KVKK Notice | Morpheo Akademi

This notice is issued by Morpheo Akademi in its capacity as data controller under Article 10 of Türkiye's Law No. 6698 on the Protection of Personal Data ("KVKK") and the related Communiqué on Procedures and Principles for Compliance with the Obligation to Inform.

1. Identity of the Data Controller

Legal Name: [COMPANY LEGAL NAME]
Tax ID: [TAX ID]
Registered Address: [REGISTERED ADDRESS, BURSA, TÜRKİYE]
Phone: [PHONE]
Email: [CONTACT EMAIL]

2. Categories of Personal Data Processed

Identity data (name, surname, username);
Contact data (email, phone, billing address);
Transaction data (orders, refunds, coupons);
Payment metadata ([Payment Service Provider] order ID, masked card data);
Learning/usage data (progress, quiz results);
Security/log data (IP address, access logs);
Marketing data (with consent);
Support/communication data.

3. Purposes of Processing

Account creation, authentication, and account security;
Delivery of purchased educational content;
Order, invoice, payment, and refund processing;
Customer support;
Fraud and abuse prevention;
Platform security and log keeping;
Product improvement and user experience;
Marketing communications (with consent);
Compliance with legal obligations.

4. Collection Methods and Legal Bases

Personal data is collected through Platform forms, cookies, support messages, [Payment Service Provider] payment flows, and third-party OAuth providers, by electronic and automated means.

Performance of contract (KVKK Art. 5/2-c): purchase, content delivery, account access.
Legal obligation (KVKK Art. 5/2-a, 5/2-ç): invoice retention (Tax Procedure Law), log retention (Law No. 5651).
Legitimate interest (KVKK Art. 5/2-f): fraud prevention, Platform security.
Explicit consent (KVKK Art. 5/1): marketing, optional analytics.

5. Transfers and Purposes

[PAYMENT SERVICE PROVIDER] (UK) — payment, invoice, tax, refund.
Supabase Inc. (US/EU) — database, authentication, storage.
BunnyWay d.o.o. (Slovenia) — video delivery.
PostHog Inc. (US/EU) — product analytics, with consent.
SMTP / email providers — transactional email delivery.
OAuth providers (Google/LinkedIn) — alternative authentication.
Courts, prosecutors, KVKK Authority — legal obligations.
Accountants, auditors, legal counsel.

Some recipients are located outside Türkiye. Transfers comply with KVKK Art. 9 through standard contractual clauses, undertakings, or explicit consent.

6. Data Subject Rights (Art. 11)

Learn whether your data is processed;
Request information if processing has taken place;
Learn the purpose and whether data is used accordingly;
Know third parties to whom data is transferred domestically or abroad;
Request correction of incomplete or inaccurate data;
Request deletion or destruction under Art. 7;
Request that the above actions be notified to recipients;
Object to results produced solely by automated processing that affect you adversely;
Claim compensation for damages caused by unlawful processing.

7. Exercising Your Rights

In accordance with the Communiqué on Application Procedures and Principles to the Data Controller, you may submit your request along with identification documents to our registered address by post/notary, by KEP to [KEP ADDRESS], or by email from your registered email address to [CONTACT EMAIL]. Requests are answered within 30 days.

If the response is insufficient or not timely, you may file a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu, kvkk.gov.tr) within the time limits prescribed by law.

2. Categories of Personal Data Processed

Identity data (name, surname, username);

Contact data (email, phone, billing address);

Transaction data (orders, refunds, coupons);

Payment metadata ([Payment Service Provider] order ID, masked card data);

Learning/usage data (progress, quiz results);

Security/log data (IP address, access logs);

Marketing data (with consent);

Support/communication data.

3. Purposes of Processing

Account creation, authentication, and account security;

Delivery of purchased educational content;

Order, invoice, payment, and refund processing;

Customer support;

Fraud and abuse prevention;

Platform security and log keeping;

Product improvement and user experience;

Marketing communications (with consent);

Compliance with legal obligations.

4. Collection Methods and Legal Bases

Personal data is collected through Platform forms, cookies, support messages, [Payment Service Provider] payment flows, and third-party OAuth providers, by electronic and automated means.

Performance of contract (KVKK Art. 5/2-c): purchase, content delivery, account access.

Legal obligation (KVKK Art. 5/2-a, 5/2-ç): invoice retention (Tax Procedure Law), log retention (Law No. 5651).

Legitimate interest (KVKK Art. 5/2-f): fraud prevention, Platform security.

Explicit consent (KVKK Art. 5/1): marketing, optional analytics.

5. Transfers and Purposes

[PAYMENT SERVICE PROVIDER] (UK) — payment, invoice, tax, refund.

Supabase Inc. (US/EU) — database, authentication, storage.

BunnyWay d.o.o. (Slovenia) — video delivery.

PostHog Inc. (US/EU) — product analytics, with consent.

SMTP / email providers — transactional email delivery.

OAuth providers (Google/LinkedIn) — alternative authentication.

Courts, prosecutors, KVKK Authority — legal obligations.

Accountants, auditors, legal counsel.

Some recipients are located outside Türkiye. Transfers comply with KVKK Art. 9 through standard contractual clauses, undertakings, or explicit consent.

6. Data Subject Rights (Art. 11)

Learn whether your data is processed;

Request information if processing has taken place;

Learn the purpose and whether data is used accordingly;

Know third parties to whom data is transferred domestically or abroad;

Request correction of incomplete or inaccurate data;

Request deletion or destruction under Art. 7;

Request that the above actions be notified to recipients;

Object to results produced solely by automated processing that affect you adversely;

Claim compensation for damages caused by unlawful processing.

7. Exercising Your Rights

If the response is insufficient or not timely, you may file a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu, kvkk.gov.tr) within the time limits prescribed by law.

KVKK Data Subject Notice

1. Identity of the Data Controller

2. Categories of Personal Data Processed

3. Purposes of Processing

4. Collection Methods and Legal Bases

5. Transfers and Purposes

6. Data Subject Rights (Art. 11)

7. Exercising Your Rights

KVKK Data Subject Notice

1. Identity of the Data Controller

2. Categories of Personal Data Processed

3. Purposes of Processing

4. Collection Methods and Legal Bases

5. Transfers and Purposes

6. Data Subject Rights (Art. 11)

7. Exercising Your Rights