Privacy Policy and GDPR / KVKK Disclosure

Last updated: 11 May 2026

Yamazo Studio is designed with privacy as a first principle. This document covers both our disclosure obligations under the Turkish Personal Data Protection Law (KVKK, Law no. 6698) — and, in spirit, the EU General Data Protection Regulation — and explains how we handle the limited data our service collects.

Data Controller

The data controller for the purposes of KVKK (and equivalent under GDPR) is Opsida Teknoloji Yazılım Bilgisayar ve Danışmanlık Ltd. Şti. (trading as "Opsida Technology"), the legal entity operating the Yamazo Studio brand, registered in İzmir, Türkiye. You can reach us at support@yamazovas.com.

VERBİS Registration Status

Under the Turkish Regulation on the Registry of Data Controllers and current Personal Data Protection Board guidance, data controllers with an annual balance sheet total below 100,000,000 TRY and fewer than 50 employees are exempt from VERBİS registration. Opsida falls below both thresholds and is therefore exempt. We will register without delay if either threshold is exceeded or if our core activity becomes the processing of special-category personal data. The exemption does not remove the obligation under KVKK art. 7 to maintain a written Data Retention and Destruction Policy; that policy is published at opsidatech.com/saklama-imha-politikasi.

What We Collect

The Yamazo Studio desktop application operates entirely offline after activation; production videos, analysis results, and report files are never sent to our servers. Online interaction only occurs at these points: when you fill in the download form (name, email, company, phone, country code, role, team size, campaign parameters), during license activation (hardware fingerprint, license key, timestamp), in email engagement tracking (open/click times and delivery status via Resend webhooks), and in contact / education request forms (form contents).

Personal Data Categories Processed

Per KVKK art. 10 and the Board's transparency guidance, the table below summarizes the data categories we process, the purposes of processing, the legal basis, and the retention period.

| Category | Purpose | Legal basis | Retention |
| --- | --- | --- | --- |
| Identity (name, surname, role, title) | Lead / inquiry / education request handling | Art. 5/2(c) pre-contractual relationship | 3 years |
| Contact (email, phone, company, country) | Responding to requests, delivering setup link, customer management | Art. 5/2(c) performance of a contract | 3 years |
| License activation (hardware fingerprint, license key, timestamp) | License verification, device-transfer control, abuse prevention | Art. 5/2(ç) legal obligation + 5/2(f) legitimate interest | License lifetime + 5 years (VUK / TTK) |
| Email engagement (open / click / delivery, Resend webhook) | Deliverability analysis, message status tracking | Art. 5/2(f) legitimate interest | 2 years |
| Marketing (opt-in flag, campaign / UTM parameters) | Newsletter, new-version and event announcements | Art. 5/1 explicit consent + ETK art. 6 IYS consent | Until consent is withdrawn |
| Cookies (analytics) | Anonymous visit statistics | Art. 5/1 explicit consent | 12 months |
| Logs (IP, user-agent, page) | Security, bot / abuse prevention | Art. 5/2(f) legitimate interest + Law 5651 art. 8 | 30 days |

Purposes and Legal Bases

We process your data for the following purposes and legal bases: (1) Delivering the download link and setup guide — KVKK art. 5/2-c (performance of a contract); no separate consent is required. (2) License activation and device verification — KVKK art. 5/2-c. (3) Product news, tips, new-version announcements, and follow-up emails — your explicit consent under KVKK art. 5/1 and Turkish E-Commerce Law (ETK) art. 6, given by ticking the opt-in box on the download form. (4) Service quality improvement and product usage metrics — KVKK art. 5/2-f (legitimate interest).

Commercial Electronic Messages and Consent

Under ETK article 6, commercial electronic messages (marketing email) may only be sent to recipients who have given prior explicit consent. If you did not tick the "I want to receive product news and tips from Yamazo" box on the download form, you will only receive service emails responding to your specific request (download link, request confirmation) — no marketing email. If you did consent, every marketing email contains a single-click unsubscribe link at the bottom that revokes your consent immediately; from that point you will continue to receive only service emails.

Retention Periods

Lead records are retained throughout any active relationship with our product and for 3 years afterward. License activation data is retained for the lifetime of the license plus 5 years (as required by the Turkish Tax Procedure Code and Commercial Code). Email delivery and engagement data is retained for 2 years (for deliverability analysis). At the end of these periods, data is deleted, destroyed, or anonymized within a six-month periodic destruction cycle per KVKK art. 7. The full procedure is documented in our written Data Retention and Destruction Policy (opsidatech.com/saklama-imha-politikasi).

Data Security and Location

Our server infrastructure is hosted in EU data centers (Supabase, EU-Frankfurt). All traffic is encrypted with TLS 1.2+. IP addresses are stored with the last octet masked (/24); raw IPs are not retained. Email addresses do not appear in raw form in our operational logs; only the first 12 characters of a SHA-256 hash are recorded.

Third-Party Processors

Your data is shared with the following processors: Supabase (database infrastructure, EU-Frankfurt), Resend (email service provider, EU), Vercel (web server, EU and US CDN points of presence), Cloudflare (CDN and bot protection, EU and US). Your in-app video and analysis data is not shared with any of these — only website-form, account-management, and email-delivery data is. Cross-border transfers occur under KVKK article 9, relying on the recipient country's adequacy or binding contractual safeguards.

International Transfers and Standard Contractual Clauses

Operational data (form submissions, license activation records, email delivery logs) is processed inside the European Union at Supabase's Frankfurt data center. Vercel and Cloudflare use EU and US points of presence for content distribution; data passing through those edges is only in transit and is not persistently stored there. Cross-border transfers under KVKK art. 9 (as amended on 12 March 2024) rely on one of: (a) the Board-approved Standard Contractual Clauses (Turkish Personal Data Protection Board Decision dated 04 June 2024, no. 2024/959, Official Gazette 10 July 2024), (b) Binding Corporate Rules, or (c) your explicit consent. Each executed Standard Contract is notified to the Board within five business days of signing per the Regulation on International Personal Data Transfer Procedures and Principles.

Data Protection Officer and EU Representative

We have not appointed a formal Data Protection Officer (DPO) because the appointment thresholds under both KVKK and GDPR art. 37 are not met: we are not a public authority, and our core activity does not consist of large-scale systematic monitoring or large-scale processing of special categories of personal data. Data protection requests are handled directly by senior management and routed to kvkk@opsidatech.com. We have not appointed an EU representative under GDPR art. 27 because we do not currently offer goods or services to, or monitor the behaviour of, data subjects in the EU as a core activity. If we begin operating actively in the EU market, a representative will be appointed without delay and this notice will be updated.

Cookies and Tracking Technologies

Our website uses only functional/session cookies (to maintain your session), first-party UTM cookies (for campaign source attribution), and analytics measurement cookies (Vercel Analytics). We do not use third-party advertising cookies. You can delete or block cookies in your browser settings at any time; some site functionality may be unavailable as a result.

Your Rights Under KVKK

Under KVKK article 11 you have the right to: (a) learn whether your personal data is being processed, (b) request information about the processing, (c) learn the purpose of processing and whether the data is used in line with that purpose, (d) know the third parties (domestic or foreign) to whom data is transferred, (e) request correction if the data is incomplete or inaccurate, (f) request deletion or destruction, (g) request that any corrections / deletions be communicated to third-party recipients, (h) object to the result of analyses carried out exclusively by automated systems where the result is adverse to you, (i) claim compensation for damages arising from unlawful processing.

Exercising Your Rights

Per KVKK art. 13 and the Communiqué on the Procedures and Principles of Application to Data Controllers, you can submit requests via (a) the Data Subject Application Form at opsidatech.com/kvkk-basvuru-formu, (b) a written email to kvkk@opsidatech.com, or (c) the official KEP (registered email) channel. To verify your identity, please use the email address we have on file for you and clearly state the subject of your request. We respond within at most 30 days, free of charge; if the request incurs additional cost we may charge under the fee schedule set by the Data Protection Board. If you are not satisfied with our response, you retain the right to file a complaint with the Personal Data Protection Board (KVKK art. 14).

Contact

For all questions and requests about this notice: support@yamazovas.com — this is also our KVKK application channel. Web: www.yamazovas.com.