Privacy Policy

1. Identity of the Data Controller

The legal entity acting as data controller under Law No. 6698 on the Protection of Personal Data (KVKK) and the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679) is as follows:

2. Personal Data We Collect

cerez.io When providing its services, we process the following data categories within the framework of the principles set out in KVKK Article 4, namely "compliance with the law and the rules of good faith" and "being relevant, limited and proportionate to the purpose":

3. Purposes of Data Processing

Your personal data is processed for the following specific, explicit and legitimate purposes:

1. Service provision: Account creation, subscription management, SDK service provision, technical support.
2. Contractual obligations: Performance of the subscription, billing, issuing invoices (Tax Procedure Law No. 213).
3. Legal obligations: KVKK Article 12 (data security), Tax Procedure Law Article 253 (record retention), Turkish Commercial Code Article 82 (retention of commercial documents).
4. Customer relations: Informational e-mails, product updates, support request tracking.
5. Security: Detection of unauthorized access, fraud prevention, DDoS protection (Cloudflare).
6. Analytics: Service improvement, usage statistics (aggregated/anonymous).
7. Marketing (with explicit consent): Sending newsletters, product announcements, targeted advertising.

4. Legal Bases

Under KVKK Article 5/2 and GDPR Article 6/1, our data processing activities are based on the following legal bases:

5. Retention Periods

Pursuant to KVKK Article 7 and GDPR Article 5/1-e, your data is retained for as long as required by the purpose of processing. At the end of the period, it is deleted, destroyed or anonymized.

6. Data Transfer (Domestic and International)

As part of our service infrastructure, your data is hosted within the borders of Turkey, in a domestic data center. This means that no additional mechanism is required for the international transfer requirements set out in KVKK Article 9.

Domestic Transfer:

• Domestic hosting provider (server, backup)
• Financial advisors and audit firms established in Turkey (invoice retention)
• Courts and official authorities in the event of a legal dispute
• Banks and payment institutions (collection)

International Transfer (KVKK Article 9):

Since customer personal data is processed within the borders of Turkey, as a rule no international data transfer is carried out. For a limited number of support services (CDN, e-mail service provider, etc.), third-party providers may be used in general terms; their up-to-date list is published in the Sub-processor table on our DPA page is published. Should an international transfer become necessary, a letter of undertaking providing adequate protection or a standard contract mechanism is applied under KVKK Article 9/2.

7. Third-Party Processors (Sub-processors)

As part of our service provision, a limited number of support services (CDN and e-mail service providers) are used together with the domestic hosting provider. The up-to-date list of third-party providers is maintained in the contractual annex list; for the detailed sub-processor table, see our DPA page see.

Payment integration is not yet active; the billing and collection of your subscriptions is carried out manually (invoice + bank transfer/EFT).

8. Rights of the Data Subject (KVKK Article 11 / GDPR Article 15-22)

You have the following rights regarding your personal data:

1. Right to Request Information: Learning whether your data is being processed.
2. Right of Access: If processed, requesting information on which data is processed and how.
3. Information on Purpose: Learning the purpose of processing and whether the data is used in accordance with it.
4. Information on Transfer: Knowing the third parties to whom the data is transferred domestically or internationally.
5. Right to Rectification: Requesting the correction of incompletely or incorrectly processed data.
6. Right to Erasure/Destruction: Requesting erasure when the conditions set out in KVKK Article 7 are met ("Right to be Forgotten").
7. Notification to Third Parties: Requesting that rectification/erasure operations also be notified to the third parties to whom the data was transferred.
8. Right to Object: Objecting to a result arising against you as a consequence of analysis carried out through automated systems.
9. Right to Compensation: Claiming compensation if you have suffered damage due to unlawful processing.
10. Data Portability (GDPR-only): Requesting that your data be provided to you in a structured, machine-readable format or transmitted to another data controller.

To exercise these rights, you may use one of the following methods:

• E-mail: destek@cerez.io (with identity verification)
• Mail: Altıeylül, Balıkesir / Türkiye (with notary certification)
• KEP: [cerez.io to be completed by]

Requests are concluded within 30 days at the latest (KVKK Article 13/2). It is free of charge; however, if the operation incurs an additional cost, the fee in the tariff determined by the KVK Board may be charged.

9. Cookies

For detailed information about the cookies used on our site and the consent mechanism, please see our separate Cookie Policy . This policy covers cookie categories, third-party providers and browser-level control methods.

10. Contact and Applications

To exercise your data subject rights or to ask a question about the privacy policy:

The KVKK Application Form will be provided at the contract stage. KVKK Disclosure Statement

If you believe that your applications have not been evaluated in accordance with the provisions of KVKK, you have the right to lodge a complaint with the Personal Data Protection Board: kvkk.gov.tr

For your questions: destek@cerez.io  ·  This page was last updated on 31 May 2026.