Privacy Policy

1. Data Controller

The following legal entities act as data controllers within the scope of this Privacy Policy. For data-processing activities carried out within the Republic of Türkiye, the controller under Law No. 6698 on the Protection of Personal Data (“KVKK”) is Partnerfy Bilgi Teknolojileri ve Pazarlama Sanayi Ticaret Ltd. Şti., with registered address at Orta Mah. Kavaklar Cad. No:15 Ofisada Plaza D:104, Adapazarı, Sakarya.

For data subjects domiciled in the European Union, the controller under the EU General Data Protection Regulation (“GDPR”) is Partnerfy Informations- und Marketingtechnologien GmbH, with registered address at Emmy-Noether-Str. 10, 76131 Karlsruhe, Germany.

Personal data protection processes for both entities are managed centrally. The Data Protection Officer (DPO) can be reached at [email protected]. For general client communication you may write to [email protected], for technical support to [email protected], for operations matters to [email protected], or call us at +90 850 259 30 04.

2. Data We Collect

Depending on the services you request and the interactions you have with the Platform, Partnerfy may process the following categories of personal data:

• Identity data: first name, surname, title, role, name of your employer.
• Contact data: e-mail address, phone number, postal address, social-media handle, corporate contact point.
• Technical data: IP address, device type, operating system, browser version, screen resolution, session duration, pages visited, referring URL, language preference, cookie identifiers.
• Behavioural data: page views, click order, form submission events, content interactions, anonymised heat-map data.
• Commercial data: requested service type, project scope, indicative budget, timing expectations, sector and country.
• Customer transaction data: proposal numbers, order records, invoice data, payment method, bank account reference (only while an active customer relationship exists).
• Marketing preferences: newsletter subscription status, consent records, e-mail open and click events.

As a rule we do not process sensitive (special-category) personal data; such data is processed only with your explicit consent or where a statutory exemption applies.

3. How We Collect

Your personal data may be collected directly from you or by automated means from various sources, including:

• Contact, demo-request, quote-request, career application and newsletter subscription forms on the Platform;
• Phone calls to our contact centre (you will be informed if the call is recorded);
• E-mails sent to [email protected], [email protected], [email protected] and [email protected];
• Cookies, pixels, logs and similar tracking technologies used on the website;
• Analytics and advertising tools such as Google Analytics, Google Ads, Meta Pixel and LinkedIn Insights;
• Service agreements, non-disclosure agreements, purchase orders and invoicing workflows;
• Business-development data obtained from public sources (LinkedIn, trade registry, your company website);
• Information transmitted by partners or suppliers through referrals or introductions.

4. Purposes and Legal Basis

Your personal data is processed for the following purposes, on the basis of the legal grounds set out in Article 5 of the KVKK and Article 6(1) of the GDPR:

• Performance of a contract (KVKK 5/2-c, GDPR 6(1)(b)): preparing proposals, entering into contracts, delivering projects, invoicing and fulfilment processes.
• Compliance with a legal obligation (KVKK 5/2-a, GDPR 6(1)(c)): obligations under tax law, commercial law, e-commerce regulations and personal-data protection legislation.
• Legitimate interest (KVKK 5/2-f, GDPR 6(1)(f)): managing customer relationships, preventing fraud, ensuring network and information security, handling requests and complaints, and improving service quality.
• Explicit consent (KVKK 5/1, GDPR 6(1)(a)): marketing communications, sending commercial electronic messages, behavioural advertising via cookies and sharing data with third parties for marketing purposes.
• Vital interest or public interest: only in exceptional circumstances (e.g. notifying affected individuals of a data breach).

If the purpose of processing changes, separate information will be provided to you and your explicit consent may be re-obtained where necessary.

5. Recipients

Your personal data may be transferred to the following categories of recipients, for the indicated purposes and subject to appropriate technical and organisational safeguards:

• Cloud infrastructure providers: AWS, Google Cloud, Microsoft Azure, Hetzner, DigitalOcean (hosting, backup, storage).
• Analytics and advertising providers: Google (Analytics, Ads, Tag Manager), Meta (Facebook, Instagram), LinkedIn, TikTok (campaign measurement and conversion tracking).
• E-mail and messaging providers: SendGrid, Postmark, Mailgun, Amazon SES (transactional and marketing e-mail delivery).
• Payment and invoicing services: banking infrastructure, Stripe, iyzico, e-invoice integrators.
• Professional advisors: accountants, legal counsel, independent auditors and tax advisors.
• Public authorities and judicial bodies: where required by a legal obligation.
• Business partners and suppliers: vendors that directly participate in your project (software, design or marketing services).

All transfers are governed by controller / processor agreements, confidentiality undertakings and Standard Contractual Clauses where applicable.

6. International Transfers

Because of the nature of our services, some cloud providers, analytics and advertising tools are located outside Türkiye or the European Union (in particular in the United States, the United Kingdom and Ireland). As a result, your personal data may be transferred internationally to a limited extent.

Transfers outside the EU are carried out under Articles 44–49 of the GDPR, either to countries benefiting from a European Commission adequacy decision or to recipients that have signed the Standard Contractual Clauses (SCCs). For transfers originating in Türkiye, Article 9 of the KVKK applies; we rely on your explicit consent, written data-transfer commitments or other mechanisms approved by the Turkish Data Protection Authority.

To obtain further information about international transfers or to request a copy of the safeguards in place (e.g. SCCs), please write to [email protected].

7. Retention

Personal data is retained for as long as required to fulfil the purpose of processing and within the minimum and maximum periods set out in applicable legislation. The following table summarises retention periods for the principal categories:

Upon expiry of the retention period, personal data is deleted, destroyed or irreversibly anonymised.

8. Security Measures

Partnerfy implements technical and organisational security measures proportionate to risk in order to protect personal data against unauthorised access, loss, disclosure, alteration or destruction. Key measures include:

• TLS 1.2+ encryption for all communication;
• Encryption at rest for database and file-storage layers;
• Multi-factor authentication (MFA) and role-based access control (RBAC);
• Firewalls, WAF and DDoS protection;
• Regular vulnerability scans and penetration testing;
• Centralised log collection, SIEM-based correlation and audit trails;
• Periodic data-protection and cyber-security awareness training for staff;
• Vendor due-diligence and contractual oversight programme;
• Maturity tracking under our ISO/IEC 27001 and KVKK compliance programme.

Despite these measures, no transmission over the internet can be guaranteed to be one hundred per cent secure; if you notice any unusual activity, please notify [email protected].

9. Cookies

The Partnerfy Platform uses cookies and similar tracking technologies to improve your browsing experience, ensure session security, gather statistical measurements and – subject to your explicit consent – deliver marketing communications. Detailed information about these technologies, cookie categories and how to manage them is provided in our separate Cookie Policy.

When you first visit the Platform, the cookie consent banner allows you to record your preferences regarding performance, functional and marketing cookies. You may update, withdraw or reset your consent at any time by clicking the “Cookie Preferences” link in the site footer.

Strictly necessary cookies (session, security, language preference) do not require your consent, since the Platform cannot function without them.

10. Automated Decision-Making and Profiling

Partnerfy does not take decisions based solely on automated processing that produce legal effects or significantly affect data subjects. Content personalisation, newsletter segmentation and re-marketing activities carried out via our marketing-automation tools may technically constitute profiling, but they do not produce legal effects and your consent can always be withdrawn.

When a service request is being assessed, preliminary qualification scoring (lead scoring based on parameters such as budget, sector and location) may be performed. Acceptance or rejection decisions always involve human intervention and the final decision is taken by authorised personnel.

Under Article 22 of the GDPR and Article 11 of the KVKK, you always have the right to object to automated decision-making, express your view and request human review.

11. Children's Data

Because Partnerfy targets corporate clients and adult professionals, the Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from minors.

If a parent or legal representative becomes aware that personal data of a person under 18 has been processed through the Platform, they may contact us at [email protected] and the data in question will be deleted, destroyed or anonymised promptly.

National “information society service consent age” rules in EU member states (Article 8 GDPR) remain reserved. In Germany this age is 16; where personal data of a child below that threshold needs to be processed, parental consent is mandatory.

12. Your Rights

Under Article 11 of the KVKK and Articles 15–22 of the GDPR you have the following rights as a data subject:

• Know whether your personal data is being processed;
• If so, request information about it and obtain a copy (right of access);
• Request rectification of inaccurate or incomplete data;
• Request erasure or destruction within the conditions set by law (right to be forgotten);
• Request restriction of processing;
• Receive data in a structured, commonly used and machine-readable format (right to data portability);
• Object to automated decisions, profiling or direct marketing;
• Withdraw consent at any time for processing based on consent;
• Be informed in case of a personal data breach;
• Claim compensation for damages suffered as a result of unlawful processing.

13. How to Exercise Rights

To exercise your rights, you may use any of the following methods:

• E-mail: together with information sufficient to verify your identity, write to [email protected].
• Written application (TR): a signed petition may be sent to Orta Mah. Kavaklar Cad. No:15 Ofisada Plaza D:104, Adapazarı/Sakarya.
• Written application (DE): a signed petition may be sent to Emmy-Noether-Str. 10, 76131 Karlsruhe, Germany.
• KEP (TR): if you hold a registered electronic-mail account, you may apply to the Company’s KEP address (provided upon request).

Requests are handled free of charge within the period set by applicable law (in principle within 30 days). Where a request entails additional cost, a fee may be charged in accordance with the tariff established by the Turkish Data Protection Authority.

14. Right to Lodge a Complaint

If your request is rejected, the response you receive is deemed unsatisfactory or no response is provided within the statutory timeframe, you have the right to lodge a complaint with the competent data-protection authority.

In Türkiye, the competent authority is the Kişisel Verileri Koruma Kurumu (kvkk.gov.tr). To lodge a complaint, the 30-day response period must have expired and the complaint must be filed within 30 days of being notified of the response.

In Germany, the competent authority is the supervisory authority of the State of Baden-Württemberg, where Partnerfy GmbH is headquartered – the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (baden-wuerttemberg.datenschutz.de). Data subjects residing in other EU member states may file a complaint with the supervisory authority of their habitual residence or place of work.

15. Policy Changes

Partnerfy may update this Privacy Policy from time to time, in response to legal changes, commercial requirements or the evolution of our services. The updated version becomes effective from the moment it is published on the Platform; the “Last updated” date at the top of the page always indicates the date of the version in force.

In case of material changes, we make reasonable efforts to notify you via e-mail, on-site banner, in-account message or any of our communication channels.

If you require a specific earlier version of the Policy, you may request a copy by writing to [email protected] within a reasonable period.

16. Contact

For all questions, requests or feedback regarding this Privacy Policy, please use the following contact details:

• Data Controller (TR): Partnerfy Bilgi Teknolojileri ve Pazarlama Sanayi Ticaret Ltd. Şti., Orta Mah. Kavaklar Cad. No:15 Ofisada Plaza D:104, Adapazarı, Sakarya, TÜRKİYE
• Controller (DE): Partnerfy Informations- und Marketingtechnologien GmbH, Emmy-Noether-Str. 10, 76131 Karlsruhe, Germany
• Phone: +90 850 259 30 04
• DPO / Privacy: [email protected]
• General: [email protected]
• Support: [email protected]
• Operations: [email protected]