KVKK Notice and Our Approach to Your Data
Last updated: June 2026
This page transparently explains how we, at Alman Hesabı, handle personal data. We designed our product to operate in line with the principles of Turkey's Personal Data Protection Law (KVKK) for hospitality businesses and their guests. The text below describes what data we process and why, how long we keep it, and how you can exercise your rights as a data subject. This explanation concerns Alman Hesabı's own data practices and is provided for general information; it is not a substitute for legal advice regarding your business's own obligations.
1. Who Is the Data Controller?
For the personal data we collect through the Alman Hesabı platform, the data controller is Alman Hesabı. Businesses that use the platform — such as restaurants, cafés, and bars — are generally the data controllers for their own guest and staff data; when we provide our service to these businesses, we act in the role of a data processor. You can contact us with any questions, requests, or applications regarding our data approach: Email: [email protected] We keep this distinction of roles transparent so that each party's responsibilities are clear.
2. The Data Categories We Process
We process only the data necessary for the platform to function, in a way that is proportionate and purpose-bound. The main categories are: • Owner / account data: Name, email address, phone number, business name, and account login details. • Staff data: Names and roles of employees that the business adds to the system (e.g. waiter, cashier), along with records related to tip sharing. • Guest order data: The contents of orders placed from the QR menu, table/session information, bill-splitting preferences, and payment status. Card details are not stored in our system; payment is processed through PCI DSS-compliant payment providers. • Technical usage data: IP address, device and browser information, cookie identifiers, and basic usage logs (for security and service improvement). We do not aim to collect special categories of sensitive personal data.
3. The Purposes for Which We Process Data
We process personal data only for clear and legitimate purposes: • Enabling the QR ordering, bill-splitting, and payment flow. • Creating and managing the business account and responding to support requests. • Running the staff and tip-sharing features. • Ensuring the security of the service and preventing misuse and fraud. • Measuring and improving the product's performance (in aggregated or anonymised form where possible). • Sending you service-related information to the extent you have permitted. We do not use data for purposes beyond those for which it was collected.
4. Legal-Basis Framework
We designed our processing activities to align with the processing conditions set out in the KVKK. Depending on the type of processing, the basis may be one of the following: • Processing being necessary for the establishment or performance of a contract (e.g. account creation, ordering, and the payment flow). • Processing being necessary for our legitimate interests, provided it does not harm your fundamental rights and freedoms (e.g. security, fraud prevention). • Your explicit consent (e.g. non-essential cookies or marketing messages). For processing based on consent, you may withdraw your consent at any time.
5. How Long We Retain Data
We retain personal data for as long as necessary for the purpose for which it is processed, in line with the principle of proportionality: • Account data is kept for as long as your account is active; if the account is closed, it is deleted or anonymised within a reasonable period. • Order and transaction records are retained for the period needed to provide the service and to resolve potential disputes. • Contact and support requests are kept for a limited period after the request is resolved. • Technical logs are retained for a short period for security purposes. When the retention period ends, we securely delete, destroy, or anonymise the data.
6. Your Rights as a Data Subject
We have designed our processes so that you can exercise the following rights regarding your personal data: • Access: Learning which data is being processed about you and requesting access to it. • Rectification: Requesting the correction of incomplete or inaccurate data. • Erasure: Requesting the deletion or destruction of your data where the conditions are met. • Objection: Objecting to certain processing activities, particularly those based on legitimate interest. • Withdrawal of consent: Withdrawing your consent for processing based on consent. • Information on processing: Learning the parties to whom your data is transferred and the purpose of processing. Making it easy for you to exercise these rights is our priority.
7. How to Exercise Your Rights
To exercise any of the rights above, you can reach us at [email protected]. When you submit your request in a way that lets us reasonably verify your identity, we will review and resolve it as quickly as possible and, in any case, within a reasonable period. Clearly stating which right you wish to exercise and the nature of your request helps speed up the process. If we decline your request, we will share our reasoning with you.
8. Data Security and Transfers
We have made technical and administrative measures a part of our service's design to protect personal data: encryption in transit, role-based access control, the principle of least privilege, and regular reviews are among them. We share data only when necessary to provide the service and under appropriate security commitments — for example, with our hosting and payment-infrastructure providers. This page may be updated from time to time; for significant changes, we aim to inform you through appropriate channels. For our full approach to security and privacy, please see the pages below.