GDPR Compliance & Data Processing
Last updated: March 25, 2026
1. Overview
Keskintech Marketplaces takes its obligations under the GDPR (General Data Protection Regulation — EU 2016/679) seriously. This page sets out our roles and practices in relation to personal data in a transparent manner.
Our data processing activities occur under two distinct roles:
- Data Controller: We directly collect and process data from subscribers and users who register on the Keskintech Marketplaces platform.
- Data Processor: We process order and customer data retrieved from marketplaces by our merchant customers through the apigw service, solely for the purpose of delivering the service.
2. Activities as Data Controller
We act as Data Controller for the personal data of individuals who register on the Keskintech Marketplaces platform, make a payment, or submit a contact form.
Data Processed and Legal Basis
| Data Category | Purpose | GDPR Legal Basis |
|---|---|---|
| Name, surname, email address | Account creation and management | Article 6(1)(b) — Performance of a contract |
| Payment and billing information | Subscription billing, legal compliance | Article 6(1)(b) and (c) — Contract & legal obligation |
| IP address, session logs | Security, fraud prevention, debugging | Article 6(1)(f) — Legitimate interests |
| Marketing consent (optional) | Product announcements by email | Article 6(1)(a) — Explicit consent |
| Support email content | Providing customer support | Article 6(1)(b)/(f) — Contract / legitimate interests |
| Cookie and analytics data | Site performance, user experience | Article 6(1)(a) — Consent (per cookie preference) |
Retention Periods
- Account data: For the duration the account is active + 2 years after deletion (legal compliance)
- Billing and payment records: 10 years (Turkish Tax Law)
- Support emails: 3 years from the last correspondence
- IP and session logs: 90 days
- Marketing consent: Until withdrawn; the consent record is retained for 3 years after withdrawal
3. Activities as Data Processor (apigw)
Marketplace integration services are provided to merchant customers via apigw.keskintechmarketplaces.com. The following data may be processed in the course of this service:
- Order data retrieved from marketplaces (Trendyol, Hepsiburada, Amazon, etc.): buyer name, delivery address, email, phone number
- Product catalogue data: title, price, stock, description, images (does not constitute personal data)
Processor Obligations
Acting as Data Processor, Keskintech Marketplaces undertakes the following commitments:
- We do not process data beyond the merchant's (Data Controller's) documented instructions.
- Order data is used solely for delivering the integration service and is not shared with third parties or used for advertising.
- We will delete or return data upon the merchant's request.
- We will notify the merchant within a reasonable time in the event of a security breach.
- We maintain an up-to-date list of sub-processors (below) and provide prior notice of changes.
Order data processed through the apigw is stored exclusively on Hetzner infrastructure (Germany, EU) and is not used beyond the delivery of the service.
4. Sub-processors
The following sub-processors may have access to personal data for the purpose of delivering our services:
| Provider | Service | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Server and hosting | Germany (EU) | EU storage — no transfer safeguard required |
| İyzico Ödeme Hizmetleri A.Ş. | Payment processing | Turkey | BDDK-licensed; SCCs applied pending EU–Turkey adequacy decision |
| Cloudflare Inc. | CDN, DDoS protection, Turnstile CAPTCHA | USA | EU–US Data Privacy Framework (DPF) + SCCs |
| Sendinblue SAS (Brevo) | Transactional email (verification, notifications) | France (EU) | EU storage — no transfer safeguard required |
| Google LLC | Google Analytics, Google Tag Manager | USA | DPF + SCCs; Consent Mode v2 compliant |
| Zoho Corporation | Email communications (support) | USA | DPF + SCCs; GDPR Data Processing Addendum in place |
Users will be notified by email or platform notification before any changes are made to the sub-processor list.
5. International Data Transfers
Transfers of personal data outside the EU/EEA (to the USA and Turkey) are safeguarded by the following mechanisms:
- Standard Contractual Clauses (SCCs): Applied under Commission Decision 2021/914.
- EU–US Data Privacy Framework (DPF): Applicable to US-based providers certified under the DPF (Cloudflare, Google, Zoho).
- Turkey: Processed under KVKK and in the context of Turkey's accession to Council of Europe Convention 108.
6. Data Security
Technical and organisational measures we apply to protect personal data:
- All data transmission is encrypted using TLS 1.2 or higher.
- Passwords are stored using bcrypt hashing; plaintext passwords are never retained.
- Payment card data is never stored on Keskintech infrastructure; it is transmitted directly to iyzico.
- API access is protected by licence-based authentication.
- Access logs are retained for 90 days; unauthorised access attempts are automatically blocked.
- Only authorised personnel may access personal data; all access is logged.
In the event of a security breach, we will notify the relevant supervisory authority within 72 hours under GDPR Article 33 and affected individuals without undue delay under GDPR Article 34.
7. Data Subject Rights
Under the GDPR, you have the following rights:
- Access (Article 15): You may request a copy of the data we process about you.
- Rectification (Article 16): You may request correction of inaccurate or incomplete data.
- Erasure (Article 17): You may request deletion of your data under the "right to be forgotten".
- Restriction of processing (Article 18): You may request that processing be suspended in certain circumstances.
- Data portability (Article 20): You may request your data in a machine-readable format.
- Objection (Article 21): You may object to processing based on legitimate interests.
- Withdrawal of consent: Where processing is based on consent (marketing emails, analytics cookies), you may withdraw it at any time.
Requests should be sent to info@keskintechmarketplaces.com and will be responded to within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your EU country of residence.
8. Contact & DPO
For questions about our data processing activities or your rights:
Keskintech Marketplaces — Data Controller
Furkan Keskintaş
SUNAY MAH. ERZURUM CAD. I BLOK NO: 15 I İÇ KAPI NO: 5 MERKEZ/ MUŞ
info@keskintechmarketplaces.com
Keskintech Marketplaces is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. Please address any data protection enquiries to the contact above.