PRIVACY POLICY & KVKK CLARIFICATION TEXT
Effective Date: April 2026
Version: 2.0 — KVKK + GDPR Aligned
Prepared under the obligation to inform the data subject under Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") Art. 10 and the accompanying Communiqué on Procedures and Principles for the Fulfilment of the Clarification Obligation (Official Gazette 10/03/2018, No. 30356). Consistent with EU GDPR (Reg. 2016/679). Turkish version prevails in case of conflict.
1. DATA CONTROLLER
TABA TASARIM İNŞAAT A.Ş. (brand: Extrais). Address: Şehit Şakir Elkovan Cad. No:3, Ataşehir / İstanbul. Registered with the Turkish Data Controllers Registry (VERBİS) per KVKK Art. 16 and the VERBİS Regulation. KVKK contact: kvkk@extrais.com.
2. CATEGORIES OF PERSONAL DATA
Per the KVKK Personal Data Categories Guideline (December 2019):
- Identity: name, date of birth, Turkish ID (TCKN) — only in KYC for MASAK compliance.
- Contact: e-mail, phone, address.
- Transaction: session logs, IP, device info, click stream — retained 6 months to 2 years per Law No. 5651 Art. 5.
- Finance: invoicing data, IBAN, bank name. Card PAN/CVC/expiry are never collected by the Platform (held by the licensed PSP under PCI-DSS L1).
- Special category (Art. 6): only KYC documents (ID photo, address certificate), on explicit consent. No health, biometric, or criminal data.
- Audio-visual: profile photo, delivery files.
- Marketing: only with explicit consent per Law No. 6563 Art. 6; managed via the İYS national opt-out system.
3. PURPOSES & LEGAL BASIS
| Basis (KVKK) | Purpose |
|---|---|
| Art. 5/2-c — Contract | Account setup, KYC, job-post and bid flow, messaging, credit-pack payment collection (no escrow — Platform does not hold the work fee), e-archive invoicing |
| Art. 5/2-ç — Legal obligation | Invoicing (VUK Art. 229-232), log retention (Law No. 5651) |
| Art. 5/2-ç — MASAK | Identity verification, suspicious-transaction reporting (Law No. 5549); retained 8 years |
| Art. 5/2-f — Legitimate interest | Fraud prevention, account security, analytics |
| Art. 5/1 / 6/3 — Explicit consent | Marketing, non-essential cookies, special-category data |
4. DATA TRANSFERS
4.1 Domestic (Art. 8)
Licensed PSP (payments), banks (settlement), accountants, GİB (tax authority), MASAK, courts / law enforcement on lawful request.
4.2 Cross-border (Art. 9, as amended by Law No. 7499/2024)
| Recipient | Country | Basis |
|---|---|---|
| Neon DB | EU — Ireland | Standard contract (Art. 9/6-b) |
| Cloudflare | US + EU | Standard contract + technical safeguards |
| Google LLC | US | Explicit consent (Google Sign-In) |
| Apple Inc. | US | Explicit consent (Sign in with Apple) |
| OpenRouter | US | Explicit consent (AI features) |
| Hetzner GmbH | Germany | Contract + standard contract |
| Yandex SMTP | Russia | Consent / contract — alternative available |
Law No. 7499 (OG 12/03/2024) introduced standard contractual clauses as a valid cross-border transfer basis.
5. DATA SUBJECT RIGHTS — KVKK Art. 11
You may request to: (1) learn whether your data is processed; (2) obtain information on processing; (3) learn processing purposes; (4) know domestic/foreign transfer recipients; (5) request correction of incomplete or incorrect data; (6) request deletion / destruction / anonymization per Art. 7 + Regulation on Deletion (OG 28/10/2017, 30224); (7) have corrections/deletions propagated; (8) object to decisions based solely on automated processing; (9) claim damages arising from unlawful processing.
5.1 How to request
Per the Communiqué on Applications (OG 10/03/2018, 30356): in writing to our registered address; with a secure e-signature to kvkk@extrais.com; or via the in-app KVKK form. Responses are given within 30 days, free of charge (fees only where the KVKK Board tariff applies).
5.2 Board complaint
If the response is unsatisfactory or absent after 30 days, you may file a complaint with the KVKK Board within 30 days (Art. 14).
6. RETENTION
| Category | Duration | Basis |
|---|---|---|
| Identity / contact | Account + 10 years | TTK Art. 82; TBK Art. 146 |
| Payment / accounting | 10 years | VUK Art. 253; TTK Art. 82 |
| IP / traffic logs | 2 years | Law No. 5651 Art. 5 |
| KYC / MASAK | 8 years | MASAK Reg. Art. 10 |
| Marketing consent | Until withdrawal | Law No. 6563 Art. 6 |
| Non-essential cookies | 13 months | KVKK Cookie Guide 2022 |
| Disputes | 10 years | TBK Art. 146 |
| Post-closure anonymization | 90 days | KVKK Art. 7 |
7. SECURITY — KVKK Art. 12
TLS 1.3 in transit; AES-256 + PBKDF2-SHA256 at rest; RBAC; 2FA admin panel; audit log. Breach notification to the Board within 72 hours (KVKK Art. 12/5, Board Decision 2019/10). Cloud providers: SOC 2 Type II + ISO 27001.
8. COOKIES (summary)
See Cookie Policy. Essential cookies on legitimate interest; functional on legitimate interest; analytics + marketing only on explicit consent via the consent banner (per KVKK Cookie Guide, June 2022).
9. MINORS
We do not knowingly collect data from users under 18. For concerns, contact kvkk@extrais.com.
10. CHANGES
Material changes are announced at least 15 days before entry into force. Current version: https://extrais.com/en/legal/privacy
11. CONTACT
- Data Controller: TABA TASARIM İNŞAAT A.Ş.
- KVKK Contact: kvkk@extrais.com
- Support: support@extrais.com
- KVKK Board: https://www.kvkk.gov.tr/
_This clarification text discharges the controller's duty to inform; activities requiring explicit consent are covered by a separate Explicit Consent Text (KVKK Art. 3/1-a, Art. 5/1)._