TR·EN

Work With Us →

GDPR / KVKK

Privacy Policy and KVKK Disclosure Notice

Last updated: 13 May 2026

1. Data Controller

Pursuant to the Turkish Personal Data Protection Law no. 6698 (“KVKK”), Kritera Teknoloji A.Ş. (“Kritera”, “Company”) acts as the Data Controller. This notice explains how personal data of website visitors, contact-form submitters, and customers (“Data Subject”) is processed.

Data Controller: Kritera Teknoloji A.Ş.
Address: Kızılırmak Mah. Dumlupınar Blv. No:3 C-1 Suite 160, Çankaya, Ankara, Türkiye
Email: [email protected]

2. Personal Data Processed

During your visit and our service delivery, the following categories of personal data may be processed:

  • Identity information: Name, surname, title
  • Contact information: Email address, phone number, organisation
  • Transaction security: IP address, user-agent, cookies, session data, log records
  • Customer transaction: Service request, date, content
  • Marketing information: Cookie preferences, anonymous site usage statistics (only with explicit consent of the Data Subject)

3. Method and Legal Basis

Personal data is collected automatically or semi-automatically during your visit to our website, the submission of contact forms, the execution of service agreements, or electronic communication with Kritera.

Legal bases: KVKK Article 5/2-(a) explicitly stipulated by law, 5/2-(c) execution of a contract, 5/2-(e) establishment, exercise, or protection of a right, 5/2-(f) legitimate interest of the data controller, and 5/1 explicit consent.

4. Purposes of Processing

  • Responding to contact requests
  • Negotiation, conclusion and performance of service agreements
  • Delivery of services in penetration testing, security architecture, GDPR/KVKK, Common Criteria, cybersecurity training, R&D and IoT
  • Compliance with legal obligations
  • Ensuring website security and detecting malicious activity
  • Maintenance and auditing of information security processes
  • Subject to explicit consent: marketing and informational communication

5. Data Transfer

Personal data may be shared in compliance with KVKK Articles 8 and 9, and only with the following parties:

  • Service providers: Hosting, email, CDN/security (Cloudflare), analytics — only to the extent required and under contractual obligations.
  • Authorities: In response to lawful requests by courts, prosecutors, law enforcement, or competent administrative bodies.
  • Group entities and consultants: When necessary for business operations, under confidentiality agreements.

For international transfers, explicit consent of the Data Subject pursuant to KVKK Article 9/1-(a) is obtained, or transfers are based on undertakings to recipients in jurisdictions deemed to provide adequate protection by the KVKK Board.

6. Retention

Personal data is retained for the periods stipulated by applicable law. Contractual records: 10 years (Turkish Code of Obligations Art. 146). Contact form records: 3 years. Web access logs: 2 years (Law No. 5651). After expiry, data is erased, destroyed, or anonymized ex officio or upon request.

7. Rights of the Data Subject (KVKK Article 11)

Each Data Subject may exercise the following rights by applying to the Data Controller:

  • To learn whether personal data is processed
  • To request information if processing has occurred
  • To learn the purpose and whether data is used accordingly
  • To know third parties to whom data has been transferred
  • To request correction of incomplete or inaccurate processing
  • To request erasure or destruction under conditions stipulated by KVKK Article 7
  • To request notification of corrections/erasures to third parties
  • To object to results derived solely from automated processing
  • To request compensation for damages resulting from unlawful processing

8. How to Apply

To exercise your rights, submit a request, with identification documents, by:

  • A signed petition delivered to the Company address
  • Email to [email protected] from your registered address
  • Notarised request

Requests will be answered within 30 (thirty) days. A fee may apply for certain requests, pursuant to KVKK Article 13/2.

9. Cookie Policy

Our website uses cookies to improve user experience, measure performance, and ensure security. Categories:

  • Strictly necessary: Required for core site functionality; no consent required (session, security).
  • Functional: Remember preferences (language, cookie choices).
  • Analytics: Anonymous usage statistics. Requires explicit consent.
  • Performance: Page-load speed and interaction quality.
  • Advertising: Personalised content or campaigns (currently not used).

You can update your cookie preferences any time via the cookie panel at the bottom of the page. Disabling cookies in your browser may limit access to certain site features.

10. Updates

This Privacy Policy may be updated periodically in line with regulatory changes and service scope. Material changes are announced on the website. The “last updated” date appears at the top.