GDPR Compliance Statement

1. Introduction and Scope

This GDPR Compliance Statement has been prepared by myroERP to provide comprehensive information about our data processing activities concerning the personal data of data subjects residing in the European Union, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR" – General Data Protection Regulation).

To the extent that myroERP provides services to EU citizens, it is subject to the territorial scope of the GDPR (Article 3) and commits to acting in full compliance with all requirements of the Regulation.

This Statement applies alongside Turkey's Law No. 6698 on the Protection of Personal Data ("KVKK"). Citizens of the Republic of Turkey and persons resident in Turkey may also consult our KVKK Data Subject Disclosure.

2. Data Controller

The entity holding data controller status within the meaning of Article 4(7) of the GDPR is set out below:

Data Controller: myroERP
Contact Email: [email protected]
General Contact: [email protected]
Website: https://myroerp.com

3. Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR, and having regard to the nature and volume of our data processing activities, we have appointed a Data Protection Officer (DPO). Our DPO is responsible for ensuring and monitoring GDPR compliance and for communication with data subjects and supervisory authorities.

DPO Contact: [email protected]

Data subjects may contact the DPO directly on all matters relating to their personal data and the exercise of their rights under this Regulation.

4. Categories of Data Processed

At myroERP, we process personal data in the following categories for the purpose of providing our service:

4.1. Identity Data

First name and last name
Profile photo (optional)
Date of birth (optional)
Username / user ID

4.2. Contact Data

Email address
Phone number (optional)
Postal address (optional)
Country and city

4.3. Account and Authentication Data

Encrypted password
Two-factor authentication records
Device information and identity identifiers
IP address and connection information
Session and login records

4.4. Business and Profile Data

Company name
Industry and company size
Tax number (optional)
Job title
Preferred currency and language

4.5. Billing and Payment Data

Billing address
Subscription information
Payment history (payment card details are not stored; these are processed by Apple, Google, and RevenueCat)

4.6. Technical and Usage Data

Device type and operating system
Application version
Usage statistics
Error and crash reports
Performance data

5. Purposes of Processing

We process your personal data solely for the following specific, explicit, and legitimate purposes:

Performance of our service agreement and management of your account;
Authentication, session management, and security;
Billing, subscription management, and payment processing;
Providing customer support and technical assistance;
Maintaining, developing, and improving our Service;
Sending important security and system notifications;
Fulfilling our legal obligations;
Fraud prevention and service security;
Marketing communications where explicit consent has been obtained;
Aggregated statistical analyses and product development.

6. Legal Bases (GDPR Article 6)

Pursuant to Article 6(1) of the GDPR, the processing of your personal data is based on the following legal bases:

Processing Activity	Legal Basis
Account creation and service delivery	Article 6(1)(b) – Performance of a contract
Billing and payment management	Article 6(1)(b) and Article 6(1)(c) – Performance of a contract and legal obligation
Maintaining tax, commercial, and legal records	Article 6(1)(c) – Legal obligation
Customer support	Article 6(1)(b) – Performance of a contract
Security and fraud prevention	Article 6(1)(f) – Legitimate interests
Marketing communications	Article 6(1)(a) – Consent
Service development and analytics	Article 6(1)(f) – Legitimate interests
Vital interest situations	Article 6(1)(d) – Vital interests

Legitimate interests assessment: In every case where we rely on Article 6(1)(f) as a legal basis, we carry out a balancing test to ensure that our legitimate interests do not override the fundamental rights and freedoms of data subjects. You may contact our DPO to request our detailed legitimate interests assessments.

7. Data Protection Principles (GDPR Article 5)

At myroERP, we strictly adhere to all data protection principles set out in Article 5 of the GDPR:

Lawfulness, fairness, and transparency: We process personal data in a lawful, fair, and transparent manner.
Purpose limitation: We collect data only for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.
Data minimisation: We collect only data that is adequate, relevant, and limited to what is necessary for the processing purposes.
Accuracy: We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date; inaccurate data is erased or rectified without delay.
Storage limitation: We retain data in an identifiable form only for as long as necessary for the processing purposes.
Integrity and confidentiality: We ensure the security, integrity, and confidentiality of personal data through appropriate technical and administrative measures.
Accountability: We maintain processing records and conduct regular audits to demonstrate compliance with all of these principles.

8. Data Subject Rights (GDPR Articles 12–22)

As a data subject under the GDPR, you have the following rights:

8.1. Right to Information (Articles 13–14)

The right to receive transparent and understandable information about how your personal data is processed.

8.2. Right of Access (Article 15)

The right to access your processed personal data and to obtain a copy of it.

8.3. Right to Rectification (Article 16)

The right to request the correction or completion of inaccurate or incomplete personal data.

8.4. Right to Erasure / Right to be Forgotten (Article 17)

The right to request the deletion of your personal data under certain conditions. This right may be exercised in the following circumstances:

The data is no longer necessary for the purposes for which it was collected;
Consent has been withdrawn and there is no other legal basis;
The data has been processed unlawfully;
Erasure is required to comply with a legal obligation.

8.5. Right to Restriction of Processing (Article 18)

The right to request that the processing of your personal data be restricted under certain conditions.

8.6. Right to Data Portability (Article 20)

The right to receive the personal data you have provided in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

8.7. Right to Object (Article 21)

The right to object to processing activities based on legitimate interests or public interest. You may object to processing for direct marketing purposes at any time, without giving any reason.

8.8. Right Not to be Subject to Automated Decision-Making (Article 22)

The right not to be subject to decisions based solely on automated processing (including profiling) that produce significant effects on you.

8.9. Right to Withdraw Consent

Where processing is based on your consent, the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

8.10. Right to Lodge a Complaint

The right to lodge a complaint with the relevant supervisory authority (see Article 17 — Right to Lodge a Complaint).

9. International Data Transfers

Due to the global infrastructure of our Service and our third-party service providers, your personal data may be transferred to countries outside the European Economic Area (EEA).

For such transfers, we apply one of the following safeguards as required by Chapter V of the GDPR (Articles 44–50):

Adequacy Decision (Article 45): Transfer to countries determined by the European Commission to provide an adequate level of protection;
Standard Contractual Clauses (Article 46(2)(c) – SCCs): Application of standard contractual clauses adopted by the European Commission;
Binding Corporate Rules (Article 47 – BCRs): Rules approved by a competent authority and applied within a group of companies;
Explicit Consent (Article 49(1)(a)): Your explicit consent given after being informed of the transfer risks;
Performance of a Contract (Article 49(1)(b)): Transfers necessary for the performance of a contract.

You may contact our DPO to obtain further information about transfers or to request a copy of the applicable safeguards.

10. Data Retention Policy

In accordance with the "storage limitation" principle under Article 5(1)(e) of the GDPR, we retain your personal data only for as long as is necessary for the purposes of processing.

Data Category	Retention Period	Criterion
Account data	For as long as the account is active + 30 days after termination	Performance of service
Contract and invoice documents	10 years	Legal obligation (Turkish Code of Obligations; EU member state tax legislation)
Customer support records	3 years	Legitimate interest – dispute resolution
Security and audit logs	2 years	Legitimate interest – security analysis
Marketing preferences	Until explicit consent is withdrawn	Explicit consent
Cookie data	1 hour – 13 months (depending on cookie type)	Cookie policy

Data whose retention period has expired is irreversibly deleted or anonymised.

11. Data Security (GDPR Article 32)

Pursuant to Article 32 of the GDPR, we implement the following technical and administrative measures to ensure a level of security appropriate to the risk:

11.1. Technical Measures

Encryption: All data transfers are encrypted using TLS 1.2+; sensitive data at rest is encrypted using industry-standard algorithms;
Pseudonymisation: Personal data is pseudonymised where possible;
Access control: Role-based access control (RBAC) and the need-to-know principle are applied;
Authentication: Multi-factor authentication (MFA/2FA) is supported;
Monitoring: Continuous monitoring and alerting systems for unauthorised access attempts;
Backup: Regular backup and disaster recovery procedures;
Testing: Regular penetration tests and vulnerability scans;
Breach detection: Automated data breach detection and alerting systems.

11.2. Administrative Measures

Regular GDPR and data security training for employees;
All employees sign confidentiality agreements;
Maintaining records of processing activities (Article 30);
Risk assessments and impact assessments;
Supplier and business partner audits;
Regular policy and procedure reviews;
Incident response plans and data breach notification procedures.

12. Processors and Sub-processors

In providing our Service, we work with various third parties acting as processors within the meaning of Article 28 of the GDPR. All of our processors have signed GDPR-compliant contracts (Data Processing Agreement – DPA) and have committed to implementing appropriate data protection standards.

Our current processor categories:

Cloud Infrastructure: Infrastructure providers using servers in European data centres or providing GDPR-compliant data transfer safeguards;
Payment Processors: Apple Inc., Google LLC, RevenueCat;
Notification Services: Firebase Cloud Messaging (Google), Apple Push Notification Service;
Analytics Services: Providers of anonymised usage analysis;
Email Service Providers: For the delivery of communication emails;
Error Tracking: For application crash and error reports.

You may contact the DPO to request the full list of sub-processors and the relevant safeguards.

13. Data Breach Notification (GDPR Articles 33–34)

In the event of a personal data breach, we follow the steps below in accordance with Articles 33 and 34 of the GDPR:

13.1. Notification to the Supervisory Authority (Article 33)

We notify the competent supervisory authority within 72 (seventy-two) hours of becoming aware of the personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

13.2. Communication to Data Subjects (Article 34)

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we also communicate with affected data subjects directly, without undue delay and in clear and plain language. This communication includes:

The nature of the breach;
The contact details of the DPO or contact point;
The likely consequences of the breach;
The measures taken or proposed to address the breach.

14. Data Protection Impact Assessment (DPIA)

In accordance with Article 35 of the GDPR, we carry out a Data Protection Impact Assessment (DPIA) before initiating new processing activities that may entail high risk. These assessments include:

A systematic description of the envisaged processing operations and their purposes;
An assessment of the necessity and proportionality of the processing activities;
An assessment of the risks to the rights and freedoms of data subjects;
The measures envisaged to address the risks.

15. Children and Young Users (GDPR Article 8)

Our Service is not designed for persons under the age of 18. We do not knowingly collect personal data from children under the age of 16. The age threshold applicable in EU member states varies between 13 and 16.

If you suspect that a child has provided us with personal data, please contact our DPO immediately. We will take the necessary steps to delete that data promptly.

16. Automated Decision-Making (GDPR Article 22)

We do not use fully automated decision-making processes (including profiling) in our Service that produce legal effects or similarly significant effects on users.

Automated systems used for spam detection, fraud prevention, and security threat identification operate under human supervision, and significant decisions are always reviewed by a human.

17. Right to Lodge a Complaint

Pursuant to Article 77 of the GDPR, if you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

The full list of Data Protection Authorities of EU Member States can be found at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

For users resident in Turkey, the competent authority is the Personal Data Protection Authority (KVKK):

https://www.kvkk.gov.tr

Before lodging a complaint, we encourage you to first attempt to resolve the matter directly with our DPO; most issues can be resolved quickly.

18. Contact

For any questions, requests, or the exercise of rights relating to the GDPR, please use the following contact channels:

Data Controller: myroERP
GDPR and General Privacy: [email protected]
Data Protection Officer (DPO): [email protected]
Website: https://myroerp.com

We will respond to all requests received for the exercise of data subject rights within 1 month of receipt of the request, in accordance with Article 12(3) of the GDPR. Where the request is complex or numerous requests have been received, this period may be extended by a further 2 months; in that event, we will notify you of the delay within 1 month.

This Statement has been prepared in accordance with the provisions of EU Regulation 2016/679 (GDPR) and is regularly reviewed on the basis of the official text accessible via EUR-Lex.