PERSONAL DATA PROTECTION, PROCESSING & PRIVACY POLICY
I. INTRODUCTION
Under the Turkish Personal Data Protection Law No. 6698 (“KVKK”), Elite Global Danışmanlık Dış Ticaret Limited Şirketi (the “Company”) values the protection of personal data processed through the CupMate Coffee website, mobile application(s) and related digital platforms (the “Platform”) and aims to implement appropriate administrative and technical measures to ensure compliance.
“Personal data” means any information relating to an identified or identifiable natural person. “Processing” covers any operation performed on personal data, including collection, recording, storage, modification, transfer and deletion.
This Policy explains the key principles applicable to personal data processed for Platform users and other data subjects described below. In case of conflict between this Policy and applicable laws, the laws shall prevail. This Policy is made available via the Platform and may be updated as needed.
II. PROCESSING OF PERSONAL DATA
II.I. PRINCIPLES
The Company processes personal data in line with the general principles set out in Article 4 of KVKK:
• Lawfulness and fairness,
• Accuracy and being kept up to date where necessary,
• Specific, explicit and legitimate purposes,
• Being relevant, limited and proportionate,
• Being retained for the period required by the purpose and/or applicable legislation.
II.II. LEGAL GROUNDS AND PURPOSES
Personal data is generally processed based on the data subject’s explicit consent. However, where one of the legal grounds under Article 5 of KVKK exists, data may be processed without consent (e.g., necessity for the establishment/performance of a contract, compliance with legal obligations, legitimate interests, etc.).
As a rule, the Company does not aim to process special categories of personal data (such as health data) within the Platform. Users are recommended not to enter special category data into free-text fields (e.g., order notes).
The Company may process personal data for purposes including:
• Creating, paying for, preparing and handing over orders at the “designated pick-up point”,
• Customer support, complaint/request management,
• Information security, logging, fraud/abuse prevention controls,
• Accounting/finance and legal compliance obligations,
• Operational planning, quality, efficiency and business continuity,
• Marketing, campaigns and promotions (subject to preferences/consents where required),
• Providing information to competent public authorities as required by law,
• Managing contractual and legal processes.
III. TRANSFER OF PERSONAL DATA
III.I. DOMESTIC TRANSFERS
In accordance with Article 8 of KVKK, the Company may transfer personal data within Türkiye where explicit consent exists or another legal basis applies, and where appropriate safeguards are implemented.
III.II. INTERNATIONAL TRANSFERS
The Company may transfer personal data abroad in accordance with Article 9 of KVKK, including where adequacy decisions, appropriate safeguards, or statutory exceptions apply. Where relevant, details of such transfers may be provided via the Platform and/or related notices.
III.III. RECIPIENT GROUPS
Depending on the purpose, personal data may be shared with:
• Payment infrastructure providers and financial institutions,
• IT/cloud, hosting, software, email/SMS service providers,
• Operational support providers and staff involved in handover at pick-up points,
• Auditors, advisors and legal service providers,
• Competent public authorities (where legally required).
IV. SECURITY OF PERSONAL DATA
The Company implements reasonable administrative and technical measures pursuant to Article 12 of KVKK, such as access controls, network security tools, logging/monitoring, backups and recovery procedures, employee awareness trainings, and contractual safeguards with vendors.
If personal data is unlawfully obtained by third parties, the Company aims to notify the data subjects and, where required, the Authority as soon as reasonably possible.
V. INFORMATION TO DATA SUBJECTS AND RIGHTS
V.I. INFORMATION DUTY
Pursuant to Article 10 of KVKK, the Company informs data subjects about the identity of the data controller, purposes, recipients, collection method and legal basis, and data subject rights.
V.II. DATA SUBJECT RIGHTS
Under Article 11 of KVKK, data subjects may request, among others:
• Whether their data is processed and obtain information if processed,
• The purposes of processing and whether it is used accordingly,
• The third parties to whom data is transferred,
• Correction of incomplete/incorrect data,
• Deletion/destruction under conditions set by KVKK,
• Objection to results against them produced solely by automated processing,
• Compensation for damages arising from unlawful processing.
Limitations under Article 28 of KVKK remain reserved.
V.III. APPLICATION METHOD
Requests may be submitted to the Company pursuant to Article 13 of KVKK. The Company responds within 30 days depending on the nature of the request. Contact email: info@cupmatecoffee.com
The Company may request additional information to verify identity and clarify the request.
VI. DATA SUBJECTS AND DATA CATEGORIES
VI.I. DATA SUBJECT CATEGORIES
The Company may categorize data subjects as:
• Customers/Users,
• Potential customers,
• Visitors (website/app),
• Vendor/business partner employees/representatives,
• Other individuals whose data is processed within the scope of Platform operations.
VI.II. DATA CATEGORIES
Examples of personal data categories processed within the Platform may include:
• Identity/Profile data,
• Contact data (phone/email),
• Customer transaction data (orders, preferences),
• Information security data (IP, logs, session data),
• Financial/transaction data (payment records; card details may not be stored on Company systems),
• Marketing data (subject to consent/preferences),
• Location data (selected pick-up point; approximate location if enabled by the user).
VII. RETENTION PERIODS
Personal data is retained for the period required by applicable laws and the relevant processing purpose. Upon expiry, data is deleted, destroyed or anonymized. Where necessary for legal claims or evidence, data may be retained longer to the extent permitted by law.
VIII. DELETION, DESTRUCTION AND ANONYMIZATION
Pursuant to Article 7 of KVKK and related regulations, personal data is deleted, destroyed or anonymized upon the disappearance of the reasons requiring processing, either upon the Company’s decision or the data subject’s request, subject to legal conditions.
IX. GOVERNANCE
The Company aims to maintain an appropriate organizational structure to manage KVKK compliance, policies and processes. Data subjects may contact the Company via info@cupmatecoffee.com for requests within the scope of this Policy.