1. Data Controller

The data controller for personal data processed under Atlas is the natural or legal person who provides, operates, or is duly authorized to manage the relevant service.

Where required, additional contact information may be published on this page or in the relevant application or operational documentation.

2. Categories of Personal Data That May Be Processed

The following categories of personal data may be processed under Atlas:

• Identity and user account information
• Contact information
• Session and authentication information
• Device identifiers and application registration data
• Usage, transaction, and operational records
• Messaging and operational communication data
• Emergency incident records
• Location data
• Device health and connectivity status data
• Health and sensor data on supported devices (heart rate, oxygen saturation / SpO2, respiratory rate, body temperature, step count, walking distance)

Health, biometric, or similar data may overlap with categories considered sensitive personal data under applicable legislation. Accordingly, higher protection and limitation principles apply to such data.

3. Purposes of Personal Data Processing

Personal data may be processed under Atlas for the following purposes:

• User account creation, authentication, and session management
• Authorization and access control
• Planning, execution, and monitoring of field operations
• Real-time location and safety tracking
• Emergency notification, incident management, and response processes
• Enabling in-team operational communication and messaging
• Monitoring device, application, connectivity, and synchronization health
• Ensuring data security, system integrity, and service continuity
• Error detection, technical support, audit, and record-keeping activities
• Fulfilling obligations arising from legislation
• Responding to requests from authorized public bodies and institutions

4. Processing of Location Data

Atlas may process location data associated with the user or device for the purpose of conducting active field operations and providing safety-focused operational visibility. Location data may be used for the following purposes:

• Providing operational location visibility of field personnel
• Maintaining route continuity
• Tracking critical mission mobility
• Enabling faster and more accurate response to emergencies
• Supporting security telemetry streams

Depending on the application’s technical structure and use case, location data may be processed while the application is in use, running in the background, or under certain operational requirements even when the application is not actively in use. Such processing activities must be conducted solely for legitimate, explicit, and disclosed purposes.

5. Processing of Health and Sensor Data

Where supported devices and relevant configurations are in place, Atlas may process health and sensor data. The purpose of this processing is to support employee safety, status visibility, operational risk assessment, and emergency workflows.

In line with the data minimization principle, Atlas aims to use normalized and purpose-limited measurements rather than raw manufacturer data wherever possible. Health and sensor data shall only be processed to the extent explicitly necessary, when the relevant permissions have been obtained, when the relevant user has been informed, and when technical and administrative security measures are in place.

6. Legal Basis for Processing Personal Data

Under KVKK, personal data may be processed on the following legal grounds depending on the circumstances:

• Expressly provided for by law
• Directly related to the establishment or performance of a contract
• Necessary for the data controller to fulfill a legal obligation
• Necessary for the establishment, exercise, or protection of a right
• Legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

For sensitive personal data, explicit consent or other legal processing conditions provided under applicable legislation may be required.

Under GDPR, personal data may rely on the following legal bases: performance of a contract, compliance with a legal obligation, legitimate interests, explicit consent, and protection of vital interests.

7. Permissions, Explicit Consent, and User Control

Atlas requests the relevant operating system permissions before accessing sensitive data at the device level. Where necessary, informational disclosures may be presented to the user prior to the permission request. The user may deny or subsequently withdraw the following permissions:

• Location and background location
• Notifications
• Camera
• Microphone
• Health and sensor data

If certain permissions are not granted or are withdrawn, the related features may function in a limited capacity or become unavailable. However, the absence of a permission does not automatically mean that all functions of the application will be disabled.

8. Data Minimization and Proportionality

Personal data processed under Atlas is processed for specific, explicit, and legitimate purposes; kept relevant, limited, and proportionate to the purposes for which it is processed; kept accurate and up to date where necessary; and retained for no longer than is necessary for the purposes of processing. Processing personal data beyond its intended purpose, unnecessarily, or disproportionately must be avoided.

9. Transfer of Personal Data

Personal data processed under Atlas may be transferred on a limited basis to third-party service providers, business partners, authorized public bodies, or technical infrastructure providers for the purpose of technically delivering or securely operating the service, or fulfilling legal obligations. Such transfers are governed by compatibility with the data processing purpose, data minimization, security measures, and contractual and technical safeguards in accordance with applicable legislation. Where international data transfers are involved, the safeguards required under relevant data protection legislation are aimed to be provided.

10. Retention Period

Personal data may be retained taking into account the period required by the processing purposes, the duration of the relevant contractual relationship, statutory retention obligations, the period necessary for the resolution of potential disputes, and information security and audit needs. Once the retention period has expired or the processing purpose has ceased, the relevant data is deleted, destroyed, or anonymized in accordance with applicable legislation.

11. Data Security

Appropriate technical and administrative measures are aimed to be implemented to protect personal data processed under Atlas. Examples of such measures include:

• Access control and authorization management
• Role-based access restrictions
• Secure data transmission
• Signed or integrity-protected data transfer mechanisms
• Session and authentication security
• Logging and audit mechanisms
• Protective measures against data loss, unauthorized access, and misuse

However, no method of data transmission over the internet or method of electronic storage provides an absolute guarantee of security.

12. Local Device Storage

Some data may be temporarily stored on the device due to connectivity interruptions or the absence of secure transfer conditions. Such data may include technical and operational data such as telemetry packets, operation logs, message queues, or synchronization information. Local storage should be used in a limited manner solely for the purposes of service continuity and secure synchronization.

13. Data Subject Rights

Under KVKK, data subjects may have the following rights pursuant to Article 11 of the Law:

• To learn whether personal data is being processed
• To request information if it has been processed
• To learn the purpose of processing and whether data is used in accordance with that purpose
• To know the third parties to whom data is transferred domestically or abroad
• To request correction of incomplete or inaccurate data
• To request deletion or destruction within the framework of applicable legislation
• To request that correction, deletion, or destruction be notified to third parties
• To object to a result arising against them through exclusively automated systems
• To claim compensation for damages suffered due to unlawful processing

Where GDPR is applicable, data subjects may additionally have the following rights: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right to withdraw consent, and right to lodge a complaint with a supervisory authority.

14. Application and Contact

Requests regarding privacy, personal data processing activities, or data subject rights may be submitted via the following contact address:

The evaluation of applications is carried out within the framework of applicable legislation and operational verification requirements.

15. Policy Updates

This Privacy Policy may be amended from time to time in line with legal requirements, technical changes, operational needs, or updates to the scope of the service. The current version is published on this page.