PRIVACY POLICY - extraİŞ (EXTRAIS)

Last Updated: April 2026 Effective Date: April 2026

1. INTRODUCTION AND DATA CONTROLLER

This Privacy Policy explains how TABA TASARIM İNŞAAT A.Ş. ("Data Controller," "we," "our," "us," or "Company") collects, uses, processes, stores, shares, and protects your personal data when you use the Extrais Platform (extrais.com, mobile applications, and related services).

This policy complies with:

• Turkish Law on the Protection of Personal Data (KVKK) - Law No. 6698
• General Data Protection Regulation (GDPR) - EU Regulation 2016/679
• ePrivacy Directive - Directive 2002/58/EC

1.1 Data Controller Information

Data Controller: TABA TASARIM İNŞAAT A.Ş. Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye Email: kvkk@extrais.com Data Protection Officer (DPO): kvkk@extrais.com Response Time: 30 days (may be extended by 60 additional days for complex requests)

2. PERSONAL DATA WE COLLECT

2.1 Data Provided Directly by You

Registration and Account Information

• Full legal name
• Email address
• Phone number
• Residential or business address
• Country of residence
• Date of birth (if provided)
• Government-issued ID (for verification)
• Password and security questions
• Payment method information (processed by third parties)
• Profile information (skills, expertise, bio)
• Work samples and portfolio
• Professional credentials and certifications

Transaction Data

• Project descriptions and specifications
• Proposal submissions
• Contractual terms agreed with other users
• Payment amounts and transaction history
• Milestone progress and delivery records
• Dispute details and resolution history
• Feedback and ratings provided

Communication Data

• Messages and chat communications with other users
• Support tickets and customer service inquiries
• Email correspondence
• Video call/meeting recordings (if applicable)
• File uploads and document sharing

Preference and Account Settings

• Language preferences
• Notification settings
• Privacy settings
• Cookies and tracking preferences
• Two-factor authentication records
• Login activity and device information

2.2 Data Collected Automatically

Device and Browser Information

• IP address
• Device type and operating system
• Browser type and version
• Device identifiers and advertising IDs
• Mobile device information (for app users)
• Screen resolution and timezone
• Device language settings

Usage and Behavioral Data

• Pages visited and time spent on each
• Features used and interaction patterns
• Search queries and filter selections
• Project views and engagement
• Job posting frequency
• Bidding patterns and proposal patterns
• Login dates, times, and frequency
• File uploads and downloads
• API calls and integration usage

Cookies and Tracking Technologies

• Persistent and session cookies
• Web beacons and pixels
• Local storage and similar technologies
• Cross-domain tracking identifiers
• Session replay recordings (Hotjar)
• Heatmaps of page interactions
• Form interaction tracking

Location Data

• IP-based geolocation
• Country and city location (approximate)
• GPS location (if permission granted)
• Timezone information

2.3 Data from Third Parties

Payment Processors

• Transaction details
• Payment verification status
• Billing address and payment history
• Fraud detection signals
• KYC/AML verification results

Identity Verification Services

• Identity verification results
• Government ID information
• Document verification status
• Facial recognition results (if applicable)
• Background check results

Analytics and Third-Party Tools

• Google Analytics data
• Hotjar session recordings
• Third-party ad network data
• Email service provider information
• CRM integration data

Social Media and OAuth

• Social media profile information (if using social login)
• Email address and public profile data
• Friend/connection list (if permission granted)
• Social media advertising IDs

Other Sources

• Credit reporting agencies (for fraud prevention)
• Law enforcement (upon valid legal request)
• Other Platform users (in disputes)
• Public sources (domain registration data, business records)

3. LEGAL BASES FOR DATA PROCESSING

3.1 KVKK Legal Bases (Turkish Law)

We process personal data under the following legal bases under KVKK Article 5:

Article 5(2)(a) - Contractual Performance

Processing necessary to perform the Service Contract between you and the Company or between you and other Platform users.

Article 5(2)(b) - Legal Obligation

Processing required to comply with Turkish law, including:

• Tax reporting and record-keeping
• Money laundering prevention (KYC/AML)
• Consumer protection laws
• Employment and labor law records
• Government requests and court orders

Article 5(2)(c) - Protection of Vital Interests

Processing necessary to protect your vital interests or someone else's vital interests.

Article 5(2)(d) - Public Interest and Official Authority

Processing for public interest purposes or official authority functions.

Article 5(2)(e) - Legitimate Interests

Processing for legitimate interests of the Data Controller or third parties, including:

• Platform security, fraud prevention, and abuse detection
• Improving Platform features and user experience
• Marketing and promotional communications (with consent)
• Analytics and business intelligence
• Dispute resolution and legal claims
• Network and system administration

3.2 GDPR Legal Bases (EU Users)

For users in the EU, we rely on GDPR Article 6 legal bases:

Article 6(1)(b) - Contract Performance

Necessary for performance of contract with you.

Article 6(1)(c) - Legal Obligation

Compliance with legal obligations under EU and member state law.

Article 6(1)(e) - Public Task

Processing necessary for official authority or public interest.

Article 6(1)(f) - Legitimate Interests

Legitimate interests pursued by Data Controller or third parties (balance test applied).

4. DATA RETENTION PERIODS

4.1 Account and Registration Data

• Active Account: Retained for duration of account and up to 3 years after termination
• Deleted Account: Deleted within 30 days of deletion request, except as required by law

4.2 Transaction and Payment Data

• Transaction Records: Retained for 7 years (Turkish tax law requirement)
• Payment Details: Deleted from Platform systems (retained by payment processors per their policies)

4.3 Communications Data

• Support Tickets: Retained for 2 years after resolution
• User Messages: Retained for 7 years (dispute/evidence purposes)
• Email Correspondence: Retained for 5 years

4.4 Dispute and Legal Data

• Active Disputes: Retained indefinitely (necessary for legal claims)
• Resolved Disputes: Retained for 7 years
• Arbitration Records: Retained per arbitration rules (minimum 10 years)

4.5 Analytics and Technical Data

• Google Analytics: 26 months (user-configurable, default)
• Hotjar Sessions: 90 days
• Server Logs: 90 days
• IP Addresses: Anonymized after 13 months

4.6 Marketing Data

• Email Lists: Retained for 3 years after last engagement
• Preference Data: Retained while account active
• Advertising Data: Retained for 12 months (cookies expire)

4.7 Legal Hold

Notwithstanding retention periods, we retain data indefinitely if:

• Required by court order or legal proceeding
• Subject of active investigation
• Necessary to defend legal claims
• Required by government or regulatory request

5. DATA SHARING AND DISCLOSURE

5.1 Sharing Between Platform Users

Visible to All Users

• Public profile information (skills, bio, ratings, reviews)
• Project titles and descriptions
• Completed work samples (in portfolio)
• Public feedback and testimonials

Visible to Matched Users

• Freelancer profile and qualifications (to clients considering hire)
• Client project details (to freelancers submitting proposals)
• Contact information (once project accepted)

Shared in Disputes

• Full project details
• All communications between parties
• Payment records
• Work samples and deliverables

5.2 Sharing with Third-Party Service Providers

We share data with carefully selected service providers for specific purposes:

Payment Processing

• Stripe, PayPal, and other payment processors
• Data: Payment method, billing address, transaction details
• Purpose: Payment processing and fraud prevention

Identity Verification

• ID verification services, facial recognition providers
• Data: Government ID, photo, legal name, date of birth
• Purpose: Account verification and anti-fraud

Analytics and Measurement

• Google Analytics, Mixpanel, Hotjar
• Data: Usage patterns, device info, behavioral data
• Purpose: Platform improvement and analytics

Email and Communication

• SendGrid, Mailchimp, or similar email providers
• Data: Email address, name, communication preferences
• Purpose: Transactional emails and marketing (with consent)

Advertising Networks

• Google Ads, Facebook Pixel, LinkedIn Insight Tag
• Data: Advertising ID, device ID, browsing behavior
• Purpose: Targeted advertising and retargeting

Customer Support

• Zendesk, Intercom, or similar support tools
• Data: Name, email, support history, technical data
• Purpose: Customer support and issue resolution

Fraud and Security

• Fraud detection services, IP reputation databases
• Data: IP address, device fingerprint, transaction patterns
• Purpose: Fraud detection and prevention

Data Storage and Hosting

• AWS, Google Cloud, or similar cloud providers
• Data: All personal data (encrypted storage)
• Purpose: Infrastructure and data storage

5.3 Sharing with Authorities and Legal Requests

We may disclose personal data without your consent when:

• Legally Required: Required by court order, subpoena, or law
• Government Request: Valid government or law enforcement request
• Abuse Prevention: Necessary to prevent fraud, abuse, or security threat
• Rights Protection: Necessary to protect our legal rights or those of users
• Law Compliance: Required to comply with Turkish, EU, or other applicable law
• GDPR/KVKK Compliance: Required under data protection law

We will:

• Provide you with notice before disclosure (except where legally prohibited)
• Seek to limit disclosure to necessary information only
• Request confidentiality from authorities where possible
• Notify affected users of government data requests annually (transparency report)

5.4 Mergers, Acquisition, and Corporate Changes

In case of merger, acquisition, bankruptcy, or business restructuring:

• Personal data may be transferred as part of business assets
• You will receive notice of the transfer and new Privacy Policy
• You may object to the transfer of your data
• Continuing to use the Platform after notice constitutes consent to transfer

5.5 Prohibited Sharing

We do NOT:

• Sell personal data to third parties for profit (except as part of business sale)
• Share data with brokers or data aggregators
• Lease data to marketers or advertisers
• Disclose data to political campaigns or controversial organizations
• Share sensitive health or financial data without explicit consent

6. INTERNATIONAL DATA TRANSFERS

6.1 Data Transfer Mechanisms

Personal data is primarily stored on servers in:

• Turkey (primary data residency)
• EU (secondary backup)
• US (optional - only with explicit consent)

6.2 Transfers to Non-adequate Jurisdictions

If data is transferred outside Turkey/EU:

• Data Processing Agreement: Valid DPA in place per GDPR Article 28
• Standard Contractual Clauses: SCCs for transfers to non-adequate countries
• Adequacy Determination: Standard Contractual Clauses provide appropriate safeguards
• Your Rights: Right to object or request local data storage

6.3 Transfers to Third Countries

Data may be transferred to:

• Standard Contractual Clauses: Valid SCCs to non-adequate countries
• Binding Corporate Rules: Where applicable to multinational groups
• Explicit Consent: Transfer only with your explicit, informed consent
• Legitimate Interests: Limited transfer for service delivery (with safeguards)

For EU users, non-adequate jurisdiction transfers comply with GDPR Chapter V.

7. YOUR RIGHTS UNDER KVKK AND GDPR

7.1 KVKK Rights (Turkish Law)

Under KVKK Article 11, you have the right to:

Right of Access

• Right to learn if your personal data is processed
• Right to request how and why it is processed
• Right to request a copy of your personal data
• Request Process: Email kvkk@extrais.com with "KVKK Access Request" subject
• Response Time: 30 days (may be extended 60 additional days)
• Fee: Free (except excessive or repeated requests)

Right of Correction

• Right to correct inaccurate personal data
• Right to request completion of incomplete data
• Implementation: Changes made within 30 days
• Notification: Third parties notified of corrections where possible

Right of Erasure

• Right to request deletion of personal data
• Exceptions: Data required by law, active disputes, legal holds
• Implementation: Deletion within 30 days
• Scope: Data deleted from active systems (may retain in backups for 90 days)

Right to Object

• Right to object to processing of personal data
• Right to object to marketing communications
• Automated Objection: Unsubscribe link in all marketing emails
• Manual Objection: Email kvkk@extrais.com

Right to Restrict Processing

• Right to request restriction of data processing
• Right to limit processing to necessary purposes
• Implementation: Data flagged as restricted, processing limited

Right to Data Portability

• Right to request your data in portable format
• Right to transfer data to another service provider
• Format: CSV, JSON, or compatible format
• Implementation: Provided within 30 days

Right to Withdraw Consent

• Right to withdraw consent at any time
• Withdrawal does not affect past processing
• Mechanism: Email or account settings
• Effect: Processing stops upon withdrawal

7.2 GDPR Rights (EU Users)

EU users have equivalent rights under GDPR Articles 15-22:

• Right of access (GDPR Article 15)
• Right to rectification (GDPR Article 16)
• Right to erasure ("right to be forgotten") (GDPR Article 17)
• Right to restrict processing (GDPR Article 18)
• Right to data portability (GDPR Article 20)
• Right to object (GDPR Article 21)
• Rights related to automated decision-making (GDPR Article 22)

Important: GDPR rights may provide broader protections than KVKK in specific cases.

7.3 Exercise Your Rights

To exercise any of the above rights:

Contact Information:

• Email: kvkk@extrais.com
• Subject Line: State the right you're exercising (e.g., "KVKK Access Request")
• Content: Include your name, email, account information, and specific request
• Verification: We may request proof of identity for security

Response:

• Timeline: 30 days (KVKK/GDPR) or as specified by law
• Format: Response provided in writing (email or mail)
• Scope: We'll provide all personal data held about you
• Costs: Generally free; excessive/repeated requests may incur reasonable fee

8. CHILDREN'S PRIVACY

The Platform is not intended for users under 18 years of age (or legal age of majority in their jurisdiction).

8.1 Our Practices

• We do not knowingly collect data from minors
• If we discover data from a minor, we delete it immediately
• Parents/guardians cannot consent on behalf of minors

8.2 If You're Under 18

Do not register or use the Platform. If you provide false age information, your Account will be terminated.

8.3 Reporting Child Data

If you believe we have collected data from a minor, please email kvkk@extrais.com immediately.

9. SECURITY AND DATA PROTECTION

9.1 Security Measures

We implement industry-standard security measures:

• Encryption: TLS/SSL encryption for data in transit
• Storage Encryption: AES-256 encryption for data at rest
• Access Controls: Role-based access, multi-factor authentication
• Monitoring: Continuous security monitoring and intrusion detection
• Firewalls: Enterprise-grade firewalls and DDoS protection
• Backups: Encrypted daily backups with tested recovery
• Penetration Testing: Annual third-party security audits
• ISO 27001: Compliance with information security standards

9.2 Data Breach Notification

In case of data breach affecting personal data:

• Notification: We will notify affected individuals within 72 hours (GDPR) or 3 days (KVKK)
• Content: Nature of breach, data affected, recommended actions
• Authorities: Reported to Turkish DPA (KVKK) and relevant EU authorities (GDPR)
• Transparency: Published breach notification on the Platform

9.3 Your Security Responsibilities

You must:

• Maintain confidentiality of your password
• Never share account credentials
• Use strong, unique passwords
• Enable two-factor authentication
• Monitor Account activity for suspicious access
• Notify us immediately of unauthorized access
• Log out when finished, especially on shared devices

10. COOKIES, PIXELS, AND TRACKING TECHNOLOGIES

10.1 Cookie Types

We use the following cookie categories:

Essential Cookies (No Consent Required)

• Session identification
• CSRF protection
• Security and fraud prevention
• User preferences (language, timezone)
• Strictly necessary for Platform functionality

Performance/Analytics Cookies (Consent Required)

• Google Analytics (usage analytics)
• Mixpanel (feature analytics)
• Hotjar (session recording, heatmaps)
• Server-side analytics logging

Preference Cookies (Consent Required)

• Saved user settings
• Remember-me functionality
• Notification preferences
• Accessibility settings

Marketing Cookies (Explicit Consent Required)

• Google Ads (retargeting)
• Facebook Pixel (campaign tracking)
• LinkedIn Insight Tag (B2B retargeting)
• Remarketing and promotional tracking

10.2 Cookie Management

Users can control cookies through:

• Cookie Banner: Consent options at first visit
• Cookie Settings: Account privacy settings (Settings → Privacy → Cookies)
• Browser Settings: Disable cookies in browser preferences
• Cookie Opt-Out: Provide email to kvkk@extrais.com

Important: Disabling essential cookies will impair Platform functionality.

10.3 Third-Party Cookies

Third-party providers set their own cookies:

• Google Analytics Cookie: _ga, _gid (26-month retention)
• Facebook Pixel: fbp, fr (90-day retention)
• LinkedIn Tag: li_fat_id, li_fat_id (30-day retention)
• Hotjar Cookie: _hjid, _hjc (365-day retention)

These providers may also track you across other websites.

11. MARKETING AND PROMOTIONAL COMMUNICATIONS

11.1 Email Marketing

We may send promotional emails if you:

• Consent to marketing communications
• Have opted in during registration or settings
• Have provided email address

11.2 Opting Out of Marketing

To unsubscribe from marketing emails:

• Unsubscribe Link: Click the link at the bottom of each marketing email
• Account Settings: Disable marketing in Privacy settings
• Request: Email marketing@extrais.com with "Unsubscribe" request

We will honor opt-out requests within 10 business days.

11.3 Transactional Emails

You will continue to receive transactional emails (payment, account, disputes) even if you opt out of marketing, as these are necessary for contract performance.

12. POLICY UPDATES

12.1 Changes to This Privacy Policy

We may update this Privacy Policy at any time. Changes will be:

• Posted on the Platform with "Last Updated" date change
• Effective immediately for new users
• Effective 30 days after notice for existing users

Your continued use after notice constitutes acceptance of changes.

12.2 Material Changes

For material changes that negatively affect your rights, we will:

• Provide prominent notice on the Platform
• Send email notification
• Require affirmative consent to continue using Platform

13. CONTACT AND COMPLAINTS

13.1 Privacy Questions

For privacy-related questions or concerns:

TABA TASARIM İNŞAAT A.Ş.

• Email: kvkk@extrais.com
• Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye
• Response Time: 30 days

13.2 Data Protection Authority Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

For Turkish users (KVKK):

• Authority: Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu - KVKK)
• Website: kvkk.gov.tr
• Process: File complaint through authority website

For EU users (GDPR):

• Authority: Your national Data Protection Authority
• Process: File complaint with relevant member state authority
• Resources: Find authority contact at edpb.europa.eu

You have the right to lodge a complaint without exhausting Company remedies first.

Last Updated: April 2026 Effective Date: April 2026

This Privacy Policy is designed to provide comprehensive protection of your personal data under KVKK and GDPR standards.