-level aggregate reports only (no individual data)
Google Cloud / Firebase: Data hosting and processing (encrypted + pseudonymized)
International Data Transfers
Your data is processed using Google Cloud infrastructure
Transfers to the United States are protected by Standard Contractual Clauses (SCCs 2021/914) approved by the European Commission
Under KVKK Art. 9, your explicit consent is obtained for international data transfers
No other third parties receive your personal data
6. Data Retention Periods
Retention Policy
Identity and contact data: 90 days after pilot completion, then permanently deleted
Pseudonymized simulation data: 12 months after pilot completion (for statistical analysis)
Consent records: 3 years (legal obligation)
All data is automatically deleted when the contract ends
Upon Deletion Request
Identity data is permanently deleted within 30 days
Pseudonymized data is permanently deleted within 90 days
7. Your Rights
Under KVKK Art. 11
Learn whether your personal data has been processed
Request information about the processing if data has been processed
Learn the purpose of processing and whether data is used in accordance with its purpose
Know the third parties to whom data is transferred domestically or abroad
Request rectification of incomplete or incorrectly processed data
Request deletion or destruction under KVKK Art. 7
Request notification of rectification/deletion to third parties
Object to results produced exclusively through automated analysis that are against you
Claim compensation for damages caused by unlawful processing
Under GDPR (EU)
Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure — right to be forgotten (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20)
Right to object to processing based on legitimate interest (Art. 21)
Right to withdraw consent (Art. 7(3))
Right to lodge a complaint with your national supervisory authority
Request Process
Submit a written request to privacy@normsignal.com
Your request will be responded to within 30 days
Identity verification may be required
Automated Decision-Making
NormSignal does not produce individual decisions, scores, or labels and does not share them with your employer
Processed data consists solely of team-level statistical interaction trends