Data Policy

(Personal Data Protection and Processing Policy – Compliance with KVKK and Relevant Laws)

This Data Policy is intended to inform you about how Tuncay Beşikçi (“we” or “the Data Controller”) collects, processes, and protects personal data in accordance with the Turkish Law on the Protection of Personal Data No. 6698 (known as KVKK) and other applicable data protection regulations.

We are committed to processing personal data lawfully, fairly, and transparently. Herein, we outline what personal data we collect through the tuncaybesikci.com Website and in the course of our services, the purposes and legal bases for processing, how and with whom data may be shared, how long it is retained, and the rights of data subjects (you, the individuals whose data we hold).

Data Controller Identity: Pursuant to KVKK Article 10, we disclose that the Data Controller is Tuncay Beşikçi, the owner and operator of tuncaybesikci.com. You may contact the Data Controller via email at [email protected] for any inquiries about your personal data or to exercise your rights.

By using our services or communicating with us, you acknowledge that you have been informed of the following details as required under KVKK and, where applicable, the EU General Data Protection Regulation (GDPR).

  1. Personal Data Collected

Depending on your interaction with us, we may collect various categories of personal data. The types of data we process include:

  • Identity and Contact Information: This includes any personally identifiable information you provide, such as your name, surname, email address, telephone number, and similar contact details. For instance, when you fill out the contact form on our Website or send us an email, you typically provide your name and contact information so we can respond. If you attach documents or case files for review, any personal data contained in those documents (e.g., names of involved parties, case details) would also be collected as part of your submission.
  • Communication Content: Any information contained in your communications with us, whether via the website contact form, email, phone, or other means. This can include the text of your inquiries, descriptions of the services you are seeking, and any other details you choose to share. For example, if you describe a legal case for which you need forensic analysis, that description may include personal data (like names, dates, incidents).
  • Technical and Usage Data: As you interact with our Website, we collect certain technical data automatically. This includes data such as your IP address, browser type/version, device type, operating system, date and time of site visits, and pages viewed (clickstream data). We also collect data through cookies (see our Cookie Policy) which can include a unique identifier, preferences, and behavior on our site (e.g., which pages you visited, for how long). This technical information is generally not used to identify you directly, and we treat it as personal data only when it is linked to other identifying information or where local law defines it as such (e.g., IP addresses under GDPR).
  • Professional or Case Information (if applicable): In the context of providing forensic consulting or expert witness services, we might process data related to the case or project. For example, this could include case numbers, court documents, digital evidence files, or investigative materials that you provide to us for analysis. These materials may contain personal data related to third parties (such as names of subjects, email logs, phone records, etc.). When we process such data, we do so solely for the purposes of the service you engage us for, and we protect it under strict confidentiality.
  • Other Data: Any other personal data you voluntarily provide during the course of our interaction or as part of service delivery. For instance, if during a consultation you provide a copy of your ID or a contract containing personal info, that would fall under this category. We minimize collection of such information and only request what is necessary.

We do not actively collect sensitive personal data (known in KVKK as “special categories of personal data”) unless it is directly relevant to a case and you provide it (for example, data about health or criminal convictions might appear in a forensic investigation context). We handle any sensitive information with a higher degree of security and confidentiality and in accordance with KVKK provisions (Articles 6) that require explicit consent or other legal grounds for processing such data.

  1. Purposes of Processing Personal Data

We process personal data for specific, clear, and legitimate purposes. The main purposes for which Tuncay Beşikçi processes personal data include:

  • Providing Consulting and Forensic Services: We process identity, contact, and case-related data to assess and carry out the services you request from us. For example, if you approach us for a digital forensic analysis or expert opinion in a legal case, we will use the information and evidence you provide (including any personal data contained therein) to perform the necessary analysis, prepare reports, and deliver our professional findings. This may involve examining digital data for clues, evaluating facts, and writing an expert report. Without processing the provided personal data, we would not be able to render the service you expect.
  • Communication: Personal data (like your contact info and communication content) is used to communicate with you effectively. We may process these details to respond to inquiries, schedule meetings, send service proposals or contracts, provide updates on your project, and address any questions or issues that arise. This ensures we maintain a professional relationship and keep you informed.
  • Improving Service Quality: We may use certain data to improve our services and business operations. For instance, we might review how clients find our website or which types of inquiries are most common in order to enhance our informational materials or service offerings. We might also process feedback you provide to improve our consulting approach. All such processing is done in a way that respects your privacy (often using aggregated or anonymized data when possible).
  • Website Functionality and User Experience: Technical and usage data collected through our website is processed to ensure the site functions properly, to diagnose and fix technical issues, and to analyze traffic and usage patterns on our site. This helps us maintain a secure and user-friendly website. For example, understanding that many users visit a particular blog post can signal us to update that content more frequently. Additionally, ensuring that errors or broken links are fixed improves overall user experience.
  • Security and Fraud Prevention: We process personal data as needed to protect our website, our business, and our clients. IP addresses and other network identifiers may be logged and analyzed to detect suspicious activities (such as multiple failed login attempts or unusual request patterns that might indicate a bot or attack). If you send us files for forensic analysis, we may run them in secure, isolated environments to ensure they do not contain malware. Personal data may thus be processed in logs and security tools for the purpose of preventing unauthorized access, cyber-attacks, fraud, or other misuse of our services.
  • Legal Obligations and Compliance: We process personal data to the extent necessary to comply with our legal obligations under Turkish law and other applicable laws. This includes obligations such as maintaining records for a certain period, responding to lawful requests from authorities, or ensuring compliance with court orders. For instance, KVKK and related regulations might require that we retain certain transaction data for a minimum time, or that we respond to a data subject access request within a set timeframe. We also may process data to comply with obligations under anti-money laundering laws or professional standards if relevant.
  • Establishment, Exercise, or Defense of Legal Claims: In the event of any dispute, litigation, or legal claim, we may need to process and retain personal data relevant to the issue at hand. For example, if there is a dispute over our service outcome or a legal case where Tuncay Beşikçi is involved, relevant communications and files (containing personal data) would be processed to defend our interests or pursue legal remedies. Similarly, if we are serving as expert witnesses in a court case, we process case-related data as part of our professional obligation in legal proceedings.
  • Administration and Business Operations: We may process personal data in the ordinary course of running our business. This includes maintaining client databases, accounting and invoicing (your name or company might be on invoices or financial records), internal audits, insurance, or business analytics. Such processing is done with confidentiality and limited to what is necessary for administration.

We ensure that personal data is processed in a manner compatible with these purposes and not further processed in a way that is incompatible. If we ever need to process your personal data for a new purpose not stated here, we will inform you of that new purpose and, if required, seek your consent or ensure we have a lawful basis for it.

  1. Legal Basis for Processing Personal Data

We process your personal data in compliance with the conditions set forth in KVKK (Article 5 and 6) and, where applicable, the GDPR. Depending on the context, one or more of the following legal bases may apply:

  • Explicit Consent (KVKK Art. 5/1): In situations where no other legal ground is available for processing non-sensitive personal data, we will seek your explicit consent. For example, if we wanted to feature your testimonial or case summary on our website, we would only do so with your explicit consent. Similarly, for processing special categories of personal data (sensitive data like health or biometric information), your explicit consent is typically required unless another specific condition applies (KVKK Art. 6). If we have obtained your consent, you have the right to withdraw it at any time (withdrawal will not affect processing already occurred).
  • Performance of a Contract (KVKK Art. 5/2-c): If you are our client (or in the process of becoming one), processing of your personal data may be necessary to form or fulfill our contract with you. This includes steps taken at your request before entering a contract. For instance, to provide a forensic analysis report, we must process the data you supply; similarly, to pay for our services, we might process your name and billing details. These processing activities are lawful as they directly relate to delivering the service or product you have requested.
  • Legal Obligation (KVKK Art. 5/2-ç): We will process personal data if it is necessary for us to comply with a legal obligation. For example, Turkish laws may require us to keep certain business records for a set period (such as invoices with client names for tax regulations). If authorities lawfully request information (like within an investigation or for national security), we may be obliged to provide it. We only do so to the extent that the law compels us.
  • Legitimate Interests (KVKK Art. 5/2-f): We may process personal data when it is necessary for our legitimate interests, provided that such processing does not infringe on your fundamental rights and freedoms. We rely on this basis for purposes like improving our services, securing our website, and running our business efficiently. For instance, analyzing site usage to enhance user experience or processing client data for internal analytics would fall under legitimate interests. When using this basis, we carefully consider and balance our interests against your privacy rights, and we will not process data on this ground if our interests are overridden by the impact on you.
  • Establishment, Exercise, or Protection of a Right (KVKK Art. 5/2-e): KVKK allows processing if it is necessary for the establishment, exercise, or protection of a legal right. This means if we need to process personal data in order to defend ourselves in legal proceedings or to enforce our rights (for example, using correspondence as evidence in a legal case), such processing is lawful. Likewise, if you need us to process data for your legal claims (say, you are our client and we analyze evidence to support your case), that is covered.
  • Explicitly Provided by Law (KVKK Art. 5/2-a) & Public Order: In cases where Turkish law explicitly requires or permits the processing of certain personal data, we will comply. Also, if processing is necessary for important public interests or public order (though it’s unlikely in our context), it may be allowed under the law. This is more applicable to public institutions, but we note it for completeness.

For special categories of personal data (sensitive data like biometric, health, etc.), our general practice is to avoid processing such unless absolutely necessary. If we must process, we do so under the conditions of KVKK Art. 6 (e.g., with explicit consent, or if clearly allowed by law for specific circumstances like processing health data by a health professional under confidentiality obligations).

If you have questions about the legal basis for a particular processing activity, please contact us and we will provide clarification. In some cases, the same data may be processed under multiple bases (e.g., your contact info is used to perform our contract with you and also retained to comply with a legal obligation).

  1. Methods of Collecting Personal Data

We collect personal data through various methods, including:

  • Directly from You: Most of the personal data we process is directly provided by you. You may give us your information by filling in forms on our Website (such as the contact form), by corresponding with us via email or phone, through in-person meetings, or by sending documents and files to us. For example, when you seek our services, you might hand over digital evidence or case files for analysis – that data collection is initiated by you.
  • Through Our Website and Technology: As you interact with our Website, certain data is collected automatically via cookies, server logs, and similar technologies. For instance, our web server automatically logs IP addresses and page requests; Google Analytics (if used) collects data about your device and browsing actions. These methods involve automated data capture as explained in our Cookie Policy and technical notes.
  • Third Parties or Public Sources: In some cases, we might obtain personal data from third-party sources. For example, if you are involved in a case and we are hired by an attorney or an organization, they might provide us with personal data about you or other individuals related to the case. Another instance could be consulting publicly available databases or social media in the course of an investigation (though any such gathering of data will be done lawfully and ethically). If we verify credentials or backgrounds, we might use public records or professional directories. We do not typically buy or trade data from data brokers. Any third-party data source we use is carefully vetted to ensure compliance with privacy laws.

We process personal data both manually and via automated systems. Manual processing includes human review of case files, writing reports, etc. Automated processing includes running forensic software on digital data, using security tools to scan for malware, or filtering emails for spam.

We store data in both digital formats (on secure servers, cloud services with appropriate safeguards, and local encrypted storage devices when needed) and sometimes in physical form (printed documents or handwritten notes, kept in secure cabinets). We take measures to ensure data is kept secure regardless of form.

  1. Personal Data Sharing and Transfer

We may need to share your personal data with certain parties in line with the purposes described above and as permitted by law. Categories of recipients include:

  • Authorized Personnel of Tuncay Beşikçi: Your data will be accessed only by the Data Controller himself (Tuncay Beşikçi) and, if any, a limited number of authorized personnel or consultants who have a need to know the information for the purpose of providing services. All such individuals are bound by confidentiality obligations. For instance, if we engage an associate or an intern to assist with case preparation, they would have access to relevant data under strict supervision and a duty of confidentiality.
  • Service Providers (Data Processors): We use trusted third-party service providers to support our operations, and in doing so, these providers may process personal data on our behalf. Examples include:
    • IT and Hosting Providers: Companies that host our Website or email servers, cloud storage services where we backup data, or IT support companies. They might technically have access to stored data, but they are not allowed to use it except as needed to provide the service (e.g., a cloud storage provider stores data but does not actively view its contents).
    • Professional Advisors: We may share data with attorneys, auditors, or insurers when necessary (for example, if we seek legal advice, the lawyer may need to see certain communications or data; or if required for audit and compliance checks). Such sharing will be done under confidentiality and only as needed.
    • Analytics and Security Services: As noted, we might use Google Analytics for site metrics – while we don’t send them personal info like names, they do process IP addresses and site usage data (Google is a data processor in this context, and we have a data processing agreement with them as per their terms). Similarly, we might use security scanning services or cloud-based forensic tools that process data under our instructions.

All our service providers are carefully selected and we ensure they are bound by contracts that require them to process personal data in accordance with applicable data protection laws, solely for our stated purposes, and to implement adequate security measures.

  • Law Enforcement and Government Authorities: If we are served with a legally binding request or obligation (such as a court order, subpoena, or a request under an investigation by law enforcement or regulatory authority), we may have to disclose certain personal data to such authorities. We will verify the legitimacy of each request and only provide the minimum data necessary. Additionally, if disclosure is necessary to report unlawful activity (for example, evidence of a crime discovered during analysis, and reporting is required by law), we will comply with the law.
  • Judicial and Legal Proceedings: In the context of legal proceedings (courts, arbitration, etc.), if Tuncay Beşikçi is acting as an expert witness or if a dispute arises related to our services, relevant personal data might be presented as evidence to courts, opposing counsel, or mediators as appropriate. For example, if we produce an expert report containing personal data of case parties, that report will be shared with the court and parties to the case as per legal procedure.
  • Business Transfers: If in the future Tuncay Beşikçi’s consulting practice is merged with or acquired by another entity, or if there is a transfer of Website operations, user data (which may include personal data) could be among the assets transferred to the new owner. The new owner would then become the Data Controller for that information. In such a case, we would ensure that the data continues to be used only in accordance with this policy (unless you are notified of changes and given a chance to consent or opt-out). If such a transfer is relevant, we will notify users as required by law.
  • Third Parties with Consent: Other than the above, we will not share your personal data with third parties unless we have obtained your explicit consent to do so. For instance, if you wish us to collaborate with another expert or service provider of your choosing, and that requires sharing information, we would only do so with your approval.

International Transfers: Some of the recipients or service providers mentioned above may be located in countries other than Turkey. For example, if we use a cloud service whose servers are in the European Union or the United States, or if we email you while you are abroad, personal data may cross borders. Turkey’s KVKK requires that for transferring personal data abroad, certain conditions must be met (adequate protection in the recipient country or other safeguards, KVKK Articles 9). Similarly, if GDPR applies to the data, we must ensure lawful cross-border transfer mechanisms. We will ensure that any international transfer of personal data is done in compliance with applicable laws – for instance, by using countries deemed to have adequate data protection by the Turkish Personal Data Protection Board or the European Commission, or by implementing standard contractual clauses or obtaining necessary permissions. By dealing with us and providing data, you understand that data may be transferred internationally as needed, and we will take steps to protect it.

We do not engage in any transfer of personal data for marketing or advertising purposes to any third parties.

  1. Data Security Measures

We have implemented appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These security measures include, but are not limited to:

  • Encryption: Sensitive data (especially when stored electronically or transmitted) is encrypted. For example, our website uses HTTPS encryption for data in transit, and files we store may be encrypted at rest using industry-standard encryption algorithms.
  • Access Control: Personal data is stored in secure environments. Access to personal data is restricted to the Data Controller and any authorized personnel on a need-to-know basis. Accounts and systems are protected with strong passwords and, where possible, two-factor authentication. Physical access to devices or documents containing personal data is also controlled (e.g., locked cabinets for paper files, secure office premises).
  • Antivirus and Network Security: We maintain updated antivirus and anti-malware protection on our systems. Firewalls and intrusion detection systems may be in place to guard our network. We avoid using public or unsecured networks when accessing personal data remotely, or we use secure VPNs when necessary.
  • Regular Updates and Patching: We keep our software, applications, and devices updated with the latest security patches to reduce vulnerabilities.
  • Confidentiality Agreements: Any staff, consultants, or service providers who might handle personal data are subject to confidentiality obligations either through employment agreements or specific non-disclosure agreements. They are trained on data protection principles relevant to their work.
  • Data Minimization: We collect and retain only the personal data that is necessary for our purposes, which inherently reduces the risk exposure. If data is no longer needed, we ensure it is securely deleted (using methods like secure erasure for digital files and shredding for paper).
  • Backup and Recovery: We maintain secure backups of critical data to prevent loss from accidental deletion or technical failure. These backups are encrypted and stored safely. In case of any data incidents, we have procedures to restore availability and access to data in a timely manner.
  • Monitoring and Testing: We may periodically test and evaluate the effectiveness of our security measures. Any suspicious activity or potential breaches are investigated promptly.

Despite all these precautions, it’s important to note that no system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the relevant authorities (such as the Turkish Personal Data Protection Authority) without undue delay as required by law. We have an incident response plan in place to handle such situations, aiming to mitigate any harm and prevent future occurrences.

As a data subject, you also play a role in protecting your data. We encourage you to use discretion when sending information over the internet (e.g., use our secure contact form or encrypted email if you need to send highly sensitive info, rather than an open channel). If you suspect any unauthorized access to your personal data in context of our services, please inform us immediately.

  1. Data Subject Rights

Under KVKK (Article 11) and other applicable data protection laws (such as GDPR for EU residents), you – as the data subject – have several rights regarding your personal data that we hold. We are committed to facilitating the exercise of these rights. Specifically, you have the right to:

  1. Learn whether your personal data is being processed by us. (In other words, you can ask us to confirm if we have any personal data about you in our files or systems.)
  2. Request information about the processing if your data has been processed. This means you can ask for details on what data we have, for what purposes we process it, and whether it has been transferred to third parties (and who those parties are, especially if they are in Turkey or abroad).
  3. Learn the purpose of the processing and whether your personal data is used in accordance with the declared purpose. Essentially, we should inform you why we processed data and ensure it’s consistent with the reasons initially communicated to you.
  4. Know the third parties to whom your personal data has been transferred, within Turkey or abroad. We should provide you with information on which categories of recipients (or specific entities, if required) have received your data.
  5. Request correction of your personal data if it is inaccurate or incomplete. If you discover or believe that any personal data we hold about you is wrong, outdated, or misleading, you have the right to ask us to fix it. For instance, if your name is misspelled in our records or your contact number has changed, we will update it upon your request.
  6. Request deletion or destruction of your personal data under certain conditions. If the personal data is no longer needed for the purposes collected, or if you withdraw consent (where consent was basis) and no other legal ground for processing exists, or if you believe we have processed it unlawfully, you can ask us to delete it. We will evaluate this request in line with legal requirements; if, for example, we are mandated by law to keep the data or if it’s needed for legal claims, we might not immediately delete it, but otherwise we will honor valid deletion requests. KVKK also references the “right to be forgotten” principles where applicable.
  7. Request notification of correction or deletion to third parties to whom the data was transferred. If we have corrected, deleted, or destroyed your personal data upon your request, you have the right to ask us to notify the third parties (to whom we had transferred that data) about this change, so that they can also update or delete the data in their systems. We will do so unless it is impossible or involves disproportionate effort.
  8. Object to certain processing: Under GDPR (if applicable) and similarly under KVKK’s spirit, you may object to processing of your personal data based on legitimate interests or to processing that results in an unfavorable outcome for you through automated means. For example, if we were using an algorithm to analyze data that significantly affects you, you could contest the result. In our context, we do not typically make automated decisions about individuals, but you have the right to object to profiling or automated processing if it occurs.
  9. Request compensation for damages if you suffer harm due to unlawful processing of your personal data. KVKK explicitly grants individuals the right to seek compensation through legal channels if a data controller processes data in violation of the law and this causes damage. This means if through some mishandling of your data on our part you incur a loss, you can pursue legal remedy for that damage. Of course, our goal is to ensure compliance and avoid any unlawful processing, thereby preventing harm.

To exercise any of these rights, you should contact us through the channels provided in the Contact section of this policy. Under Turkish law, particularly KVKK, you may need to submit your request in writing or through other methods allowed by the Personal Data Protection Board (such as designated electronic means like registered email or the government portal if applicable).

When you contact us, please clearly state which rights you wish to exercise and provide information to verify your identity (we need to ensure we’re granting data access or making changes for the correct person). For example, we might ask for a valid identification or confirmation via a known email/phone on record.

Response Time: We will respond to your request as soon as possible and within 30 days at the latest from receipt of your application (which is the standard timeframe under KVKK). If your request is complex or if you have multiple requests, we are allowed to extend this period (up to an additional 30 days under KVKK, or up to total 3 months under GDPR in exceptional cases), but we would inform you of any extension and the reasons for it.

Fees: As per KVKK, initial requests are generally free of charge. However, if your request requires incurring additional costs (for example, if you need multiple copies of records or the processing of the request is particularly burdensome), we may charge a reasonable fee based on the tariff set by the Personal Data Protection Board. We will let you know in advance if any fee applies (currently, simple requests are usually processed without charge).

Rejection: We may reject requests that are unfounded or excessive (for example, repetitive requests). If we decline your request (either fully or partially), we will provide a clear explanation for the refusal. For instance, if you request deletion of data that we are legally required to keep, we will explain that conflict.

Complaint: If you are not satisfied with our response or believe your rights have been infringed, under KVKK you have the right to lodge a complaint with the Personal Data Protection Authority (KVKK Kurumu) within 30 days of our response (or 60 days from the date of your request, if we did not respond). Under GDPR, you have the right to lodge a complaint with a supervisory authority in the EU (particularly in the member state of your residence or where the issue occurred). We encourage you to first reach out to us so we can try to resolve the issue directly.

Your rights regarding your personal data are very important to us. We uphold these rights and facilitate their exercise in good faith, and we will never discriminate against you for exercising them.

  1. Data Retention and Destruction Policy

We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected (as outlined in this policy) and to comply with legal or regulatory requirements. The retention period can vary depending on the category of data and the context:

  • Contact and Inquiry Data: If you contacted us but did not become a client or engage our services further, we may keep your communications for a reasonable period (e.g., up to 1-2 years) in case you reach out again or for our own reference to improve service. After that period, we will delete or anonymize the personal data in those communications, unless there is a valid reason to retain (like a legal dispute or explicit consent to keep for longer).
  • Client Data and Case Files: For clients who have engaged our services, we will retain relevant personal data and case materials for the duration of the service provision and thereafter for a period required by law or recommended by professional practice. In Turkey, legal prescription periods and professional liability considerations often lead to keeping records for a number of years (commonly 10 years for contractual documents, which aligns with the general statute of limitations for contract claims). We may keep case files, reports, and related communications typically for 10 years after the completion of the service, unless a longer period is mandated or justified (for instance, if a lawsuit or investigation is ongoing, we’d keep data until that is resolved, even if it exceeds 10 years). This retention helps us address any follow-up questions, defend our work if challenged, or provide continuity if you return for additional services. After that retention period, case files and personal data therein are securely destroyed, unless further retention is required (or consented to) for specific reasons.
  • Legal Compliance: We retain data to meet various legal obligations:
    • Accounting and financial records (which may include client names and payment details on invoices, receipts, etc.) are kept for 10 years as required by tax law and regulations.
    • Documentation related to KVKK compliance (like records of consent, data processing activities) may be kept as long as relevant to demonstrate compliance, which could be several years.
    • If we processed sensitive data based on explicit consent, KVKK might require that we keep the consent proof for as long as the processing continues plus a certain time after (to defend against any future claims).
  • Web Analytics Data: Analytics and log data are generally retained for shorter periods in identifiable form. For example, raw web server logs might be kept for a few months to a year, and then either deleted or stored only in aggregate form. Google Analytics data retention is set to 14 months (or a similar reasonable period) and is automatically deleted thereafter (we have configured it as such, unless we change the setting, in which case we’ll update this policy accordingly).
  • Security Logs: Security-related logs (such as access logs, intrusion detection logs) are typically retained for a short period (a few months) unless they capture an event of significance (e.g., a security incident) in which case relevant logs may be retained until the issue is resolved plus any necessary period for legal compliance or evidence.

When the retention period for a record expires, or if you validly request deletion and we have no other basis to keep the data, we will ensure the data is securely destroyed or anonymized. Destruction methods:

  • Physical documents containing personal data will be shredded or incinerated through secure document destruction services.
  • Electronic data will be deleted in such a way that it cannot be practicably recovered. This might involve secure deletion software, cryptographic erasure for encrypted data, or physical destruction of storage media if appropriate.
  • If data is stored in backups, we will allow those backups to expire or cycle out and be overwritten; we do not typically restore backups just to delete specific data, but our backup retention is time-limited.
  • For data we anonymize, we remove or irreversibly scramble personal identifiers so that the data can no longer be linked to an individual. Once anonymized, such data is no longer considered personal data and may be kept for analytics or statistical purposes indefinitely without further notice.

We maintain a Personal Data Retention and Destruction Policy internally, as required by Turkish regulations, which outlines specific timeframes and destruction techniques for each category of personal data we handle. You have the right to inquire about how and when your specific data will be deleted as well.

  1. International Data Transfers

As mentioned under Data Sharing, we may transfer personal data to countries other than Turkey, including countries in the European Union or the United States, for example, due to using cloud service providers or communicating with clients/institutions abroad. Turkey’s data protection law (KVKK) and, if applicable, GDPR place restrictions on such international data transfers.

When transferring personal data abroad, we will ensure at least one of the following is in place:

  • The destination country is one that Turkey’s Personal Data Protection Board has declared to have sufficient protection (at the time of this policy, such a list exists in principle but is limited; in practice, we often rely on contractual safeguards).
  • We (as Data Controller in Turkey) and the data recipient abroad sign a data transfer agreement that includes the standard clauses approved by the Turkish Authority, and we obtain necessary permission from the Authority for the transfer. This effectively acts like the Standard Contractual Clauses under GDPR, committing the foreign recipient to protect the data per Turkish standards.
  • If we transfer data to a controller or processor in the EEA or other regions, we may rely on Standard Contractual Clauses (SCCs) recognized under GDPR to ensure an adequate level of protection, along with any additional measures (like encryption in transit and at rest, minimizing data, etc.).
  • In specific cases, we might rely on your explicit consent for the transfer, especially if none of the above safeguards are present and the transfer is necessary (KVKK allows transfers with explicit consent as a fallback). For example, if you, as a client, specifically want us to work with a foreign partner and send data there, we would obtain your explicit consent acknowledging the potential risks.

Additionally, under GDPR (if applicable), we ensure compliance with Chapter V of GDPR for any data leaving the EEA: using adequacy decisions, SCCs, or other valid transfer mechanisms.

By using our Website or engaging our services and providing us with personal data, you understand that your data might be processed in countries outside of your own. However, rest assured that we will always handle your information in accordance with this policy and take necessary steps to protect it regardless of where it is processed.

If you have questions about international transfers or want more information about cross-border safeguards (for instance, to see a copy of relevant contract clauses), you can contact us.

  1. Changes to This Data Policy

We may update or revise this Data Policy from time to time to reflect changes in our data processing practices, legal requirements, or for any other reason. When we make changes, we will:

  • Update the “last updated” date at the top of the policy to let you know a change has occurred.
  • If the changes are significant, we may also provide a more prominent notice, such as an announcement on our Website or directly notifying clients via email.

We encourage you to review this Data Policy periodically to stay informed about how we are protecting the personal data we collect.

If we make a change that requires your consent (for example, if a new purpose for processing arises that originally required consent), we will obtain that consent as needed.

Continuing to use our Website or services after a policy change constitutes acceptance of the revised Data Policy, insofar as the changes concern processing activities.

  1. Contact and Application Methods

If you wish to exercise any of your rights mentioned in Section 7, or if you have any questions or concerns regarding this Data Policy or our data processing practices, you can reach out to us through the following:

  • Email: [email protected] (Preferred method for data requests – please include “Personal Data Inquiry” or “KVKK Application” in the subject line to expedite handling)
  • Postal Mail: Tuncay Beşikçi, Istanbul, Turkey. (For a physical application under KVKK, please send a signed letter to our postal address – contact us via email to obtain the current mailing address and any specific instructions. In your letter, please include your identification details and clearly state your request.)
  • Registered Electronic Mail (KEP): If you have a KEP account (which is a form of verified email in Turkey), you may send us a KEP message. (Our KEP address, if available, would be provided upon request or on our website contact page.)

We may need to verify your identity for certain requests, especially those involving access to data or deletion, to ensure that we do not disclose or erase data at the behest of an unauthorized person. Typically, if you email us from the address we have on file, and the nature of the request is not highly sensitive, that may suffice. For more sensitive requests, we might ask for a scanned ID or a secure identification method.

We will respond to your inquiries and applications as quickly as possible, and always within the timeframe required by law. All communication will be carried out in a transparent and clear manner. If, for any reason, you feel that your request has not been handled adequately, please let us know, and we will do our best to address the issue.

Last Updated: January 13, 2026.

This Data Policy is issued in both English and Turkish. In case of any inconsistencies or interpretation differences between language versions, we will strive to clarify the intent, but for legal purposes with Turkish individuals, the Turkish version (Kişisel Veri Politikası) will typically be considered authoritative in accordance with Turkish law, while the English version serves as a translation for convenience and for our international clients.

By reading this Data Policy, you confirm that you have been informed about how your personal data is processed by Tuncay Beşikçi. We thank you for your trust and assure you that your personal data is handled with care and respect for your privacy.