1 Data Controller
The data controller as defined under KVKK is:
Address: Fethiye, Turkey
Platform: surfinginfethiye.duckdns.org
2 Personal Data Collected
The following categories of personal data are collected through the platform:
| Category | Data Collected | Collection Method |
|---|---|---|
| Identity & Contact | Username, email address | Registration form (explicit consent) |
| Account Security | Hashed password, email verification token, account creation date | Automatic (system) |
| Payment | Payment transaction reference number, subscription type, billing date | Payment provider integration |
| Technical & Usage | IP address, browser type, operating system, pages visited, session duration | Automatic (server logs, cookies) |
| Analytics | Page views, click behaviour, usage statistics | Cookies / analytics tool |
3 Purposes and Legal Bases
Your personal data is processed for the following purposes under the legal bases provided by KVKK:
| Purpose | Legal Basis (KVKK Art. 5) |
|---|---|
| Account creation and management | Performance of contract (Art. 5/2-c) |
| Email verification and security notifications | Performance of contract (Art. 5/2-c) |
| Processing subscription payments | Performance of contract (Art. 5/2-c) |
| Compliance with legal obligations (tax, accounting) | Legal obligation (Art. 5/2-ç) |
| Platform security and abuse detection | Legitimate interest (Art. 5/2-f) |
| Improving service quality (anonymised statistics) | Legitimate interest (Art. 5/2-f) |
| Usage analysis via analytics cookies | Explicit consent (Art. 5/1) |
4 Data Retention Periods
Personal data is retained until the processing purpose lapses or the following maximum periods expire:
- Account data (username, email): 1 year after account closure
- Payment records and invoices: 10 years (Turkish Tax Procedure Law No. 213)
- Server access logs (IP, date): 1 year (Law No. 5651)
- Analytics data: Anonymised and retained for a maximum of 26 months
- Email verification tokens: 48 hours (upon use or expiry)
Upon expiry, data is securely deleted, destroyed, or anonymised.
5 Sharing with Third Parties
Your personal data is not shared, sold, or rented to third parties except in the following necessary circumstances:
- Payment provider: Minimum required data (email, transaction reference) is transferred for subscription processing. The provider is subject to its own privacy policy.
- Hosting / server provider: The provider managing the physical infrastructure may access data in the scope of technical services.
- Legal obligation: Data may be disclosed to competent public authorities upon a court order, prosecutor's request, or statutory obligation.
No international data transfers are made at this time. Should an analytics tool requiring cross-border transfer be introduced, users will be separately notified.
6 Cookies and Analytics
The platform uses the following types of cookies:
| Cookie Type | Purpose | Required? |
|---|---|---|
| Session cookie | Stores login state and language preference | Yes — technical necessity |
| Analytics cookie | Page views and usage statistics | No — consent required |
Analytics cookies are activated on the basis of your explicit consent via the cookie consent notice displayed on your first visit. You may disable cookies at any time through your browser settings, though this may affect certain platform features.
7 Payment Data Security
The platform processes payments through a PCI-DSS compliant payment provider.
- Sensitive payment details such as card numbers, expiry dates, and CVV codes are never transmitted to or stored on our servers.
- The payment form operates on the payment provider's secure infrastructure.
- Only the transaction reference number and subscription status are retained on our platform.
8 Data Security
The following technical and administrative measures are in place to protect your personal data:
- All data transmission is protected by HTTPS/TLS encryption.
- Passwords are stored exclusively as one-way hashes (bcrypt); plaintext passwords are never retained.
- Database access is restricted to authorised personnel; access logs are maintained.
- Regular security updates are applied to the platform infrastructure.
- Time-limited, single-use tokens are used for email verification and password reset flows.
In the event of a confirmed data breach, affected users will be notified within the timeframe required by KVKK, and the Personal Data Protection Authority (KVKK) will be informed accordingly.
9 Your Rights
Under Article 11 of KVKK, you have the following rights regarding your personal data:
To exercise your rights, please send a request to ismailcandursun@gmail.com with sufficient information to verify your identity. Requests will be responded to within 30 days as required by KVKK Article 13. If your request is rejected, you may lodge a complaint with the Personal Data Protection Authority at kvkk.gov.tr.
10 Policy Changes
This Privacy Policy may be updated from time to time. Material changes will be communicated to your registered email address at least 7 days before taking effect and announced on the platform homepage. The current version is always available on this page.
11 Contact and Requests
For exercising your rights or any privacy-related enquiries:
Email: ismailcandursun@gmail.com
Address: Fethiye, Turkey
Web: surfinginfethiye.duckdns.org
Personal Data Protection Authority (KVKK) Web: kvkk.gov.tr
Address: Nasuh Akar Mah., Ziyabey Cad. No:18, 06520 Balgat/Ankara, Turkey