KVKK Data Processing Notice

1. Data Controller

Under the Turkish Personal Data Protection Law No. 6698 ("KVKK"), your personal data is processed by Takasla ("Platform") as the data controller, for the purposes and methods described below.

2. Personal Data Collected

The following personal data may be processed by our Platform:

• Identity Data: Full name, display name
• Contact Data: Email address, phone number, postal address
• Account Data: User ID, password hash, account creation date, role
• Transaction Data: Listing details, trade history, offer history, payment information
• Visual Data: Product photos, profile photos, proof images
• Location Data: City, district, neighbourhood (for listings and shipping)
• Reputation Data: Trust score, ratings, risk flags
• Technical Data: IP address, browser information, access logs

3. Purposes of Processing

• Account creation and management
• Identity and email verification
• Facilitating and managing trade transactions
• Providing shipping and delivery services
• Processing payments
• Ensuring platform security and fraud prevention
• Managing dispute resolution processes
• Blockchain certification and verification services
• Providing customer support
• Fulfilling legal obligations

4. Legal Basis for Processing

Your personal data is processed under KVKK Article 5 based on the following legal grounds:

• Explicit consent: Marketing communications, profile photo upload
• Contractual necessity: Account creation, trade transactions, shipping services
• Legal obligation: Legal notifications, tax obligations
• Legitimate interest: Platform security, fraud detection, service improvement

5. Data Transfers

Your personal data may be shared with the following third parties for service delivery:

Cross-border data transfers are conducted under KVKK Article 9, to countries with adequate protection or under Standard Contractual Clauses (SCCs).

6. Data Retention Periods

• Account data: While account is active + 30 days after deletion
• Trade and transaction records: 2 years from transaction completion (commercial legal retention)
• Payment records: 2 years from transaction (financial audit obligation)
• Dispute records: 2 years from resolution
• Email verification tokens: 24 hours (after use or expiry)
• Session tokens: 7 days (refresh token lifespan)

7. Your Rights (Article 11)

Under KVKK Article 11, you have the following rights:

• Learn whether your personal data is being processed
• Request information about the processing of your personal data
• Learn the purpose of processing and whether data is used in accordance with its purpose
• Know the third parties to whom your personal data is transferred
• Request correction of incomplete or inaccurate personal data
• Request deletion or destruction of personal data under KVKK Article 7
• Request notification of correction and deletion operations to third parties
• Object to any result arising from the analysis of processed data exclusively through automated systems
• Claim compensation for damages arising from unlawful processing of personal data

8. How to Exercise Your Rights

You can exercise your rights through the following methods:

• Data download: Use the "Download My Data" option on your profile page to download your personal data in JSON format
• Account deletion: Permanently delete your account and all associated data from your profile page
• Email: Submit a request to kvkk@takasla.com

Your requests will be answered free of charge within 30 days at the latest. If the process requires additional costs, the fee schedule determined by the Personal Data Protection Board will apply.

9. Security Measures

• Passwords are stored hashed with bcrypt
• All communications are encrypted with SSL/TLS
• JWT-based authentication and authorization
• EXIF metadata (including GPS coordinates) is automatically stripped from uploaded images
• Distributed locking mechanism for concurrent transaction security
• Regular data retention audits and automatic cleanup