Privacy Notice
1. Data Controller
The data controller providing PratikYedek services:
- Trade name: Berhan Tecer (sole proprietorship → corporation transition before Phase 4)
- KVKK contact: kvkk@pratikyedek.com
- General contact: destek@pratikyedek.com
- Web: https://pratikyedek.com
- VERBİS registration: Will be completed before Phase 4 (launch)
2. What personal data is processed?
A. Identity and contact data
- Name, surname, email, mobile phone
- Accounting firm name (CPA tier)
- Tax ID (VKN) / National ID (TCKN) — CPA + Enterprise tier only
- Address (for billing)
B. Account security data
- Password bcrypt hash (plaintext NEVER stored)
- 2FA TOTP secret (encrypted-at-rest)
- SMS OTP codes (bcrypt hash, 5-minute TTL)
- Session info (cookie + JWT)
C. Backup file content
- Files you upload are end-to-end client-side encrypted (AES-256-GCM)
- Encryption key stays on your device; PratikYedek never sees plaintext
- Only encrypted binary blobs are stored in object storage
D. Usage and audit log data
- IP address, User-Agent (30 days)
- Session start/end time
- Backup/restore time, file size (NOT content; metadata only)
- Account changes (audit_log; KVKK § 12 — 7 years)
E. Mobile-specific data (Android)
- Device ID — for per-device session management and push token rotation
- FCM push token — shared with Google for notification delivery (optional; push can be disabled in Settings)
- App version + Android API level — for compatibility diagnostics
3. Purposes of processing
| Purpose | Legal basis (KVKK § 5) |
|---|---|
| Account creation and user management | Performance of contract — § 5/2-c |
| Cloud backup service provision | Performance of contract — § 5/2-c |
| Billing and subscription management | Performance of contract — § 5/2-c |
| Legal accounting record retention (TTK Art. 82 / VUK — 10 years) | Legal obligation — § 5/2-a |
| Error monitoring (GlitchTip self-hosted, Türkiye VDS) | Legitimate interest — § 5/2-f |
| Push notifications (job complete, alert) | Explicit consent — § 5/1 (opt-in) |
4. Data transfers
A. Domestic sub-processors (Türkiye)
| Sub-processor | Service | Data transferred | Location |
|---|---|---|---|
| GlitchTip self-hosted | Error monitoring | Anonymized error metadata | VDS Türkiye |
| Foriba | e-Archive invoice (GİB) | Invoice data (statutory) | Türkiye |
| PaynKolay | POS / payment | Card masked (PCI-DSS); never stored | Türkiye |
| SMS providers (Kobikom, NetGSM, Turkcell, TT Mesaj, Vodafone) | OTP delivery | GSM + OTP code | Türkiye |
| Cloudflare TR Edge | CDN, DDoS | IP + request metadata | Türkiye edge nodes |
B. International sub-processors (KVKK § 9 — explicit consent)
| Sub-processor | Service | Data transferred | Location |
|---|---|---|---|
| Google (FCM) | Android push notifications | FCM token + notification payload (no PII) | Global |
| Google (BYOS Drive — user choice) | Individual user backup to own Drive | Encrypted binary blob | Multi-region |
| Microsoft (BYOS OneDrive — user choice) | Individual user backup to own OneDrive | Encrypted binary blob | EU |
BYOS is forbidden in the CPA tier — your data stays within Türkiye.
C. What is NEVER transferred
- Plaintext backup file content (end-to-end encryption)
- Marketing to third parties — never
- AI training data — never
5. How is your data protected?
- End-to-end encryption: client-side AES-256-GCM; encryption key only on your device
- Encryption-at-rest: LUKS dm-crypt (server disk level)
- Encryption-in-transit: TLS 1.2+ (modern cipher suite)
- Access control: Row-Level Security (RLS) PostgreSQL; tenant isolation
- Audit log: All sensitive operations retained 7 years (KVKK § 12)
- WAL+PITR: 5-minute granularity point-in-time recovery (Postgres 16; pg_receivewal active)
- Penetration test: Annual (first one before Phase 4; independent third party)
- VERBİS registration: Completed before Phase 4
6. Retention periods
| Data category | Period | Reason |
|---|---|---|
| Account info | For the lifetime of the account + 30-day cooldown | KVKK § 7 deletion request cooldown |
| Audit log | 7 years | KVKK § 12 + audit access |
| Financial records (billing, taxpayer) | 10 years | TTK Art. 82 + VUK |
| Error logs (GlitchTip) | 90 days | Self-hosted retention policy |
| IP address (request log) | 30 days | KVKK proportionality |
| SMS delivery logs | 1 year | BTK regulation |
| Test kullanıcı geri bildirimi | Anonymized 1 year after test user phase ends | Test user retrospective analysis |
7. KVKK § 11 — Your rights
You may submit requests via kvkk@pratikyedek.com or the Data Subject Request Form:
- Learn whether your personal data is processed
- Request information about the processing
- Learn the purpose of processing and whether the data is used accordingly
- Learn the third parties (domestic/international) to whom data is transferred
- Request correction of incomplete or inaccurate data
- Under KVKK § 7, request erasure or destruction
- Request that correction/erasure operations be reported to third parties
- Object to results derived solely from automated analysis that are unfavourable to you
- Claim compensation for damages
Response time: 30 days (KVKK § 13/2)
Deletion process: A 30-day cooldown starts when the request is received (KVKK § 7); at the end of the cooldown, actual deletion occurs along with an Ed25519-signed deletion certificate (PDF). Records subject to statutory retention (TTK Art. 82 + VUK 10 years) are not deleted but moved to a separate encrypted archive.
8. Children's privacy
PratikYedek does not provide services to users under 18. If an under-18 registration is detected, the account is deleted immediately and the parent is contacted.
9. Updates to this Privacy Notice
This notice may be updated due to legal or service changes. A notification is sent to your registered email 30 days before the update takes effect.
10. Cookie policy
For details, see the Cookie Policy page.