PRIVACY POLICY

Privacy
Policy

Protecting your personal data is one of our top priorities. Learn about our data processing procedures under Law No. 6698 (KVKK).

Version: 1.1
Last Updated: 01.01.2025

Table of Contents

1 Purpose and Scope

As Ahmet Çevik ("Hostopya", "Company"), we value the protection of your personal data and private information. Therefore, as the Data Controller, we make every effort to process your personal data in accordance with Law No. 6698 on Protection of Personal Data ("KVK Law"), including use, recording, storage, updating, transfer and/or classification within the framework described below.

In this context, all technical and administrative measures are taken by our Company to ensure an appropriate level of security, primarily to protect the privacy of individuals, fundamental rights and freedoms, and to prevent unlawful processing of, unauthorized access to, and ensure the preservation of your personal data in accordance with the relevant Laws and Regulations.

The target audience of this text is all natural persons and our employees whose personal data are processed on our websites and corporate processes. As Hostopya, we provide services through our web-based and cloud services ("Services") over the internet. This Disclosure Text covers all of the aforementioned software, sites and applications.

Our Websites: www.hostopya.com

Personal information processed on our sites is processed in accordance with the legislation on the protection of personal data. We are in the status of "data controller" only for those who create user accounts and use our websites, and this Privacy Policy is valid only in relation to the processing of data belonging to these persons.

Our Customers who process and record data using our Services are independent data controllers. In such cases, as we are only in the status of "data processor", we recommend that you refer to the privacy policies and disclosure texts of our Customers who process your personal data when necessary.

On the other hand, we do not guarantee the data security and data protection practices and policies of third-party websites that we link to on our Sites. We recommend that you separately review the data security and data protection policies of the relevant data controller.

2 Identity of the Data Controller

Hostopya (or "Organization") is in the status of "Data Controller" against all natural persons whose personal data it processes while conducting its commercial activities, including employees, employee candidates, customers, suppliers, supplier employees and visitors, and is obliged to fulfill its obligations arising from the law.

Hostopya processes your personal data in the capacity of "Data Controller" as defined in Article 3 of Law No. 6698 on the Protection of Personal Data, and its contact information is as follows:

Hostopya is in the status of "Data Controller" against natural persons in terms of personal data of visitors to its websites and users of the services it provides over the internet.

Our contact information as "Data Controller" and how you can reach us regarding personal data is as follows:

NameAhmet Çevik
AddressOrtabayır Mah. Atalar Cad. No 57 Kağıthane/İstanbul
Websitewww.hostopya.com
Phone+90 (850) 309 88 67

3 Key Concepts

Explicit Consent:Consent given on a specific matter, based on being informed and expressed with free will
Anonymization:Making personal data impossible to associate with any identified or identifiable natural person, even when matched with other data
Data Subject:Natural person whose personal data is processed
Personal Data:Any information relating to an identified or identifiable natural person
Processing of Personal Data:Any operation performed on data by fully or partially automatic means, or non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, or classifying
Board:Personal Data Protection Board
Authority:Personal Data Protection Authority
KVK:Law No. 6698 on the Protection of Personal Data
Special Category Personal Data:Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
Data Processor:Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller
Data Recording System:Recording system where personal data is processed by being structured according to certain criteria
Data Controller:Natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system
Joint Data Controller:Another data controller with whom the organization shares personal data within the scope of its commercial and corporate activities and jointly carries out processing activities
Independent Data Controller:Other independent data controllers who process personal data of the same persons within the scope of their commercial and corporate purposes

4 Purposes of Personal Data Processing

Personal data of data subjects in our organization is processed entirely and directly in connection with the organization's activities and the commercial, business or legal relationship with the data subject.

Management Process Related Purposes

  • Conducting commercial activities
  • Ensuring business continuity, legal and administrative work safety
  • Planning and execution of business and application strategies
  • Management of occupational health and safety processes
  • Presentations, promotions and information about the organization, services and products
  • Fulfilling obligations arising from legislation and contracts
  • Ensuring physical space security within and around the organization
  • Obtaining legal support
  • Use of electronic and other social media tools and printed, periodical and non-periodical publications
  • Conducting dealership processes
  • Establishing and maintaining communication with press members and media organizations
  • Informing the public about activities
  • Conducting business meetings in a timely and effective manner
  • Completing work in a timely and appropriate manner
  • Planning and conducting activities at local, national and international levels
  • Managing relationships with domestic and international business partners and group companies
  • Conducting intellectual and industrial property related transactions
  • Promotion, marketing and information about the organization, products and services
  • Receiving notifications and feedback from customers and potential customers
  • Providing technical support to customers
  • Answering questions from customers and potential customers
  • Providing support for electronic invoice services
  • Participating in events such as fairs and seminars

Employee Related Purposes

  • Creating and executing employee employment contracts
  • Fulfilling and implementing services offered to employees
  • Providing socio-economic benefits to employees
  • Conducting domestic and international assignment, travel and accommodation processes
  • Planning and executing human resources processes
  • Recruitment, conducting employment relationships, performance evaluation processes
  • Creating personnel files, storing in physical and electronic environments
  • Attendance tracking
  • Conducting exit procedures and interviews
  • Conducting performance and audit activities

IT Process Related Purposes

  • Creating and updating IT and communication infrastructure
  • Managing users of IT tools and systems
  • Managing corporate email accounts
  • Managing corporate social media accounts
  • Managing, auditing and closing email accounts of former employees
  • Managing, monitoring and auditing portable and/or desktop electronic devices
  • Conducting operations related to website members
  • Ensuring data security and archiving data
  • Keeping internet access logs
  • Tracking organization's vehicles and their users
  • Protecting and managing customers' digital assets and rights

5 Data Subjects Whose Personal Data is Processed

Hostopya generally processes data subjects' data within the scope of this Privacy Policy and other administrative and technical measures. The organization's data processing policies, primarily this Privacy Policy, will be followed in the processing of personal data of natural persons outside these categories.

  • Employees
  • Employees with indefinite-term employment contracts
  • Interns and İŞKUR on-the-job training program participants
  • Job applicants
  • Customer representatives and employees
  • Supplier representatives and employees
  • Consultants and Auditors
  • Public officials
  • Our visitors
  • Website visitors
  • Potential customers and users
  • Our dealers

6 Legal Grounds and Processed Personal Data Categories

6.1. Personal Data of Our Employees, Indefinite-Term Employees and Interns

The organization processes personal data of employees, employee candidates and interns in accordance with Employment Contracts, Labor Law No. 4857, Turkish Code of Obligations No. 6098, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Turkish Commercial Code No. 6102, Electronic Signature Law No. 5070, Law No. 5651 on Internet Publications, and similar laws, regulations and communiqués. The organization processes identity, contact, personnel, financial, professional experience, physical space security, legal proceedings, transaction security, risk management, audio-visual records and special category data.

6.2. Personal Data of Job Applicants

We process personal data such as identity, personnel, contact, family information, financial, education, professional experience, and habits shared voluntarily by job applicants through resumes, cover letters, or shared by online employment platforms and talent agents, including any special category data they voluntarily share.

6.3. Personal Data of Individual Suppliers and Corporate Supplier Representatives

The organization processes personal data of individual suppliers and corporate supplier representatives in accordance with Service Agreements, Turkish Code of Obligations No. 6098, Execution and Bankruptcy Law No. 2004, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213 and similar laws and regulations. The organization processes personal data in the categories of identity, contact, finance, legal proceedings and other information.

6.4. Personal Data of Auditors, Consultants and Public Employees

The organization processes personal data of auditors, consultants and public employees who carry out control and audit duties in accordance with Turkish Commercial Code No. 6102, Customs Law No. 4458, Tax Procedure Law No. 213, Labor Law No. 4857 and similar laws and regulations. The organization processes personal data in the categories of identity, contact and personnel.

6.5. Personal Data of Individual Customers and Corporate Customer Representatives

Our products and services are purchased, tried and managed through user accounts created on our website. We process personal data in the categories of identity, personnel, contact, customer transactions and finance of users who use our services individually or corporately.

6.6. Personal Data of Our Visitors

We process personal data of visitors for the purpose of ensuring IT and facility security, within the scope of Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications, and based on our legitimate interest. Personal data in categories such as Identity, Transaction Security, and Physical Space Security are processed.

6.7. Personal Data of Site Visitors and Members

Based on our legitimate interest, personal data of those who visit our websites is processed through "cookies". We recommend that you review our "Cookie Policy" for more information about cookies.

6.8. Personal Data of Our Potential Customers

In addition to advertisements on our sites, we may inform our users, trial users, customers and potential customers about new products or services via email, social media or phone with their consent. Data subjects may object to such promotional communications at any time. We process information such as identity, contact, personnel, finance and customer transactions of our potential customers.

6.9. Personal Data of Our Dealers

The organization processes identity, contact and personnel data of our dealer representatives who play a role in sales, marketing and after-sales support services, in accordance with Dealership Agreements, Turkish Code of Obligations No. 6098, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213 and similar laws and regulations.

7 Rights of the Data Subject

The organization acknowledges that the data subject has the right to give consent before data processing and has the right to determine the fate of their data after processing. In this regard, data subjects may apply to the Contact Person to:

  • Learn whether personal data is being processed
  • Request information if personal data has been processed
  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose
  • Know the third parties to whom personal data is transferred domestically or abroad
  • Request correction of personal data if it has been processed incompletely or incorrectly
  • Request deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the Law
  • Request notification of operations to third parties to whom personal data has been transferred
  • Object to the emergence of a result against you through analysis of processed data exclusively by automated systems
  • Claim compensation for damages arising from unlawful processing of personal data

However, individuals have no rights regarding anonymized data within the Company. Personal data may be shared with relevant institutions and organizations as required by business and contractual relationships, or when a legal authority is exercised by a judicial or public authority.

Requests within the scope of the listed rights are fulfilled by completing the organization's Application Form completely with your wet signature and submitting it to the Contact Person via registered mail with copies of identification.

8 Fundamental Rules for Processing Personal Data

Hostopya units and employees will pay attention to the following fundamental rules on which the Privacy Policy and other corporate policies are built when processing personal data of data subjects.

Compliance with law and good faith: The organization checks whether the conditions such as informing the data subject and obtaining explicit consent of the data subject for processing data in necessary cases are fulfilled.

Being accurate and up-to-date when necessary: The organization tries to ensure that personal data it processes and keeps in its databases contain correct information to the extent that its control mechanisms allow. It strives to keep data up-to-date as much as possible.

Processing for specific, clear and legitimate purposes: The organization processes personal data only for the specific, clear and legitimate purposes set forth in this Privacy Policy.

Being relevant, limited and proportionate to the purpose: The organization strives not to process personal data for any purpose other than the boundaries of the purpose for which they are processed, and to inform the data subject and obtain explicit consent when such a need arises.

Time Limitation: The organization strives to retain personal data for the period stipulated in the relevant legislation or for the period necessary for the purpose of processing. When these purposes cease to exist, the organization deletes or anonymizes the personal data.

Data Minimization: The organization, its units and employees collect data in the categories relevant to the purpose, only to the extent required by the processing purpose, except for the scope and periods required by laws and relevant legislation.

Deletion and Destruction: The organization retains personal data it processes for the periods stipulated in relevant legislation and/or for the periods required by the processing purpose. When these periods expire, it deletes, destroys or anonymizes the personal data.

Confidentiality and Data Security: Throughout all processes of processing, transferring and storing personal data in the organization, attention is paid to general confidentiality rules and ensuring data security. Necessary administrative and technical measures are taken.

9 Transfer of Personal Data

Hostopya benefits from domestic and international service and product suppliers to conduct its commercial activities and ensure the execution of specialized activities it needs as an organization, and may transfer personal data to these suppliers, business partners or authorized institutions and organizations.

9.1. Principles to be Observed in Personal Data Transfer

  • During personal data sharing, data transfer is secured by signing a data transfer agreement or similar documents with all parties to whom data is transferred.
  • Each unit and employee must anticipate the risks that the recipient of personal data transfer may create regarding personal data.
  • Care is taken to comply with relevant legislation such as KVK and GDPR when using foreign-origin applications and services.
  • Data transfers must be carried out through appropriate and secure means and channels for data security.
  • Organization units and employees are obliged to report situations that may create risks to their superiors in a timely manner.

9.2. Situations Where Personal Data is Transferred and Parties to Whom Transfer is Made

Personal data is shared with the following parties for the following purposes:

  • Business partners, affiliates, consulting firms, service suppliers and public institutions when necessary for planning and fulfilling commercial activities
  • Natural and legal persons providing services in areas of business continuity, legal, technical and commercial work safety
  • Persons and third parties with whom the organization has signed agreements within the framework of procured services
  • Suppliers providing socio-economic benefit services to employees from outside
  • Relevant departments and group companies during recruitment and exit processes
  • Business partners, consulting firms, courts, public institutions and authorized authorities for fulfilling legal obligations
  • Relevant banks for payment and collection transactions
  • Insurance agents and insurance companies for employees to benefit from insurance and similar rights
  • Law and accounting offices for legal and financial support
  • Domestic and international cloud service providers for ensuring data security
  • Foreign-origin platforms and applications for online communication channels and tools
  • Auditors and audit organizations for conducting audits

9.3. Transfer of Personal Data Abroad

Hostopya shares personal data with service providers located abroad for the purposes of operating our website, developing services, and providing services to users:

  • Whatsapp (Facebook) based in the USA for instant messaging
  • Zoom and Google based in the USA for video conferencing
  • Tawk.to based in the USA for customer support and requests
  • Google and Wetransfer based in the USA for file sharing
  • Anydesk and Teamviewer based in Germany for remote access
  • Apple and Google based in the USA for mobile operating systems
  • Facebook, Twitter, Instagram, Youtube and Google based in the USA for social media services
  • SendinBlue based in France for email delivery
  • RapidSSL and TheSSLStore based in the USA for SSL certificate services
  • Realtime Register based in the Netherlands for domain registrations
  • P.D.R Solutions based in India for domain registrations

You can access each service provider's privacy policy through the links below:

MicrosoftWhatsappGoogleWetransferAnydeskTeamviewerFacebookTwitterInstagramLinkedinCloudflareTawk.toRealtime RegisterP.D.R SolutionsRapidSSL / DigiCertSendinBlue

10 Auditing, Applications and Data Breach Notifications

The organization may conduct necessary internal and external audits regarding the protection of personal data.

Applications made by data subjects are answered within 30 days at the latest, by the Committee with the opinion of the relevant unit.

When the organization is notified of any breach related to personal data, it notifies the KVK Board without delay and within 72 hours at the latest from the date it learns of the situation. It also informs the relevant parties and persons in the same manner.

11 Updates

This policy document is updated when the organization's personal data processing conditions, tools, purposes and scope change and when the parties with whom personal data is shared change. Updates made to each article are kept in a separate table.