Privacy Policy
Version 2.0 · Effective Date: 14 April 2026
1. Introduction and Controller
This Privacy Policy explains how [COMPANY LEGAL NAME] ("Morpheo Akademi", "we") collects, uses, stores, transfers, and protects your personal data when you use our Platform. It is drafted in accordance with Türkiye's Law No. 6698 on the Protection of Personal Data ("KVKK"), the EU General Data Protection Regulation ("GDPR"), and other applicable laws.
Data Controller:
- Legal Name: [COMPANY LEGAL NAME]
- Tax ID: [TAX ID]
- Registered Address: [REGISTERED ADDRESS, BURSA, TÜRKİYE]
- Phone: [PHONE]
- Email: [CONTACT EMAIL]
2. Categories of Personal Data Collected
- Identity data: name, surname, username, profile photo, date of birth (optional).
- Contact data: email address, phone number, billing address.
- Transaction data: order history, invoice data, coupon use, refunds.
- Payment metadata: [Payment Service Provider] order ID, masked card data, payment status, currency. Morpheo Akademi does not see, store, or process full card numbers, CVV, or expiry dates.
- Learning and usage data: enrolled courses, progress, watch time, quiz results, Q&A, assignments, certificates.
- Technical data: IP address, browser, operating system, device, screen resolution, language, timezone, referrers.
- Cookie data: See our Cookie Policy.
- Support data: messages, emails, and call recordings (with prior notice).
- Marketing data: communication preferences, campaign responses, survey answers (with consent).
3. Collection Methods
- Registration, profile and purchase forms on the Platform;
- Third-party OAuth providers (Google, LinkedIn, etc.);
- Payment flow via [Payment Service Provider] (metadata only);
- Cookies and similar tracking technologies;
- Support, email, and messaging channels;
- Platform logs and analytics.
4. Processing Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Account creation, authentication, Platform access | Performance of contract (GDPR 6(1)(b); KVKK 5/2-c) |
| Delivery of educational content and progress tracking | Performance of contract |
| Order processing, invoicing, record keeping | Legal obligation (GDPR 6(1)(c)) |
| Fraud prevention, chargeback and abuse detection | Legitimate interest (GDPR 6(1)(f)) |
| Customer service and support | Performance of contract / Legitimate interest |
| Platform security, logging, incident response | Legitimate interest / Legal obligation |
| Product analytics and improvement | Consent (GDPR 6(1)(a)) |
| Marketing communications and newsletters | Consent |
| Compliance with legal requests and authorities | Legal obligation |
5. Recipients of Data
- [PAYMENT SERVICE PROVIDER] (UK): Merchant of Record and payment processing.
- Bunny CDN / BunnyWay d.o.o. (Slovenia): Video hosting and delivery.
- Supabase Inc. (US/EU): Authentication, database, and storage.
- PostHog (US/EU): Product analytics (with consent).
- SMTP email providers: Transactional and marketing emails.
- OAuth providers: Google, LinkedIn, etc., if chosen by the User.
- Legal authorities: Courts, public prosecutors, regulators, where legally required.
- Professional advisors: Accountants, auditors, lawyers, under confidentiality.
6. International Data Transfers
Some of the recipients above ([Payment Service Provider], Supabase, Bunny CDN, PostHog, email providers, OAuth providers) are established outside Türkiye, primarily in the EU, UK, and United States. Transfers are based on standard contractual clauses, commitments, or explicit consent, in compliance with KVKK Article 9 and GDPR Chapter V.
7. Retention Periods
- Account data: while the account is active, plus 3 years.
- Orders, invoices, and payment records: 10 years (Turkish Tax Procedure Law No. 213 and Turkish Commercial Code).
- Access and security logs: up to 2 years (Law No. 5651).
- Support communications: 3 years from closure.
- Marketing consents: until withdrawn.
Data is deleted, destroyed, or anonymized once the applicable retention period expires.
8. Security Measures
- TLS 1.2+ encryption in transit (HTTPS);
- At-rest encryption for sensitive fields;
- Row-Level Security (RLS) in the database;
- Role-based access controls;
- Password hashing (bcrypt/argon2-class);
- Two-factor authentication support;
- Rate limiting by IP/session;
- Regular security audits, penetration tests, log review;
- Employee privacy training and confidentiality undertakings;
- Incident response plan.
9. Your Rights (KVKK Article 11 / GDPR Articles 15–22)
Subject to applicable law, you have the right to:
- Know whether your personal data is being processed and access it;
- Request rectification of inaccurate or incomplete data;
- Request deletion or erasure ("right to be forgotten");
- Restrict or object to processing;
- Request data portability;
- Withdraw consent at any time without affecting prior lawfulness;
- Not be subject to solely automated decisions;
- Lodge a complaint with a supervisory authority.
Requests may be sent to [CONTACT EMAIL]. We will respond within 30 days. You may also file a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu, kvkk.gov.tr) or your local EU supervisory authority.
10. Children's Privacy
The Platform is intended for Users aged 18 and above. Users under 18 may only use the Platform with express written consent from a parent or legal guardian.
11. Policy Updates
We may update this Privacy Policy from time to time. The latest version will always be posted on this page and material changes will be communicated by email.
12. Contact
For all privacy-related requests and questions, please contact us at [CONTACT EMAIL] or via post at the registered address above.