Privacy Policy (Turkish KVKK) | Official Zimmet Takip Contract

Last Updated: May 2026

1. Data Controller

The data controller within the scope of this Privacy Policy is: Ragıp Aziz Şentürk (“Data Controller”)
Email: info@zimmettakip.com
Address: Istanbul, Türkiye

2. Scope and Data Subject Groups

This policy applies to the following groups of individuals:

(a) Website visitors, (b) Users who create an account, (c) Contract/payment/communication representatives of the customer company, (d) End Users of the customer company (employees/representatives), (e) Individuals submitting support requests, (f) Individuals for whom asset assignment forms are created.

3. Important Role Distinction: Who is the Data Controller for Customer Data?

For “Customer Data” entered or uploaded to the Service by the customer company (e.g., asset assignment records, employee assignments, asset information, delivery records), in most cases:

The customer company acts as the data controller, while the Provider processes the data on behalf of the customer as a data processor. The determination of roles depends on who decides the purposes and means of processing personal data.

Therefore, End Users of the customer company should primarily direct their requests and rights under the Turkish Personal Data Protection Law (KVKK) to their own employer or the relevant corporate data controller.

4. Categories of Personal Data Processed

The following categories of personal data may be processed during the use of the Service:

4.1. Identity and contact information: identification number, full name, corporate/personal email address, employment start/end dates.

4.2. Customer/corporate account information: company name, authorized person details, subscription plan, user roles.

4.3. Usage and transaction security: IP address, login/logout timestamps, session records, device/browser information, error logs.

4.4. Financial transactions: invoice details (company title/tax information, address), payment status, transaction records.

4.5. Support records: support requests and message contents, attached files (if any).

4.6. Customer Data (processed as data processor): asset assignment records, personnel assignment/delivery records, internal audit reports, attached documents (if uploaded by the Customer).

Note: Processing or uploading special categories of personal data (KVKK Art. 6) is not intended within the Service. Customers should avoid uploading such data.

5. Purposes of Processing Personal Data

Your personal data may be processed for the following purposes:

(a) Creating memberships, identity verification, user management, and provision of the Service,

(b) Customer account/subscription management, billing, and payment processes,

(d) Information security processes, ensuring system security, and preventing misuse,

(e) Compliance with legal obligations (request/complaint management, requests from authorities),

(f) Dispute management and the establishment, exercise, or protection of legal rights.

6. Legal Grounds

Under Article 5 of the Turkish Personal Data Protection Law (KVKK), personal data may be processed based on the following legal grounds depending on the nature of the processing activity:

(a) Processing is necessary for the establishment or performance of a contract (membership/subscription),

(b) Processing is necessary for the data controller to fulfill its legal obligations (accounting/transactions),

(d) Legitimate interests of the data controller (such as information security), provided that the fundamental rights and freedoms of the data subject are not harmed.

In cases where marketing or analytics cookies (e.g., Google Analytics, Yandex Metrica) are used, explicit consent may be obtained where required (see Cookie Policy).

7. Transfer of Personal Data and Recipient Groups

Your personal data may be transferred to the following recipient groups limited to the purposes stated above:

(a) Payment service providers (for subscription/payment processing),

(b) Hosting, infrastructure, email, and notification service providers (for providing the Service),

(d) Legal advisors or auditors (when necessary for dispute resolution and protection of rights).

Subprocessor list: Hosting service provider (Natro – Çizgi Telekomünikasyon A.Ş.), email service provider (Brevo – EU-based). Appropriate contractual confidentiality and data protection obligations are established with subprocessors.

8. International Data Transfers

By default, your personal data is not transferred abroad. However, if the use of foreign-based service providers becomes necessary for the Service infrastructure, appropriate transfer mechanisms under Article 9 of the KVKK (such as standard contractual clauses) will be implemented and the required notifications will be made. According to the authority’s guidance, such standard agreements must be notified to the Authority within 5 business days after signing.

9. Data Retention Periods

9.1. Transaction security (log) records: generally retained for a maximum of 90 days.

9.2. Subscription/account data: retained during the contractual relationship and afterward for the duration required for potential disputes or legal obligations.

9.3. Invoice and financial records: retained for the period required by applicable legislation.

9.4. Customer Data: returned or deleted upon termination of the contract in accordance with the DPA and the Customer’s instructions.

Important note (Law No. 5651): If the Service activity is evaluated as “hosting provider services” under Law No. 5651, traffic data retention periods may range between 1–2 years. In such cases, the log retention policy may be updated accordingly.

10. Data Security

The Data Controller is responsible for implementing necessary technical and administrative measures under Article 12 of the KVKK. Further details are explained in the Security Policy and the annexes of the Data Processing Agreement (DPA).

11. Personal Data Breach Notification

If personal data is obtained by unlawful means, the data controller will notify the relevant individuals and the Data Protection Authority as soon as possible. According to Decision No. 2019/10 of the Turkish Data Protection Board, a 72-hour approach is applied for notifications to the Authority. Data processors must notify the data controller without delay.

12. Your Rights Under the KVKK and Application Method

Under Article 11 of the KVKK, you have the right to learn whether your personal data is processed, request correction, request deletion or destruction, learn the third parties to whom your data has been transferred, and other related rights.

Application: Pursuant to Article 13 of the KVKK, you may submit your requests in writing or through other methods determined by the Authority. The data controller will respond within 30 days.

Application channel: info@zimmettakip.com (Subject: “KVKK Request”)

Additional information may be requested for identity verification.

Applications are free of charge; however, if the process requires additional costs, a fee may be charged according to the tariff determined by the Turkish Data Protection Authority.