Privacy and Personal Data Protection Policy

At Eforpass, we place great importance on the privacy and security of our users' and visitors' personal data. This Privacy and Personal Data Protection Policy ("Policy") explains how we, as the Data Controller, collect, process, share, and protect your personal data in accordance with the Personal Data Protection Law No. 6698 ("PDPL").

While providing our services, we may collect the following categories of personal data from you:

- Identity Information: Name, surname, date of birth. (National ID Number is only requested in cases of legal obligations, such as Law No. 5549, or the necessity to issue an e-invoice/e-archive invoice.)

- Contact Information: Email address, phone number, mailing address.

- Financial Information: Billing information, payment method details (your credit card information is processed securely by our payment service provider and is not stored by us).

- Customer Transaction Information: Account details (username, encrypted password), order history, request and complaint information.

- Marketing Information: Cookie records, marketing and communication preferences.

- Technical Data: IP address, location information, device and browser information, website and application usage data.

We process your personal data for the following purposes based on the legal grounds specified in Articles 5 and 6 of the PDPL:

- Necessary for the establishment or performance of a contract (PDPL Article 5/2-c): To provide our services, create and manage your account, process your orders, handle payments, and provide customer support.

- Necessary for compliance with a legal obligation to which the data controller is subject (PDPL Article 5/2-ç): To fulfill financial and tax obligations (issuing invoices), and to respond to legal requests.

- Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (PDPL Article 5/2-f): To improve our services, ensure security, prevent fraud, and analyze and enhance the user experience.

- Based on your explicit consent (PDPL Article 5/1): To conduct personalized marketing and advertising activities, send commercial electronic messages, and use cookies that require explicit consent.

We may share your personal data with third parties in Turkey and/or abroad for the purposes stated above and in accordance with Articles 8 and 9 of the PDPL:

- Service Providers: Our business partners who provide services in areas such as payment systems, cloud computing (hosting), shipping, email delivery, and customer relationship management (CRM).

- Authorized Public Institutions and Organizations: In case of a legal obligation, in response to court orders or legal requests.

- Business Partners: For joint marketing activities, subject to your explicit consent.

If your data is transferred abroad, this transfer will be carried out either by obtaining your explicit consent or on the condition that the destination country has been declared to have "adequate protection" by the Personal Data Protection Board, or that adequate protection has been committed to.

Your personal data will be retained for the period necessary for the purpose for which it was processed and/or for the retention periods stipulated in the relevant legal legislation (e.g., 5 years under tax laws, 10 years under the Turkish Commercial Code). Upon the expiration of the period or the disappearance of the processing purpose, your personal data will be deleted, destroyed, or anonymized in accordance with the PDPL.

Pursuant to Article 11 of the PDPL, you have the following rights regarding your personal data:

- To learn whether your personal data is processed,

- To request information if it has been processed,

- To learn the purpose of processing and whether it is used in line with its purpose,

- To know the third parties to whom it is transferred, in Turkey or abroad,

- To request correction if it is incomplete or incorrectly processed,

- To request its deletion or destruction within the framework of the conditions stipulated in Article 7 of the PDPL,

- To request notification of the correction, deletion, or destruction operations to third parties to whom the data has been transferred,

- To object to the emergence of a result against you by analyzing the processed data exclusively through automated systems,

- To request compensation for the damage in case of loss due to unlawful processing of data.

To exercise these rights, you may submit your request in writing or by other methods specified in the Communiqué on Application Procedures and Principles to the Data Controller to our address stated above or via email to [email protected]. Your application will be concluded free of charge as soon as possible and within thirty (30) days at the latest.