Home/legal
⚠️ This document is a template for staging/preview. Have a qualified lawyer review it before commercial launch.

Privacy Policy

Last updated: 17 May 2026

1. Who we are

This Privacy Policy describes how izvera.com (the "Service", "Platform", "we") processes personal data. We are the data controller (or, where we process data on behalf of a business customer, a data processor) within the meaning of the EU General Data Protection Regulation (GDPR — 2016/679) and the Turkish Personal Data Protection Law (KVKK — Law No. 6698).

2. Personal data we collect

  • Account data: full name, email address, organisation, role, password hash, language preference.
  • Authentication data: JWT tokens (HttpOnly), session identifiers, CSRF tokens.
  • Usage data: pages accessed, feature usage, audit log records, IP address (truncated where feasible), user agent.
  • Customer-uploaded content: product information, materials, supplier data, attachments. This may include third-party personal data which the customer warrants it has the right to upload.
  • Payment data: processed by our payment provider; we receive only metadata (invoice number, amount, status).

3. Purposes & legal bases

  • Service provision — GDPR Art. 6(1)(b) performance of a contract; KVKK Art. 5/2-c.
  • Security & abuse prevention — GDPR Art. 6(1)(f) legitimate interest; KVKK Art. 5/2-f.
  • Legal compliance (tax, AML, requests from authorities) — GDPR Art. 6(1)(c); KVKK Art. 5/2-a.
  • Analytics (anonymous) — GDPR Art. 6(1)(a) consent; KVKK Art. 5/1.

4. Sub-processors & recipients

We use the following categories of sub-processors: cloud hosting (EU region), database, object storage, email delivery (Resend), error tracking (Sentry, EU Frankfurt), and CDN/DDoS protection (Cloudflare). A current list is available on request. We do not sell personal data.

5. International transfers

Where data is transferred outside the EEA or Türkiye, we rely on (i) European Commission adequacy decisions, (ii) EU Standard Contractual Clauses, or (iii) explicit consent. KVKK transfers outside Türkiye comply with the Personal Data Protection Board's applicable decisions and KVKK Art. 9.

6. Retention

Account and Customer Data are retained while your account is active and for up to 30 days after termination (for export). Audit logs are retained for up to 24 months. Invoices and tax-related records are retained for the period required by law (typically 10 years in Türkiye, 6 years in many EU jurisdictions).

7. Blockchain anchoring

Where enabled, only cryptographic hashes of passport payloads are anchored on public blockchains. No personal data is anchored. Hashes are one-way and cannot be reversed to reveal source content. On-chain records are immutable.

8. Your rights

Under GDPR Articles 12–22 and KVKK Article 11, you have the right to: access, rectify, erase (right to be forgotten), restrict processing, data portability, object to processing, withdraw consent at any time, and lodge a complaint with a supervisory authority. To exercise these rights, contact privacy@izvera.com. We respond within the statutory deadline (1 month GDPR, 30 days KVKK).

9. Security

We implement industry-standard technical and organisational measures: encryption in transit (TLS 1.2+), encryption at rest where applicable, access controls, audit logging, regular dependency updates, and security incident response. No system is perfectly secure; in the event of a personal data breach, we will notify the competent authority and affected users within 72 hours where required.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us to delete it.

11. Cookies

See our separate Cookie Policy for details of cookies and similar technologies.

12. Changes to this Policy

Material changes will be notified at least 14 days in advance by email and/or in-app. The "Last updated" date at the top of this page indicates the effective date.

13. Contact & Supervisory Authorities

Data controller: izvera.comprivacy@izvera.com. EU users may lodge a complaint with their local data protection authority. Türkiye users may contact the Personal Data Protection Authority (KVKK / Kişisel Verileri Koruma Kurumu).

    IZVERA