1. Introduction and Scope
At myroERP, we attach the utmost importance to the privacy and security of your personal data. This Privacy Policy ("Policy") has been prepared to provide you with comprehensive information about the personal data collected, processed, stored, and shared by us through the application, website, and all related services offered under the myroERP brand ("Service").
This Policy has been prepared in accordance with the provisions of Law No. 6698 on the Protection of Personal Data ("KVKK") in force in the Republic of Turkey and the European Union General Data Protection Regulation ("GDPR"), among other applicable legislation.
By using our Service, you are deemed to have read, understood, and consented to the data processing practices described in this Policy. If you do not accept the Policy, you are advised not to use the Service.
2. Data Controller
myroERP is the data controller within the meaning of Article 3(1)(ı) of the KVKK and Article 4(7) of the GDPR with respect to personal data processed under this Policy.
- Data Controller: myroERP
- Contact Email: [email protected]
- Website: https://myroerp.com
- Data Protection Officer (DPO): [email protected]
Where the processing of personal data belonging to third parties — such as a Customer's own customers, suppliers, or employees — takes place through the Service, the Customer acts as the "data controller" and myroERP acts as the "data processor" for those processing activities.
3. Information We Collect
We collect information in the following categories in order to provide and improve the Service and to communicate with you:
3.1. Information Collected Directly from You
When you create an account, use the Service, or contact us, we collect the following information directly from you:
- Identity Information: First name, last name, username, date of birth (if requested), profile photo.
- Contact Information: Email address, phone number, postal address.
- Account Information: Password (stored in encrypted form), two-factor authentication (2FA) settings, account preferences.
- Business Information: Company name, tax number, industry, company size, country, currency, and language preference.
- Payment Information: Payment method and billing details (payment information is processed directly by Apple App Store, Google Play Store, or RevenueCat; we do not store your card details).
- Communication Content: Content you share with us via email, support requests, or feedback forms.
3.2. Information Collected Automatically During Use of the Service
When you use the Service, we collect the following information through various automated technologies:
- Device Information: Device model, operating system and version, device identifiers, screen resolution, language settings, time zone.
- Connection Information: IP address, internet service provider, mobile network operator, connection type.
- Location Information: Approximate or precise geographic location, if you grant permission.
- Usage Information: Which modules you use and how frequently, which features you access, session duration, click trails.
- Performance Information: Application error reports, crash logs, response times.
- Security Logs: Login attempts, session initiation and termination records, audit trails.
3.3. Third-Party Data Stored as Customer Data
While using the Service, you may enter personal data belonging to your own customers, suppliers, employees, or business partners into the system. With respect to such data, you act as the "data controller" and myroERP acts as the "data processor", processing this data solely for the purpose of providing the Service to you.
3.4. Information Obtained from Third Parties
In certain circumstances, we may also obtain information from the following sources:
- Apple App Store and Google Play Store (subscription status, payment confirmations);
- RevenueCat (subscription management);
- Social media platforms (if you sign in with a social account);
- Analytics and error tracking providers;
- Official registry systems and publicly available sources.
4. Purposes of Use
We process the personal data we collect for the following purposes:
- Service Delivery: Creating, managing, and verifying your account, and providing all features of the Service.
- Subscription Management: Managing your Plan, renewing your subscription, issuing invoices, and processing payments.
- Customer Support: Answering your questions, resolving requests, and responding to feedback.
- Communication: Informing you about important notifications, security alerts, and updates relating to the Service.
- Development and Optimisation: Improving the performance, usability, and features of the Service.
- Security and Fraud Prevention: Protecting against unauthorised access, account takeover, fraud, and other illegal activities.
- Compliance with Legal Obligations: Fulfilling tax, commercial, and other legal obligations.
- Marketing and Promotion: Informing you about new features, campaigns, and offers, where you have given explicit consent.
- Analytics and Reporting: Analysing Service usage through aggregated and anonymised data.
5. Legal Bases
When processing your personal data, we rely on the following legal bases:
| Processing Activity | Legal Basis (KVKK) | Legal Basis (GDPR) |
|---|---|---|
| Account creation and service delivery | Art. 5/2(c) (Performance of a contract) | Art. 6(1)(b) (Performance of a contract) |
| Billing and payment processing | Art. 5/2(ç) (Legal obligation) | Art. 6(1)(c) (Legal obligation) |
| Customer support and communication | Art. 5/2(c) (Performance of a contract) | Art. 6(1)(b) (Performance of a contract) |
| Marketing communication | Art. 5/1 (Explicit consent) | Art. 6(1)(a) (Consent) |
| Security and fraud prevention | Art. 5/2(f) (Legitimate interest) | Art. 6(1)(f) (Legitimate interest) |
| Legal obligations | Art. 5/2(ç) (Legal obligation) | Art. 6(1)(c) (Legal obligation) |
| Analytics and development | Art. 5/2(f) (Legitimate interest) | Art. 6(1)(f) (Legitimate interest) |
6. Cookies and Similar Technologies
We use various cookies and similar tracking technologies on our website and application. These technologies help us maintain the functionality of the Service, analyse usage, and personalise the experience.
6.1. Types of Cookies We Use
- Strictly Necessary Cookies: Absolutely required for the core functions of the Service to operate. These cookies cannot be disabled. Examples: session cookies, security cookies, load-balancing cookies.
- Functional Cookies: Allow us to remember your preferences (language, theme, region).
- Performance Cookies: Help us understand how the Service is used. They provide aggregated and anonymised data.
- Targeting/Advertising Cookies: Used to show you relevant advertisements, only where you have given explicit consent.
6.2. Managing Your Cookie Preferences
You can change your cookie preferences at any time through the cookie management panel on our website or through your browser settings. You may disable all cookies other than strictly necessary ones; however, some features of the Service may not function as a result.
7. Sharing of Information
We share your personal data with third parties only under the following limited circumstances and only to the extent necessary:
7.1. Service Providers
We work with service providers in the following categories in order to deliver the Service:
- Cloud Infrastructure Providers: For the secure storage of your data.
- Payment Processors: Apple App Store, Google Play Store, RevenueCat — for subscription management and payment processing.
- Notification Providers: Firebase Cloud Messaging, Apple Push Notification Service — for delivering push notifications.
- Analytics and Error Tracking Services: For monitoring the performance of the Service.
- Exchange Rate Providers: TCMB, Open Exchange Rates — for foreign exchange rate data.
- Email Service Providers: For sending communication emails.
All of our service providers are contractually obligated to process personal data only on our behalf and in accordance with our instructions, and are required to implement appropriate data protection standards.
7.2. Legal Obligations
We may be required to share your personal data with competent authorities in the following circumstances:
- In accordance with applicable laws, court orders, or requests from competent authorities;
- To protect our legal rights and interests;
- To protect the security or integrity of the Service or the rights of our users;
- In emergency situations (threat to life or personal safety, etc.).
7.3. Business Transfers
In the event of a company merger, acquisition, asset sale, or similar corporate transaction, your personal data may be transferred as part of that transaction. In such cases, you will be notified prior to the transfer.
7.4. With Your Consent
We may share your personal data in other circumstances where you have given your explicit consent.
Important: We never sell, rent, or transfer Customer Data to third parties for marketing purposes.
8. International Data Transfers
Your personal data may be processed or stored on servers located outside Turkey. Such transfers are carried out in compliance with Article 9 of the KVKK and Chapter V of the GDPR.
Where international data transfers take place, at least one of the following safeguards is in place:
- The destination country provides an adequate level of protection;
- Standard Contractual Clauses (SCCs) adopted by the European Commission are applied;
- Binding Corporate Rules (BCRs);
- Explicit consent of the data subject;
- Other safeguards provided for by law.
9. Data Retention
We retain your personal data for as long as necessary for the purposes of processing. Retention periods vary depending on the type of data and the purpose of processing:
| Data Type | Retention Period |
|---|---|
| Account information | For as long as the account is active + 30 days after termination |
| Transaction and invoice records | 10 years (as required by the Turkish Commercial Code) |
| Tax-related documents | 5 years (as required by the Tax Procedure Law) |
| Communication and support records | 3 years |
| Security and audit logs | 2 years |
| Marketing preferences | Until consent is withdrawn |
| Cookie data | 1 hour to 13 months, depending on cookie type |
Data whose retention period has expired is irreversibly deleted, anonymised, or destroyed.
10. Data Security
We implement technical and administrative measures in line with industry best practices to ensure the security of your personal data:
10.1. Technical Measures
- All data transfers are encrypted using TLS 1.2+;
- Sensitive data is also encrypted at rest;
- Regular security tests and penetration tests are conducted;
- Multi-factor authentication (MFA/2FA) is supported;
- Intrusion detection and prevention systems (IDS/IPS) are used;
- Regular security patches and updates are applied;
- Backup and disaster recovery procedures are in place.
10.2. Administrative Measures
- Access to data is restricted on a need-to-know basis;
- Regular privacy and security training is provided to staff;
- All employees sign confidentiality agreements;
- Data security policies and procedures are documented and regularly updated;
- Data protection clauses are included in contracts with suppliers.
11. Children's Privacy
Our Service is not intended for persons under the age of 18. We do not knowingly collect personal data from persons under the age of 18. If you believe a child has provided us with personal data, please contact us; we will take the necessary steps to delete that data as soon as possible.
12. Your Rights
Under Article 11 of the KVKK and Articles 15–22 of the GDPR, you have the following rights in relation to your personal data:
- Right to Information: To learn whether your personal data is being processed.
- Right of Access: To request information about the personal data being processed about you.
- Right to Rectification: To request that incomplete or inaccurate data be corrected.
- Right to Erasure (Right to be Forgotten): To request the deletion of your personal data.
- Right to Restriction of Processing: To request that the processing of your personal data be restricted.
- Right to Data Portability: To request that your data be provided to you in a structured, machine-readable format or transferred to another data controller.
- Right to Object: To object to the processing of your personal data.
- Right to Object to Automated Decision-Making: To request review of decisions made solely through automated systems.
- Right to Withdraw Consent: To withdraw any explicit consent you have previously given, at any time.
- Right to Lodge a Complaint: To lodge a complaint with the competent data protection authority (the Personal Data Protection Authority (KVKK) for Turkey; the relevant national supervisory authority for the EU).
To exercise these rights, you may submit a written request to [email protected]. Your requests will be responded to within 30 days at the latest.
13. Third-Party Links
Our Service may contain links to third-party websites or services. The privacy practices of those third parties are not under our control and fall outside the scope of this Policy. We recommend that you review the privacy policy of any third-party website you visit.
14. Automated Decision-Making and Profiling
Our Service does not use fully automated decision-making processes that produce significant legal effects on users. Although some automated checks are applied for spam and fraud prevention purposes, these checks are carried out under human supervision.
15. Data Breach Notification
In the event that your personal data is subject to a security breach such as unauthorised access, disclosure, or loss, in accordance with Article 12 of the KVKK and Articles 33–34 of the GDPR:
- We will notify the Data Protection Authority within 72 hours of becoming aware of the breach;
- In the case of high-risk breaches, we will directly and promptly inform affected users;
- We will take the necessary measures to limit the effects of the incident and prevent recurrence.
16. Policy Changes
This Policy may be updated from time to time. When significant changes are made, we will notify you through the Service and via your registered email address. The most current version of the Policy will always be accessible on our website.
The date on which the Policy was last updated is shown as "Last Updated" at the top of the page. Continued use of the Service after any changes constitutes your acceptance of the updated Policy.
17. Contact
For any questions, requests, or complaints regarding this Policy, please use the following contact channels:
- Data Controller: myroERP, [email protected]
- Data Protection Officer (DPO): [email protected]
- Website: https://myroerp.com
Thank you for trusting us with your privacy. Please do not hesitate to contact us if you have any questions.