Privacy Notice under the Law on the Protection of Personal Data
Article 10 of Law No. 6698 (KVKK) · Published: March 2025
1. Data Controller
This privacy notice has been prepared by NESILGRUP BILISIM TEKNOLOJI TICARET ANONIM SIRKETI ("Nesil Teknoloji" or the "Company") pursuant to Article 10 of Law No. 6698 on the Protection of Personal Data ("KVKK") and the Communiqué on the Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform.
The Company is registered with MERSIS No 0631172955000001, Trade Registry No 478284, Tax Office/No Baskent / 6311729550, with its registered address at Orucreis, Tekstilkent Cad., Tekstilkent Plaza D Blok, 34235 Esenler/Istanbul, Türkiye. For applications under the KVKK you may contact the [email protected] registered electronic mail (KEP) address.
2. Personal Data Processed, Purposes and Legal Bases
Nesil Teknoloji processes the following personal data through its website, communication channels and service processes, for the purposes and on the legal bases set out below:
| Data Category | Data Types | Purpose of Processing | Legal Basis (KVKK Art. 5) |
|---|---|---|---|
| Identity | Name, surname, title | Conclusion and performance of contracts, customer account management, preparation of service proposals | Art. 5/2(c) – Conclusion or performance of a contract |
| Contact | E-mail, telephone, address | Responding to requests, technical support, commercial electronic messages (subject to separate consent) | Art. 5/2(c); Art. 5/1 – Explicit consent for commercial messages |
| Corporate Information | Company name, industry, position | Service needs analysis, proposal customisation, project scope assessment | Art. 5/2(f) – Legitimate interest |
| Transaction Security | IP address, browser information, access logs | System security, fault detection, statutory record-keeping obligation under Law No. 5651 | Art. 5/2(a) – Legal obligation |
| Cookie Data | Session, analytics and preference cookies | Measuring site performance, improving user experience | Art. 5/1 – Explicit consent (opt-in) |
| Request/Contact Form | Message content, subject | Preliminary assessment, technical analysis, responding to the request | Art. 5/2(c) – Pre-contractual steps |
3. Transfer of Personal Data
Your personal data may be shared with the following parties within the framework of Article 8 of the KVKK:
- Authorised public institutions and bodies: the Personal Data Protection Authority, the Information and Communication Technologies Authority, tax authorities, courts and public prosecutors — for the fulfilment of legal obligations.
- Business partners and subcontractors: technical support, cloud infrastructure and software suppliers strictly necessary for the performance of the service — only to the extent required and under confidentiality obligations.
Where data is transferred abroad, such transfers are carried out under Article 9 of the KVKK: (i) to countries declared by the Board to provide an adequate level of protection, (ii) to data controllers that have signed undertakings approved by the Board, or (iii) on the basis of your explicit consent.
4. Retention Periods
Your personal data is destroyed in accordance with Article 7 of the KVKK and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data once the purpose of processing ceases to exist or the maximum period prescribed by the applicable legislation expires. The principal retention periods are:
- Contractual data: 10 years from termination of the contract (general limitation period under Art. 146 of the Turkish Code of Obligations No. 6098)
- Contact form and request records: 3 years from the transaction date
- Traffic log records: 2 years under Law No. 5651
- Accounting and invoice data: 5 years under Art. 253 of the Tax Procedure Law No. 213
- Cookie data: end of session or a maximum of 12 months, depending on the cookie type
5. Method and Legal Ground of Data Collection
Your personal data is collected through website forms, e-mail and telephone channels, contract and proposal processes, automated technical means (server logs, analytics platforms, cookies) and commercial events. Collection is based on the legal processing grounds under Art. 5/2 of the KVKK and — in the case of cookies and commercial electronic messages — on explicit consent under Art. 5/1.
6. Rights of the Data Subject
Under Article 11 of the KVKK you have the following rights in relation to your personal data:
- To learn whether your personal data is processed,
- To request information if it has been processed,
- To learn the purpose of processing and whether the data is used in accordance with that purpose,
- To know the third parties to whom the data is transferred, in Türkiye or abroad,
- To request rectification if the data is incomplete or inaccurate,
- To request erasure or destruction of the data under the conditions set out in Art. 7 of the KVKK,
- To request that the operations carried out under items (e) and (d) be notified to the third parties to whom the data has been transferred,
- To object to a result arising to your detriment from analysis carried out exclusively by automated systems,
- To claim compensation for damage suffered as a result of unlawful processing.
To exercise these rights, you may submit your application — including your name and surname, identity details, contact address and the subject of your request — through any of the following channels:
- E-mail: [email protected]
- KEP: [email protected]
- Post / In person: Orucreis, Tekstilkent Cad., Tekstilkent Plaza D Blok, 34235 Esenler/Istanbul, Türkiye
Applications are answered within 30 days at the latest following identity verification (KVKK Art. 13/2). Requests are handled free of charge as a rule; where the transaction entails an additional cost, the tariff determined by the Personal Data Protection Board applies.
7. Use of Cookies
Our website uses strictly necessary, functionality, analytics and marketing cookies. Cookies other than strictly necessary ones are activated only with your explicit consent. You may change your cookie preferences at any time through your browser settings or our cookie management panel (CerezGo). For details, please see our Cookie Policy.
8. Security Measures
As a cybersecurity company holding the TSE Class A Penetration Testing Certificate (TS 13638/T2, No: TSE-STF-065), Nesil Teknoloji implements the technical and administrative security measures required under Art. 12 of the KVKK at an enterprise level. These measures include encrypted communication (SSL/TLS), role-based access control, periodic penetration testing and vulnerability scanning, employee training, a data breach response plan and ISO 27001-aligned process management.
9. Updates to This Notice
This privacy notice may be revised in line with legislative changes or updates to personal data processing activities. The version in force is published at all times at www.nesilteknoloji.com/en/personal-data-processing-policy/.