Privacy Policy and KVKK Disclosure Statement

Last updated: May 8, 2026

1. Data Controller

This application (“webdesiz” or “we”) is owned and operated by Birim Ajans Yazılım Limited Şirketi. Our company acts as the data controller under the Personal Data Protection Law No. 6698 (“KVKK”, the Turkish Personal Data Protection Law). For contact: gizlilik@webdesiz.com.

2. Personal Data We Process

2.1 Data we collect during registration

  • Full name, email address, password (bcrypt hash; the raw value is never stored)
  • Business name, tax number, and tax office (for invoicing, optional)
  • Phone number (optional — for notifications)

2.2 Data processed during Meta integration

After you use Connect with Facebook or the manual token connection process, we receive and process the following data from Meta:

  • Your Meta user ID, ad account IDs, account name, currency
  • Ad access token (stored encrypted with AES-256-GCM)
  • Campaign, ad set, and ad IDs, names, and statuses
  • Ad performance metrics: impressions, clicks, conversions, spend, ROAS, CPM, CPC
  • Lead form responses (only from forms you have explicitly authorized)

2.3 Automatically collected data

  • Login time, IP address, user agent (security audit log)
  • Application usage statistics (anonymous)

3. Purposes of Processing

  • Providing the service: running the ad management panel, generating reports
  • AI-assisted ad copy and image generation (anonymous prompts are sent to OpenAI)
  • Running automation rules (user-defined)
  • Billing and subscription management (via Stripe)
  • Security, fraud prevention, error tracking
  • Compliance with legal obligations (KVKK, tax legislation)

4. Legal Basis for Data Processing

  • Establishment and performance of a contract (KVKK art. 5/2-c)
  • Fulfillment of legal obligations (KVKK art. 5/2-ç)
  • Legitimate interest (KVKK art. 5/2-f) — security, product improvement
  • Explicit consent (KVKK art. 5/1) — marketing communications, AI copy/image generation

5. Data Transfers — Third Parties

To provide the service, data is transferred in the following processes:

  • Meta Platforms, Inc. (Facebook/Instagram) — to access your ad accounts, only within the scopes you have authorized
  • OpenAI, Inc. — for AI copy and image generation (prompts are anonymous and contain no personal data)
  • Stripe, Inc. — subscriptions and billing (card details are stored with Stripe and are not transmitted to us)
  • Resend — transactional email delivery (registration confirmation, password reset)
  • DigitalOcean / Cloudflare — hosting and content delivery

Your data is under no circumstances sold or shared for advertising purposes.

6. Data Retention Period

  • For as long as the account is active
  • After the account is deleted: fully erased within 30 days (except where legal retention is required)
  • Audit logs: 2 years (as required by KVKK security requirements)
  • Invoices and financial records: 10 years (as required by tax legislation)

7. Your Rights Under KVKK Article 11

You have the following rights, which you may exercise through the application or by email:

  • Learn whether your data is being processed
  • Request information if it has been processed
  • Learn the purpose of processing and whether your data is used appropriately
  • Request correction of incomplete or inaccurate data — Settings → Profile
  • Request the deletion or destruction of your data — Data Deletion Request
  • Download your data in a machine-readable format — Settings → Security → Download my data
  • Request restriction of processing
  • Object to decisions made by automated systems — e.g. automation rules
  • Request compensation for any damages you suffer due to unlawful processing of your data

8. Security Measures

  • All connections are over HTTPS / TLS 1.2+
  • The database is encrypted at rest; Meta access tokens use AES-256-GCM
  • Passwords use bcrypt (cost factor 12)
  • JWT refresh token rotation + reuse detection
  • Regular security audits and dependency updates
  • Access control: role-based authorization (RBAC)

9. Use of Cookies

We use only strictly necessary cookies: login, CSRF protection, and preference settings. We do not use any third-party cookies for advertising or analytics.

10. Contact

To exercise your rights under KVKK or for any questions regarding privacy: gizlilik@webdesiz.com