Legal

KVKK Notice

How personal data is collected, processed, retained, and which rights you can exercise.

Son güncelleme / Last updated: March 02, 2026

01.Data Controller

ℹ

This Privacy Notice has been prepared in accordance with Turkish Law No. 6698 on the Protection of Personal Data ("KVKK / PDPL") by the data controller. It explains how your personal data is collected, processed, and protected.

02.Categories of Personal Data Processed

The data controller pursuant to Article 10 of KVKK: EPOLE GLOBAL YAZILIM VE DANIŞMANLIK — Tax Office: Konak, Tax ID: 6131033762 — Çınarlı Mh. 1572 Sk. No:33, Konak / İzmir, Turkey — destek@paftalk.com.tr — +90 232 332 21 83.

03.Purposes of Processing Personal Data

The following personal data categories are processed within the scope of the Application:

Identity data: First name, last name

Contact data: Email address, phone number

Professional data: Office/company name, area of expertise, portfolio information

Customer (CRM) data: Customer name, phone, notes, budget, and follow-up dates

Transaction data: Appointment, income, expense, and note records

Visual data: Profile photo (optional, with user consent)

Technical data: Device type, OS version, application usage logs, IP address, app version

Voice data: Voice command recordings — used only for real-time processing; not permanently stored

Financial data: Income, expense items, and commission information (no bank/card numbers are processed)

04.Legal Basis for Processing

Service delivery: Operating all application functions without interruption

Account management: Authentication, OTP processing, and session management

Subscription and billing management: Payment tracking and subscription status monitoring

AI services: Processing voice/text commands and generating content through the PAF assistant

Customer support: Handling user support requests and resolving errors

Security and fraud prevention: Detecting unauthorized access and malicious use

Product development: Improving application performance and user experience

Legal compliance: Fulfilling legal obligations and ensuring regulatory compliance

Notifications: Appointment reminders and important application notifications

05.Recipients of Personal Data

Your personal data is processed under the following legal bases pursuant to Article 5 of KVKK:

Explicit consent (Art. 5/1): Profile photo upload and marketing notifications

Performance of contract (Art. 5/2-c): All data required for account creation and service delivery

Legal obligation (Art. 5/2-ç): Tax, accounting, and regulatory records

Legitimate interest (Art. 5/2-f): Security, service quality, and fraud prevention

Establishment, exercise, or defence of legal claims (Art. 5/2-e): Preservation of evidence in legal disputes

06.Data Retention Periods

Your personal data may be shared with the following recipient groups only to the extent necessary for service delivery:

Supabase Inc. (USA) — Database, authentication, and file storage infrastructure; acting as data processor

Google LLC (USA) — Gemini AI API; only during the processing of voice commands and text generation

RevenueCat Inc. (USA) — Subscription management and purchase verification service

Authorized public authorities — Only when legally required or upon official request

ℹ

Cross-border transfers are carried out in accordance with Article 9 of KVKK and Personal Data Protection Board decisions, with the adequacy determination for the relevant country or Standard Contractual Clauses (SCC) as a safeguard.

07.Rights of the Data Subject (KVKK Article 11)

Account and profile data: For the duration the account is active + 3 years after account deletion

Financial records: 10 years pursuant to Turkish Commercial Code and Tax Procedure Law

Appointment, CRM, and note records: For the duration the account is active + 1 year

Technical access and error logs: 6 months

Voice data: Deleted immediately upon processing completion; never permanently stored on any server

Subscription records: 5 years after subscription expiry

08.How to Submit a Request

As a data subject under Article 11 of KVKK, you have the following rights:

To learn whether your personal data is being processed

To request information about your processed data

To learn the purpose of processing and whether it is used in accordance with its purpose

To learn the third parties to whom data is transferred domestically or abroad

To request correction of incomplete or inaccurate data

To request deletion or destruction within the conditions set out in KVKK Article 7

To request notification of correction and deletion to third parties

To object to data analysis performed solely through automated systems

To claim compensation for damages incurred due to unlawful processing

09.Data Protection Contact Point

You may exercise your KVKK rights through any of the following channels:

Email: destek@paftalk.com.tr (subject: "KVKK / Data Subject Request")

Post: EPOLE GLOBAL YAZILIM VE DANIŞMANLIK, Çınarlı Mh. 1572 Sk. No:33, Konak / İzmir, Turkey

In-app: Profile → Support & Feedback

Requests will be responded to within 30 (thirty) days after identity verification. You always retain the right to file a complaint with the Personal Data Protection Authority (www.kvkk.gov.tr).

10.Automated Decision-Making

For questions regarding our personal data processing activities, you may reach our data protection contact point at: destek@paftalk.com.tr · Including "Data Protection" in the subject line will expedite the response process.

11.Data Breach Notification

The Application may analyze your usage data to provide suggestions (e.g., customers to follow up, goal achievement analysis). These analyses are performed by the PAF artificial intelligence and do not produce legally binding consequences. You may object to this automated analysis at any time under KVKK Article 11/g.

12.Children's Data

In the event of a security breach threatening your personal data, the Company will notify the Personal Data Protection Board within 72 (seventy-two) hours of becoming aware of the breach, in accordance with Article 12 of KVKK. Breaches that may affect data subjects will also be communicated to Users as soon as possible via in-app notification and/or email.

13.Withdrawal of Consent

Paftalk is designed solely for individuals aged 18 and over. Personal data belonging to persons under the age of 18 is not knowingly collected or processed. If such data is found to have inadvertently entered our systems, it will be promptly deleted.

14.Cross-Border Transfer Safeguards

You may withdraw your consent for data processing activities based on explicit consent at any time. To withdraw consent, simply write to destek@paftalk.com.tr. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

15.Updates to This Notice

Supabase Inc.: EU-US Data Privacy Framework and Standard Contractual Clauses (SCC) are in place as transfer safeguards.

Google LLC (Gemini AI): Processed under Google's GDPR-compliant Data Processing Addendum (DPA) and SCC.

RevenueCat Inc.: Transfer is made under the company's privacy policy and SCC.

This Privacy Notice may be revised from time to time in response to changes in legislation or updates to data processing activities. Significant changes will be announced via in-app notification. The current version is always accessible on this screen within the Application.