Privacy Notice (KVKK Disclosure)

1. Data Controller

Your personal data is processed by the data controller, natural person Bilgekaan Yılmaz (hereinafter "Neyersin"), within the scope described below.

2. Categories of Personal Data Processed

Neyersin processes the following categories of personal data:

• Identity & Contact: first name, last name, email, phone number, business name
• Account Data: username, password hash (argon2id), role (owner/manager/staff), session ID (JWT)
• Business Data: restaurant name, address, branch details, menu content, product images, opening hours
• Payment Data: subscription tier, billing information. A payment provider is not yet active; once activated, this notice will be updated and the provider explicitly identified. Credit card information is never stored on Neyersin servers under any circumstance.
• Usage & Statistics: QR scan events (device type, language, referral source), menu view counts, anonymous session ID
• Technical Data: IP address, browser user-agent, error logs

3. Purposes of Processing

The above data is processed for the following purposes:

1. Providing the Neyersin service (account creation, QR menu hosting, statistics reporting)
2. Subscription and invoice management
3. Service quality improvement, defect detection and resolution
4. Fulfillment of legal obligations (Tax Procedure Law, Turkish Commercial Code, KVKK)
5. Security, abuse prevention, fraud detection
6. With your explicit consent: marketing and informational communication (product updates, campaigns)

4. Transfer of Personal Data

Neyersin does not transfer your personal data abroad. All data is stored on Turkey-based infrastructure (DT Cloud — Türk Telekom; application servers in Istanbul, backups in Ankara data center).

Only the following limited transfers may occur:

• Hosting and backup provider DT Cloud (Türk Telekom — Turkey): required for server operation and backup
• Payment service provider: not yet active; once activated, the provider name will be explicitly stated in this notice, and transfers will be limited strictly to payment processing
• Authorized public authorities: upon legally compelled request (court order, prosecutor's request)

We do not sell or transfer your data to advertising networks, data brokers, or third parties for marketing purposes.

5. Method of Collection and Legal Basis

Your personal data is collected via the following channels:

• Website registration form (/dashboard/register)
• Business information entered via the account management dashboard
• Technical data automatically collected from QR menu scan events
• Information submitted via email and contact forms

The legal bases for processing under KVKK Article 5 are:

• Conclusion or performance of a contract (Art. 5/2-c): data required to provide the service
• Legal obligation (Art. 5/2-ç): invoices, tax records
• Legitimate interest (Art. 5/2-f): security, abuse prevention, anonymous statistics
• Explicit consent (Art. 5/1): marketing communication and optional cookies

6. Retention Period

• Account data: for the duration of the active account; after deletion, up to 2 years (system recovery + legal compliance)
• Invoice and payment records: 10 years (Tax Procedure Law)
• QR scan statistics: 24 months (after which they are anonymized or deleted)
• Server logs: 90 days
• Marketing consent: until consent is withdrawn

7. Data Security

Neyersin implements the following technical and administrative measures:

• Encryption: TLS 1.3 mandatory in transit; encryption at rest on server disk
• Password storage: hashed with argon2id; plaintext passwords are never stored
• Role-based access control (RBAC): owner / manager / staff levels
• Rate limiting & account lockout: temporary lockout after 5 failed attempts
• Audit logs: critical operations (payment, tenant settings) are logged
• Infrastructure: TR-hosted, KVKK-compliant data center, regular backups

8. Rights of the Data Subject (KVKK Article 11)

As a data subject, you have the following rights under KVKK Art. 11:

1. To learn whether your personal data is being processed
2. To request information if it has been processed
3. To learn the purpose of processing and whether the data is used in accordance with that purpose
4. To know the third parties to whom the data has been transferred, domestically or abroad
5. To request correction if the data has been processed incompletely or incorrectly
6. To request deletion or destruction within the framework of the conditions set out in the KVKK and related legislation
7. To request that correction, deletion, or destruction operations be notified to third parties to whom the data has been transferred
8. To object to a result that arises against you due to the analysis of processed data solely by automated systems
9. To claim compensation for damages incurred due to unlawful processing
10. To withdraw explicit consent at any time
11. To request data portability in a structured, machine-readable format

9. How to Submit a Request

To exercise your rights under KVKK Art. 11, you can reach us through the following channels:

• Email: info@neyersin.tr (with identity verification information)
• Post: wet-signed petition to the address above

Requests are answered free of charge within 30 days at the latest (if the operation requires additional cost, a fee may be charged based on the tariff set by the Board).

If your request is rejected, our response is deemed insufficient, or no response is received within the time limit, you have the right to file a complaint with the Turkish Personal Data Protection Board.

10. Changes

This Privacy Notice may be updated due to changes in legislation or services. The current version is always published on this page; for significant changes, notification is sent to your registered email address.