Privacy Policy & KVKK Disclosure
This Privacy Policy and Personal Data Protection Disclosure ("Policy") explains how your personal data is collected, processed, stored, and protected when you use the Koken Akademi online education platform ("Platform"). This Policy is prepared in accordance with the Turkish Personal Data Protection Law No. 6698 ("KVKK") and its secondary regulations.
1. Data Controller Information
Pursuant to Article 10 of the KVKK, the data controller responsible for the processing of your personal data is:
- Data Controller: Gulay Okuyucu / Koken Akademi
- Email: info@kokenakademi.com
- Location: Istanbul, Turkey
As the data controller, Koken Akademi determines the purposes and means of processing your personal data and is responsible for the establishment and management of the data recording system.
2. Personal Data Collected
The Platform collects and processes the following categories of personal data:
| Data Category | Data Types | Collection Method |
|---|---|---|
| Identity Information | First name, last name | Registration form |
| Contact Information | Email address | Registration form |
| Account Security | Password (stored only in bcrypt-hashed form) | Registration and account settings |
| Learning Progress | Course enrollments, lesson completion records, quiz scores, certificates earned | Automatically recorded during platform usage |
| Usage Data | Session data, pages visited, feature interactions, timestamps of activity | Automatically generated server logs and analytics |
| Device & Technical Data | IP address, browser type and version, operating system, screen resolution, referring URL | Automatically captured via server logs and Plausible Analytics |
We do not collect any special categories of personal data (sensitive data) as defined under Article 6 of the KVKK, such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.
3. Purposes of Data Processing
Your personal data is processed for the following purposes:
- Creating and managing your user account
- Delivering educational services, including access to courses, video lessons, and quizzes
- Tracking your learning progress and issuing completion certificates
- Authenticating your identity and maintaining session security
- Processing payments for course purchases (via Iyzico, when available)
- Ensuring the security and stability of the Platform and preventing misuse
- Analyzing aggregate usage patterns to improve the Platform (via cookie-free Plausible Analytics)
- Communicating service-related notifications, such as course updates and account alerts
- Sending promotional and informational communications (only with your explicit consent)
- Fulfilling legal and regulatory obligations under Turkish law
4. Legal Basis for Processing
Under Article 5 of the KVKK, personal data may be processed without explicit consent only in certain circumstances. Your data is processed based on the following legal grounds:
| Legal Basis (KVKK Art. 5) | Processing Activities |
|---|---|
| Performance of a contract (Art. 5/2-c) | Account creation, course access, delivery of educational services, certificate issuance, payment processing |
| Legal obligation (Art. 5/2-c, Alt.) | Retention of financial records, compliance with tax and commercial regulations, responding to lawful requests from authorities |
| Legitimate interest of the data controller (Art. 5/2-f) | Platform security, fraud prevention, error detection and debugging, aggregate analytics for service improvement |
| Explicit consent (Art. 5/1) | Marketing and promotional communications, optional non-essential cookies (if any in the future) |
Where processing is based on your explicit consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
5. Data Transfers
Your personal data may be transferred to the following third-party service providers in accordance with Articles 8 and 9 of the KVKK:
| Recipient | Purpose | Location | Services Used |
|---|---|---|---|
| Cloudflare, Inc. | Web hosting, content delivery, security, data storage | USA / Global Edge Network | Pages, Workers, D1 (database), R2 (file storage), KV (key-value store) |
| Plausible Analytics | Privacy-friendly, cookie-free website analytics | EU | Aggregate traffic analytics (no personal identifiers collected) |
| Iyzico (future) | Payment processing | Turkey | Secure payment gateway for course purchases |
International Data Transfers
Some of your personal data may be processed in countries outside of Turkey through our infrastructure provider Cloudflare. These international transfers are carried out in accordance with Article 9 of the KVKK, which requires one of the following conditions:
- The receiving country provides an adequate level of data protection as recognized by the Personal Data Protection Board ("KVKK Board"), or
- Sufficient safeguards are provided through written commitments and authorization by the KVKK Board, or
- Your explicit consent is obtained for the transfer.
We ensure that all service providers maintain appropriate technical and organizational measures to protect your data during and after transfer.
6. Data Retention Periods
Your personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of active account membership plus 1 year after account deletion |
| Learning progress and certificates | Duration of active account membership; anonymized upon account deletion |
| Transaction and payment records | 10 years (as required by Turkish Commercial Code and Tax Procedure Law) |
| Server logs and technical data | Maximum 12 months, then automatically purged |
| Analytics data (Plausible) | Aggregate only; no personal data is stored by Plausible Analytics |
| Communication consent records | Duration of consent plus 3 years after withdrawal (for compliance evidence) |
Upon expiration of the retention period or upon your deletion request, your personal data will be deleted, destroyed, or anonymized in accordance with the Regulation on Deletion, Destruction, or Anonymization of Personal Data. Legal retention obligations take precedence over deletion requests.
7. Data Security Measures
In accordance with Article 12 of the KVKK, we implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:
Technical Measures
- Encryption in transit: All data communications between your browser and our servers are protected with SSL/TLS encryption (HTTPS)
- Password security: Passwords are hashed using the bcrypt algorithm and are never stored or transmitted in plain text
- Authentication: Session management is implemented using secure JWT (JSON Web Token) technology with appropriate expiration periods
- Rate limiting: Brute-force and credential-stuffing attacks are mitigated through request rate limiting
- DDoS protection: Cloudflare provides enterprise-grade protection against distributed denial-of-service attacks
- Input validation: All user inputs are validated and sanitized to prevent injection attacks
Organizational Measures
- Access control: Access to personal data is restricted to authorized personnel on a need-to-know basis
- Principle of least privilege: System permissions are granted at the minimum level required for each function
- Regular security reviews: Security configurations and access rights are periodically reviewed and audited
- Incident response: Procedures are in place to detect, report, and respond to personal data breaches in compliance with KVKK requirements
8. Your Rights Under KVKK (Article 11)
Under Article 11 of the KVKK, you have the following rights with respect to your personal data:
- Right to know: Learn whether your personal data is being processed.
- Right to request information: If your personal data has been processed, request information about such processing.
- Right to learn the purpose: Learn the purpose of processing and whether your data is being used in accordance with that purpose.
- Right to know recipients: Know the third parties to whom your personal data has been transferred, domestically or abroad.
- Right to rectification: Request correction of your personal data if it has been processed incompletely or inaccurately.
- Right to erasure and destruction: Request the deletion or destruction of your personal data under the conditions set forth in Article 7 of the KVKK.
- Right to notification of rectification/erasure: Request that any correction, deletion, or destruction of your data be notified to third parties to whom your data has been transferred.
- Right to object to automated processing: Object to any result arising against you through the analysis of your processed data exclusively by automated systems.
- Right to compensation: Claim compensation for damages caused by unlawful processing of your personal data.
How to Exercise Your Rights
You may submit your requests regarding the above rights through the following methods:
- Email: Send your request to info@kokenakademi.com with the subject line "KVKK Data Request"
- Written application: Submit a signed petition with identity verification documents via registered mail to our address
Your application must include your name, surname, T.C. identification number (for Turkish citizens) or passport number (for foreign nationals), registered electronic mail (KEP) address or email address, and a clear description of the right you wish to exercise.
Your request will be processed free of charge within 30 (thirty) days from the date of receipt. If fulfilling the request entails additional costs, a fee may be charged in accordance with the tariff set by the Personal Data Protection Board.
If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Authority (Kisisel Verileri Koruma Kurumu) within 30 days of receiving our response, or within 60 days of submitting your application if no response has been received.
9. Cookie Policy
Koken Akademi uses Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect any personal data. Plausible complies with GDPR, CCPA, and PECR without requiring a cookie consent banner.
The Platform uses only strictly necessary cookies and local storage mechanisms for essential functionality:
- Authentication tokens (JWT): Stored in browser local storage to maintain your login session
- Theme preference: Stored in local storage to remember your light/dark mode selection
- Cloudflare security cookies: Required by our infrastructure provider for bot protection and security
We do not use any tracking cookies, advertising cookies, or third-party marketing cookies.
For detailed information about cookies and similar technologies, please refer to our Cookie Policy.
10. Policy Changes
We may update this Policy from time to time to reflect changes in our data processing practices, legal requirements, or Platform features. In the event of material changes:
- A notification will be posted prominently on the Platform
- Registered users will be notified via email if the changes affect data processing activities
- The "Effective Date" and "Version" at the top of this page will be updated
We encourage you to review this Policy periodically. Continued use of the Platform after changes take effect constitutes acknowledgment of the updated Policy. If changes require your consent under the KVKK, we will seek your explicit consent before implementing those changes.
11. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at:
- Data Controller: Gulay Okuyucu / Koken Akademi
- Email: info@kokenakademi.com
- Location: Istanbul, Turkey
Applicable Legislation
This Policy is governed by the following Turkish legislation:
- Personal Data Protection Law No. 6698 (KVKK)
- Communique on Procedures and Principles for Fulfilling the Obligation of Disclosure
- Regulation on the Data Controllers Registry (VERBIS)
- Regulation on Deletion, Destruction, or Anonymization of Personal Data
- Decisions and guidelines issued by the Personal Data Protection Board