Dear User,
As Marka Gold SaaS Platform ("Marka Gold", "we"), we provide you with the following information regarding the processing of personal data of our platform users under the Turkish Personal Data Protection Law No. 6698 ("KVKK" — equivalent in scope to the EU GDPR). This notice has been prepared in accordance with Article 10 of KVKK and the Communique on the Procedures and Principles for Fulfilling the Obligation to Inform.
1) DATA CONTROLLER
The identity of the data controller (full name/business title, contact address, e-mail) is displayed in the Data Controller card at the top of this page. The most up-to-date information is always available at markaglbl.com/kvkk.
2) CATEGORIES OF PERSONAL DATA PROCESSED (For Platform Users)
This notice applies to the managers and employees of JEWELRY BUSINESSES registered on the Marka Gold platform.
• IDENTITY: First name, last name • CONTACT: Email, phone number • BUSINESS RELATIONSHIP: Commercial title of the jewelry business, role, assigned branch • ACCOUNT SECURITY: Password (bcrypt hash), session information, IP address, User-Agent • USAGE BEHAVIOUR: Login records, transaction history (audit log)
IMPORTANT NOTE: Personal data of the END CUSTOMERS of jewelry businesses is OUT OF SCOPE of this notice. For end customers, the privacy notice of the relevant jewelry business applies, which can be viewed via self-service at markaglbl.com/sms-preferences after phone verification.
3) PURPOSES AND LEGAL BASES OF PROCESSING
(a) Providing the SaaS service, account management, user authentication → Legal Basis: KVKK Art. 5/2-c (necessary for the conclusion or performance of a contract)
(b) Invoicing, payment collection, subscription management → Legal Basis: KVKK Art. 5/2-c + Turkish Tax Procedure Law No. 213 (VUK) + Turkish Commercial Code No. 6102 (TTK)
(c) Customer support services, complaint and request handling → Legal Basis: KVKK Art. 5/2-c
(d) System security, fraud prevention, abuse detection → Legal Basis: KVKK Art. 5/2-f (legitimate interest) + KVKK Art. 12 (data security obligation)
(e) Legal obligations (TTK Art. 82 book retention, VERBİS registration, requests from the KVKK Authority, etc.) → Legal Basis: KVKK Art. 5/2-ç (legal obligation)
(f) Defence in legal disputes and protection of rights → Legal Basis: KVKK Art. 5/2-e (establishment, exercise, or protection of a right)
4) THIRD PARTIES TO WHOM PERSONAL DATA MAY BE TRANSFERRED
Transfers to the following third parties are made for the stated purposes and only to the extent necessary:
• Amazon Web Services (AWS) — File storage (S3) — USA / EU (Frankfurt) • MongoDB Atlas — Database — EU • Google LLC (Gmail SMTP) — Email delivery — USA • Netgsm İletişim A.Ş. — SMS delivery — Türkiye • Competent public authorities (KVKK Authority, MASAK, tax offices, courts) — Legal requests — Türkiye
Cross-border transfers (USA, EU) are carried out under KVKK Art. 9 on the basis of the Standard Contractual Clauses (SCC) published with the Turkish Personal Data Protection Board decision dated 4 June 2024 No. 2024/959. Such transfers are reported to the Board within 5 business days as required by applicable law.
5) RETENTION PERIODS
• User account information: 10 years (Turkish Code of Obligations No. 6098 Art. 146 — general limitation period) • Invoice and payment records: 5 years (Tax Procedure Law No. 213 Art. 253) • Customer support conversations: 24 months (KVKK Art. 7 — proportionality) • System / operational audit logs: 24 months (KVKK Art. 12 — proportionality) • Subscription agreement + Data Processing Agreement (DPA) texts: 10 years (TTK Art. 82 — book and document retention)
At the end of the relevant retention period, your data is deleted, destroyed, or anonymised in accordance with our Personal Data Retention and Destruction Policy.
6) YOUR RIGHTS (KVKK Art. 11)
As a data subject, you have the following rights at any time:
(a) To learn whether your personal data is being processed, (b) To request information if such processing has taken place, (c) To learn the purpose of processing and whether the data is used in line with that purpose, (ç) To know the third parties to whom data has been transferred domestically or abroad, (d) To request correction if the data is incomplete or incorrect, (e) To request deletion or destruction within the framework of KVKK Art. 7, (f) To request that operations carried out under (d) and (e) be notified to the third parties to whom data has been transferred, (g) To object to outcomes against you produced solely by automated analysis, (ğ) To claim compensation for damages arising from unlawful processing.
APPLICATION CHANNELS:
• Email: support@markaglbl.com (please send from your registered email address) • Written application: Contact address shown in the Data Controller card at the top of the page
Your requests will be concluded within 30 DAYS at the latest. If you find the response insufficient or do not receive a response within 30 days, you may file a complaint with the Turkish Personal Data Protection Board (www.kvkk.gov.tr) within 30 days of learning the response and in any case within 60 days from the date of application (KVKK Art. 14).
7) DATA BREACH NOTIFICATION
In the event of a personal data breach, Marka Gold, acting as Data Controller, will:
• Notify affected users WITHIN 24 HOURS at the latest. • Notify the Turkish Personal Data Protection Board within 72 HOURS (KVKK Art. 12/5 and Board Decision No. 2019/10).
8) SECURITY MEASURES
Marka Gold comprehensively implements the technical and administrative measures required under KVKK Art. 12:
• AES-256 encryption at rest at the database level • TLS 1.3 encryption in transit • Multi-factor authentication (MFA) for administrator access • Annually planned penetration testing • Tamper-evident audit log hash chain (HMAC-SHA256) • Immutable backups via AWS S3 Object Lock Compliance Mode • Regular backups and a disaster recovery (DR) plan • Role-Based Access Control (RBAC) and the principle of least privilege • Security Information and Event Management (SIEM) and 24/7 monitoring
——— Version: v1.0 — 25 May 2026 KVKK Compliance: Prepared in accordance with the obligation to inform under Art. 10, Board Decision No. 2024/959 (SCC), and Principle Decisions No. 2025/1072 and 2026/347.