Privacy Policy
Last updated: March 25, 2026
1. Data Controller
This Privacy Policy is prepared by the following entity acting as data controller under the Turkish Personal Data Protection Law No. 6698 ("KVKK") and the EU General Data Protection Regulation ("GDPR"):
Trading Name: Keskintech MarketplacesData Controller: Furkan Keskintaş
Address: SUNAY MAH. ERZURUM CAD. I BLOK NO: 15 I İÇ KAPI NO: 5 MERKEZ/ MUŞ
Email: info@keskintechmarketplaces.com
2. Data We Collect
2.1 Account Registration Data
When you create an account, we collect:
- First and last name
- Company name
- Email address
- Website URL
- Password (stored as a one-way hash; never stored in plain text)
2.2 Billing & Payment Data
When purchasing a subscription, you may provide billing information including:
- Billing name / company name
- Billing address
- Tax identification number
We do not store credit or debit card details. All payment transactions are processed by iyzico Ödeme Hizmetleri A.Ş., a payment institution licensed by the Banking Regulation and Supervision Agency (BDDK). Card data is handled exclusively within iyzico's PCI DSS-compliant environment.
2.3 Marketplace Integration Data
When you connect your store via the Keskintech Marketplaces plugin:
- Marketplace API credentials: API keys for Trendyol, Pazarama and other supported marketplaces are encrypted on the client side before leaving your browser — the plaintext key never reaches our servers. We store only the encrypted form in our API gateway (apigw). Your e-commerce platform installation retains only a fingerprint token.
- Product data: Title, SKU, description, images, price, stock levels and all other product fields, processed for the purpose of syncing to marketplaces.
- Order data: Orders pulled from marketplaces may include buyer name, delivery address, line items and payment totals. This data is currently not stored — it is forwarded directly to your e-commerce store in real time. Should we introduce order analytics in the future, separate explicit consent will be obtained before that feature is activated.
2.4 Usage & Analytics Data
Only with your consent, anonymised usage data is collected via Google Analytics 4 (pages visited, session duration, device type). You can manage cookie preferences via our Cookie Policy.
2.5 Security & Technical Data
To prevent abuse, technical data such as IP address, request timestamps and failed login attempts are processed temporarily. This data is not used for analytics purposes.
3. Purposes & Legal Basis
| Purpose | Data Processed | KVKK Basis | GDPR Basis |
|---|---|---|---|
| Account creation & management | Registration data | Contract formation (Art. 5/2-c) | Contract performance (Art. 6(1)(b)) |
| Service delivery (marketplace integration) | API keys, product & order data | Contract performance (Art. 5/2-c) | Contract performance (Art. 6(1)(b)) |
| Payment processing & invoicing | Billing data | Legal obligation (Art. 5/2-ç) | Legal obligation (Art. 6(1)(c)) |
| Security & fraud prevention | IP address, technical data | Legitimate interest (Art. 5/2-f) | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Email address, name | Explicit consent (Art. 5/1) | Consent (Art. 6(1)(a)) |
| Website analytics | Anonymised usage data | Explicit consent (Art. 5/1) | Consent (Art. 6(1)(a)) |
4. Sub-Processors
We rely on the following third-party service providers to deliver our services:
| Provider | Country | Purpose | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Server hosting | All account and integration data |
| Brevo (Sendinblue) | France (EU) | Transactional email delivery | Name, email address |
| iyzico Ödeme Hizmetleri A.Ş. | Turkey | Payment processing | Billing information, card data (PCI DSS) |
| Cloudflare, Inc. | USA (DPF Certified) | CDN, security, DDoS protection | IP address, HTTP request headers |
| Google LLC | USA (DPF Certified) | Web analytics (with consent) | Anonymised usage data |
5. International Data Transfers
Your data is primarily processed on servers located within the European Union (Germany). US-based service providers (Cloudflare and Google) are certified under the EU–US Data Privacy Framework (DPF), ensuring that transfers comply with GDPR international transfer requirements.
iyzico is a BDDK-licensed payment institution based in Turkey. Payment data is processed within iyzico's secure infrastructure.
6. Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | For the duration of the account + 30 days after deletion request |
| Billing & payment records | 10 years (Turkish Tax Procedure Law requirement) |
| Marketplace API keys | Until subscription ends or you request deletion |
| Order data | Not currently stored; separate consent will be obtained in the future |
| Security logs (IP etc.) | 90 days |
| Marketing consent records | Until consent is withdrawn |
7. Marketing Communications
We send marketing emails (new features, updates, special offers) only if you opt in during registration. You may withdraw your consent at any time by:
- Clicking "Unsubscribe" in any marketing email, or
- Emailing info@keskintechmarketplaces.com
Withdrawing marketing consent does not affect your active subscription or access to the service.
8. Our Role as Data Processor
When the Keskintech Marketplaces plugin pulls orders from marketplaces (Trendyol, Pazarama, etc.), those orders may contain personal data belonging to your customers (buyer name, delivery address, etc.).
In this context:
- You are the data controller for your customers' data; we act solely as a data processor.
- We process buyer data only for the purpose of delivering orders to your e-commerce store.
- We do not use this data for marketing, profiling or sharing with third parties.
- This data is not currently stored on our infrastructure.
If you are subject to GDPR, a Data Processing Agreement (DPA) is available upon request at info@keskintechmarketplaces.com.
9. Your Rights
Under KVKK (Article 11), you have the right to:
- Know whether your personal data is being processed
- Request information about the processing
- Know the purpose of processing and whether it is used in accordance with that purpose
- Know the third parties to whom data is transferred domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction under the conditions set out in Article 7
- Object to a result that arises to your detriment through automated processing
- Claim compensation for damages caused by unlawful processing
Under GDPR (for EU/EEA residents), you additionally have the right to:
- Data portability (Article 20)
- Restriction of processing (Article 18)
- Lodge a complaint with a supervisory authority
To exercise your rights, email info@keskintechmarketplaces.com or submit a request via our support system. Requests will be responded to within 30 days.
To request account deletion, open a support ticket or send an email. Billing records will be retained as required by law.
10. Policy Changes
We may update this policy from time to time. For material changes, we will notify you by email to your registered address. The current policy is always available on this page.
11. Contact
Keskintech MarketplacesFurkan Keskintaş
SUNAY MAH. ERZURUM CAD. I BLOK NO: 15 I İÇ KAPI NO: 5 MERKEZ/ MUŞ
info@keskintechmarketplaces.com