Effective date: March 2026 · Last updated: March 2026 · This policy fulfils the transparency obligations under Articles 13 and 14 of the EU General Data Protection Regulation (GDPR – Regulation 2016/679).
1. Data Controller and Contact Information
1.1 Data Controller
The data controller responsible for the processing of personal data within the scope of this Privacy Policy is:
| Company name | Unifics Limited |
| Brand | RYSTAT |
| Registered address | Hong Kong Special Administrative Region |
| Email | privacy@rystat.com |
| Website | rystat.com |
1.2 Contact
For all enquiries relating to data protection, privacy, and legal matters:
Privacy: privacy@rystat.com
Legal correspondence / DSA notices: legal@rystat.com
Security notifications: security@rystat.com
Available languages: English, Turkish, German
2. Scope and Roles
This Privacy Policy describes the personal data processed within the scope of the website, customer panel, order flows, support processes, and all related services provided under the RYSTAT brand.
RYSTAT assumes different roles depending on the type of service:
| Processing context | RYSTAT role | Customer role |
|---|---|---|
| Customer account, billing, support | Data Controller | Data subject |
| Content hosted by the customer and end-user data | Data Processor or Sub-processor | Data Controller |
| Website analytics and cookies | Data Controller | Data subject (visitor) |
Where RYSTAT acts as data processor or sub-processor, all legal obligations as data controller for the data processed lie with the customer. RYSTAT processes such data solely in accordance with the customer's documented instructions.
3. Categories of Data Collected
3.1 Data you provide directly
- First name, last name, company name, authorised representative and contact information
- Email address, telephone number
- Billing address, country, tax identification number (corporate)
- Account creation, authentication, and security information
- Support requests and correspondence content
- Documents collected for tax, commercial, or regulatory compliance purposes
3.2 Automatically collected data
- IP address, access logs, session records, and security logs
- Browser, device, operating system, and client information
- Panel usage history and error logs
- Preference and usage data collected via cookies and similar tracking technologies (see Cookie Policy)
3.3 Payment data
Payment transactions are processed through PCI-DSS certified third-party payment processors. RYSTAT does not store full card numbers, CVV codes, or PINs; only limited information such as the last four digits, transaction reference, and payment status may be retained.
3.4 Service content and customer data
In connection with hosting, virtual server, email, and related infrastructure services, customers retain effective control over their own systems and datasets. Such data may be processed to a limited extent for the purposes of delivering the service, ensuring security, conducting incident analysis, and providing technical support. The customer is responsible for obtaining all necessary legal bases and third-party consents for the processing of such data.
4. Processing Purposes, Legal Basis and Retention Periods (GDPR Articles 6 and 13)
The table below sets out the purpose, legal basis, and estimated retention period for each processing activity, in accordance with GDPR Articles 13(1)(c) and 13(2)(a).
| Processing purpose | Legal basis (GDPR Article 6) | Estimated retention period |
|---|---|---|
| Account creation, authentication, and access management | Article 6(1)(b) – Performance of a contract | For the duration of the account + 3 years after contract termination |
| Service activation, delivery, and technical support | Article 6(1)(b) – Performance of a contract | Duration of the service + 2 years |
| Billing, collection, and accounting records | Article 6(1)(c) – Legal obligation (tax and commercial legislation) | 10 years from the date of transaction (may vary by jurisdiction) |
| Security monitoring, log analysis, and incident response | Article 6(1)(f) – Legitimate interests (infrastructure security and fraud prevention) | 30 days to 12 months depending on log type |
| Compliance with legal obligations (regulatory requests, court orders) | Article 6(1)(c) – Legal obligation | For the duration of the legal requirement |
| Marketing communications and product announcements (existing customers) | Article 6(1)(f) – Legitimate interests (relevant service notifications) or Article 6(1)(a) – Consent | Until withdrawal of consent or objection; 2 years after account closure |
| Website analytics and performance measurement | Article 6(1)(a) – Consent (cookie consent) | Subject to cookie lifespan; see Cookie Policy |
| Dispute management and defence of legal claims | Article 6(1)(f) – Legitimate interests | Until resolution of the dispute + 5 years |
Legitimate interests balancing test: RYSTAT relies on legitimate interests as a legal basis only after conducting a balancing assessment between those interests and the fundamental rights and freedoms of the data subjects concerned. Further information regarding such assessments is available upon request.
5. Recipients of Personal Data
Personal data may be shared with the following categories of recipients to the extent necessary to deliver the Services:
| Category of recipient | Purpose of disclosure |
|---|---|
| Infrastructure and data centre providers | Server hosting (including Germany) |
| Network, CDN, and DDoS protection providers | Bandwidth, security, content delivery |
| Payment and billing services | Collection and invoicing |
| Support and communications platforms | Customer support management |
| Monitoring and security tools | Infrastructure monitoring, incident detection |
| Competent public authorities and courts | Legal obligations and official requests |
For the current and detailed list of sub-processors, see the Subprocessor Framework.
RYSTAT does not sell personal data to third parties for commercial purposes.
6. International Data Transfers (GDPR Chapter V – Articles 44–49)
Unifics Limited is incorporated in the Hong Kong Special Administrative Region. The European Commission has not issued an adequacy decision in respect of Hong Kong (GDPR Article 45). Accordingly, transfers of data from the EEA to Hong Kong are underpinned by appropriate safeguards under GDPR Article 46.
6.1 Transfer mechanisms applied
- Standard Contractual Clauses (SCCs): The standard contractual clauses adopted under European Commission Implementing Decision 2021/914/EU of 4 June 2021 are applied. Data Processing Agreements (DPAs) concluded with enterprise customers incorporate the SCCs under the module applicable to the service relationship (primarily Module 2: Controller – Processor).
- Transfer Impact Assessment (TIA): RYSTAT assesses whether Hong Kong law undermines the protections afforded by the SCCs in accordance with EDPB Recommendations 01/2020, and implements technical and organisational supplementary measures where required.
- Additional technical measures: To enhance transfer security, end-to-end encryption (where applicable), data minimisation, and privileged access controls are applied.
6.2 Server infrastructure in Germany
Data stored on servers located in EU member states benefits from GDPR protections and does not require an additional transfer mechanism.
6.3 Transfers to other third countries
Certain sub-processors used to deliver the Services may operate outside the European Economic Area. Such transfers are carried out through countries with an adequacy decision, SCCs, or other GDPR-compliant mechanisms.
7. Data Subject Rights (GDPR Articles 15–22)
Data subjects resident in the EU/EEA have the following rights under GDPR. These rights apply directly only in respect of data for which RYSTAT acts as data controller.
| Right | Description | GDPR article |
|---|---|---|
| Right of access | Request a copy of the personal data processed about you | Article 15 |
| Right to rectification | Request correction of inaccurate or incomplete data | Article 16 |
| Right to erasure ("right to be forgotten") | Request deletion of your data under certain conditions | Article 17 |
| Right to restriction of processing | Request that processing be limited | Article 18 |
| Right to data portability | Receive your data in a structured, machine-readable format | Article 20 |
| Right to object | Object to processing based on legitimate interests or public interest; object to direct marketing (absolute right) | Article 21 |
| Right not to be subject to automated decision-making | Object to decisions based solely on automated processing | Article 22 |
| Right to withdraw consent | Withdraw consent at any time for consent-based processing | Article 7(3) |
How to apply: privacy@rystat.com. Additional information may be requested to verify identity. RYSTAT will respond within the statutory time limits (general rule: 1 month; extended: up to 3 months).
7.1 Right to lodge a complaint with a supervisory authority (GDPR Article 77)
Data subjects in the EU/EEA have the right to lodge a complaint regarding the processing of their personal data with the competent data protection authority in their member state. Each EU member state has an independent supervisory authority; you may contact the authority in the country where you reside.
List of EU supervisory authorities: edpb.europa.eu/about-edpb/board/members_en
We encourage you to contact RYSTAT directly before lodging a complaint with the supervisory authority, as many issues can be resolved more swiftly through direct contact.
8. Security Measures (GDPR Article 32)
In accordance with GDPR Article 32, RYSTAT implements appropriate technical and organisational security measures commensurate with the nature, scope, and risks of the processing:
- Access control, authentication, and privileged access management
- Encryption in transit and at rest (where applicable)
- Security incident monitoring, logging, and alerting processes
- Network segmentation, vulnerability management, and regular updates
- Backup and business continuity plans
- Data protection training for data processing personnel
No method of data transmission over the internet or electronic storage can guarantee absolute security. Users bear primary responsibility for account security, the use of strong passwords, and enabling two-factor authentication.
8.1 Personal data breach notification (GDPR Articles 33–34)
RYSTAT is obliged to notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the rights and freedoms of data subjects, those individuals will also be notified directly without undue delay.
9. Cookies and Tracking Technologies
RYSTAT uses cookies and similar tracking technologies on its website and customer panel. In view of our German server infrastructure, the obligations under the German TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) and the EU ePrivacy Directive (2002/58/EC) apply.
For detailed information on cookie categories used, retention periods, third-party providers, and opt-out options, see the Cookie Policy.
9/A. Marketing Communications – Explicit Consent (KVKK Art. 5 + GDPR Art. 6(1)(a))
RYSTAT's marketing electronic communications (product announcements, promotional notices, blog updates, event invitations and similar) are sent only with the user's prior, freely given opt-in consent. Conclusion of the service agreement or receipt of transactional emails relating to billing or support does not constitute marketing consent.
9/A.1 Legal Basis
- GDPR Article 6(1)(a): Processing of personal data for marketing requires specific, informed and freely given consent.
- KVKK Article 5(1): Processing of personal data for marketing requires explicit consent (the exceptions in KVKK Art. 5(2) do not cover marketing).
- Turkish Electronic Commerce Act (No. 6563) Article 6: Sending commercial electronic messages requires prior recipient consent, recorded via the IYS (Commercial Electronic Message Management System).
- EU/UK PECR (Privacy and Electronic Communications Regulations): The "soft opt-in" exemption for direct marketing communications is narrow; non-similar product promotions require explicit consent.
9/A.2 Granting and Withdrawing Consent
The user can grant or withdraw marketing consent via the "Marketing Communications" toggle on /panel/profile (Privacy tab). Every marketing email contains a one-click "Unsubscribe" link in the footer; clicking it immediately revokes consent on a prospective basis. Withdrawal of consent does not affect past processing and does not affect the service agreement.
9/A.3 Transactional vs. Marketing Communications
The following communications are transactional and are sent independently of marketing consent: billing/payment notices, account security alerts, service outage notifications, contract/legal update notices, and support ticket responses. These are necessary for the performance of the service agreement (GDPR Art. 6(1)(b) – performance of a contract).
9/B. Disclosure of AI Processors (KVKK Art. 9 + GDPR Arts. 28 and 49)
When the user activates RYSTAT's AI-powered features (AI Site Builder, AI Assistant, AI content generation), RYSTAT may transfer the user's prompts and input data to the following four third-party AI providers:
| Provider | Jurisdiction | Role | Adequacy Status |
|---|---|---|---|
| Hangzhou DeepSeek AI Co., Ltd. | People's Republic of China (PRC) | Primary AI processor | NO adequacy decision – Schrems II risk |
| Anthropic, PBC | United States | Backup AI processor | EU-US Data Privacy Framework (DPF) certified |
| OpenAI, LLC | United States | Backup AI processor | EU-US Data Privacy Framework (DPF) certified |
| Mistral AI SAS | France (intra-EU) | Backup AI processor | Intra-EU transfer – GDPR directly applicable |
9/B.1 Categories of Data Transferred
- User's free-text prompts input to AI features (queries, questions, content instructions)
- Configuration parameters: sector, target audience, language, tone, style preferences
- Generation context: page descriptions, content template names, brand name (where provided by the user)
- NOTE: The user's panel account information (email, name, billing address) is not transferred to AI providers.
9/B.2 Cross-Border Transfer Mechanism
- KVKK Article 9: Cross-border transfer of personal data from Turkey requires explicit consent, obtained granularly via the AI features toggle on /panel/profile (Privacy tab).
- GDPR Article 49(1)(a) – Derogation for explicit consent: Transfers to DeepSeek (PRC), which has no adequacy decision, rely on the user's explicit consent given after specific information.
- GDPR Article 46(2)(c) – Standard Contractual Clauses (SCC): For US providers (Anthropic, OpenAI), EU SCCs apply in combination with EU-US DPF.
- Schrems II / EDPB Recommendation 01/2020: A Transfer Impact Assessment (TIA) is performed for DeepSeek (PRC); on request it can be obtained from legal@rystat.com.
9/B.3 Withdrawal of Explicit Consent
The user may withdraw explicit consent at any time by disabling the AI features toggle on /panel/profile (Privacy tab). Withdrawal applies prospectively and does not invalidate transfers already performed (KVKK Art. 7; GDPR Art. 7(3)). If a new AI provider is added, re-consent is triggered.
9/B.4 No-Train and Retention
RYSTAT applies reasonable commercial efforts to obtain "no-train" provisions (user data shall not be used for model training) in AI provider contracts. On the provider side, retention of prompt data is governed by provider policies: for Anthropic and OpenAI, "zero-retention" mode is enabled where available. For a detailed provider comparison, see AI Provider Disclosure.
10. Policy Updates
RYSTAT may update this policy from time to time. Material changes will be announced via the website or by registered email address at least 30 days before the effective date. Continued use of the Services following publication of the updated policy constitutes acceptance of the changes. For significant changes affecting your rights under GDPR, separate consent will be obtained where required by applicable law.
11. Order of Precedence and Conflicts
In the event of a conflict between this Privacy Policy and any other contractual document, the order of precedence shall be as follows:
- Signed enterprise agreement, order form, or statement of work
- Product-specific service terms
- Acceptable Use Policy (AUP)
- Service Level Agreement (SLA)
- Data Processing Agreement / DPA (with respect to data processing matters only)
- Terms of Service
- This Privacy Policy
- Refund Policy
- Subprocessor Framework and other public disclosure documents
Signed enterprise agreements and order forms shall always take precedence. In the event of a conflict, the most specific and most recently signed document shall prevail. Rights arising under mandatory consumer and data protection legislation are reserved in all circumstances.
12. Global Compliance Approach
Unifics Limited is a globally operating service provider incorporated in Hong Kong. Our services are offered to users in different countries, and we acknowledge the existence and importance of local legislation governing the protection of personal data.
- For users in the EU/EEA, we endeavour to comply with the data protection principles arising from GDPR (Article 5).
- For users in Turkey, reasonable technical and organisational measures for the protection of personal data are applied.
- Should RYSTAT receive a formal request from a data protection authority in any jurisdiction, it stands ready to respond within the applicable legal framework. Contact: privacy@rystat.com
RYSTAT may not be registered with local data protection authorities in certain jurisdictions. This does not affect our commitment to processing personal data responsibly.