KVKK Data Subject Disclosure

1. Introduction

This Disclosure has been prepared by myroERP, acting as data controller, in accordance with Article 10 of Law No. 6698 on the Protection of Personal Data ("KVKK") and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, to provide data subjects with information regarding the processing of their personal data.

At myroERP, we attach the utmost importance to the privacy and security of the personal data of our users who benefit from our products and services, and we process such data solely within the framework of the KVKK and applicable legislation.

This Disclosure sets out in detail for what purpose, on what legal basis, and to whom your personal data may be transferred, the method and legal basis for its collection, and your rights as a data subject under Article 11 of the KVKK.

2. Identity of the Data Controller

Pursuant to Article 3(1)(ı) of the KVKK, the contact details of myroERP, which holds data controller status in relation to your personal data, are as follows:

Data Controller Name: myroERP
Email Address: [email protected]
Data Protection Contact: [email protected]
Website: https://myroerp.com
Address: Turkey

3. Categories of Personal Data Processed

At myroERP, we process the following categories of personal data depending on the nature of the services we provide to you:

Data Category	Data Processed
Identity Data	First name, last name, date of birth (if requested), profile photo, Turkish national ID number (only for e-Invoice integration, optional)
Contact Data	Email address, phone number, postal address, country, city
Customer Transaction Data	Account creation, service usage records, request and complaint records, order and invoice information
Transaction Security Data	Username, password (stored in encrypted form), two-factor authentication records, IP address, device information, session IDs, log records
Financial Data	Billing information, payment method (card details are not stored), subscription information
Marketing Data	Communication preferences, campaign participation, cookie and similar tracking data
Professional Experience Data	Job title, employer, industry (optional)
Legal Transaction Data	Contract information, correspondence related to legal requests

Important Note: myroERP does not actively process data falling within the category of "special categories of personal data" as defined under Article 6 of the KVKK (health, race, ethnicity, political opinion, religious belief, etc.). Should the Customer upload such data into the system, the Customer shall be responsible for its processing.

4. Purposes of Processing

Your personal data specified above is processed in accordance with the general principles set out in Article 4 of the KVKK and on the legal bases regulated under Articles 5 and 6 of the KVKK, for the following purposes:

Managing the establishment, performance, and termination of our contractual relationship;
Providing, maintaining, developing, and improving myroERP services;
Carrying out account creation, identity verification, and session management processes;
Receiving, evaluating, and resolving customer requests and complaints;
Conducting billing, collection, and subscription management processes;
Providing technical support to our customers;
Ensuring the security of the Service and preventing fraud and misuse;
Conducting information security processes and audit activities;
Delivering important updates, security alerts, and service-related notifications to our users;
Where explicit consent has been obtained, conducting marketing, advertising, and campaign activities;
Conducting statistical analyses to improve our business processes and efficiency;
Fulfilling legal obligations towards competent public bodies and authorities;
Resolving legal disputes and managing legal proceedings;
Fulfilling obligations under tax and financial legislation;
Collecting and analysing usage statistics for the development of our products and services.

5. Legal Basis for Processing

Your personal data is processed on the following legal bases set out in Articles 5 and 6 of the KVKK:

KVKK Article 5/2(a): Where expressly provided for by law (Tax Procedure Law, Turkish Commercial Code, Turkish Code of Obligations, Electronic Commerce Law, etc.).
KVKK Article 5/2(c): Where processing of personal data of the parties to a contract is necessary, provided it is directly related to the establishment or performance of that contract.
KVKK Article 5/2(ç): Where processing is mandatory for the data controller to fulfil its legal obligation.
KVKK Article 5/2(e): Where processing of data is mandatory for the establishment, exercise, or protection of a right.
KVKK Article 5/2(f): Where processing of data is mandatory for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject.
KVKK Article 5/1: Where none of the above legal bases apply, on the basis of the explicit consent of the data subject.

6. Collection Methods

Your personal data is collected through automated or non-automated means via the following channels:

Through our mobile application (iOS and Android);
Through our website (myroerp.com);
Via email, telephone, and other communication channels;
Through customer support requests and feedback forms;
Through application stores such as Apple App Store and Google Play Store;
Through subscription management platforms such as RevenueCat;
Through cookies and similar tracking technologies;
Where you contact us via social media platforms;
From competent public bodies and authorities and official sources.

7. Transfer of Personal Data

Your personal data may be transferred to the following persons and organisations in accordance with Articles 8 and 9 of the KVKK and solely within the scope of the purposes stated above:

Recipient Group	Purpose of Transfer
Competent Public Bodies and Authorities	Fulfilment of legal obligations, court orders, requests from competent authorities
Cloud Infrastructure Providers	Secure storage and processing of data
Payment Processing Providers	Apple, Google, RevenueCat — management of subscription and payment processes
Communication and Notification Providers	Sending push notifications and emails (Firebase, APNs, etc.)
Legal, Financial, and Technical Advisors	Legal dispute resolution, financial consultancy, technical advisory
Independent Audit Firms	Financial and technical audit processes
Business Partners and Suppliers	Partnerships necessary for service delivery (only to the extent required)

All transfers are carried out within the framework of confidentiality and data protection agreements, and recipients are required to implement data protection standards compliant with the KVKK.

8. Cross-Border Transfers

Due to the provision of the Service through mobile application stores, the use of cloud infrastructure providers, and the integration of push notification systems, your personal data may also be transferred to countries outside Turkey.

Pursuant to Article 9 of the KVKK, cross-border transfers of your personal data are carried out within the framework of the following safeguards:

The destination country has been determined by the Personal Data Protection Board to have an "adequate level of protection";
Where adequate protection is not available, data controllers in Turkey and in the relevant foreign country undertake to provide adequate protection in writing and the Board grants permission;
The explicit consent of the data subject is obtained.

Industry best practices and international data protection standards (e.g. EU Standard Contractual Clauses — SCCs) are applied to protect your data transferred abroad.

9. Retention Periods

Your personal data is retained for the period necessary for the purposes for which it is processed and for the periods prescribed by applicable legislation, in accordance with Article 7 of the KVKK. Data whose retention period has expired is irreversibly deleted, destroyed, or anonymised.

Retention periods for key data categories:

Data Type	Retention Period	Legal Basis
Account and contract data	10 years	Turkish Code of Obligations, Art. 146
Commercial records and invoice documents	10 years	Turkish Commercial Code, Art. 82
Tax-related documents	5 years	Tax Procedure Law, Art. 253
Access and log records	2 years	Law No. 5651
Customer support records	3 years	Legitimate interest
Marketing preferences	Until explicit consent is withdrawn	Explicit consent

10. Data Security Measures

myroERP takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of and unlawful access to personal data, and to ensure the preservation of personal data, in accordance with Article 12 of the KVKK.

10.1. Technical Measures

Firewalls and intrusion detection/prevention systems (IDS/IPS);
Data encryption (at rest and in transit using TLS 1.2+);
Access authorisation and authentication mechanisms;
Two-factor authentication (2FA) support;
Regular security tests and penetration tests;
Regular backup and disaster recovery procedures;
Data loss prevention (DLP) systems;
System and application log records;
Keeping software and systems up to date.

10.2. Administrative Measures

Access to data is restricted on a need-to-know basis;
Regular KVKK and data security training is provided to employees;
All employees sign confidentiality undertakings;
Data inventory and processing records are maintained;
Data protection clauses are included in contracts with business partners and suppliers;
Data security policies and procedures are documented and regularly updated;
Incident response plans are prepared for data breach scenarios.

11. Rights of the Data Subject (KVKK Article 11)

Pursuant to Article 11 of the KVKK, by applying to the data controller you have the following rights:

To learn whether your personal data is being processed;
To request information if your personal data has been processed;
To learn the purpose of processing your personal data and whether it is being used in accordance with that purpose;
To know the third parties to whom your personal data has been transferred, whether domestically or abroad;
To request rectification if your personal data has been processed incompletely or inaccurately;
To request deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the KVKK;
To request that the transactions carried out pursuant to items 5 and 6 above be notified to the third parties to whom your personal data has been transferred;
To object to a result that is to your detriment arising from the analysis of your processed data exclusively through automated systems;
To demand compensation for damages suffered in the event that your personal data is processed unlawfully.

12. Application Procedure

You may submit your requests regarding your rights under Article 11 of the KVKK to myroERP by one of the following methods, in accordance with the Communiqué on the Procedures and Principles for Applications to the Data Controller:

By email: To [email protected], from your registered electronic mail address associated with your account, or with a secure electronic signature;
By post: In writing to our address, with a wet-ink signature on the application form;
Within the mobile app: Via the "Profile > KVKK Requests" menu in the myroERP application.

Your application must include the following information:

First name, last name, and — where the application is in writing — signature;
For Turkish citizens, Turkish national ID number; for foreign nationals, nationality, passport number, or identity number if available;
Residential or business address for service of notice;
Email address, telephone number, and fax number for notifications, if any;
Subject of the request.

We kindly ask that you attach any supporting documents to your application where available.

myroERP will respond to your request free of charge as soon as possible and within no later than 30 (thirty) days from the date of application, depending on the nature of the request. However, if the transaction involves an additional cost, the fee set out in the tariff determined by the Personal Data Protection Board may be charged.

In the event that your application is rejected, the response given is found to be inadequate, or no response is given to your application within the prescribed period, you have the right to lodge a complaint with the Personal Data Protection Board within 30 days from the date the response is notified to you and, in any case, within 60 days from the date of application.

13. Explicit Consent

Your explicit consent may be requested for certain processing activities while using the Service. Such consents may include, but are not limited to:

Receiving marketing and promotional communications;
Processing of location data;
Cross-border data transfers (where required);
Social media integrations.

You have the right to withdraw your explicit consent at any time. Withdrawal of consent does not affect the lawfulness of processing activities carried out prior to withdrawal.

14. Contact

For any questions, requests, or complaints regarding this Disclosure, please use the following contact channels:

Data Controller: myroERP
KVKK Application Email: [email protected]
Data Protection Contact: [email protected]
Website: https://myroerp.com

This Disclosure has been prepared under Law No. 6698 on the Protection of Personal Data and is regularly updated to reflect the current legislation available at www.kvkk.gov.tr.