KVKK Disclosure

1. Data Controller

This disclosure is provided for English-speaking visitors in accordance with the transparency obligations under the Law on the Protection of Personal Data No. 6698 (“KVKK”) of the Republic of Turkey. Although this text is in English, KVKK is the governing statute for our processing activities because D'Cloud Software & Digital Agency (“Company”) is established in Mersin, Turkey.

For the purposes of the KVKK, the data controller is the Company, which determines the purposes and means of processing personal data collected through this website and related business activities. The Company serves clients across three continents (including Turkey, Europe, and the Middle East) and communicates in four languages; however, the location of the data controller in Turkey means Turkish personal data protection law applies to the processing described herein.

If you interact with us only as a website visitor or prospective client, the Company remains responsible for ensuring that processing complies with KVKK, including providing this disclosure (“aydınlatma”) where personal data are obtained.

2. Purpose of Processing Personal Data

Personal data are processed for specific, explicit, and legitimate purposes tied to our business as a software and digital agency. These purposes include managing communications initiated through our website, performing contracts where a client relationship exists, and maintaining the security and reliability of our information systems.

We also process data where necessary to comply with legal obligations, to establish or defend legal claims, and to improve our services through analytics, provided such processing is compatible with the original purpose and permitted under KVKK. We do not process personal data for purposes that are incompatible with those communicated to you without an additional legal basis or, where required, your explicit consent.

Retention periods are determined based on the purpose of processing, statutory retention requirements, and our legitimate need to keep limited records for dispute resolution and audit purposes.

• Responding to requests: Evaluating and answering inquiries submitted via contact forms or email.
• Client and project management: Delivering digital and software-related services and managing ongoing relationships.
• Legal compliance: Fulfilling tax, accounting, corporate, and regulatory obligations.
• Security and improvement: Operating information security processes, monitoring for abuse, and analyzing website usage to improve user experience across regions and languages.

3. Personal Data Processed

The categories of personal data we process depend on your interaction with us. Not every category will apply to every visitor. We aim to minimize data collection and to process only what is adequate, relevant, and limited to what is necessary for the stated purposes.

Special categories of personal data (“sensitive” data under KVKK) are not routinely collected through our website. If you voluntarily include such information in a free-text message, we will treat it in accordance with Article 6 of the KVKK and applicable secondary legislation, including stricter conditions where required.

• Identity data: Name, surname, and title or role where provided.
• Contact data: Email address, telephone number, postal or business address if supplied.
• Transaction security data: IP address, cookie identifiers, log records, browser and device information, and similar technical metadata.
• Communication content: Text of messages and attachments you send through our forms or email.

4. Method of Collection and Legal Basis

Personal data are collected through partly automated and partly manual means, primarily via electronic channels such as our website’s contact forms, cookies, and server logs. Data may also be collected during email correspondence or through client onboarding processes where a contractual relationship is formed.

Under Article 5 of the KVKK, processing is lawful only when at least one of the statutory conditions is met. Depending on the situation, we may rely on your explicit consent, the necessity of processing for the performance or conclusion of a contract, our legitimate interests (where not overridden by your fundamental rights), or compliance with a legal obligation.

Where consent is the basis for certain cookies or marketing activities, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. We document consent where required and provide clear withdrawal mechanisms.

• Explicit consent: Where required for specific processing, such as certain optional communications or non-essential cookies.
• Contract: Processing necessary to respond to your request or to perform a contract to which you are a party.
• Legitimate interests: For example, network security, fraud prevention, and limited analytics, balanced against your rights.
• Legal obligation: Where we must retain or disclose data to comply with applicable laws or competent authority requests.

5. Transfer of Personal Data

Personal data may be transferred to third parties only when permitted under Articles 8 and 9 of the KVKK. Transfers within Turkey may be made to service providers acting as processors, to professional advisers, or to public institutions when legally required. Transfers abroad require adequate protection or other mechanisms recognized under Turkish law, including the Board’s decisions on adequate countries or appropriate safeguards such as standard contractual clauses where applicable.

Because we work with international clients and cloud or analytics vendors, some recipients may be located outside Turkey. In such cases, we assess the transfer and implement required measures under KVKK before the transfer occurs or continues.

We do not authorize recipients to use your personal data for their own unrelated marketing purposes. Processors are bound by instructions and confidentiality obligations appropriate to the nature of the services.

• Domestic transfers: To hosting providers, IT vendors, and other suppliers supporting our operations in Turkey.
• International transfers: To subprocessors or platforms located abroad, subject to KVKK Chapter 9 and related Board decisions.
• Legal and regulatory recipients: To courts, regulators, or law enforcement when a valid legal basis exists.

6. Rights of the Data Subject

Article 11 of the KVKK grants data subjects a comprehensive set of rights regarding personal data processed by the data controller. These rights include obtaining information, requesting correction or deletion in prescribed circumstances, learning about third-party recipients, and objecting to certain automated outcomes, among others.

Exercising your rights is free of charge in principle, unless the request is manifestly unfounded or repetitive, in which case a reasonable fee may be charged or the request refused in line with Board guidance. We may ask you to verify your identity to prevent unauthorized disclosure or changes to personal data.

If you believe your rights have been violated, you may lodge a complaint with the Turkish Personal Data Protection Board. This English summary does not replace the official text of Article 11; we provide it to assist international visitors in understanding the framework.

• Information: Learn whether your personal data are processed and request related information.
• Purpose and proportionality: Learn the purpose of processing and whether data are used accordingly.
• Recipients: Know third parties to whom data are transferred domestically or internationally.
• Correction and deletion: Request correction of inaccurate data and deletion or destruction where Article 7 conditions are met.
• Notification: Request that third parties who received incorrect or unlawfully processed data be informed of corrections or deletion.
• Objection and remedies: Object to adverse results from solely automated processing where applicable, and seek compensation for damages from unlawful processing.

7. Application

To exercise your rights under the KVKK, you may submit a request to the Company using the methods announced on our website. Applications should clearly state which right you wish to exercise and include identifying information so we can process your request securely.

Under applicable rules, the Company must conclude applications within thirty days at the latest. If the request is accepted, we will act accordingly; if rejected, we will provide a reasoned response, including information on your right to appeal to the Board where relevant.

English-speaking users may initiate contact through our contact page. We may request additional documentation where necessary to confirm your identity or authority to act on behalf of another person.

8. Changes

The Company reserves the right to update this disclosure text when required by changes in law, regulatory guidance, our services, or data processing practices. Material changes will be reflected on our website, and where appropriate we will provide additional notice.

Continued use of the website after updates constitutes acknowledgment of the revised disclosure for processing that falls within the scope of the new text, except where separate consent is required by law. We encourage you to review this page periodically, especially if you provide new categories of personal data or engage us for new services.

The effective version is the one published on the Company’s website at the time of your interaction. Archived versions may be available upon request where retention is justified for legal or operational reasons.