GDPR / KVKK Compliance
SetGet provides built-in tools to help you comply with the European Union's General Data Protection Regulation (GDPR) and Turkey's Kisisel Verilerin Korunmasi Kanunu (KVKK). The GDPR / KVKK page in the Admin Panel lets you configure data retention policies, process data subject requests, manage consent, and maintain processing records.
Navigate to Admin Panel > GDPR / KVKK or go directly to /backoffice/settings/gdpr.
WARNING
This documentation describes SetGet's compliance tools. It does not constitute legal advice. Consult a qualified data protection officer or legal counsel to ensure your specific deployment meets regulatory requirements.
Data retention policies
Data retention policies control how long SetGet keeps different types of data before automatic deletion.
| Data type | Description | Default retention | Configurable |
|---|---|---|---|
| Audit logs | Administrative action records | 365 days | Yes |
| Login logs | Authentication attempt records | 180 days | Yes |
| Deleted user data | Soft-deleted user accounts and associated data | 30 days | Yes |
| Deleted workspace data | Soft-deleted workspaces | 30 days | Yes |
| Session data | Expired session records | 7 days | Yes |
| Activity logs | Work item and project activity | Indefinite | Yes |
| Chat messages | Messages in workspace channels | Indefinite | Yes |
| Notification history | Past notifications | 90 days | Yes |
| File uploads | Orphaned files (not referenced by any entity) | 30 days | Yes |
Configuring retention
- Navigate to Admin Panel > GDPR / KVKK > Data Retention.
- For each data type, set the retention period in days (0 = keep indefinitely).
- Click Save.
- SetGet runs a nightly cleanup job that deletes data exceeding the configured retention period.
TIP
Start with conservative (longer) retention periods and shorten them over time as you understand your operational needs. Shortened retention periods take effect on the next cleanup run.
User data export
Under GDPR Article 20 and KVKK Article 11, users have the right to receive a copy of their personal data in a portable format.
Processing an export request
- Navigate to Admin Panel > GDPR / KVKK > Data Requests.
- Click New Export Request.
- Select the user by email or display name.
- Choose the data categories to include:
| Category | Contents |
|---|---|
| Profile data | Name, email, avatar, timezone, preferences |
| Workspace memberships | Workspaces, roles, join dates |
| Work items | Issues created or assigned to the user |
| Comments | All comments authored by the user |
| Pages | Pages created or edited by the user |
| Activity | Activity log entries for the user |
| Chat messages | Messages sent by the user |
| Uploads | Files uploaded by the user |
| Login history | Authentication events for the user |
- Click Generate Export.
- SetGet compiles the data into a JSON archive (ZIP format).
- When ready, the export appears in the request list with a download link.
- Download and provide the archive to the user.
WARNING
Export archives may contain sensitive data. Handle them with the same security precautions as any personal data. Download links expire after 24 hours.
User data deletion
Under GDPR Article 17 (right to be forgotten) and KVKK Article 7, users can request deletion of their personal data.
Processing a deletion request
- Navigate to Admin Panel > GDPR / KVKK > Data Requests.
- Click New Deletion Request.
- Select the user.
- Review the data that will be deleted:
| Action | Description |
|---|---|
| Profile deletion | User's name, email, and avatar are removed |
| Content anonymization | Work items, comments, and pages are attributed to "Deleted User" |
| Chat message deletion | All chat messages by the user are deleted |
| Upload deletion | All files uploaded by the user are deleted from storage |
| Session termination | All active sessions are invalidated |
| Login history purge | All login records for the user are deleted |
- Click Execute Deletion.
- Confirm the action in the dialog.
- SetGet processes the deletion and logs it in the audit trail.
WARNING
Data deletion is irreversible. Once executed, the user's personal data cannot be recovered. The audit log records that a deletion occurred (who requested it, when, which user) but does not store the deleted data.
Anonymization vs. full deletion
SetGet uses a combination approach:
- Personal identifiers (name, email, avatar) are fully deleted.
- Authored content (work items, comments, pages) is anonymized — the content remains but attribution changes to "Deleted User."
- Private data (chat messages, uploads, login history) is fully deleted.
This preserves workspace integrity (work item history remains intact) while removing all personal identifiers.
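The combination approach above, sketched as an added example on a constructed SQLite schema; it is not SetGet's code or data model. The table names, the `GHOST` placeholder account and the `erase_user` function are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timezone

GHOST = 0  # assumed id of a shared placeholder account shown as "Deleted User"
# Fixed (table, owner column) pairs holding private data; constants, never user input.
PRIVATE = (("chat_messages", "sender_id"), ("login_history", "user_id"),
           ("sessions", "user_id"), ("uploads", "owner_id"))
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT, avatar TEXT);
CREATE TABLE comments(id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT);
CREATE TABLE chat_messages(id INTEGER PRIMARY KEY, sender_id INTEGER, body TEXT);
CREATE TABLE login_history(id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT);
CREATE TABLE sessions(id INTEGER PRIMARY KEY, user_id INTEGER);
CREATE TABLE uploads(id INTEGER PRIMARY KEY, owner_id INTEGER, path TEXT);
CREATE TABLE audit_log(action TEXT, target_user_id INTEGER, requested_by INTEGER, at TEXT);
INSERT INTO users VALUES (0, 'Deleted User', NULL, NULL);
"""

def erase_user(conn, user_id, requested_by):
    """Erase one user atomically; return storage paths the caller must remove."""
    if user_id == GHOST:
        raise ValueError("the placeholder account cannot be erased")
    with conn:  # one transaction: commit on success, roll back on any error
        if conn.execute("DELETE FROM users WHERE id=?", (user_id,)).rowcount != 1:
            raise LookupError(f"no user {user_id}")
        # Authored content stays; only its attribution moves to the placeholder.
        conn.execute("UPDATE comments SET author_id=? WHERE author_id=?", (GHOST, user_id))
        paths = [p for (p,) in conn.execute(
            "SELECT path FROM uploads WHERE owner_id=?", (user_id,))]
        for table, col in PRIVATE:
            conn.execute(f"DELETE FROM {table} WHERE {col}=?", (user_id,))
        # The audit row keeps who, when and which user id, none of the deleted data.
        conn.execute("INSERT INTO audit_log VALUES ('user_erasure', ?, ?, ?)",
                     (user_id, requested_by, datetime.now(timezone.utc).isoformat()))
    return paths

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
        -- Constructed sample rows: admin (id 1) and the user to erase (id 2).
        INSERT INTO users VALUES (1, 'Admin', 'admin@example.test', NULL),
                                 (2, 'Sample User', 'user2@example.test', 'a.png');
        INSERT INTO comments VALUES (1, 2, 'Fixed in build 12');
        INSERT INTO chat_messages VALUES (1, 2, 'hello');
        INSERT INTO login_history VALUES (1, 2, '192.0.2.10');
        INSERT INTO sessions VALUES (1, 2);
        INSERT INTO uploads VALUES (1, 2, 'uploads/2/report.pdf');
    """)
    return conn, erase_user(conn, 2, requested_by=1)
```

The returned paths are meant to be removed from file storage only after the transaction commits, so a failed erasure never leaves upload rows pointing at files that are already gone.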
Right to be forgotten
The right to be forgotten workflow combines data deletion with additional steps:
- Data deletion — As described above.
- Search index removal — The user's name and email are removed from all search indexes.
- Backup exclusion — Deleted user data is flagged for exclusion from future backup restorations.
- Third-party notification — If data was shared with integrations, the admin is notified to request deletion from those services.
Consent management
SetGet tracks user consent for different processing purposes.
| Consent type | Description | Required |
|---|---|---|
| Terms of service | Agreement to platform terms | Yes (at sign-up) |
| Privacy policy | Acknowledgment of data processing practices | Yes (at sign-up) |
| Email notifications | Consent to receive email notifications | Yes (at sign-up, can opt out) |
| Marketing communications | Consent to receive marketing emails | No (opt-in only) |
| Analytics / telemetry | Consent to anonymous usage analytics | No (opt-in only) |
Consent configuration
- Navigate to Admin Panel > GDPR / KVKK > Consent Management.
- For each consent type, configure:
| Setting | Description |
|---|---|
| Enabled | Whether this consent type is collected |
| Required | Whether the user must consent to use the platform |
| Consent text | The text shown to the user |
| Policy URL | Link to the full policy document |
- Click Save.
When consent requirements change, users are prompted to review and accept the updated terms at their next login.
Data processing records
GDPR Article 30 requires organizations to maintain records of processing activities. SetGet provides a structured template.
Processing record fields
| Field | Description |
|---|---|
| Processing activity | Name of the data processing activity |
| Purpose | Why the data is processed |
| Legal basis | Lawful basis (consent, contract, legitimate interest, etc.) |
| Data categories | Types of personal data processed |
| Data subjects | Categories of individuals (users, guests, contacts) |
| Recipients | Who the data is shared with |
| Retention period | How long the data is kept |
| Security measures | Technical and organizational measures in place |
Managing processing records
- Navigate to Admin Panel > GDPR / KVKK > Processing Records.
- Click Add Record to create a new processing activity record.
- Fill in all required fields.
- Click Save.
- Records can be exported as PDF or CSV for supervisory authority requests.
TIP
Pre-populate processing records based on SetGet's default data flows (user registration, workspace creation, file uploads, etc.), then customize for your specific integrations and workflows.
Compliance dashboard
The GDPR / KVKK section includes a compliance dashboard summarizing:
| Metric | Description |
|---|---|
| Pending export requests | Number of unprocessed data export requests |
| Pending deletion requests | Number of unprocessed data deletion requests |
| Consent coverage | Percentage of users who have accepted current terms |
| Data retention health | Whether cleanup jobs are running on schedule |
| Processing records | Number of documented processing activities |
Related pages
- Admin Panel Overview — Navigate the Admin Panel
- User Management — Delete or deactivate user accounts
- Audit Logs — Track compliance-related actions
- Security Settings — Data protection measures
- Email Templates — Consent and privacy-related email content