Data Controller
Under the KVKK (Turkey's Law No. 6698 on Personal Data Protection, the "KVKK"), the data controller for your personal data is Vakti Geçmeden.
- Name
- Vakti Geçmeden
- Head Office
- İstanbul, Türkiye
- kvkk@vaktigecmeden.com
- Web
- vaktigecmeden.com
Definitions
- Personal Data
- Any information relating to an identified or identifiable natural person.
- Processing
- Any operation performed on data, such as collecting, recording, storing, or transferring it.
- User
- The natural person who uses the Vakti Geçmeden mobile app or website.
- Business
- A cafe, restaurant, bakery, grocery store, or similar legal entity or natural person that sells surprise bags through the app.
- Service
- The Vakti Geçmeden mobile app, website, and all related platforms.
- KVKK
- Turkey's Law No. 6698 on the Protection of Personal Data.
- GDPR
- The European Union General Data Protection Regulation (2016/679).
Personal Data Collected
The following personal data is processed while you use our Service:
Account and Identity Data
- First and last name
- Email address
- Phone number (optional)
- Profile photo (if uploaded)
- In-app user ID
Location Data
- Real-time GPS/network-based location, with your explicit consent, in order to list nearby offers
- Only the manually entered neighborhood/district when location permission is not granted
Important. Location data is used solely to show you offers from nearby businesses; it is not shared with third parties, and your location history is not stored on our servers.
Transaction and Reservation Data
- Reservations made and cancellation records
- Selected business and package information
- Pickup time and QR code verification log
- Reviews and rating scores
Technical and Device Data
- Device model, operating system and version
- App version
- Anonymous device identifier assigned by Firebase
- Crash and error reports
- IP address (for website visits)
Communication Data
- Messages and emails sent to customer support
- Business application form data
Purposes of Processing
Your personal data is processed for the following purposes:
- Account creation, identity verification, and session management
- Listing business offers that are geographically close to you
- Creating and managing reservations and running QR code-based handover processes
- Sending notifications (new offers, package confirmation, pickup reminders)
- App security, fraud detection, and prevention of misuse
- Usage analytics (anonymous) to improve service quality
- Fulfilling legal obligations
- Promotional and campaign notifications, where you have given your explicit consent
Legal Basis (KVKK Arts. 5 and 6)
Your personal data is processed on the following legal bases:
- Performance of a contract: Data required to provide reservations and the service (Art. 5/2-c)
- Legitimate interest: Security, fraud prevention, error monitoring (Art. 5/2-f)
- Explicit consent: Location, marketing notifications, and optional profile data (Art. 5/1)
- Legal obligation: Tax, accounting, and requests from authorized authorities (Art. 5/2-ç)
Sharing with Third Parties
Your personal data is not sold, rented, or shared with third parties for commercial purposes. It is shared with the following service providers only to the extent necessary to operate the Service:
- Google Firebase (Authentication, Firestore, Cloud Messaging, Crashlytics): Authentication, database, notifications, and error monitoring
- Google Maps Platform: Map view and display of nearby business locations
- Google Analytics for Firebase: Anonymous usage analytics
The data processing agreements signed with these service providers ensure that your data is processed to KVKK and GDPR standards.
Your data may be shared with authorized government bodies where legally required (court order, prosecutor's request, etc.).
International Data Transfers
Because of the Google Firebase and Google Maps infrastructure, some of your data may be processed on servers outside Türkiye (primarily in the European Union and the United States). These transfers are carried out under Article 9 of the KVKK and within the scope of the safe-country list of the Personal Data Protection Board.
Google ensures GDPR compliance through the Standard Contractual Clauses (SCC) mechanism and safeguards the lawfulness of these transfers.
Data Retention Periods
- Active Account
- For as long as your account is active; 3 years from your last activity.
- Reservation Records
- 3 years from the last transaction (as required by the Turkish Commercial Code).
- Location Data
- Used in real time; not stored on the server.
- Crash/Error Logs
- 90 days.
- Customer Support Correspondence
- 1 year from the closure of the relevant support request.
- Account Deletion
- All data is permanently deleted within 30 days of the request; records required by law are kept in anonymized form for the legally mandated period.
Cookies and Tracking
Mobile App: Standard HTTP cookies are not used. The Firebase SDK uses an anonymous device identifier and an app installation ID.
Website (vaktigecmeden.com):
- Essential cookies: Session management and language preference (localStorage). No consent required.
- Analytics cookies: Anonymous page-view statistics via Google Analytics. An accept/decline option is provided.
You can disable cookies in your browser settings; however, doing so may affect some features of the Service.
Data Security
The following technical and administrative measures are taken to protect your personal data:
- All data communication is secured with TLS 1.2+ encryption
- Industry-standard authentication via Firebase Authentication
- Role-based access control through Firestore security rules
- Employee access to personal data is limited on a "need-to-know" basis
- Regular security audits and vulnerability scans
- In the event of a potential data breach, the KVKK authority and affected users are notified within 72 hours.
No digital system is 100% secure. For the security of your account, we recommend using a strong password and never sharing it with anyone.
Your Rights Under the KVKK (Article 11)
You have the following rights regarding your personal data:
- To learn whether your personal data is being processed
- To request information if it has been processed
- To learn the purpose of processing and whether the data is used in accordance with that purpose
- To know the third parties to whom the data is transferred, domestically or abroad
- To request the correction of incomplete or inaccurately processed data
- To request the deletion or destruction of the data under the conditions set out in Article 7 of the KVKK
- To request that correction, deletion, or destruction operations be notified to third parties
- To object to a result against you arising from the analysis of the data
- To request compensation for any damages incurred
You can submit your requests to kvkk@vaktigecmeden.com or via registered email. Requests are answered within 30 days at the latest.
Children's Privacy
Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from such persons. When we become aware that data belonging to a user under the age of 18 has been collected, that data is deleted immediately.
If, as a parent or guardian, you believe your child has created an account, please write to us at kvkk@vaktigecmeden.com.
Changes to This Policy
This policy may be updated from time to time. When significant changes are made, users are notified by in-app notification and/or email. You can always access the current policy at vaktigecmeden.com/gizlilik.
Continuing to use the app after the changes take effect means you accept the updated policy.
Contact and Requests
For any questions, requests, or KVKK applications regarding your privacy and this policy, get in touch with us. Your requests are answered within 30 days at the latest.
- KVKK Requests
- kvkk@vaktigecmeden.com
- General Support
- destek@vaktigecmeden.com
- Head Office
- İstanbul, Türkiye