Unofficial translation. This English text is provided for your convenience only. The Turkish version of this notice (under Law No. 6698 on the Protection of Personal Data, "KVKK") is the sole legally binding document. In case of any discrepancy, the Turkish text prevails.

Personal Data Protection — Disclosure Notice

Last updated: 18 May 2026  ·  Version 1.2

1. Data Controller

As the data controller under Law No. 6698 on the Protection of Personal Data ("KVKK"), the Zekiya Platform ("Platform") aims, through this Disclosure Notice, to inform you about the purposes for which your personal data is processed, to whom and for what purposes it may be transferred, the method of collection and its legal basis, and your rights under the KVKK.

Contact: [email protected]

2. Personal Data Collected

| Data Category | Data Collected |
|---|---|
| Identity Data | First name, last name, username |
| Contact Data | Email address, phone number, WhatsApp number |
| Financial Data | Payment transaction references (card details are processed by Iyzico and not stored by the Platform), subscription information, ad budget movements |
| Technical Data | IP address, session information, browser type, access times |
| Content Data | Site content (bio, product information, images), conversation logs with the AI Assistant, ad copy and visuals |
| Visitor Data | Conversations that visitors of member sites have with the AI Assistant (matched to an anonymous session ID) |

3. Purposes of Processing Personal Data

  • Creating a membership registration on the Platform and managing the account
  • Carrying out subscription and payment transactions
  • Providing the personalized website creation service
  • Providing the AI Assistant service (site setup assistant and visitor assistant)
  • Managing Facebook and Instagram ad campaigns (Pro and Business members)
  • Sending the morning ad suggestion and notifications via WhatsApp
  • Reporting and performance analysis
  • Fulfilling legal obligations (tax legislation, KVKK, etc.)
  • Providing customer support services
  • Ensuring Platform security and preventing fraud
  • Informational and marketing communication about the Platform (where you give consent)

4. Legal Basis for Processing Personal Data

| Purpose of Processing | Legal Basis (KVKK Art. 5) |
|---|---|
| Membership and subscription services | Conclusion and performance of a contract (Art. 5/2-c) |
| Payment transactions | Performance of a contract; legal obligation (Art. 5/2-c, 5/2-ç) |
| Security, log records | Legitimate interest (Art. 5/2-f) |
| Marketing communication | Explicit consent (Art. 5/1) |
| Legal retention obligations | Legal obligation (Art. 5/2-ç) |

5. Third Parties to Whom Personal Data Is Transferred

Within the framework of Articles 8 and 9 of the KVKK, your personal data may be shared with the following third parties:

| Recipient | Data Transferred | Purpose |
|---|---|---|
| Iyzico | Name, email, payment amount | Payment infrastructure (PCI-DSS compliant) |
| AI Service Provider | Message content sent to the AI Assistant | AI response generation; under a Data Processing Agreement |
| Meta (Facebook/Instagram) | Ad account information, campaign data | Ad publishing and performance tracking; under Meta's data processing terms |
| Canva | Product name, brand colors, information for the visual to be created | AI Ad Visual generation; under the Canva API data policy |
| WhatsApp Business API | Phone number, message content | Sending notifications and the morning ad suggestion |
| Natro (Hosting) | All data held on the server | Website hosting and database service |
| Cloudflare (Turnstile) | IP address, browser fingerprint, session risk signals | Bot protection and DDoS prevention — does not set cookies, does not store personal data; processed under the Cloudflare Privacy Pass standard |

When transferring your personal data abroad, the Platform ensures the safeguards set out in Article 9 of the KVKK and/or takes into account the adequacy decisions of the Personal Data Protection Board.

6. Retention Periods for Personal Data

| Data Type | Retention Period |
|---|---|
| Member account information | Throughout active membership + anonymization after the account is deleted (PII is deleted; payment records are kept anonymized for 10 years as required by tax legislation) |
| Payment and invoice records | 10 years (as required by tax legislation) |
| AI conversation logs (site visitors) | 90 days active, then cold storage/deletion |
| WhatsApp message records | At most 30 days |
| Admin action logs (audit log) | 2 years |
| Ad performance data | Starter: 30 days · Business: Unlimited (throughout the subscription) |
| Login attempts and security logs | 90 days |

7. Your Rights as a Data Subject

Pursuant to Article 11 of the KVKK, you have the following rights:

  • To learn whether your personal data is being processed
  • To request information if your personal data has been processed
  • To learn the purpose of processing your personal data and whether it is used in line with that purpose
  • To know the third parties to whom your personal data is transferred domestically or abroad
  • To request correction of your personal data if it has been processed incompletely or incorrectly
  • To request the deletion or destruction of your personal data within the conditions set out in Article 7 of the KVKK
  • To request that correction and deletion operations be notified to third parties to whom the data has been transferred
  • To object where a result against you arises from the analysis of processed data exclusively through automated systems
  • To request compensation for damages if you suffer loss due to the unlawful processing of your personal data

To exercise your rights, you may submit a written application to [email protected] together with documents verifying your identity. Your applications will be answered within 30 days.

7.1. Account Deletion — Direct User Control

You can exercise your right to deletion under Article 7 of the KVKK directly from the panel, without waiting for an email. The flow is as follows:

  1. Starting a request — Panel → My Account → Danger Zone → press the "Delete My Account" button. To confirm, you must type DELETE MY ACCOUNT in the box, enter your current password, and check the box indicating that you accept the deletion terms.
  2. Email confirmation — Once your request is created, a confirmation link valid for 24 hours is sent to your registered email address. No data is deleted until you click the link. This step is to protect your account from unauthorized access.
  3. 7-day waiting period — When you click the link, the deletion is confirmed; however, the actual deletion takes place after 7 days. During this period you can log in to the panel and press the "Cancel My Request" button in the top banner to reverse the process.
  4. When deletion is complete — The automated system (cron) applies the following steps:
    • All identifying data including name, email, phone and password is anonymized (the record is converted to an anonymous form such as deleted-{id}@deleted.local);
    • Your site, products, AI Assistant, uploaded images, galleries and onboarding records are permanently deleted (including files on the server);
    • If you have an active subscription, access continues until the end of the current period but is not renewed; if you have an ad balance, it is forwarded to the admin for a refund;
    • Payment and invoice records are kept anonymously, without personal data, for 10 years as required by tax legislation (Tax Procedure Law Art. 253);
    • Security audit logs (audit_logs) are kept anonymously for 2 years within the framework of the legal retention obligation.
  5. Completion notice — When deletion is finished, a one-time informational email is sent to your email address before it is anonymized.

Note: The 7-day waiting period is not meant to work against the consumer; it allows deletion requests started unintentionally or by malicious third parties to be reversed. If you want deletion within a shorter period, you may apply in writing to [email protected]; your request will be processed manually by an admin.

8. Use of Cookies

The Platform uses mandatory session cookies for session management and security purposes. Platform functionality cannot be provided without these cookies. Should any third-party cookies be used for analytics or advertising, your consent will be obtained separately. For more information, see our Privacy Policy.

Referral Cookie (zk_ref): When you arrive from a friend's invite link, a 30-day HttpOnly + Secure cookie is stored until the registration stage. It is deleted when registration is completed or when the 30 days expire. This cookie is used only to attribute the referring member to the right person; it is not shared with third parties.

8.1. Referral System Data

Our members can invite their friends and earn subscription extensions in return. In this process:

  • The referring member only sees the masked email address of the person they invited (e.g. ay***@g***.com) — the full email is not shared.
  • The invited member's name, phone, package and other personal information are not shown to the referrer.
  • The IP address is kept only for multiple-fake-registration (anti-fraud) checks from the same IP and is not reflected in the panel.
  • If the invited member cancels their subscription within 7 days, the bonus earned by the referrer is reclaimed; this is notified only to the referring member.
  • Referral records are kept for 2 years for accounting and anti-fraud auditing; they are anonymized afterwards.

The referral system is based on the legal grounds of legitimate interest under KVKK Art. 5/2-f and the performance of the customer-acquisition process.

9. Bot Protection and DDoS Prevention

To ensure your account security and to prevent automated attacks (credential stuffing, brute-force, scraping) and service disruption (DDoS) attempts, the Cloudflare Turnstile bot protection service is used on the login, registration and password reset forms.

  • Turnstile performs a risk assessment in the background without showing you a puzzle; for most users only a short verification indicator appears.
  • It does not set cookies, does not build a browser fingerprint profile and does not collect data for tracking; it works according to the Cloudflare Privacy Pass standard.
  • Data processed: IP address, short-lived risk signals and a session token — used only to distinguish bot from human and deleted by Cloudflare shortly after.
  • This processing is based on the legal ground of legitimate interest under KVKK Art. 5/2-f.

For Cloudflare's data processing policy: cloudflare.com/privacypolicy.

© 2026 Zekiya is a CanAI venture. All rights reserved.