Privacy Policy

1) Purpose, Scope, and Data Controller

This Privacy Policy explains the principles governing personal data processing activities carried out on the platforms operated by Yiğit Kaan Kuştemir, owner and operator of the Get Society & Get SoArt brands (Beyoğlu Tax Office, TIN: 5981171759) (the “Data Controller”). This document has been prepared in compliance with the Law No. 6698 on the Protection of Personal Data (KVKK) and secondary legislation and must be read together with our KVKK Information Notice.

2) Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data (collection, recording, storage, transfer, etc.).
• Data Subject: Natural persons including customers, visitors, members, and artists/suppliers.
• Data Processor: Service providers processing data on behalf of the Data Controller (IT, courier, payment institution, etc.).

3) Categories of Data Collected

• Identity/Contact: Name‑surname, Turkish ID No.*, date of birth*, signature*, phone, e‑mail, address (*where required).
• Customer Transaction: Cart, orders, return/damage records, support requests.
• Financial: Payment instrument details (token), IBAN/invoicing data (card data are not stored in our systems).
• Visual‑Audio: Artwork/product visuals, artist promotional materials.
• Technical/Security: IP, device/browser info, session logs, cookie data.
• Contractual: Distance sales, artist collaboration, pre‑contract forms.

4) Purposes and Legal Grounds

Your personal data are processed for the purposes below, on the legal grounds set out under Articles 5 and 6 of the KVKK:

• Establishment/Performance of a Contract (Art. 5/2‑c): Orders, delivery, returns/damages, artist collaborations.
• Legal Obligation (Art. 5/2‑ç): Tax, invoicing, responses to requests/audits.
• Legitimate Interests (Art. 5/2‑f): Security, fraud prevention, quality improvement, preservation of records.
• Explicit Consent (Art. 5/1, Art. 6/2): Commercial messages, marketing via cookies, and cross‑border transfers where required.

5) Methods of Collection

Data are obtained through website/mobile app forms, cookies, call center and e‑mail correspondence, contracting processes, shipping/payment flows, and fair/event registrations, via automated and non‑automated means.

6) Sharing and Transfer with Third Parties

• Domestic transfers: Courier/logistics, payment institutions/banks, accounting and certified public accounting, IT infrastructure (hosting, e‑mail, cloud backup) providers; public authorities where required by law.
• Cross‑border transfers: Pursuant to KVKK Art. 9, to countries with adequate protection or with your explicit consent and subject to appropriate undertakings/standard contractual clauses; typical examples include cloud communications, e‑mail, and image hosting services.
• Data processing agreements: All suppliers are bound by confidentiality and data processing terms compliant with the KVKK.

7) Cookies and Similar Technologies

We may use strictly necessary, performance, functional, and advertising/marketing cookies. Preferences can be managed via your browser settings. For details, see our Cookie Policy. Marketing cookies operate only with explicit consent.

8) Security Measures

• Technical: TLS/SSL, access control/role‑based authorization, strong passwords and multi‑factor authentication, encryption, logging/protection of audit trails, backups, and integrity checks.
• Administrative: Confidentiality undertakings, staff awareness training, supplier agreements, authorization matrices, incident response procedures.
• Payment security: Card data are not stored in our systems; transactions are executed through PCI‑DSS compliant institutions.

9) Retention Periods and Destruction

• Contract/invoice records: 10 years (TCC, Tax Procedure Law).
• Customer service records: 3 years.
• Marketing data: Until explicit consent is withdrawn, with periodic reviews.
• Cookie data: Up to 24 months, depending on type.

Upon expiry, data are destroyed by deletion, destruction, or anonymization (see Personal Data Retention and Destruction Policy).

10) Children’s Privacy

The Platform is not directed to persons under 18. If we identify personal data relating to a child processed without parent/guardian consent, we will initiate deletion/destruction.

11) Your Rights (KVKK Art. 11) and Applications

• To learn whether data are processed; to request information; to learn purpose and compliance; to know third‑party transferees; to request rectification/deletion/destruction; to object to results arising from automated processing; to claim damages.
• Applications must comply with the Communiqué on the Procedures and Principles of Application to the Data Controller and will be answered within 30 days.

Application channels:
E‑mail: [KVKK application e‑mail address] • KEP: [KEP address] • Address: [Company Address]

You must apply to the Data Controller before filing a complaint to the Authority. You may complain to the Personal Data Protection Authority within 30 days of receiving the response or within 60 days if no response is provided.

12) Commercial Messages

Electronic commercial messages are sent only to recipients with explicit consent/IYS approval. You can unsubscribe at any time free of charge.

13) Third‑Party Links

The Platform may contain links to third‑party websites. We are not responsible for the privacy practices of such sites; please review their policies.

14) Changes and Entry into Force

This Policy may be updated. The current version takes effect on the date it is published on the Platform. Material changes will be communicated by reasonable means.

15) Disputes and Jurisdiction

This Privacy Policy is governed by Turkish law. In case of disputes, the Istanbul (Çağlayan) Central Courts and Enforcement Offices have jurisdiction. Electronic records maintained by us constitute conclusive evidence.