İçeriğe atla
Start free
LAW NO. 6698

KVKK Disclosure Statement

Disclosure made by the data controller under Article 10 of Law No. 6698 on the Protection of Personal Data.

Last update 31 Mayıs 2026
Effective date 1 Haziran 2026
Basis KVKK Madde 10
This translation is for informational purposes only. The Turkish version of this document is the legally binding one.

This disclosure statement has been prepared by cerez.io ("Company" or "cerez.io"), in its capacity as data controller, within the scope of Article 10 of Law No. 6698 on the Protection of Personal Data ("Law" or "KVKK") and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation.

Table of contents

1. Identity of the Data Controller

The legal entity holding the capacity of data controller pursuant to KVKK Article 3/1-ı of Law No. 6698:

Trade Namecerez.io
Trademarkcerez.io (cerez.io)
AddressAltıeylül, Balıkesir / Turkey
MERSIS Number[cerez.io to be completed by]
Trade Registry No[cerez.io to be completed by], Balıkesir Trade Registry Directorate
Tax Office / NoKurtdereli V.D. / 1400185229
VERBİS Registry No[cerez.io to be completed by] (The data controller's VERBİS registration process is ongoing)
KEP Address[cerez.io to be completed by]
Contact Person[Data Protection Officer, to be appointed]
Contactdestek@cerez.io · +90 540 059 40 40 (WhatsApp)

2. Categories of Personal Data Processed

The categories and scope of personal data processed by our company are shown in the table below:

Data Category Scope
IdentityFirst name, last name, username, Turkish ID number (in Enterprise agreements)
ContactE-mail address, phone number, postal address
Customer TransactionOrder information, subscription plan, invoice information, request and complaint record
FinancialBank account information (in the case of bank transfer/EFT), invoice records
Legal TransactionContract records, KEP correspondence, legal notice/response documents
Transaction SecurityIP address, log records, cookie records, user session information, password hash information
MarketingNewsletter subscription, cookie preferences, campaign interaction data
Visual/AudioSupport call recordings (only with explicit consent), profile photo
Professional ExperienceCV, education information, references in career applications
Important: Our company does not process special categories of personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect, dress, association-foundation-union membership, health, sexual life, criminal conviction, biometric and genetic data) under KVKK Article 6.

3. Purposes of Processing Personal Data

Within the framework of the general principles set out in Article 4 of the Law and the processing conditions specified in Articles 5 and 6, your personal data is processed for the following purposes:

  1. Conduct of contract processes (membership, subscription, SaaS service provision)
  2. Conduct of activities in compliance with legislation (in particular KVKK Article 12, VUK Article 253, TTK Article 82)
  3. Conduct of finance and accounting affairs (billing, payment collection)
  4. Conduct of customer relationship management processes (support, request, complaint)
  5. Conduct of information security processes (detection of unauthorized access, log records)
  6. Conduct of communication activities (information, e-mail sending)
  7. Follow-up and conduct of legal affairs (disputes, court proceedings)
  8. Follow-up of requests and complaints (support requests)
  9. Conduct and supervision of business activities
  10. Provision of information to authorized persons, institutions and organizations (judiciary, public prosecutor's office, BTK, KVKK Board, etc.)
  11. Conduct of marketing analysis work (with explicit consent)
  12. Conduct of advertising, campaign, promotion processes (with explicit consent)
  13. Conduct of employee candidate selection and placement processes (career applications)

4. Legal Basis for Processing Personal Data

Your personal data is processed based on the following legal bases within the scope of Article 5 of the Law:

Article Legal Basis Application
5/2-aBeing expressly provided for in the lawsVUK, TTK, KVKK compliance requirements
5/2-cEstablishment or performance of the contractMembership, subscription, service provision
5/2-çLegal obligation of the data controllerTax legislation, retention of commercial books
5/2-eEstablishment, exercise or protection of rightsLegal dispute, debt collection
5/2-fLegitimate interest (provided that fundamental rights and freedoms are not harmed)Information security, fraud prevention, system logs
5/1Explicit consent of the data subjectMarketing e-mails, marketing cookies, voice recording

5. Parties to Whom Personal Data Is Transferred and Purpose of Transfer

Your personal data is transferred to the following parties within the conditions set out in Articles 8 and 9 of the Law:

Recipient Group Purpose of Transfer Location
Business partners and suppliersSupport required for service provision (e-mail delivery, CDN, payment)Domestic + EU + USA (with SCC)
Legally authorized public authoritiesAs required by the provisions of relevant legislation (KVKK Board, BTK, courts, public prosecutor)Domestic
Financial advisor / Independent audit firmsTax and financial advisory servicesDomestic
Banks and payment institutionsPayment collection, EFT/wire transfer transactionsDomestic
Cloud infrastructure provider (AWS)Data hosting, backupEU, Frankfurt (eu-central-1)
CDN and security provider (Cloudflare)Content distribution, DDoS protectionGlobal (US HQ), DPF certified
E-mail service provider (SendGrid)Transactional e-mail deliveryEU + USA, DPF certified
Payment processor (Stripe, coming soon)Credit card payment processingEU, Ireland
Legal counselLegal advice and follow-upDomestic

Cross-border transfers are carried out within the scope of KVKK Article 9/2 by means of Standard Contractual Clauses (SCC) and/or safeguard mechanisms approved by the Data Protection Board. For the detailed sub-processor list, see our DPA page see.

6. Method of Collecting Personal Data

Your personal data is collected by our Company through the following methods, by automated and partly automated means:

  • Automated methods: Cookies during website visits, IP address, log records, API usage logs, automated form submission.
  • Partly automated methods: Membership form, contact form, demo request, support request, invitation acceptance process, cookie preference banner, contract signing.
  • Physical medium: Notifications received via KEP, contracts or applications delivered by post, telephone calls (with explicit consent in the event of recording).

7. Rights of the Data Subject (KVKK Article 11)

Pursuant to Article 11 of the Law, in your capacity as data subject (relevant person) you have the following rights:

  1. To learn whether your personal data is processed
  2. To request information regarding this if your personal data has been processed
  3. To learn the purpose of processing your personal data and whether they are used in accordance with their purpose
  4. To know the third parties to whom your personal data is transferred domestically or abroad
  5. To request the correction of your personal data in the event that it has been processed incompletely or incorrectly
  6. To request the erasure or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the Law
  7. To request that the operations carried out pursuant to subparagraphs (5) and (6) be notified to the third parties to whom the personal data has been transferred
  8. To object to the emergence of a result against you arising from the analysis of the processed data exclusively by means of automated systems
  9. To claim compensation for the damage in the event that you suffer damage due to the unlawful processing of your personal data

8. Application Procedure

To exercise the rights set out in Article 7, you may submit an application using one of the following channels pursuant to the "Communiqué on the Procedures and Principles of Application to the Data Controller":

Application Method Address / Information
In-Person Application (written)Altıeylül, Balıkesir / Türkiye, identity verification is performed
Via NotaryNotification to the above address via notary
KEP (Registered Electronic Mail) [cerez.io to be completed by]
Secure Electronic Signaturedestek@cerez.io (pursuant to Law No. 5070)
E-mail Registered in the SystemFrom your e-mail address registered in the Company systems destek@cerez.io

Your application must contain the following information:

  • Name, surname and, if the application is written, signature
  • T.C. identity number (for citizens of the Republic of Türkiye), or, if you are a foreign national, passport/nationality
  • Residence or workplace address forming the basis for notification
  • E-mail, telephone and fax number for notification, if any
  • Subject of the request

Applications are concluded within 30 (thirty) days at the latest. The process is free of charge; however, in the event that the process additionally entails a cost, the fee in the tariff determined by the Board may be charged.

The Privacy Notice and the Data Subject Application Form (PDF) will be provided at the contract stage.
Right to Complaint: In the event that the application submitted to our Company is not answered or the answer provided is deemed insufficient, you have the right to lodge a complaint with the Personal Data Protection Board pursuant to KVKK Article 14: www.kvkk.gov.tr

Our relevant policies: Privacy Policy · Cookie Policy · Data Processing Agreement (DPA)

For your questions: destek@cerez.io  ·  This page was last updated on 31 May 2026.


⚡ YASAL ZORUNLULUK 2025/10 Cumhurbaşkanlığı Genelgesi: Kamu, belediye, banka, üniversite, hastane, okullar için 21 Haziran 2026'ya WCAG 2.2 A zorunlu · Ceza: 5.000–25.000 TL/tespit
Detay →