Suitally | Privacy Policy & KVKK Disclosure

Version 1.0  |  Effective Date: 27 February 2026

This document serves as both a GDPR-compliant Privacy Policy and a KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) Clarification Text (Aydınlatma Metni). It applies to all users of the Suitally platform accessible at suitally.com and app.suitally.com.

1. Data Controller / Veri Sorumlusu

Under GDPR Article 4(7) and KVKK Article 3(1)(i), the data controller for all personal data processed through the Suitally platform is:

  • Company Name — Suitally (known as Ismail Enes Sabanoglu / Registered as Sole Proprietorship in Türkiye)

  • Platform URL — https://suitally.com / https://app.suitally.com

  • Contact Email — [email protected]

  • KVKK Role — Veri Sorumlusu (Data Controller)

  • GDPR Role — Data Controller (Article 4(7), GDPR)

2. What Personal Data We Collect / Toplanan Kişisel Veriler

2.1 Data You Provide Directly

• Account registration data: name, email address, password (hashed, never stored in plain text).

• Billing information: invoicing details required for paid subscriptions. Payment card data is processed directly by our payment provider and is never stored on Suitally servers.

• Profile information: company name, website URL, industry sector, advertising goals.

• Communications: support tickets, feedback forms, and emails sent to us.

2.2 Data Collected Automatically

• Usage data: pages visited, features used, session duration, click interactions — collected to improve platform performance.

• Technical data: IP address (anonymised after processing), browser type, operating system, device type.

• Log data: server access logs retained for security and debugging purposes.

• Cookies and similar technologies: see Section 6.

2.3 Data from Third-Party Integrations

When you connect third-party advertising or analytics platforms (e.g. Meta Ads, Google Ads, Google Search Console) to Suitally, we receive and process data provided by those platforms under the terms of your authorisation. This may include:

• Campaign performance metrics, spend data, and audience statistics.

• Page and website analytics data.

• Ad account identifiers and associated metadata.

3. Purposes of Processing / İşleme Amaçları

Purpose of Processing | GDPR Legal Basis (Article 6) | KVKK Legal Basis (Article 5)

  • Providing and operating the Suitally platform and user account tools — Article 6(1)(b) — Performance of contract — Article 5(2)(c) — Necessary for performance of contract

  • Processing payments and managing subscriptions — Article 6(1)(b) — Performance of contract — Article 5(2)(c) — Contract necessity

  • Sending transactional emails (account alerts, reports) — Article 6(1)(b) — Performance of contract — Article 5(2)(c) — Contract necessity

  • Anonymised usage analytics for platform performance improvements — Article 6(1)(f) — Legitimate interests — Article 5(2)(f) — Legitimate interest of data controller

  • Personalising platform features based on your usage patterns — Article 6(1)(f) — Legitimate interests — Article 5(2)(f) — Legitimate interest

  • Sharing anonymised aggregated data with third-party analytics and performance partners — Article 6(1)(f) — Legitimate interests (data is anonymised, no individual identification possible) — Article 5(2)(f) — Legitimate interest; data is anonymised and does not identify individuals

  • Sharing personal data with legal partners where required by law — Article 6(1)(c) — Legal obligation — Article 5(2)(a) — Explicitly provided by law

  • Marketing communications (optional, opt-in) — Article 6(1)(a) — Consent — Article 5(1) — Explicit consent

  • Security monitoring, fraud prevention, abuse detection — Article 6(1)(f) — Legitimate interests — Article 5(2)(f) — Legitimate interest

4. Anonymous Data & Platform Performance / Anonim Veri ve Platform İyileştirme

Suitally collects and processes certain data in anonymised form for the purpose of improving platform performance, reliability, and feature development. Anonymisation is performed in accordance with the standards described in GDPR Recital 26 and the guidelines issued by the Turkish Personal Data Protection Authority (KVKK / KVKK Board Opinion No. 2018/10).

Specifically:

• Behavioural usage patterns (e.g. which features are used most frequently, average session length) are aggregated and anonymised before any analysis. No individual user can be identified from this data.

• Technical performance metrics (page load times, error rates, API response times) are collected at the system level and do not contain personal identifiers.

• Anonymised aggregated usage data may be shared with third-party service providers (including analytics and performance monitoring tools) under contractual data processing agreements that prohibit re-identification.

• IP addresses, where collected for security or logging purposes, are truncated or hashed within 24 hours and are not used for identification in analytics contexts.

Once data has been fully anonymised so that no individual can be reasonably identified, it falls outside the scope of GDPR and KVKK and may be processed without further restriction.

5. Data Sharing & Third-Party Transfers / Veri Paylaşımı ve Üçüncü Taraflar

We do not sell your personal data. We may share data in the following circumstances:

5.1 Service Providers (Data Processors)

We engage third-party companies to provide services on our behalf, including cloud hosting, email delivery, payment processing, customer support tools, and analytics. These providers act as Data Processors under GDPR Article 28 and as authorised persons under KVKK Article 8. They are permitted to process personal data only as instructed by us and under binding contractual obligations.

5.2 Analytics & Performance Partners (Anonymous Data)

We share anonymised, aggregated, non-personally identifiable data with analytics and performance optimisation partners. This data cannot reasonably be used to identify any individual user and is shared solely for the purpose of improving our services and benchmarking platform performance.

5.3 Legal Partners & Compliance Transfers

We may share personal data with legal advisors, auditors, regulatory authorities, or law enforcement agencies where:

• Required by applicable law, court order, or regulatory requirement (including Turkish law and EU regulations);

• Necessary to protect the rights, property, or safety of Suitally, our users, or the public;

• Required as part of a merger, acquisition, or business transfer (users will be notified in advance).

All such transfers are performed in full legal compliance with both GDPR Chapter V and KVKK Article 9 (cross-border transfer) requirements.

5.4 Third-Party Advertising Platforms

When you connect advertising platforms (e.g. Meta Ads, Google Ads) to Suitally, data from those platforms is processed within Suitally under your instruction. Suitally acts as a Data Processor with respect to your ad account data. The relevant advertising platforms remain independent Data Controllers under their own privacy policies.

6. Cookies & Tracking Technologies / Çerezler

Suitally uses cookies and similar technologies on its web platform. Under the EU ePrivacy Directive, GDPR, and the Turkish Electronic Communications Law (Law No. 5809) as interpreted by the Information and Communication Technologies Authority (BTK), certain cookies require your consent.

Cookie Type | Purpose | Consent Required? | Retention

  • Strictly Necessary — Session management, authentication, security (CSRF) — No (legitimate interest / contract) — Session

  • Functional — User preferences, language, UI settings — No (legitimate interest) — 1 year

  • Analytics — Anonymised usage statistics for platform improvement — Yes (opt-in) — 13 months

  • Marketing — Personalised communications (if opted in) — Yes (explicit consent) — 6 months

7. Data Retention / Saklama Süreleri

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with GDPR Article 5(1)(e) and KVKK Article 7:

• Account data: retained for the duration of your account and deleted within 30 days of account closure upon verified request.

• Billing and transaction records: retained for 10 years in accordance with Turkish Commercial Code (TTK) Article 82 and applicable tax regulations.

• System and server logs: retained for a maximum of 6 months for security purposes.

• Anonymised analytics data: no defined retention limit, as anonymised data falls outside the scope of GDPR and KVKK.

• Marketing preferences: retained until you withdraw consent.

8. Your Rights / Haklarınız

You have the following rights regarding your personal data under both GDPR and KVKK:

Right | Under GDPR | Under KVKK

  • Right to be informed — Article 13–14 — Article 10

  • Right of access — Article 15 — Article 11(1)(b)

  • Right to rectification — Article 16 — Article 11(1)(c)

  • Right to erasure (right to be forgotten) — Article 17 — Article 11(1)(e)

  • Right to restriction of processing — Article 18 — Article 11(1)(d)

  • Right to data portability — Article 20 — Article 11(1)(f) (where applicable)

  • Right to object — Article 21 — Article 11(1)(g)

  • Right not to be subject to automated decisions — Article 22 — Article 11(1)(h)

  • Right to withdraw consent — Article 7(3) — Article 5(1) — consent basis

To exercise any of these rights, please submit a written request to [email protected]. Under KVKK Article 13, we will respond within 30 days. Under GDPR Article 12, we will respond within one calendar month.

KVKK Complaint: You have the right to file a complaint with the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK) at kvkk.gov.tr.

GDPR Complaint: You have the right to lodge a complaint with the supervisory authority in your EU member state of residence.

9. Data Deletion / Veri Silme

You may request deletion of your personal data at any time. Requests can be submitted by:

• Emailing [email protected] with subject line “Data Deletion Request”;

• Using the in-platform account deletion feature (Settings → Account → Delete Account);

• Submitting a request via our data deletion callback endpoint at https://app.suitally.com/api/v1/meta/data-deletion.

We will process data deletion requests within 30 days. Note that certain data may be retained where required by law (e.g., financial transaction records under TTK Article 82) or to resolve disputes or enforce our agreements. Where retention is mandatory, data will be isolated from active systems.

10. Data Security / Veri Güvenliği

Suitally implements appropriate technical and organisational measures to protect personal data in accordance with GDPR Article 32 and KVKK Article 12, including:

• AES-256 encryption for sensitive data stored at rest (including third-party access tokens).

• TLS 1.2+ encryption for all data in transit.

• Hashed passwords — plain-text passwords are never stored.

• Access controls and least-privilege principles for internal data access.

• Regular security assessments and dependency updates.

• Incident response procedures with mandatory breach notification as required by GDPR Article 33 (72-hour supervisory authority notification) and KVKK Board Decision requirements.

11. International Data Transfers / Uluslararası Veri Transferleri

Some of our third-party service providers are located outside Turkey and the European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place:

• For transfers to countries with an EU adequacy decision (GDPR Article 45): transfers proceed on that basis.

• For other transfers: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46(2)(c)).

• For KVKK compliance: transfers are made in accordance with KVKK Article 9, either to countries declared adequate by the KVKK Board or with appropriate safeguards and explicit consent where required.

12. Changes to This Policy / Politika Değişiklikleri

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email and/or by displaying a prominent notice within the platform at least 14 days before the changes take effect. Continued use of Suitally after the effective date constitutes acceptance of the updated policy.

The current version of this policy is always available at: https://suitally.com/privacy-policy

13. Contact Us / İletişim

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us:

  • Email (Data Requests) — [email protected]

  • Subject Line — “Privacy Request” or “KVKK Başvurusu”

  • Response Time — Within 30 days (KVKK Art. 13) / 1 month (GDPR Art. 12)

  • Platform — https://app.suitally.com
