
KVKK & GDPR Compliance

Last updated: March 7, 2026

This document describes Pommy.ai's data processing activities under Turkish Personal Data Protection Law No. 6698 (KVKK) and the European Union General Data Protection Regulation (GDPR — EU 2016/679).

1. Data Controller

Data controller as defined under KVKK Article 3 and GDPR Article 4:

Pommy.ai

Data Protection Contact: privacy@dev.pommy.ai

2. Data Processing Principles

Pommy is committed to acting in accordance with KVKK and GDPR principles. The following core principles are observed in data processing activities:

  • Lawfulness and fairness (KVKK Art. 4/2-a, GDPR Art. 5/1-a)
  • Accuracy and being up to date (KVKK Art. 4/2-b, GDPR Art. 5/1-d)
  • Processing for specific, explicit, and legitimate purposes (KVKK Art. 4/2-c, GDPR Art. 5/1-b)
  • Relevance, limitation, and proportionality (KVKK Art. 4/2-d, GDPR Art. 5/1-c)
  • Retention only for the period required (KVKK Art. 4/2-e, GDPR Art. 5/1-e)

3. Categories of Personal Data Processed

Categories of personal data that may be processed within the Platform:

| Data Category | Scope | Legal Basis |
|---|---|---|
| Identity Data | Name, surname, email | Contract performance |
| Contact Data | Email, phone (optional) | Contract performance |
| Customer Service Data | Chat contents, support records | Contract / Legitimate interest |
| Technical Data | IP address, browser info, device info | Legitimate interest |
| Transaction Security | Session logs, access records | Legal obligation |
| Financial Data | Billing address, tax ID | Legal obligation |

4. Purposes of Data Processing

Personal data is processed for the following purposes:

  • Providing platform services and fulfilling contractual obligations
  • Conducting customer support operations
  • Maintaining security and system integrity
  • Meeting legal and regulatory requirements
  • Measuring and improving service quality
  • Managing billing and subscription processes

5. Legal Bases for Processing

Under KVKK (Article 5)

  • Explicit consent (Art. 5/1)
  • Establishment and performance of a contract (Art. 5/2-c)
  • Legal obligation (Art. 5/2-d)
  • Legitimate interest (Art. 5/2-f)

Under GDPR (Article 6)

  • Consent of the data subject (Art. 6/1-a)
  • Performance of a contract (Art. 6/1-b)
  • Legal obligation (Art. 6/1-c)
  • Legitimate interest (Art. 6/1-f)

6. Data Security Measures

Technical and organizational measures under KVKK Article 12 and GDPR Article 32:

Technical Measures

  • TLS 1.3 encrypted data transmission
  • AES-256 encrypted data storage
  • Role-based access controls (RBAC)
  • Audit log system
  • DDoS protection and WAF
  • Automated security updates

Organizational Measures

  • Data processing inventory and record system
  • Data Protection Impact Assessment (DPIA) processes
  • Third-party Data Processing Agreements (DPA)
  • Regular security assessments
  • Data breach notification procedures

7. Data Transfers

Domestic Transfers

Data is shared with infrastructure and service providers under KVKK Article 8 only to the extent necessary for service provision.

International Transfers

International data transfers under KVKK Article 9 and GDPR Article 46:

  • Cloudflare (USA) — infrastructure and security services, under EU SCC
  • Transfers are made to countries with adequate levels of protection or where appropriate safeguards are in place
  • Transfers are made with explicit consent where applicable

8. Data Subject Rights

KVKK Article 11 Rights

  • Learn whether personal data is being processed
  • Request information about processing if data has been processed
  • Learn the purpose of processing and whether it is used accordingly
  • Know third parties to whom data is transferred domestically or abroad
  • Request correction if data is incomplete or inaccurate
  • Request deletion or destruction under KVKK Art. 7
  • Request notification of corrections/deletions to third-party transferees
  • Object to results produced by automated analysis against the individual
  • Claim compensation for damages caused by unlawful processing

GDPR Rights

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / Right to be forgotten (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right not to be subject to automated decision-making (Art. 22)
  • Right to withdraw consent (Art. 7/3)
  • Right to lodge a complaint with a supervisory authority (Art. 77)

9. Data Retention and Destruction

Under KVKK Article 7 and GDPR Article 17, personal data for which the processing purpose has ceased is deleted, destroyed, or anonymized ex officio or upon request of the data subject.

  • Retention periods are determined based on processing purpose and legal requirements
  • Periodic destruction is applied at 6-month intervals
  • Deletion operations are performed irreversibly

10. Data Breach Notification

  • KVKK: The KVKK Board is notified as soon as possible, and data subjects are notified within a reasonable period (KVKK Art. 12/5)
  • GDPR: The relevant supervisory authority is notified within 72 hours (GDPR Art. 33); in high-risk cases, data subjects are also notified (GDPR Art. 34)

11. How to Exercise Your Rights

To exercise your rights under KVKK and GDPR:

Via Platform

Use the Account > Privacy & Data Management section to export data (GDPR Art. 20), delete your account, or anonymize your data.

Via Email

Contact privacy@dev.pommy.ai with identity-verifying information.

Requests are responded to within 30 days under KVKK and 1 month under GDPR. You retain the right to file a complaint with the KVKK Board (kvkk.gov.tr) under Turkish law or the relevant EU Data Protection Authority under GDPR.

12. Data Controller Information

Pommy.ai

Data Protection: privacy@dev.pommy.ai

For VERBIS registration status and current contact information, please visit our website.
