1. Purpose
This Personal Data Protection and Processing Policy ("Policy") sets out the principles regarding the processing of personal data by Yamanlar Bilişim Sanayi ve Ticaret Limited Şirketi ("Company" or "Yamanlar Bilişim") within the framework of the Personal Data Protection Law No. 6698 ("KVKK") and its secondary legislation.
This Policy covers the principles adopted within the Company for the protection of personal data, the administrative and technical measures taken, the rights of data subjects, and how these rights can be exercised.
2. Scope
This Policy covers all personal data processed by the Company in the course of its activities, whether wholly or partly by automated means or by non-automated means provided that the data forms part of a data filing system, and the processes related to such data.
The audience of the Policy:
- The Company's customers and customer representatives
- The Company's prospective customers
- Visitors to the Company's website
- Suppliers and business partners
- Employees and job applicants
- Visitors and other third parties
3. Definitions
| Term | Description |
|---|---|
| Personal Data | Any information relating to an identified or identifiable real person. |
| Special Categories of Personal Data | Data listed in Article 6 of KVKK: race, ethnic origin, political opinion, philosophical belief, religion, sect, dress, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Processing | Any operation performed on personal data — wholly or partly by automated means or by non-automated means provided that the data forms part of a data filing system — such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of. |
| Data Subject | The real person whose personal data is processed. |
| Data Controller | The real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system (in this Policy: Yamanlar Bilişim). |
| Explicit Consent | Consent on a specific subject, based on being informed, and expressed by free will. |
| Anonymization | Making personal data impossible to associate with an identified or identifiable real person, even when combined with other data. |
4. Basic Principles in the Processing of Personal Data
Under Article 4 of KVKK, the Company acts in line with the following principles:
- Compliance with the law and rules of integrity
- Accuracy and, where necessary, being up to date
- Processing for specific, explicit, and legitimate purposes
- Being relevant to, limited to, and proportionate to the purposes for which they are processed
- Retention for the period required by the relevant legislation or for the purpose for which they are processed
5. Conditions for Processing Personal Data
The Company processes personal data only based on the following legal grounds set out in Articles 5 and 6 of KVKK:
- a) Existence of explicit consent
- b) Expressly prescribed by law
- c) Necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract
- ç) Necessary for the data controller to fulfill its legal obligation (e.g. logging under Law No. 5651, book-keeping under Tax Procedure Law No. 213)
- d) Made public by the data subject themselves
- e) Data processing necessary for the establishment, exercise, or protection of a right
- f) Data processing necessary for the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject are not violated
Special categories of personal data are processed only under the conditions stipulated in Article 6 of KVKK and with the necessary administrative/technical measures.
6. Transfer of Personal Data
The Company transfers personal data only under the conditions set out in Articles 8 and 9 of KVKK.
Domestic transfer: Within the scope of our service delivery, transfers may be made to server/hosting infrastructure providers based in Türkiye, to authorized public authorities and institutions as required by our legal obligations, and where necessary to financial advisors and lawyers.
International transfer: The Company may transfer personal data to data centers located in European Union member states and to countries declared by the Personal Data Protection Board to provide adequate protection. For transfers to other countries, the explicit consent of the data subject is obtained or the exceptional conditions set out in Article 9 of KVKK apply.
7. Retention Periods for Personal Data
The Company retains personal data for the period stipulated in the relevant legislation or required by the processing purpose. General retention periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Contact / Quote form records | 2 years | Legitimate interest |
| Customer contract and all related data | 10 years | Turkish Code of Obligations statute of limitations |
| Commercial invoice and accounting records | 10 years | Tax Procedure Law No. 213, Art. 253 |
| Server access and traffic logs | 2 years | Law No. 5651 and secondary legislation |
| Request / complaint / support records | 5 years | Legitimate interest |
| E-mail correspondence | 5 years | Legitimate interest |
Personal data whose retention period has expired is deleted, destroyed, or anonymized.
8. Rights of the Data Subject
Under Article 11 of KVKK, every data subject has the right to apply to the Company regarding:
- Learning whether personal data is processed,
- Requesting information about personal data, if processed,
- Learning the purpose of processing and whether it is used appropriately for that purpose,
- Knowing the third parties to whom personal data is transferred within and outside Türkiye,
- Requesting correction of personal data if processed incompletely or incorrectly,
- Requesting deletion or destruction of personal data within the framework of Article 7 of KVKK,
- Requesting that the correction and deletion actions be notified to third parties to whom personal data has been transferred,
- Objecting to a result that disadvantages the person arising from analysis exclusively by automated systems,
- Requesting compensation for damages suffered due to processing of personal data contrary to law
Data subjects may exercise these rights under the Data Subject Application Procedure.
9. Measures for Data Security
The Company applies the following administrative and technical measures to protect personal data:
Technical Measures
- Encrypted communication protocols (HTTPS/TLS)
- Regular backup and disaster recovery plans
- Access authorization controls and role-based authorization
- Strong password policy and multi-factor authentication
- Firewall, anti-malware protection, and EDR solutions
- Regular vulnerability scanning
- Monitoring of system and application logs
Administrative Measures
- KVKK awareness training for employees
- Confidentiality agreements and job descriptions
- Data processing/transfer contracts with third-party service providers
- Regular internal audits
- Keeping the personal data inventory up to date
10. VERBIS Registration Status
Our Company does not meet the employee count and annual financial balance sheet thresholds set out under Article 16 of KVKK and the "Regulation on the Registry of Data Controllers", and is therefore not subject to the registration obligation with the Registry of Data Controllers (VERBIS). This status is independent of our Company's other obligations under KVKK.
11. Changes to the Policy
The Company may update this Policy from time to time. Updates take effect on the date they are published on our website.
Effectiveness and updates: This text is in effect as of 28 April 2026 . Yamanlar Bilişim may update this text when deemed necessary; the updated version takes effect on the date it is published on our website.
Contact: You may send your KVKK-related applications to kvkk@yamanlarbilisim.com.tr or via yamanlarbilisim@hs06.kep.tr (KEP, Turkey's registered e-mail). For the detailed application procedure, please see the Data Subject Application Procedure page.