Privacy Policy
Last updated: 2026-05-06
Effective date: 2026-05-06
At EZAR.TR ("Company", "we"), the security and privacy of your personal data is our top priority. This policy explains, in compliance with the EU General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK), what data we collect, why we collect it, how we protect it, and what rights you have.
1. Data Controller
The data controller under GDPR/KVKK is:
- Entity: EZAR.TR
- Address: Kocaeli, Turkey
- Email: [email protected]
- Web: https://ezar.tr
2. Personal Data We Collect
2.1. Data You Provide Directly
- Account info: Name, email address, phone number, password (stored hashed)
- Profile info: Profile picture, language preference, contact address
- Order info: Billing address, shipping address, purchased products/services
- Contact form data: Information you provide in your message, company name, budget range
- Support tickets: Tickets you open, messages, attachments
2.2. Data Collected Automatically
- Technical data: IP address, browser type and version, OS, device type, screen resolution
- Usage data: Pages visited, session duration, links clicked, referrer URL
- Cookie data: Session cookies, analytics cookies, preference cookies (see Cookie section)
- Location data: IP-based approximate location (city/country level)
2.3. Data from Third-Party Integrations
- Google Sign-In: Name, email, profile picture, Google ID
- Facebook Login: Name, email (if you grant), profile picture, Facebook user ID
- Payment providers: Card details for PayTR payments are not stored on our systems — only the transaction reference is kept
3. Why We Use Your Data
We process your personal data only for the following legitimate purposes:
- Account management: Registration, authentication, session handling, password reset
- Service delivery: Order processing, invoicing, fulfillment, customer support
- Communication: Service-related email/SMS notifications, order status updates
- Marketing (only with explicit consent): New service announcements, campaigns, newsletter
- Analytics & improvement: Performance measurement, debugging, UX enhancements
- Legal obligations: Tax law, consumer rights, fraud prevention
- Security: Account security, unauthorised-access detection, IP-based controls
4. Legal Basis for Processing
Under GDPR Article 6 / KVKK Article 5/2:
- Performance of contract: Account creation, order processing, service delivery
- Legal obligation: Invoice retention (Tax Procedure Law — 5 years), consumer claims
- Legitimate interest: Site security, fraud prevention, service improvement
- Explicit consent: Marketing communications, optional cookies, third-party integrations
5. Sharing with Third Parties
We share your personal data only in the following limited cases:
- Service providers:
- Cloudflare (CDN, DDoS protection)
- PayTR (payment processing — Turkey-based, BDDK-licensed)
- SMTP email provider (for order notifications)
- Google Analytics (anonymised usage statistics)
- Meta Pixel (only with explicit consent for ad optimisation)
- Legal authorities: Court orders, prosecutor requests, or legal obligations
- Corporate transfer: In case of company sale/merger to the new owner (we will notify you in advance)
We never sell, rent, or share your data with third parties for marketing purposes.
6. Cookies
Our site uses the following cookie categories:
- Strictly necessary: Session management, security, language preference (no consent required)
- Analytics: Google Analytics — page views, visit duration (with consent)
- Marketing: Meta Pixel, Google Ads — retargeting (with consent)
- Preference: Theme, language, user preferences
You can manage cookie preferences via browser settings or the in-site consent panel.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account info | As long as account is active |
| Orders and invoices | 5 years (Tax Procedure Law) |
| Contact form messages | 2 years |
| Support tickets | 3 years |
| Server logs | 90 days |
| Marketing consents | Until consent is withdrawn |
| Anonymised analytics | Indefinite (no person identifiable) |
When an account is deleted, data is removed from systems within 7 days; legally retained records (such as invoices) are anonymised and kept.
8. Your Rights (GDPR Articles 15–22 / KVKK Art. 11)
As a data subject, you have the following rights:
- Right to be informed: Whether your data is being processed
- Right of access: Obtain a copy of processed data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure (right to be forgotten): Request deletion of your data
- Right to restrict processing: Stop specific processing activities
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Opt out of marketing-driven processing
- Right against automated decisions: Not be subject to purely automated decision-making
- Right to lodge a complaint: File a complaint with the Data Protection Authority
To exercise these rights: send a request from a verifiable identity to [email protected], or use the methods on /data-deletion. Your requests are answered within 30 days free of charge.
9. Data Security
Technical and organisational measures in place to protect your data:
- Encryption: All traffic over HTTPS/TLS 1.3, passwords hashed with bcrypt
- Access control: Only authorised personnel access data, on a need-to-know basis
- Regular backups: Encrypted, geographically distributed backups
- System monitoring: 24/7 security logs, anomaly detection
- Attack protection: WAF, DDoS protection, brute-force lockout
- NDAs: All employees sign confidentiality agreements
- Regular audits: At least one security audit per year
In case of a data breach, affected users and authorities are notified within 72 hours.
10. Children's Privacy
Our services are not designed for users under 18. We do not knowingly collect personal data from minors. If you believe your child's data has been collected, please email [email protected] — we will delete it immediately.
11. International Data Transfers
Your data is primarily stored on servers in Turkey. Some service providers (Cloudflare CDN, Google Analytics, Meta) may have infrastructure abroad. These transfers are made under GDPR Standard Contractual Clauses and KVKK Board decisions.
12. Policy Updates
We may update this policy from time to time. For material changes we will notify you via email and update the "Last updated" date at the top of the page. The current version is always available on this page.
13. Contact and Complaints
For privacy questions, complaints, or requests:
- Email: [email protected]
- Form: /contact
- WhatsApp: +90 539 733 6332
For unresolved matters you may contact the Personal Data Protection Authority of Turkey: https://www.kvkk.gov.tr