Privacy Policy
Last updated: May 23, 2026
1. Data Controller
The data controller responsible for your personal data is:
Botterfly AI Teknoloji Limited Şirketi
Trading as Mikato
Topçular Mah. Osmangazi Cad. No: 2 İç Kapı No: 18
Eyüpsultan / İstanbul, Turkey
Trade Registry: İstanbul Ticaret Sicili Müdürlüğü, No: 1083384
Tax ID: 1810905136 (Bayrampaşa Vergi Dairesi)
MERSİS: 0181090513600001
Email: hello@mikato.co
Website: mikato.co
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (mikato.co), chatbot, and concierge services (together, the “Service”).
We comply with Turkey’s Personal Data Protection Law (KVKK, Law No. 6698) and the European Union’s General Data Protection Regulation (GDPR) where applicable. We have conducted a Data Protection Impact Assessment (DPIA) for our chatbot service.
2. What Data We Collect
Information you provide
- Chat messages - The conversations you have with Mikato, including questions and any personal details you share (nationality, permit type, situation)
- Contact information - If you engage our concierge services: name, email, phone number, and relevant documents
- Documents - Files you upload for concierge review (passports, leases, permits)
Information collected automatically
- Device information - Browser type, operating system, screen size
- Usage data - Pages visited, time on site, interactions with the chatbot
- IP address - Used for approximate location and security
- Language preference - The language you select, stored locally on your device
- Cookies - See Section 10 below
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Providing chatbot guidance based on your questions | Performance of a contract / providing the service you requested (KVKK Art. 5/2c; GDPR Art. 6/1b) |
| Delivering paid concierge services | Contract performance (KVKK Art. 5/2c; GDPR Art. 6/1b) |
| Improving service quality using anonymized and aggregated data | Legitimate interest (KVKK Art. 5/2f; GDPR Art. 6/1f) |
| Handing off your case to the concierge team | Your explicit consent (KVKK Art. 5/1; GDPR Art. 6/1a) |
| Cookieless analytics - understanding how visitors interact with our site using privacy-friendly, cookieless analytics (Vercel Web Analytics) | Legitimate interest (KVKK Art. 5/2f; GDPR Art. 6/1f) |
| Cookie-based analytics - understanding visitor behavior using Google Analytics 4 (only with your consent) | Your explicit consent (KVKK Art. 5/1; GDPR Art. 6/1a) |
| Advertising measurement - measuring the effectiveness of our Google Ads campaigns and showing relevant ads (only with your consent) | Your explicit consent (KVKK Art. 5/1; GDPR Art. 6/1a) |
| Security, fraud prevention, and legal compliance | Legal obligation (KVKK Art. 5/2ç; GDPR Art. 6/1c) |
Note on AI training: We do not use your personal chat conversations to train AI models. Service improvement is based only on anonymized, aggregated data that cannot be linked back to you.
4. Automated Processing
The Mikato chatbot is an AI system. When you use it, your messages are processed automatically by an artificial intelligence model to generate personalized responses. This means:
- Your messages are sent to an AI language model that generates a response based on your question and publicly available information about Turkish immigration and administrative processes
- No legally binding decisions are made by the AI
- The AI does not determine your eligibility for any permit, service, or legal status
- You have the right to request human review of any guidance provided by the AI - simply ask to speak with our concierge team
5. Who We Share Your Data With
We share your data only when necessary and with the following parties:
- BaltasGlobal concierge team - Our concierge service provider, based in Turkey. They receive your information only when you explicitly request a handoff or engage concierge services. BaltasGlobal acts as a data processor under a formal Data Processing Agreement.
- Anthropic - We use AI models provided by Anthropic (Claude) to power our chatbot. Chat messages are processed by Anthropic to generate responses. Anthropic does not use your conversations for training and operates under a Data Processing Agreement with us. See Anthropic’s privacy policy.
- Cloud hosting providers - Our infrastructure runs on cloud services with data centers in the EU and/or US. All providers operate under Data Processing Agreements with appropriate safeguards.
- Google Analytics 4 - With your consent, we use Google Analytics to understand how visitors interact with our website. Data is processed on Google servers in the United States. Google Analytics cookies are only loaded after you give explicit consent through our cookie consent banner. See Google’s privacy policy.
- Google Ads - With your consent, we use Google Ads to measure the effectiveness of our advertising campaigns and to show you relevant ads. Data is processed on Google servers in the United States. Google Ads cookies are only loaded after you give explicit marketing consent through our cookie consent banner. See Google’s privacy policy.
- Vercel Web Analytics - We also use Vercel Web Analytics, a cookieless analytics service that does not set cookies, does not track individual users across sessions, and does not collect personally identifiable information. Data is aggregated and anonymized. No consent is required. See Vercel’s analytics privacy policy.
We do not sell your personal data. All third-party processors are bound by Data Processing Agreements (DPAs) as required by KVKK Article 12 and GDPR Article 28.
6. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside of Turkey and the European Economic Area (EEA), including the United States (for AI processing and, with your consent, for analytics via Google Analytics 4). When this happens, we ensure your data is protected through:
- Standard contractual clauses (SCCs) approved by the Turkish Data Protection Authority (KVKK) and/or the European Commission
- Selecting providers in countries with adequate data protection laws as recognized by relevant authorities
- Data Processing Agreements with all international recipients
7. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Chat conversations | Retained while your account is active, plus 30 days after deletion request |
| Concierge case files | Duration of service plus 2 years (legal retention requirement) |
| Device and usage data | 12 months |
| Contact information | Retained while you use the Service, deleted upon request |
| Cookie consent preference | 1 year |
| Google Analytics data | Up to 14 months (if you consent to analytics cookies) |
| Google Ads data | Up to 90 days (if you consent to marketing cookies) |
When data is no longer needed, we securely delete or anonymize it.
8. Your Rights
Under KVKK (Turkey) and GDPR (EU/EEA), you have the following rights:
- Access - Request a copy of the personal data we hold about you
- Correction - Ask us to correct inaccurate or incomplete data
- Deletion - Request that we delete your personal data (the “right to be forgotten”)
- Portability - Receive your data in a structured, machine-readable format (GDPR)
- Objection - Object to processing based on legitimate interest
- Restriction - Ask us to limit how we process your data in certain circumstances
- Withdraw consent - Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
- Human review - Request that a human reviews any automated guidance provided by the chatbot
How to exercise your rights
Send your request to hello@mikato.co. You can submit your request in writing via email. Please include enough information for us to verify your identity and specify which right(s) you wish to exercise.
Response times: We will respond within 30 days under KVKK and within one calendar month under GDPR. For complex requests, the GDPR response period may be extended by up to two additional months - we will inform you if this is necessary. Your first request each year is free of charge; subsequent requests may be subject to a reasonable administrative fee as permitted by KVKK.
Filing a complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Turkey: Kişisel Verileri Koruma Kurumu (KVKK) - kvkk.gov.tr
- EU/EEA: Your local data protection authority
9. Sensitive Data
During conversations about immigration, you may share information that is considered “special category” data under KVKK (Article 6) and GDPR (Article 9) - such as nationality, ethnic origin, or health conditions.
We process this data only when you have given explicit, informed consent. Before your first chat session, we present a notice explaining that conversations may involve sensitive personal data and ask for your consent to process it. You can withdraw this consent at any time - though this may limit our ability to provide relevant guidance.
We do not request sensitive data beyond what is necessary to answer your question or provide concierge services. We do not use sensitive data for profiling, automated decision-making, or AI training.
10. Cookies & Local Storage
We use cookies and local storage for essential functionality and, with your consent, for analytics. When you first visit our website, a cookie consent banner lets you accept or reject optional cookies. You can change your preferences at any time via the “Cookie Settings” link in the footer. For full details, see our Cookie Policy.
Strictly necessary (no consent required)
| Name | Purpose | Duration |
|---|---|---|
| NEXT_LOCALE | Remembers the language you selected so we serve the right content on your next visit | 1 year |
| cookie_consent | Remembers your cookie consent choice | 1 year |
Analytics (consent required)
We use Google Analytics 4 to understand how visitors interact with our website. These cookies are only loaded after you give your explicit consent through our cookie consent banner. Data is aggregated and statistical. Google Analytics data is processed on Google servers in the United States; by consenting, you acknowledge this cross-border transfer pursuant to KVKK Article 9.
Marketing (consent required)
We use Google Ads to measure the effectiveness of our advertising campaigns and to show you relevant ads. These cookies are only loaded after you give your explicit consent through our cookie consent banner. Data is processed on Google servers in the United States; by consenting, you acknowledge this cross-border transfer pursuant to KVKK Article 9.
Cookieless analytics
We also use Vercel Web Analytics, a privacy-friendly, cookieless analytics service. It does not set cookies, does not use tracking pixels, and does not collect personally identifiable information. Visitors are identified by a daily-rotating hash derived from the incoming request, which cannot be used to track individuals across sessions or websites. No consent is required for this service.
We do not use social media tracking cookies.
11. Children’s Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12. Data Security and Breach Notification
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of sensitive data at rest
- Access controls limiting who can view your data
- Regular security reviews of our systems
- Data Processing Agreements with all third-party processors
No system is 100% secure. In the event of a data breach:
- We will notify the Turkish Data Protection Authority (KVKK) as soon as possible, and in any case within 72 hours of becoming aware of the breach
- Under GDPR, we will notify the relevant EU/EEA supervisory authority within 72 hours where the breach is likely to result in a risk to your rights
- We will notify you directly and without undue delay if the breach is likely to result in a high risk to your rights and freedoms
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the “Last updated” date at the top of this page. For material changes to how we process your data, we will notify you directly where possible and may request renewed consent where required by law.
14. Contact Us
For questions about this Privacy Policy or to exercise your data protection rights:
Botterfly AI Teknoloji Limited Şirketi
Trading as Mikato
Topçular Mah. Osmangazi Cad. No: 2 İç Kapı No: 18
Eyüpsultan / İstanbul, Turkey
Trade Registry: İstanbul Ticaret Sicili Müdürlüğü, No: 1083384
Tax ID: 1810905136 (Bayrampaşa Vergi Dairesi)
MERSİS: 0181090513600001
Email: hello@mikato.co
Website: mikato.co