KVKK Notice (Türkiye)
This is an English-language reference translation of the Turkish KVKK (Law no. 6698 on the Protection of Personal Data) information notice we provide to data subjects in Türkiye. The Turkish version is the legally binding text for Türkiye-based users.
1. Identity of the Data Controller
Data Controller: Delilcan Düven (operating the simlek brand)
Email: [email protected]
General contact: [email protected]
simlek is an independent product. It is not affiliated with, endorsed by, or officially partnered with the retailers named in the App (Zara, Mango, Bershka, Pull&Bear and others).
2. Personal Data Processed
2.1. Identity and contact
- First and last name (only if shared by the identity provider)
- Email address (or Apple "Hide My Email" relay address)
- Profile photo URL (Google sign-in only, if available)
- Firebase user ID (including anonymous accounts)
2.2. Transaction security
- IP address (kept for up to 30 days)
- Device model, OS version, app version
- Push notification token
2.3. Customer transactions
- Watched product URLs and selected sizes
- Notification preferences (quiet hours, mutes)
- Notification history (sent at, read state)
- Subscription state (active plan, start, end — via RevenueCat through Apple/Google)
- Referral code used and redemption time
We do not process payment card information. All payments are handled by Apple App Store or Google Play; we only learn the subscription state.
What we do NOT collect: location (GPS), contacts, photo library, microphone, health data, financial accounts, advertising identifiers.
3. Purposes
- Creating your account and signing you in.
- Periodically checking the public APIs of retailers for the products and sizes you watch.
- Sending the notifications you've signed up for.
- Managing your Premium subscription entitlement.
- Diagnosing and fixing app errors (Sentry).
- Preventing abuse and securing accounts.
- Meeting our legal obligations (court orders, regulatory requests).
4. Legal Bases
Your personal data is processed under article 5/2 of the KVKK, on the following bases:
- 5/2-c — necessary for the conclusion or performance of a contract (account, watches, subscription).
- 5/2-ç — necessary for compliance with a legal obligation of the data controller.
- 5/2-e — necessary for the establishment, exercise or defence of a legal claim.
- 5/2-f — necessary for the legitimate interests of the data controller, provided your fundamental rights and freedoms are not overridden (security, error diagnostics).
- Article 9 / Explicit consent — for international transfers (see §6).
5. Collection Method
Your personal data is collected by automated or semi-automated means, in electronic form, through:
- direct input by you in the App (pasting a URL, selecting a size, settings);
- authentication systems provided by Apple Inc. and Google LLC;
- automatic technical data flows between the App and our servers (device, IP, error logs).
6. Domestic and International Transfers
6.1. Domestic transfers
We may share data with authorities (courts, prosecutors, the KVKK Board, etc.) in response to lawful requests, to the extent legally required.
6.2. International transfers — under explicit consent
The technical infrastructure of the service runs on cloud providers located in the United States and other countries. Based on the explicit consent you give at sign-up, your personal data is transferred to the following providers:
- Apple Inc. (US) — Sign in with Apple, push infrastructure, billing.
- Google LLC / Firebase (US) — Sign in with Google, authentication, Remote Config.
- Expo, Inc. (US) — push notification delivery.
- RevenueCat, Inc. (US) — subscription state verification.
- Functional Software, Inc. (Sentry) (US) — error monitoring.
- Render Services, Inc. (US) — server hosting.
- Cloudflare, Inc. (US / global) — CDN, domain, edge network.
- Database provider (Supabase / Neon, US or EU) — database hosting.
You can withdraw your explicit consent at any time. Withdrawal may make it impossible to use the App because these providers form the technical basis of the service.
7. Retention
- Account data: while active + up to 30 days after deletion (backup purge window).
- Watches: 30-day natural expiry or until stopped by you.
- Notification history: 12 months.
- Error logs: 90 days.
- API and server logs: 30 days.
- Invoices / payments: kept by Apple/Google for 10 years per tax law; not retained by us.
8. Rights of the Data Subject (KVKK Article 11)
As a data subject you may exercise the following rights by contacting the data controller:
- Learn whether your personal data is being processed.
- Request information about how it is processed.
- Learn the purpose of the processing and whether your data is used in line with that purpose.
- Know the third parties to whom your data has been transferred, domestically or internationally.
- Request correction of incomplete or inaccurate data.
- Request deletion or destruction of data, subject to the conditions in article 7 of the KVKK.
- Request that corrections, deletions, and destructions be communicated to third parties to whom the data has been transferred.
- Object to results obtained against you solely by automated processing. (Note: simlek does not run automated decision-making within the meaning of the KVKK.)
- Claim compensation for damages arising from unlawful processing.
9. Application
To exercise these rights, contact us in accordance with the "Communiqué on the Procedures and Principles for Applications to the Data Controller" via:
- Email: [email protected] (from your registered email)
- In-app: Profile → Delete Account creates a deletion request directly.
Applications must clearly state your identity (user ID or registered email), your request, and the basis for it. Applications are processed within 30 days at no charge; an administrative fee may apply per the KVKK Board's tariff if specific costs arise.
If your request is refused, if the response is inadequate, or if no response is received within the statutory period, you may file a complaint with the KVKK Board.