Applicable jurisdiction
These documents are presented for the United States. KeyBrox is operated by a Turkish company (ASTRAL GAYRİMENKUL DANIŞMANLIK TİC. LTD. ŞTİ.); Turkish law governs the agreement, while your mandatory local data-protection and consumer rights remain reserved and unaffected.
Data-protection framework: CCPA / CPRA · Supervisory authority: the California Privacy Protection Agency or your State Attorney General
Privacy Policy
This Privacy Policy explains how the personal data of every individual who uses the KeyBrox real-estate technology platform (the "Platform") is collected, processed, protected and shared. As ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ (the Data Controller), we attach great importance to your privacy.
This notice is intentionally dual-standard, prepared to satisfy both Law No. 6698 (KVKK) and the GDPR. The rights and safeguards below reflect a universal, GDPR-grade baseline that applies to all of our users regardless of country. Any additional rights arising from the mandatory data-protection laws of your own country are reserved in all cases and are not affected by this policy.
1. What Data Do We Collect?
1.1. Information You Provide to Us
- Account information: First name, last name, email, phone, password (stored hashed with bcrypt).
- Profile information: Profile photo, title, office details, license number.
- Transaction data: Commission records, property details, client information, contract details.
- Communication content: In-platform messages, mediation statements, task notes.
- Signature and minutes: The digital signature on the viewing (showing) minutes.
1.2. Automatically Collected Information
- Device information: Operating system, browser type and version, screen resolution, language preference.
- Connection information: IP address, internet service provider, connection time and duration.
- Location: GPS coordinates (only when you grant permission — panic button, showings, AR pricing).
- Usage data: Pages visited, click counts, session duration, error logs.
- Cookies: Session cookies, preference cookies, analytics cookies (for details: Cookie Policy).
1.3. Information Received from Third Parties
- Agent details entered into the system by the broker/office manager.
- Real-estate listing data (listing title, location, price).
- Push notification subscription status (OneSignal / Firebase Cloud Messaging).
- Gravatar profile images (based on the email hash).
2. Why Do We Collect Data?
We process your data for the following specific, explicit and legitimate purposes:
- To provide the Platform service: Operating the CRM, commission management, portfolio matching, messaging and other core features (performance of the contract).
- To keep you safe: Life-saving location sharing in emergencies via the panic button, and prevention of unauthorized access (legitimate / vital interest).
- To meet legal obligations: Tax, accounting and commercial-law requirements (legal obligation).
- To personalize your experience: Motivation system, performance feedback, improving recommendations (legitimate interest / explicit consent).
- To communicate: Service notifications, security alerts, support responses.
- To resolve disputes: Operating a fair decision mechanism via the mediation board.
3. How Do We Protect Your Data?
We adopt industry best practices to keep your data secure:
3.1. Encryption
- All data transfers are encrypted with the TLS 1.3 protocol (HTTPS).
- Session cookies are stored encrypted using the AES-256-GCM algorithm.
- Passwords are hashed with bcrypt and are never stored in plaintext anywhere.
- Phone numbers are anonymized via SHA-256 hashing in sensitive operations (mediation, assist chain).
3.2. Access Control
- Role-based access control (RBAC): Broker, Agent and Admin roles access different data sets.
- Multi-tenant isolation (`user_id + office_id`): One office cannot see another office's data.
- Data-minimization principle: Each role accesses only the data necessary for its function.
- JWT-based authentication; 15-minute access + 30-day refresh token lifetimes.
3.3. Infrastructure Security
- Cloudflare DDoS protection and Web Application Firewall (WAF).
- Daily automated database backups (7-day rotation) plus 4-hourly incremental backups.
- Server access is SSH-key based (password login disabled).
- Service continuity target: 99.9% uptime.
- Security patches are applied within 48 hours.
3.4. Auditing and Monitoring
- All admin access logs are retained for 2 years.
- Anomalous activity detection (brute force, bulk data download).
- Internal security audits every 6 months.
- Data-breach response plan: notification from the data processor to the data controller within 24 hours, and to the competent supervisory authority within 72 hours of detection.
4. Who Do We Share It With?
We do not sell, rent or transfer your personal data to third parties for commercial purposes. Your data is not shared except in the limited cases below.
4.1. Infrastructure Providers (Data Processors / Sub-processors)
The following sub-processors access data solely to provide the service and under contractual safeguards (DPA + SCC):
| Provider | Location | Purpose | Safeguard |
|---|---|---|---|
| Vercel Inc. | USA | Frontend hosting, edge rendering, CDN | SCC + SOC 2 Type II |
| Hostinger International | Lithuania (EU) | Backend hosting, database | GDPR-adequate (EU location) |
| OneSignal Inc. | USA | Push notification infrastructure | SCC + DPA |
| Google LLC (Gemini) | USA/EU | AI Assistant — chat, listing text | SCC + DPA + not used for model training |
| Google LLC (Firebase) | USA/EU | FCM mobile push | SCC + ISO 27001 |
| Cloudflare Inc. | Global | CDN, DNS, WAF security | SCC + ISO 27001 + SOC 2 |
For analytics we use Vercel Analytics (active) and — only when enabled — IP-anonymized Google Analytics 4.
4.2. Legal Disclosure
- With competent authorities upon a court order or prosecutor's request.
- With certified public accountants/financial advisers in the scope of a tax audit.
- Under applicable anti-money-laundering legislation (suspicious-transaction reporting).
4.3. Intra-Office Sharing (Multi-Tenant)
KeyBrox has a multi-tenant structure. Brokers/office managers can see the performance data, transaction records and communication history of their own agents. This sharing is inherent to the business relationship and is set out in the membership agreement.
5. Your Rights
Under data-protection law (a universal, GDPR-grade baseline), you have the following rights regardless of your country:
- Right to be informed: To learn whether your data is processed and how it is processed.
- Right of access: To request a copy of your processed data.
- Right to rectification: To request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): To request deletion of data whose legal retention period has expired.
- Restriction of processing: To request that processing be stopped under certain conditions.
- Data portability: To receive your data in a structured, machine-readable format (JSON/CSV).
- Right to object: To object to processing based on legitimate interest (including automated decision-making).
- Withdrawal of consent: To withdraw your consent at any time for processing based on explicit consent.
To exercise your rights, write to kvkk@keybrox.com or fill in the "My Account > Data Request" form inside the app. Requests are answered within 30 days at the latest.
5c. United States — CCPA / CPRA Rights
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the following rights:
- Right to Know: To learn which categories of personal information are collected, their sources, the purposes of processing, and the parties with whom they are shared.
- Right to Delete: To request deletion of your personal information, subject to certain exceptions.
- Right to Correct: To request correction of inaccurate personal information.
- Right to Opt-Out: To opt out of the "sale" or "sharing" of your personal information.
- Right to Non-Discrimination: Not to receive discriminatory treatment for exercising these rights.
Do Not Sell or Share My Personal Information. KeyBrox does not sell your personal information and does not share it for cross-context behavioral advertising within the meaning of the CCPA/CPRA. No separate opt-out action is therefore required; however, if you still wish to submit a request, you may contact us at kvkk@keybrox.com.
6. Cookies
The Platform uses cookies for essential functionality, analytics and preferences. Explicit consent is obtained for all non-essential cookies. For details, please review our Cookie Policy.
7. Children's Privacy
The KeyBrox platform is designed for professional real-estate agents and office managers. Individuals under the age of 18 are not intended to open an account or use the Platform. When we learn that personal data of an individual under 18 has been processed, we delete it immediately.
8. International Data Transfers
Part of our technical infrastructure runs on providers located outside the EU (e.g., the USA). In that case:
- EU Standard Contractual Clauses (SCC) are signed.
- Additional technical measures (TLS encryption, pseudonymization) are applied to the transfer.
- The GDPR / SOC 2 / ISO 27001 certifications of the providers are assessed.
- Appropriate transfer safeguards are established with all cross-border sub-processors, including Cloudflare.
9. Changes
This Privacy Policy may be updated in line with legal developments and service changes. Material changes are:
- Announced via an in-platform notification.
- Communicated to you by email.
- Published on this page, with the "Last updated" date changed accordingly.
Continuing to use the Platform after material changes means you accept the updated policy.
10. Contact
Data Controller: ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ
Data / KVKK email: kvkk@keybrox.com
KEP: astralgayrimenkuldanismanlik@hs01.kep.tr
Address: Aksoy Mahallesi Girne Caddesi 36/3 Zemin Kat, Karşıyaka/İzmir, Türkiye
Phone / WhatsApp: +90 505 869 00 81
General Support: info@keybrox.com
