Privacy Policy
Last updated: April 17, 2026
This privacy policy is prepared by Kartial under Turkish Personal Data Protection Law No. 6698. It is drafted separately from the explicit consent notice in line with the Personal Data Protection Board's Decision No. 2026/347 dated February 18, 2026.
1. Data Controller
- Trade name: Nedime Erdogan - Kartial Sahis Isletmesi
- Address: Anittepe Mahallesi, Cankaya, Ankara / Turkiye
- Email: destek@kartial.com
Kartial acts as data controller for its own website, account management, security, support, billing-like operational processes and waitlist activities. For end-customer or other third-party data imported or synchronized into the service under the user's instructions, Kartial's role may vary depending on the processing activity; in such cases, the user remains responsible for the underlying notice, legal basis and purpose limitation obligations.
2. Categories of Personal Data We Process
2.1. Account and contact data
- Name, surname and email address
- Profile photo URL and Google account identifier if Google sign-in is used
- Firebase Authentication user ID, sign-in method and email verification status
2.2. Business data entered or imported by the user
- Orders, products, inventory, material, expense, income and reporting data
- Shop, channel, marketplace and accounting settings
- CSV or similar import data such as province, district, gender, age and related analytics fields when supplied by the user
2.3. Marketplace integration data
- API keys, tokens, access credentials and connection settings
- Order numbers, product details, amounts, statuses, shipping, commissions and payment terms
- Limited buyer-related order fields such as customer name, customer identifier and city
2.4. Waitlist and communication data
- Email address submitted through the waitlist form
- Language preference, registration timestamp and IP address used for abuse prevention
2.5. Technical data
- IP address, browser type, device information and session logs
- Cookies, localStorage and IndexedDB data
- Security, troubleshooting and abuse-prevention logs
3. Purposes of Processing
- To create user accounts, manage sessions and authenticate users
- To provide profit tracking, reporting, accounting and inventory features
- To establish marketplace integrations requested by the user
- To synchronize data across devices and maintain service continuity
- To provide customer support, detect errors and prevent misuse
- To comply with legal obligations and answer lawful requests
- To manage waitlist registrations and send launch or beta notifications where requested
4. Legal Grounds
| Processing activity | Legal ground | KVKK |
|---|
| Account creation, session management and provision of the application service |
Necessary for the establishment or performance of a contract |
Art. 5/2-c |
| Marketplace integrations, processing of imported files and order-level analytics |
Necessary for the establishment or performance of a contract |
Art. 5/2-c |
| Security, logging, troubleshooting and abuse prevention |
Legitimate interest of the data controller |
Art. 5/2-f |
| Regulatory compliance, legal retention and official requests |
Compliance with legal obligations |
Art. 5/2-ç |
| Waitlist, launch notifications and non-essential analytics technologies where required |
Explicit consent |
Art. 5/1 |
5. Storage and Security
- Application data may be stored on the user's device through IndexedDB and similar local storage mechanisms.
- Signed-in user data may be synchronized through Firebase infrastructure.
- Marketplace credentials are encrypted before storage; when required for integration requests, they may be transmitted over secure connections to server-side functions.
- All data transfers use HTTPS/TLS. Access controls, security rules and abuse-prevention measures are applied.
- When the legal basis or operational need ends, personal data is deleted, destroyed or anonymized subject to applicable law and technical constraints.
6. Transfers of Personal Data
6.1. Domestic transfers
Personal data may be transferred to competent public authorities, legal advisors, accounting or operational service providers only to the extent necessary.
6.2. International transfers
Because Kartial uses infrastructure and communication services such as Google Firebase, Google Analytics, Resend and user-authorized marketplace platforms, personal data may be transferred abroad. Such transfers are carried out under the post-2024 regime of KVKK Article 9, relying on the appropriate mechanism available for the specific transfer, such as an adequacy decision, appropriate safeguards, standard contracts, incidental transfer grounds or explicit consent where required.
The main categories of service providers used for such transfers include Google Firebase for authentication, database, hosting and server-side functions; Google Analytics for consent-based analytics; Resend for email delivery; and the marketplace services specifically connected by the user.
6.3. Note on end-customer data
If a user imports or syncs end-customer data into Kartial, the user remains responsible for providing the required notices, legal basis and usage restrictions for that data. Kartial does not intend such data to be used for independent marketing purposes.
7. Retention Periods
- Account and application data may be retained while the account remains active or until deleted by the user.
- Waitlist data may be retained until the relevant launch communication is completed, consent is withdrawn or the record is deleted.
- Security and abuse-prevention logs may be retained for operationally necessary periods or longer where required by law.
8. Your Rights
Under Article 11 of KVKK, you may request information about processing, access, correction, deletion, recipients of transfers, objection and compensation where the legal conditions are met. Requests may be sent to destek@kartial.com.
9. Updates
This policy may be updated in line with legal, technical or operational changes. The current version is always published on this page.