AssetUno Privacy Policy
Global privacy notice covering GDPR, UK GDPR, KVKK and Brazil LGPD considerations
| Effective Date | 25 June 2026 |
| Product | AssetUno |
| Website | https://www.assetuno.com |
| Privacy Contact | privacy@assetuno.com |
| Support Contact | info@assetuno.com |
| Document Status | Draft for legal review |
Important legal note: This document is a business draft intended to align AssetUno privacy language with the AssetUno End User License Agreement and Subscription Terms. It should be reviewed by qualified legal counsel before publication or customer use.
1. Introduction
This Privacy Policy explains how MOS Bilisim Danismanlik Sanayi ve Ticaret Ltd. Sti., operating under the commercial name MOS Academy (“MOS Academy”, “we”, “us” or “our”), collects, uses, stores, protects, transfers and shares personal data and technical information in connection with AssetUno.
This Privacy Policy applies to the AssetUno website, online purchases, trials, pilots, proof-of-concept use, paid subscriptions, account creation, support, onboarding, professional services, managed service environments, demo environments, on-premise deployments and customer-controlled cloud deployments.
This Privacy Policy should be read together with the AssetUno End User License Agreement and Subscription Terms, the applicable Order, any Data Processing Agreement, service-specific terms and any cookie notice made available by MOS Academy.
2. Who We Are
For personal data processed through the AssetUno website, checkout, billing, customer relationship, account management, support, direct communications and similar business operations, the data controller is:
MOS Bilisim Danismanlik Sanayi ve Ticaret Ltd. Sti.
FSM Mah. Poligon Cad. No:8 Buyaka Is Merkezi, Kule:3 D:1 Istanbul, Turkiye
Tax Number: 6220813576
Privacy Email: privacy@assetuno.com
Support Email: info@assetuno.com
Where AssetUno is used by a Customer in the Customer’s own environment, the Customer may act as the data controller or equivalent role under applicable data protection laws. In such cases, MOS Academy may act as a processor, service provider or operator only where MOS Academy processes personal data on behalf of the Customer.
Where required by applicable law, the parties may enter into a separate Data Processing Agreement.
3. Applicable Data Protection Laws
Depending on where the Customer, users or data subjects are located, this Privacy Policy is intended to support compliance with applicable data protection laws, including:
- the EU General Data Protection Regulation (GDPR);
- the United Kingdom General Data Protection Regulation (UK GDPR);
- the UK Data Protection Act 2018;
- Turkiye Personal Data Protection Law No. 6698 (KVKK);
- Brazil Lei Geral de Protecao de Dados (LGPD);
- other applicable privacy, data protection, electronic communications and consumer protection laws.
If a local mandatory law gives individuals stronger rights than this Privacy Policy, that mandatory law will apply.
4. What AssetUno Does
AssetUno is designed to help organizations discover, classify and manage hidden digital assets such as digital certificates, commercial fonts, unmanaged DLLs, software components, technical metadata related to scanned systems and related inventory and risk intelligence.
AssetUno is primarily designed to process technical metadata and digital asset intelligence, not business user content.
Unless expressly enabled, provided by the Customer or required for support, AssetUno is not intended to collect or store full business document contents, source code contents, private keys, passwords or unrelated user content.
5. Deployment Models and Data Handling
5.1 On-premise or self-hosted deployment
Where AssetUno is installed in the Customer’s own environment, the Customer is responsible for infrastructure security, operating system security, database security, network security, access controls, backups, scan scope, credential management, user management and retention configuration.
In this model, MOS Academy does not normally access Customer Data unless the Customer provides access for support, onboarding, troubleshooting or professional services.
5.2 Customer-controlled cloud deployment
Where AssetUno is deployed in a cloud environment controlled by the Customer, the Customer remains responsible for the cloud environment, access controls, backups, network configuration and security settings unless otherwise agreed in writing.
5.3 Managed service provided by MOS Academy
Where AssetUno is provided as a service operated by MOS Academy or its authorized service provider, MOS Academy may process Customer Data as necessary to provide, secure, monitor, support and maintain the service. Additional managed service terms, security terms or a Data Processing Agreement may apply.
5.4 Demo and evaluation environments
For demo, pilot or evaluation purposes, MOS Academy may create a dedicated demo environment or temporary workspace for the Customer. Data processed in demo environments should be limited to the minimum necessary for evaluation. Customers should avoid uploading production data, confidential data, sensitive personal data, private keys, passwords or unnecessary business content into demo environments unless expressly agreed and protected by appropriate safeguards.
6. Types of Data We May Process
6.1 Account and contact data
- name;
- business email address;
- company name;
- job title;
- phone number;
- billing contact details;
- support contact details;
- account login information;
- communication preferences.
6.2 Billing and commercial data
- subscription plan;
- purchased modules;
- purchased capacity;
- order forms;
- quotations;
- invoices;
- payment status;
- tax information;
- renewal status;
- billing history.
Payment card data may be processed by third-party payment processors. MOS Academy does not intend to store full payment card numbers unless expressly stated by the relevant payment provider or required for a specific payment process.
6.3 Product usage and license data
- license key;
- subscription status;
- activation data;
- purchased capacity;
- number of Managed Certificates;
- number of Scanned Assets;
- enabled modules;
- product version;
- deployment model;
- system status;
- user access logs;
- product error logs;
- feature usage data.
6.4 Technical metadata and scan results
- certificate metadata;
- certificate expiry dates;
- certificate issuer and subject information;
- certificate location;
- font names and related metadata;
- DLL or component names;
- component version information;
- file paths;
- hostnames;
- server names;
- endpoint identifiers;
- application server identifiers;
- repository or file share references;
- scan timestamps;
- scan results;
- inventory records;
- configuration data.
6.5 Support and communication data
- support tickets;
- emails;
- meeting notes;
- troubleshooting logs;
- screenshots provided by Customer;
- technical diagnostics;
- onboarding information;
- configuration details shared by Customer.
6.6 Website, cookie and analytics data
- IP address;
- browser type;
- device information;
- pages visited;
- referral source;
- session data;
- cookie identifiers;
- analytics data.
If non-essential cookies, marketing cookies or analytics tools are used, additional cookie notice and consent controls may be required.
7. WordPress, Website Content, Comments and Media
The AssetUno website may be operated using WordPress or similar website infrastructure. Some WordPress features may collect personal data depending on which functions are enabled.
7.1 Comments
If comments are enabled and visitors leave comments on the website, we may collect the data shown in the comments form, the visitor’s IP address and browser user agent string to help spam detection. Visitor comments may be checked through an automated spam detection service.
An anonymized string created from an email address, also called a hash, may be provided to the Gravatar service to determine whether the visitor uses that service. After approval of a comment, the visitor’s profile picture may be visible to the public in the context of the comment.
7.2 Media uploads
If users upload images to the website, they should avoid uploading images with embedded location data, including EXIF GPS data. Visitors to the website may be able to download and extract location data from uploaded images.
7.3 Website cookies
If comments are enabled, visitors who leave a comment may choose to save their name, email address and website in cookies for convenience. These cookies may last for one year.
If a visitor accesses a login page, the website may set a temporary cookie to determine whether the browser accepts cookies. This cookie contains no personal data and is discarded when the browser is closed.
When users log in, the website may set cookies to save login information and screen display choices. Login cookies may last for two days, screen options cookies may last for one year and persistent login cookies may last for two weeks if the user selects a remember option. If the user logs out, login cookies are removed.
If a user edits or publishes an article, an additional cookie may be saved in the browser. This cookie contains no personal data and only indicates the post ID of the edited article. It may expire after one day.
7.4 Embedded content from other websites
Articles or pages on the website may include embedded content, such as videos, images or articles. Embedded content from other websites behaves as if the visitor has visited the other website directly. These third-party websites may collect data, use cookies, embed third-party tracking and monitor interaction with the embedded content, including where the visitor has an account and is logged in to that third-party website.
7.5 Password resets and registered website users
If a user requests a password reset, the user’s IP address may be included in the reset email. For users who register on the website, if registration is enabled, we may store the personal information provided in the user profile. Registered users may be able to see, edit or delete certain personal information at any time, except where the system does not allow changes such as username changes. Website administrators may also see and edit that information.
8. Data We Do Not Intentionally Request
- special categories of personal data;
- health data;
- biometric data;
- political opinions;
- religious beliefs;
- trade union membership;
- criminal conviction data;
- private user communications;
- personal financial data unrelated to billing;
- customer passwords;
- private cryptographic keys.
Customers must not submit such data to AssetUno unless it is legally permitted, protected by appropriate safeguards and expressly agreed where required.
9. Purposes and Legal Bases of Processing
| Purpose | Data Categories | Legal Basis |
| Providing AssetUno and related services | Account, license, product usage, technical metadata | Contract performance, legitimate interests |
| Creating and managing customer accounts | Account and contact data | Contract performance, legitimate interests |
| Billing, invoicing and payment processing | Billing and commercial data | Contract performance, legal obligation |
| Subscription renewal and license management | Billing, license and usage data | Contract performance, legitimate interests |
| Support and troubleshooting | Support data, technical logs, configuration data | Contract performance, legitimate interests |
| Onboarding and professional services | Account, technical and support data | Contract performance |
| Product security and fraud prevention | Logs, usage, access and security data | Legitimate interests, legal obligation |
| Product improvement | Usage data, diagnostics and aggregated data | Legitimate interests |
| Legal and regulatory compliance | Billing, commercial, communication and account data | Legal obligation |
| Marketing communications | Contact data and communication preferences | Consent or legitimate interests, depending on applicable law |
| Cookies and analytics | Website, cookie and analytics data | Consent where required, legitimate interests where permitted |
Where we rely on consent, the individual may withdraw consent at any time. Withdrawal does not affect processing carried out before withdrawal.
10. AI Providers and Third-Party Services
AssetUno may allow the Customer to use cloud, local or custom AI providers, including services such as OpenAI, Azure OpenAI, AWS Bedrock, Ollama, local models or other AI endpoints.
Where the Customer selects, configures or connects a third-party AI provider, the Customer is responsible for ensuring that the selected provider is approved under the Customer’s internal policies, reviewing the provider’s privacy and security terms, determining whether Customer Data may be sent to that provider, configuring the integration appropriately and complying with applicable laws and third-party terms.
MOS Academy does not control third-party AI providers selected by the Customer unless expressly agreed in writing or provided as part of a managed service operated by MOS Academy.
MOS Academy is not responsible for third-party AI output, third-party model behavior, third-party service availability, third-party data handling or third-party security incidents unless expressly agreed in writing.
11. Sharing of Data
We may share data with the following categories of recipients where necessary:
- hosting providers;
- payment processors;
- email and communication providers;
- support and ticketing providers;
- analytics providers;
- professional advisors;
- auditors;
- legal or regulatory authorities;
- service providers assisting with AssetUno operations;
- affiliates or successors in connection with a merger, acquisition, restructuring or sale of assets.
We do not sell Customer Data. We do not permit service providers to use Customer Data for their own independent purposes except where legally permitted or separately agreed.
12. International Data Transfers
Because MOS Academy is based in Turkiye and may use service providers located in other countries, personal data may be transferred to, stored in or accessed from countries outside the country where the relevant individual or Customer is located.
Where required, we use appropriate safeguards for international transfers, which may include standard contractual clauses, data processing agreements, adequacy decisions where applicable, contractual safeguards, technical and organizational security measures and Customer instructions for Customer-controlled deployments.
For EU and UK data, international transfers may require safeguards under GDPR or UK GDPR. For Turkiye data, international transfers may require compliance with KVKK requirements. For Brazil data, international transfers may require compliance with LGPD transfer mechanisms and ANPD rules.
13. Security
MOS Academy uses commercially reasonable technical and organizational measures to protect personal data processed by MOS Academy in connection with AssetUno.
These measures may include access controls, authentication controls, encryption in transit, environment separation, logging and monitoring, backup controls, vulnerability management, administrative access restrictions, confidentiality obligations and least privilege access principles.
Customer remains responsible for securing its own systems, credentials, networks, users, backups and deployment environment, especially for on-premise, self-hosted and customer-controlled cloud deployments.
14. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Type | Indicative Retention |
| Account and contact data | During the customer relationship and for a reasonable period after termination |
| Billing and invoice data | As required by tax and accounting laws |
| Support tickets | For support history, dispute resolution and quality control |
| License and usage data | During the subscription and for a reasonable audit or compliance period |
| Website analytics | According to analytics and cookie settings |
| Comments and comment metadata, if enabled | May be retained indefinitely to recognize and approve follow-up comments automatically, unless deletion is requested and legally permitted |
| Registered website user profile data, if enabled | For as long as the account remains active or as required for legal, administrative or security purposes |
| Customer Data in managed service or demo environments | As agreed in the Order, DPA, managed service terms or demo terms |
| Customer Data in on-premise deployment | Controlled by Customer |
Customer is responsible for exporting required Customer Data before expiration or termination where applicable.
15. Individual Rights
Depending on the applicable law, individuals may have rights regarding their personal data, including rights to be informed, access data, correct data, request deletion, restrict processing, object, request portability, withdraw consent, request information about international transfers and complain to a supervisory authority.
Requests may be sent to privacy@assetuno.com. We may need to verify identity before responding. Where we process data on behalf of a Customer, we may refer the request to the relevant Customer.
16. GDPR and EU Specific Rights
For individuals located in the European Economic Area, GDPR may provide rights including access, rectification, erasure, restriction of processing, objection, portability, withdrawal of consent and complaint to a supervisory authority.
Where required, MOS Academy or the Customer may need to identify an EU representative or Data Protection Officer depending on the nature and scale of processing.
17. UK GDPR Specific Rights
For individuals located in the United Kingdom, UK GDPR and the UK Data Protection Act 2018 may provide rights similar to GDPR, including the right to be informed, access, rectification, erasure, restriction, portability, objection and rights related to automated decision-making.
Individuals may also have the right to complain to the UK Information Commissioner’s Office. Where required, MOS Academy or the Customer may need to identify a UK representative depending on the nature of processing.
18. KVKK Specific Rights for Turkiye
For individuals located in Turkiye, KVKK may provide the right to learn whether personal data is processed, request information if personal data has been processed, learn the purpose of processing, know third parties to whom data has been transferred domestically or abroad, request correction of incomplete or inaccurate data, request deletion or destruction under applicable conditions, request notification of correction, deletion or destruction to third parties, object to results arising from analysis exclusively by automated systems and claim compensation for damages caused by unlawful processing.
KVKK requests may be submitted to privacy@assetuno.com or to the company address stated in this Privacy Policy.
19. Brazil LGPD Specific Rights
For individuals located in Brazil, LGPD may provide the right to request confirmation of processing, access, correction, anonymization, blocking or deletion of unnecessary, excessive or unlawfully processed data, portability, deletion of data processed based on consent, information about sharing, information about consent choices, withdrawal of consent, review of certain decisions made solely on the basis of automated processing and complaint to the Brazilian National Data Protection Authority, ANPD.
Where required, MOS Academy or the Customer may identify an Encarregado or Data Protection Officer for LGPD-related matters. LGPD requests may be sent to privacy@assetuno.com.
20. Automated Decision-Making
AssetUno may provide discovery, classification, reporting, risk scoring, analytics or intelligence outputs based on technical metadata. AssetUno does not make legally binding decisions about individuals.
Customer is responsible for reviewing AssetUno outputs before making legal, employment, procurement, compliance, security or operational decisions. If automated decision-making subject to GDPR, UK GDPR, KVKK, LGPD or other applicable law is introduced, additional notices and safeguards may be required.
21. Marketing Communications
We may send product, service, renewal, event or commercial communications to business contacts where permitted by law. Users may opt out of marketing communications by using the unsubscribe link or contacting privacy@assetuno.com.
Service, security, billing, legal and transactional communications may still be sent where necessary.
22. Cookies
The AssetUno website may use cookies and similar technologies for website functionality, login sessions, security, analytics, performance measurement, user preferences and marketing if enabled.
Non-essential cookies may require consent depending on applicable law. A separate Cookie Policy or cookie banner may be used to provide additional information and consent choices.
23. Children’s Data
AssetUno is a business software product and is not intended for use by children. We do not knowingly collect personal data from children through AssetUno. If we become aware that a child’s personal data has been collected without appropriate authorization, we will take reasonable steps to delete it.
24. Customer Responsibilities
- ensuring that it has a lawful basis to scan systems and process Customer Data;
- informing its users, employees, contractors and administrators where required;
- configuring scan scope responsibly;
- avoiding submission of unnecessary personal data;
- securing credentials and access rights;
- managing role-based access;
- complying with applicable data protection laws;
- responding to data subject requests where Customer is the controller;
- ensuring that AI providers and third-party integrations comply with Customer policies and applicable laws.
Customer must not use AssetUno to scan systems, networks, devices, repositories or data that Customer is not authorized to scan.
25. Data Processing Agreement
Where MOS Academy processes personal data on behalf of Customer, the parties may enter into a Data Processing Agreement. The Data Processing Agreement may cover processing instructions, processor obligations, confidentiality, security measures, sub-processors, data subject requests, breach notification, audits, return or deletion of data, international transfers and jurisdiction-specific requirements under GDPR, UK GDPR, KVKK or LGPD.
26. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes may be notified through the website, customer portal, email, account notice or other reasonable means. The latest version will be available at https://www.assetuno.com or another location notified by MOS Academy.
27. Contact
For privacy, data protection or data subject rights requests, contact:
MOS Bilisim Danismanlik Sanayi ve Ticaret Ltd. Sti.
FSM Mah. Poligon Cad. No:8 Buyaka Is Merkezi, Kule:3 D:1 Istanbul, Turkiye
Privacy Email: privacy@assetuno.com
For support-related requests, contact: info@assetuno.com