Privacy Policy
PRIVACY POLICY
This Privacy Policy explains how personal data is collected, used, stored, shared, and protected in compliance with applicable data protection laws, including the Turkish Law on the Protection of Personal Data No. 6698 (“Personal Data Protection Law” / “PDPL”) and, where relevant, the EU General Data Protection Regulation (“GDPR”).
1. Scope and Purpose
This policy governs the collection, processing, transfer, storage, and protection of personal data of individuals who interact with our services, website, mobile applications, or other channels.
The purpose is to ensure transparency and to inform data subjects of their rights and our obligations regarding the protection of personal data.
2. Data Controller
The organization acting as the data controller undertakes to process personal data in compliance with applicable laws and this policy. No specific company name is included here; however, the data controller assumes full responsibility for implementing this policy.
3. Categories of Personal Data Processed
We may process the following categories of personal data, depending on the services provided and the nature of our interaction:
Identity Information: Name, surname, ID or passport number, date of birth, nationality, gender.
Contact Information: Email address, telephone number, physical address, communication preferences.
Customer Transaction Information: Purchases, orders, payment details, billing history.
Financial Information: Bank account details, IBAN, credit/debit card details (processed securely and, where applicable, tokenized).
Transaction Security Data: IP addresses, log records, device identifiers, login credentials.
Visual and Audio Data: Photographs, video recordings (e.g., CCTV for security), call center voice recordings.
Location Data: GPS or city/country-level location data.
Health Data (with explicit consent or where permitted by law): Medical history, prescriptions, reports.
Special Categories of Data: Health, biometric data, criminal convictions/security measures (where legally permitted and with appropriate safeguards).
4. Legal Basis for Processing Personal Data
Personal data is processed on the following legal grounds:
Explicit consent of the data subject.
Performance of a contract or taking steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation.
Protection of vital interests of the data subject or another person.
Public interest or exercise of official authority (where applicable).
Legitimate interests of the data controller, provided such processing does not harm fundamental rights and freedoms.
For special categories of personal data: Explicit consent, public health, occupational health and safety obligations, or other lawful exceptions under applicable data protection law.
5. Purposes of Processing Personal Data
Personal data may be processed for the following purposes:
Provision of products and services
Management of customer relations
Processing of orders, payments, and deliveries
Responding to inquiries, complaints, or requests
Execution and management of contracts
Ensuring security of services, facilities, and systems
Fraud detection and prevention
Compliance with legal obligations and responding to lawful requests by authorities
Conducting internal audits and investigations
Managing financial and accounting processes
Human resources and employment processes (for employee data)
Marketing activities (based on consent), such as sending newsletters, promotions, and surveys
Analysis for service improvement, personalization, and customer experience enhancement
Website and mobile application management, including use of cookies and similar technologies (with appropriate consent mechanisms)
6. Methods of Data Collection
Personal data may be collected through:
Online forms, website and mobile applications
Email, SMS, and other electronic communications
Telephone calls and call center services
Contracts, orders, and other commercial documents
CCTV and other security systems
Cookies and similar technologies
Social media platforms and integrations
Third-party business partners, suppliers, and service providers
7. Transfers and Sharing of Personal Data
Personal data may be shared with:
Authorized public institutions and regulatory authorities
Courts and enforcement agencies
Business partners and affiliates
Suppliers and service providers (including cloud, hosting, IT support, call centers, payment processors)
Financial institutions and banks
Legal advisors, auditors, and consultants
Third parties involved in mergers, acquisitions, or asset transfers (with appropriate safeguards)
Other parties when required by law or with the data subject’s explicit consent
8. International Transfers of Personal Data
Where personal data is transferred outside the country, such transfers will comply with applicable data protection laws. This may involve:
Transfers to countries deemed to provide adequate protection by the relevant data protection authority
Transfers subject to standard contractual clauses or other legally recognized safeguards
Transfers based on the data subject’s explicit consent
We will take all reasonable steps to ensure that recipients of personal data maintain appropriate security and confidentiality.
9. Retention of Personal Data
Personal data will be retained for:
Periods required by applicable law
As long as necessary to fulfill the purposes outlined in this policy
Relevant statutory limitation periods
At the end of the applicable retention period, personal data will be securely deleted, destroyed, or anonymized in accordance with internal policies and legal requirements.
10. Data Subject Rights
Data subjects have the following rights under applicable data protection laws:
To learn whether personal data is being processed
To request information about such processing
To learn the purposes of processing and whether personal data is used in accordance with those purposes
To know the third parties to whom personal data is transferred domestically or abroad
To request correction of incomplete or inaccurate personal data
To request deletion or destruction of personal data under legal conditions
To request notification of correction, deletion, or destruction to third parties to whom personal data has been transferred
To object to decisions based solely on automated processing
To request compensation for damages arising from unlawful processing
11. Exercising Your Rights
Data subjects may submit requests to exercise their rights in writing or via other methods accepted by the applicable data protection authority. Requests will be evaluated and answered within the legally prescribed timeframe.
Requests should include:
Name and surname
Signature if submitted in writing
Turkish ID number (for Turkish citizens) or passport number/nationality (for foreigners)
Residential or business address for notification
Email address, telephone number, or fax number
The subject and details of the request
Where legally permitted, a fee may be charged based on the applicable tariff set by the relevant authority.
12. Security of Personal Data
We implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. Measures include:
Access controls and authorization management
Encryption and secure storage
Secure transmission protocols
Monitoring and logging
Employee training and confidentiality obligations
Incident response and breach notification procedures
13. Updates to This Policy
This Privacy Policy may be updated to reflect changes in legal requirements, business practices, or technology. Any updates will be made available through appropriate channels. Data subjects are encouraged to review the policy periodically.